feat: Allow array of Org IDs #97

mitch-hamm · 2024-11-13T17:59:05Z

Set org id as a list to allow multiple orgs in the same AWS account

Result of tf plan on an existing apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.sn_managed_cloud.aws_iam_role.bootstrap_role[0] will be updated in-place
  ~ resource "aws_iam_role" "bootstrap_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                "accounts.google.com:aud" = "108050666045451143798"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "accounts.google.com"
                        }
                        Sid       = "AllowStreamNativeControlPlaneAccess"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "StreamNativeCloudBootstrapRole"
        name                  = "StreamNativeCloudBootstrapRole"
        tags                  = {
            "SNVersion" = "3.14.1"
            "Vendor"    = "StreamNative"
        }
        # (10 unchanged attributes hidden)
    }

  # module.sn_managed_cloud.aws_iam_role.management_role will be updated in-place
  ~ resource "aws_iam_role" "management_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                "accounts.google.com:aud" = "108050666045451143798"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "accounts.google.com"
                        }
                        Sid       = "AllowStreamNativeControlPlaneAccess"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "StreamNativeCloudManagementRole"
        name                  = "StreamNativeCloudManagementRole"
        tags                  = {
            "SNVersion" = "3.14.1"
            "Vendor"    = "StreamNative"
        }
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Apply results

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.sn_managed_cloud.aws_iam_role.bootstrap_role[0] will be updated in-place
  ~ resource "aws_iam_role" "bootstrap_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                "accounts.google.com:aud" = "108050666045451143798"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "accounts.google.com"
                        }
                        Sid       = "AllowStreamNativeControlPlaneAccess"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "StreamNativeCloudBootstrapRole"
        name                  = "StreamNativeCloudBootstrapRole"
        tags                  = {
            "SNVersion" = "3.14.1"
            "Vendor"    = "StreamNative"
        }
        # (10 unchanged attributes hidden)
    }

  # module.sn_managed_cloud.aws_iam_role.management_role will be updated in-place
  ~ resource "aws_iam_role" "management_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "sts:ExternalId" = [
                                  + "o-nd3gv",
                                  + "o-z7cmp",
                                ]
                            }
                          - StringEquals                = {
                              - "sts:ExternalId" = "o-nd3gv"
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                "accounts.google.com:aud" = "108050666045451143798"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "accounts.google.com"
                        }
                        Sid       = "AllowStreamNativeControlPlaneAccess"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "StreamNativeCloudManagementRole"
        name                  = "StreamNativeCloudManagementRole"
        tags                  = {
            "SNVersion" = "3.14.1"
            "Vendor"    = "StreamNative"
        }
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.sn_managed_cloud.aws_iam_role.bootstrap_role[0]: Modifying... [id=StreamNativeCloudBootstrapRole]
module.sn_managed_cloud.aws_iam_role.management_role: Modifying... [id=StreamNativeCloudManagementRole]
module.sn_managed_cloud.aws_iam_role.bootstrap_role[0]: Modifications complete after 0s [id=StreamNativeCloudBootstrapRole]
module.sn_managed_cloud.aws_iam_role.management_role: Modifications complete after 1s [id=StreamNativeCloudManagementRole]

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

modules/aws/vendor-access/variables.tf

mitch-hamm · 2024-11-14T23:20:40Z

2 Different Orgs 2 Clusters

mitch-hamm · 2024-11-14T23:26:07Z

Org 1

Org 2

maxsxu · 2024-11-15T01:44:16Z

modules/aws/vendor-access/variables.tf

  description = "A external ID that correspond to your Organization within StreamNative Cloud, used for all STS assume role calls to the IAM roles created by the module. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"."
  type        = string
 }

+variable "external_ids" {
+  default     = []


It should not have default value, users have to provide the Organization id list as the external ids

How should we handle this, I thought the idea would be to allow either the external_id OR the external_ids value to be set. If we remove the default = [] it will break existing modules when they update because it will expect a defined value.

