adding shared vpc arn

Author: steve-fraser

castai/data_source_eks_settings.go

@@ -13,13 +13,14 @@ import (
 )
 
 const (
-	EKSSettingsFieldAccountId          = "account_id"
-	EKSSettingsFieldRegion             = "region"
-	EKSSettingsFieldVpc                = "vpc"
-	EKSSettingsFieldCluster            = "cluster"
-	EKSSettingsFieldIamPolicyJson      = "iam_policy_json"
-	EKSSettingsFieldIamUserPolicyJson  = "iam_user_policy_json"
-	EKSSettingsFieldIamManagedPolicies = "iam_managed_policies"
+	EKSSettingsFieldAccountId             = "account_id"
+	EKSSettingsFieldRegion                = "region"
+	EKSSettingsFieldVpc                   = "vpc"
+	EKSSettingsFieldCluster               = "cluster"
+	EKSSettingsFieldIamPolicyJson         = "iam_policy_json"
+	EKSSettingsFieldIamUserPolicyJson     = "iam_user_policy_json"
+	EKSSettingsFieldIamManagedPolicies    = "iam_managed_policies"
+	EKSSettingsFieldAWSSharedVPCAccountId = "aws_shared_vpc_account_id"
 
 	GovCloudPrefix = "us-gov"
 )
@@ -66,6 +67,13 @@ func dataSourceEKSSettings() *schema.Resource {
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Computed: true,
 			},
+			EKSSettingsFieldAWSSharedVPCAccountId: {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ForceNew:         true,
+				Description:      "AWS account ID where the VPC and subnets are located, for shared VPC setups. If not provided, defaults to the account_id.",
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsNotWhiteSpace),
+			},
 		},
 	}
 }
@@ -75,11 +83,17 @@ func dataSourceCastaiEKSSettingsRead(ctx context.Context, data *schema.ResourceD
 	vpc := data.Get(EKSSettingsFieldVpc).(string)
 	region := data.Get(EKSSettingsFieldRegion).(string)
 	cluster := data.Get(EKSSettingsFieldCluster).(string)
+	sharedVPCAccountID := data.Get(EKSSettingsFieldAWSSharedVPCAccountId).(string)
 
 	arn := fmt.Sprintf("%s:%s", region, accountID)
 	partition := getPartition(region)
 
-	userPolicy, _ := policies.GetUserInlinePolicy(cluster, arn, vpc, partition)
+	var sharedVPCArn string
+	if sharedVPCAccountID != "" {
+		sharedVPCArn = fmt.Sprintf("%s:%s", region, sharedVPCAccountID)
+	}
+
+	userPolicy, _ := policies.GetUserInlinePolicy(cluster, arn, vpc, partition, sharedVPCArn)
 	iamPolicy, _ := policies.GetIAMPolicy(accountID, partition)
 	managedPolicies := policies.GetManagedPolicies(partition)
 

castai/policies/policy.go

@@ -37,26 +37,33 @@ func GetIAMPolicy(accountNumber, partition string) (string, error) {
 	return buf.String(), nil
 }
 
-func GetUserInlinePolicy(clusterName, arn, vpc, partition string) (string, error) {
+func GetUserInlinePolicy(clusterName, arn, vpc, partition, sharedVPCArn string) (string, error) {
 	tmpl, err := template.New("json").Parse(UserPolicy)
 	if err != nil {
 		return "", fmt.Errorf("parsing template: %w", err)
 	}
 
+	// If sharedVPCArn is not provided, use the main ARN for VPC/subnet resources
+	if sharedVPCArn == "" {
+		sharedVPCArn = arn
+	}
+
 	type tmplValues struct {
-		ClusterName string
-		ARN         string
-		VPC         string
-		Partition   string
+		ClusterName  string
+		ARN          string
+		VPC          string
+		Partition    string
+		SharedVPCArn string
 	}
 
 	var buf bytes.Buffer
 
 	if err := tmpl.Execute(&buf, tmplValues{
-		ClusterName: clusterName,
-		ARN:         arn,
-		VPC:         vpc,
-		Partition:   partition,
+		ClusterName:  clusterName,
+		ARN:          arn,
+		VPC:          vpc,
+		Partition:    partition,
+		SharedVPCArn: sharedVPCArn,
 	}); err != nil {
 		return "", fmt.Errorf("interpolating template: %w", err)
 	}

castai/policies/policy_test.go

@@ -24,7 +24,7 @@ func TestPolicies(t *testing.T) {
 	})
 
 	t.Run("User policy", func(t *testing.T) {
-		userpolicy, err := GetUserInlinePolicy("clustername", "testarn", "testvpc", "testpartition")
+		userpolicy, err := GetUserInlinePolicy("clustername", "testarn", "testvpc", "testpartition", "")
 		if err != nil || userpolicy == "" {
 			t.Fatalf("couldn't generate user policy")
 		}
@@ -40,6 +40,29 @@ func TestPolicies(t *testing.T) {
 		}
 	})
 
+	t.Run("User policy with shared VPC account", func(t *testing.T) {
+		userpolicy, err := GetUserInlinePolicy("clustername", "testarn", "testvpc", "testpartition", "sharedvpcarn")
+		if err != nil || userpolicy == "" {
+			t.Fatalf("couldn't generate user policy")
+		}
+
+		vpcResource := "arn:testpartition:ec2:sharedvpcarn:vpc/testvpc"
+		subnetResource := "arn:testpartition:ec2:sharedvpcarn:subnet/*"
+		instanceResource := "arn:testpartition:ec2:testarn:instance/*"
+
+		if !strings.Contains(userpolicy, vpcResource) {
+			t.Fatalf("generated User policy does not contain shared VPC resource")
+		}
+
+		if !strings.Contains(userpolicy, subnetResource) {
+			t.Fatalf("generated User policy does not contain shared subnet resource")
+		}
+
+		if !strings.Contains(userpolicy, instanceResource) {
+			t.Fatalf("generated User policy should still use main ARN for instance resources")
+		}
+	})
+
 	t.Run("Managed policies", func(t *testing.T) {
 		managedPolicies := GetManagedPolicies("testpartition")
 

castai/policies/user-policy.json

@@ -16,10 +16,10 @@
       "Sid": "RunInstancesVpcRestriction",
       "Effect": "Allow",
       "Action": "ec2:RunInstances",
-      "Resource": "arn:{{ .Partition }}:ec2:{{ .ARN }}:subnet/*",
+      "Resource": "arn:{{ .Partition }}:ec2:{{ .SharedVPCArn }}:subnet/*",
       "Condition": {
         "StringEquals": {
-          "ec2:Vpc": "arn:{{ .Partition }}:ec2:{{ .ARN }}:vpc/{{ .VPC }}"
+          "ec2:Vpc": "arn:{{ .Partition }}:ec2:{{ .SharedVPCArn }}:vpc/{{ .VPC }}"
         }
       }
     },