
feat: allow policy customization #23

Merged
merged 12 commits into from
Jul 31, 2024

Conversation

leonsteinhaeuser
Copy link
Contributor

@leonsteinhaeuser leonsteinhaeuser commented Jul 29, 2024

Description

This PR refactors the AWS IAM role and policy management for dynamic credential authentication between AWS and Terraform Cloud. The goal of this PR was to support dedicated workspace assignment. This was not possible in the previous implementation.

How Has This Been Tested?

I started a local plan with my temporary credentials for our AWS management account.

Plan Output
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.tfc_aws_dynamic_credentials.tfe_project_variable_set.tfc_project will be created
  + resource "tfe_project_variable_set" "tfc_project" {
      + id              = (known after apply)
      + project_id      = "prj-<something>"
      + variable_set_id = (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.tfe_variable.tfe_aws_provider_auth will be created
  + resource "tfe_variable" "tfe_aws_provider_auth" {
      + category        = "env"
      + description     = "AWS provider auth"
      + hcl             = false
      + id              = (known after apply)
      + key             = "TFC_AWS_PROVIDER_AUTH"
      + readable_value  = "true"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.tfe_variable.tfe_aws_provider_auth_arn will be created
  + resource "tfe_variable" "tfe_aws_provider_auth_arn" {
      + category        = "env"
      + description     = "AWS provider auth"
      + hcl             = false
      + id              = (known after apply)
      + key             = "TFC_AWS_RUN_ROLE_ARN"
      + readable_value  = (known after apply)
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.tfe_variable_set.tfc_aws_dynamic_credentials will be created
  + resource "tfe_variable_set" "tfc_aws_dynamic_credentials" {
      + description   = "AWS dynamic credentials"
      + global        = false
      + id            = (known after apply)
      + name          = "aws-dynamic-credentials-management"
      + organization  = "Tagesspiegel"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.module.aws_identity_provider.aws_iam_openid_connect_provider.this will be created
  + resource "aws_iam_openid_connect_provider" "this" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "app.terraform.io",
        ]
      + id              = (known after apply)
      + tags_all        = (known after apply)
      + thumbprint_list = [
          + "<thumbprint>",
        ]
      + url             = "https://app.terraform.io"
    }

  # module.tfc_aws_dynamic_credentials.module.aws_tfc_dynamic_credentials_iam_roles.aws_iam_policy.this will be created
  + resource "aws_iam_policy" "this" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Grants terraform cloud access to AWS (generated by terraform). This policy is attached to the role created by terraform. Do not modify this policy manually. If you need to modify the permissions, modify the terraform code and re-run terraform."
      + id               = (known after apply)
      + name             = "terraform-cloud-dynamic-credentials"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ec2:*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                  + {
                      + Action   = [
                          + "iam:*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                  + {
                      + Action   = [
                          + "s3:*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.module.aws_tfc_dynamic_credentials_iam_roles.aws_iam_role.this will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "terraform-cloud-dynamic-credentials"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.tfc_aws_dynamic_credentials.module.aws_tfc_dynamic_credentials_iam_roles.aws_iam_role_policy_attachment.this will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "terraform-cloud-dynamic-credentials"
    }

Plan: 8 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + aws_tfc_audience = (sensitive value)
  + full_name        = "terraform-cloud-dynamic-credentials"
  + oidc_claims      = (known after apply)
  + role_arns        = (known after apply)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
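The plan above creates a permissions policy that grants `ec2:*`, `iam:*` and `s3:*` on `Resource = "*"` to the role Terraform Cloud assumes. The following added example (not part of this PR or the module) is a small reviewer-side check that takes an IAM policy document, as produced by `jsonencode` in the plan, and reports every Allow statement that combines a service-wide or global action wildcard with a wildcard resource; the policy is reconstructed from the plan output and the helper names are assumptions.

```python
import json
from typing import Dict, List, Union

# Constructed from the aws_iam_policy.this document in the plan output above.
PLAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy: dict) -> List[Dict[str, Union[int, str]]]:
    """Return unconditioned Allow statements that pair an action wildcard with Resource '*'."""
    findings: List[Dict[str, Union[int, str]]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned grants are not flagged here
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # a scoped resource ARN is not a blanket grant
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                service = "all services" if action == "*" else action.split(":", 1)[0]
                findings.append({"statement": index, "action": action, "service": service})
    return findings


def lint_policy_json(policy_json: str) -> List[str]:
    """Render findings for a JSON policy document; an empty list means nothing was flagged."""
    return [
        f"statement {f['statement']}: {f['action']} on Resource * ({f['service']})"
        for f in find_broad_statements(json.loads(policy_json))
    ]


if __name__ == "__main__":
    for line in lint_policy_json(json.dumps(PLAN_POLICY)):
        print(line)
```

Run against the policy from this plan it reports three blanket grants, which is the kind of finding a reviewer would want to weigh against the per-workspace scoping this PR introduces.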

@leonsteinhaeuser leonsteinhaeuser self-assigned this Jul 29, 2024
@github-actions github-actions bot added feature Denotes a PR to implement a new feature. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 29, 2024
@leonsteinhaeuser leonsteinhaeuser added breaking-change Denotes a PR that changes CODE that affects the "API" refactor Denotes a PR that refactors a specific part of an application. labels Jul 29, 2024
@leonsteinhaeuser leonsteinhaeuser force-pushed the feat/allow-policy-customization branch from 19f42de to 05b8686 July 29, 2024 14:03
@leonsteinhaeuser leonsteinhaeuser changed the title Feat/allow policy customization feat: allow policy customization Jul 29, 2024
@leonsteinhaeuser leonsteinhaeuser marked this pull request as ready for review July 29, 2024 14:04
@leonsteinhaeuser leonsteinhaeuser requested a review from a team as a code owner July 29, 2024 14:04
Signed-off-by: leonsteinhaeuser <[email protected]>
@leonsteinhaeuser leonsteinhaeuser force-pushed the feat/allow-policy-customization branch from 05b8686 to 46f65f1 July 31, 2024 09:53
@leonsteinhaeuser leonsteinhaeuser force-pushed the feat/allow-policy-customization branch from 08d2daf to 424cf8c July 31, 2024 10:58
@leonsteinhaeuser leonsteinhaeuser merged commit 5f221c3 into main Jul 31, 2024
5 checks passed
@leonsteinhaeuser leonsteinhaeuser deleted the feat/allow-policy-customization branch July 31, 2024 11:06