maxsxu · 2024-11-15T01:44:25Z

modules/aws/vendor-access/variables.tf

@@ -52,10 +52,17 @@ variable "eks_cluster_pattern" {
 }

 variable "external_id" {
+  default     = ""


It should not have default value, users have to provide the Organization id as the external id

Similar to above, do we want the user to have to specify both external_id and external_ids? Personally I think the best change would be to just have the external_ids array and when customers upgrade have them update the tf, that way we're not maintaining 2 variables that are related

maxsxu · 2024-11-15T01:46:13Z

modules/aws/vendor-access/main.tf

@@ -32,12 +32,13 @@ locals {
  allowed_iam_policies       = join(", ", formatlist("\"%s\"", distinct(concat(local.additional_iam_policy_arns, local.default_allowed_iam_policies))))
  arn_like_vpcs              = formatlist("\"arn:%s:ec2:%s:%s:vpc/%s\"", local.aws_partition, var.region, local.account_id, var.vpc_allowed_ids)
  arn_like_vpcs_str          = format("[%s]", join(",", local.arn_like_vpcs))
-  assume_conditions          = concat(local.external_id, local.source_identity, local.principal_check, local.vendor_federation)
-  support_assume_conditions  = concat(local.external_id, local.source_identity)
+  assume_conditions          = length(var.external_ids) != 0 ? concat(local.external_ids, local.source_identity, local.principal_check, local.vendor_federation) : concat(local.external_id, local.source_identity, local.principal_check, local.vendor_federation)


We should append the external_id to the external_ids, so existing user won't be break.

If the external_ids is an empty array it will default to the existing behaviour, so the TF will show no changes.
If we append the external_id to the end of the array does that mean we also want to update the policy from StringEquals to ForAllValues:StringEquals?

mitch-hamm · 2024-11-15T19:07:19Z

Current limit is 62 Orgs

Set org id as a list to allow multiple orgs in the same AWS account

84657ae

mitch-hamm requested a review from a team as a code owner November 13, 2024 17:59

github-actions bot assigned mitch-hamm Nov 13, 2024

ciiiii reviewed Nov 14, 2024

View reviewed changes

modules/aws/vendor-access/variables.tf Show resolved Hide resolved

Update to use new variable

c7ba306

mitch-hamm changed the title ~~WIP: Allow array of Org IDs~~ feat: Allow array of Org IDs Nov 14, 2024

maxsxu reviewed Nov 15, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Allow array of Org IDs #97

feat: Allow array of Org IDs #97

mitch-hamm commented Nov 13, 2024 •

edited

Loading

mitch-hamm commented Nov 14, 2024

mitch-hamm commented Nov 14, 2024

maxsxu Nov 15, 2024

mitch-hamm Nov 15, 2024

maxsxu Nov 15, 2024

mitch-hamm Nov 15, 2024

maxsxu Nov 15, 2024

mitch-hamm Nov 15, 2024

mitch-hamm commented Nov 15, 2024

feat: Allow array of Org IDs #97

Are you sure you want to change the base?

feat: Allow array of Org IDs #97

Conversation

mitch-hamm commented Nov 13, 2024 • edited Loading

Apply results

mitch-hamm commented Nov 14, 2024

mitch-hamm commented Nov 14, 2024

maxsxu Nov 15, 2024

Choose a reason for hiding this comment

mitch-hamm Nov 15, 2024

Choose a reason for hiding this comment

maxsxu Nov 15, 2024

Choose a reason for hiding this comment

mitch-hamm Nov 15, 2024

Choose a reason for hiding this comment

maxsxu Nov 15, 2024

Choose a reason for hiding this comment

mitch-hamm Nov 15, 2024

Choose a reason for hiding this comment

mitch-hamm commented Nov 15, 2024

mitch-hamm commented Nov 13, 2024 •

edited

Loading