
Commit 036f669

ROSAENG-57757 | feat: add trust_policy_external_id to account-iam-resources
Inject optional sts:ExternalId into installer and support account role trust policies, expose module input/output, and regenerate module documentation. Part of ROSA-786. Signed-off-by: michaelryanmcneill <michael@michaelryanmcneill.com>
1 parent 7ddac04 commit 036f669

4 files changed

Lines changed: 35 additions & 5 deletions


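--- a/modules/account-iam-resources/README.md
+++ b/modules/account-iam-resources/README.md
@@ -71,6 +71,7 @@ module "account_iam_resources" {
 | <a name="input_path"></a> [path](#input\_path) | The ARN path for the account/operator roles as well as their policies. | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of AWS resource tags to apply. | `map(string)` | `null` | no |
+| <a name="input_trust_policy_external_id"></a> [trust\_policy\_external\_id](#input\_trust\_policy\_external\_id) | External ID for trust policy condition in installer and support account roles. | `string` | `null` | no |
 
 ## Outputs
 
@@ -80,4 +81,5 @@ module "account_iam_resources" {
 | <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
 | <a name="output_openshift_version"></a> [openshift\_version](#output\_openshift\_version) | The Openshift cluster version of the cluster those account roles are used for. |
 | <a name="output_path"></a> [path](#output\_path) | The arn path for the account/operator roles as well as their policies. |
+| <a name="output_trust_policy_external_id"></a> [trust\_policy\_external\_id](#output\_trust\_policy\_external\_id) | External ID for trust policy condition in account roles |
 <!-- END_AUTOMATED_TF_DOCS_BLOCK -->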

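--- a/modules/account-iam-resources/main.tf
+++ b/modules/account-iam-resources/main.tf
@@ -4,13 +4,17 @@
 locals {
 path = coalesce(var.path, "/")
 short_openshift_version = format("%s.%s", split(".", var.openshift_version)[0], split(".", var.openshift_version)[1])
+trust_policy_external_id = (
+var.trust_policy_external_id != null && var.trust_policy_external_id != ""
+) ? var.trust_policy_external_id : null
 account_roles_properties = [
 {
 role_name = "Installer"
 role_type = "installer"
 policy_details = data.rhcs_policies.all_policies.account_role_policies["sts_installer_permission_policy"]
 principal_type = "AWS"
 principal_identifier = "arn:${data.aws_partition.current.partition}:iam::${data.rhcs_info.current.ocm_aws_account_id}:role/RH-Managed-OpenShift-Installer"
+external_id = local.trust_policy_external_id
 },
 {
 role_name = "Support"
@@ -19,20 +23,23 @@ locals {
 principal_type = "AWS"
 // This is a SRE RH Support role which is used to assume this support role
 principal_identifier = data.rhcs_policies.all_policies.account_role_policies["sts_support_rh_sre_role"]
+external_id = local.trust_policy_external_id
 },
 {
 role_name = "Worker"
 role_type = "instance_worker"
 policy_details = data.rhcs_policies.all_policies.account_role_policies["sts_instance_worker_permission_policy"]
 principal_type = "Service"
 principal_identifier = "ec2.amazonaws.com"
+external_id = null
 },
 {
 role_name = "ControlPlane"
 role_type = "instance_controlplane"
 policy_details = data.rhcs_policies.all_policies.account_role_policies["sts_instance_controlplane_permission_policy"]
 principal_type = "Service"
 principal_identifier = "ec2.amazonaws.com"
+external_id = null
 }
 ]
 account_roles_count = null_resource.validate_openshift_version != null ? length(local.account_roles_properties) : 0
@@ -59,6 +66,15 @@ data "aws_iam_policy_document" "custom_trust_policy" {
 type = local.account_roles_properties[count.index].principal_type
 identifiers = [local.account_roles_properties[count.index].principal_identifier]
 }
+
+dynamic "condition" {
+for_each = local.account_roles_properties[count.index].external_id != null ? [1] : []
+content {
+test = "StringEquals"
+variable = "sts:ExternalId"
+values = [local.account_roles_properties[count.index].external_id]
+}
+}
 }
 }
 
@@ -140,11 +156,12 @@ resource "time_sleep" "account_iam_resources_wait" {
 destroy_duration = "10s"
 create_duration = "10s"
 triggers = {
-account_iam_role_name = jsonencode([for value in aws_iam_role_policy_attachment.role_policy_attachment : value.role])
-account_roles_arn = jsonencode({ for idx, value in module.account_iam_role : local.account_roles_properties[idx].role_name => value.iam_role_arn })
-account_role_prefix = local.account_role_prefix_valid
-openshift_version = var.openshift_version
-path = var.path
+account_iam_role_name = jsonencode([for value in aws_iam_role_policy_attachment.role_policy_attachment : value.role])
+account_roles_arn = jsonencode({ for idx, value in module.account_iam_role : local.account_roles_properties[idx].role_name => value.iam_role_arn })
+account_role_prefix = local.account_role_prefix_valid
+openshift_version = var.openshift_version
+path = var.path
+trust_policy_external_id = local.trust_policy_external_id
 }
 }
 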
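Review bot: The new `trust_policy_external_id` local in the first hunk silently collapses `""` to `null`, and that normalization is what decides whether the `dynamic "condition"` in the `custom_trust_policy` hunk emits a `StringEquals sts:ExternalId` clause at all, so the intent should be stated next to it. Suggest adding `# "" is treated like null: a caller that leaves the value blank gets no sts:ExternalId condition rather than one pinned to an empty string.` above the local. The same normalized value (not the raw variable) is what the `time_sleep` trigger records and what `outputs.tf` later exports, which is worth a second line of comment on the trigger since it changes what downstream modules observe. The `data "aws_iam_policy_document" "custom_trust_policy"` and `resource "time_sleep" "account_iam_resources_wait"` blocks both begin outside their respective hunks.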
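--- a/modules/account-iam-resources/outputs.tf
+++ b/modules/account-iam-resources/outputs.tf
@@ -20,3 +20,8 @@ output "path" {
 value = time_sleep.account_iam_resources_wait.triggers["path"]
 description = "The arn path for the account/operator roles as well as their policies."
 }
+
+output "trust_policy_external_id" {
+value = time_sleep.account_iam_resources_wait.triggers["trust_policy_external_id"]
+description = "External ID for trust policy condition in account roles"
+}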
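Review bot: The description on the new `output "trust_policy_external_id"` says it applies to `account roles` generally, while the matching input in `variables.tf` and the `main.tf` locals only attach it to the installer and support roles, and the value is read back from the `time_sleep` trigger, so consumers receive the normalized local (null when the input was null or empty) rather than the raw variable. Suggest `description = "External ID applied to the installer and support account role trust policies; null when none was configured."`. The `output "path"` block above begins outside the hunk.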

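--- a/modules/account-iam-resources/variables.tf
+++ b/modules/account-iam-resources/variables.tf
@@ -29,3 +29,9 @@ variable "tags" {
 default = null
 description = "List of AWS resource tags to apply."
 }
+
+variable "trust_policy_external_id" {
+type = string
+default = null
+description = "External ID for trust policy condition in installer and support account roles."
+}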
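Review bot: `variable "trust_policy_external_id"` accepts any string, but `sts:ExternalId` has a documented character set and length limit (to my recollection 2–1224 characters of `[\w+=,.@:/-]` per the STS AssumeRole API reference), so a value outside that range is only rejected when the remote principal tries to assume the role, not at plan time. A `validation` block surfaces the mistake before the trust policy is written; it must still admit `null` and `""`, which `main.tf` already maps to "no condition". This assumes the module's required Terraform version supports variable validation, which the hunk does not show.
```hcl
variable "trust_policy_external_id" {
  type        = string
  default     = null
  description = "External ID for trust policy condition in installer and support account roles."

  validation {
    condition = (
      var.trust_policy_external_id == null ||
      var.trust_policy_external_id == "" ||
      can(regex("^[\\w+=,.@:/-]{2,1224}$", var.trust_policy_external_id))
    )
    error_message = "trust_policy_external_id must be 2-1224 characters drawn from [A-Za-z0-9_+=,.@:/-], the character set accepted for sts:ExternalId."
  }
}
```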
