|
| 1 | +# Copyright Red Hat |
| 2 | +# SPDX-License-Identifier: Apache-2.0 |
| 3 | + |
| 4 | +locals { |
| 5 | + path = coalesce(var.path, "/") |
| 6 | + |
| 7 | + role_type = "OCM" |
| 8 | + role_suffix = "-${local.role_type}-Role-${data.rhcs_info.current.organization_external_id}" |
| 9 | + max_prefix_length = 64 - length(local.role_suffix) |
| 10 | + truncated_role_prefix = local.max_prefix_length > 0 ? substr(var.ocm_role_prefix, 0, local.max_prefix_length) : "" |
| 11 | + role_name = "${local.truncated_role_prefix}${local.role_suffix}" |
| 12 | + max_policy_name_length = 128 |
| 13 | + standard_policy_enabled = contains(["standard", "admin"], var.profile) |
| 14 | + admin_policy_enabled = var.profile == "admin" |
| 15 | + no_console_enabled = var.profile == "no-console" |
| 16 | + |
| 17 | + ocm_environment = ( |
| 18 | + strcontains(data.rhcs_info.current.ocm_api, "api.stage.") ? "staging" : |
| 19 | + ( |
| 20 | + strcontains(data.rhcs_info.current.ocm_api, "integration") || strcontains(data.rhcs_info.current.ocm_api, ".int.") ? "integration" : "production" |
| 21 | + ) |
| 22 | + ) |
| 23 | + |
| 24 | + base_tags = merge(var.tags, { |
| 25 | + red-hat-managed = true |
| 26 | + rosa_role_prefix = var.ocm_role_prefix |
| 27 | + rosa_role_type = local.role_type |
| 28 | + rosa_environment = local.ocm_environment |
| 29 | + }) |
| 30 | + |
| 31 | + role_tags = local.admin_policy_enabled ? merge(local.base_tags, { |
| 32 | + rosa_admin_role = true |
| 33 | + }) : ( |
| 34 | + local.no_console_enabled ? merge(local.base_tags, { |
| 35 | + rosa_no_console_role = true |
| 36 | + }) : local.base_tags |
| 37 | + ) |
| 38 | +} |
| 39 | + |
| 40 | +data "rhcs_hcp_policies" "all_policies" {} |
| 41 | + |
| 42 | +data "rhcs_info" "current" {} |
| 43 | + |
| 44 | +resource "aws_iam_role" "ocm_role" { |
| 45 | + name = local.role_name |
| 46 | + permissions_boundary = var.permissions_boundary |
| 47 | + path = local.path |
| 48 | + assume_role_policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_trust_policy |
| 49 | + force_detach_policies = true |
| 50 | + |
| 51 | + tags = local.role_tags |
| 52 | +} |
| 53 | + |
| 54 | +resource "aws_iam_policy" "standard_permission_policy" { |
| 55 | + count = local.standard_policy_enabled ? 1 : 0 |
| 56 | + |
| 57 | + name = substr("${local.role_name}-Policy", 0, local.max_policy_name_length) |
| 58 | + path = local.path |
| 59 | + policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_permission_policy |
| 60 | + |
| 61 | + tags = local.base_tags |
| 62 | +} |
| 63 | + |
| 64 | +resource "aws_iam_role_policy_attachment" "standard_permission_policy_attachment" { |
| 65 | + count = local.standard_policy_enabled ? 1 : 0 |
| 66 | + |
| 67 | + role = aws_iam_role.ocm_role.name |
| 68 | + policy_arn = aws_iam_policy.standard_permission_policy[0].arn |
| 69 | +} |
| 70 | + |
| 71 | +resource "aws_iam_policy" "ocm_admin_permission_policy" { |
| 72 | + count = local.admin_policy_enabled ? 1 : 0 |
| 73 | + |
| 74 | + name = substr("${local.role_name}-Admin-Policy", 0, local.max_policy_name_length) |
| 75 | + path = local.path |
| 76 | + policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_admin_permission_policy |
| 77 | + |
| 78 | + tags = merge(local.base_tags, { |
| 79 | + rosa_admin_role = true |
| 80 | + }) |
| 81 | +} |
| 82 | + |
| 83 | +resource "aws_iam_role_policy_attachment" "ocm_admin_permission_policy_attachment" { |
| 84 | + count = local.admin_policy_enabled ? 1 : 0 |
| 85 | + |
| 86 | + role = aws_iam_role.ocm_role.name |
| 87 | + policy_arn = aws_iam_policy.ocm_admin_permission_policy[0].arn |
| 88 | +} |
| 89 | + |
| 90 | +resource "aws_iam_policy" "ocm_no_console_permission_policy" { |
| 91 | + count = local.no_console_enabled ? 1 : 0 |
| 92 | + |
| 93 | + name = substr("${local.role_name}-NoConsole-Policy", 0, local.max_policy_name_length) |
| 94 | + path = local.path |
| 95 | + policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_no_console_permission_policy |
| 96 | + |
| 97 | + tags = merge(local.base_tags, { |
| 98 | + rosa_no_console_role = true |
| 99 | + }) |
| 100 | +} |
| 101 | + |
| 102 | +resource "aws_iam_role_policy_attachment" "ocm_no_console_permission_policy_attachment" { |
| 103 | + count = local.no_console_enabled ? 1 : 0 |
| 104 | + |
| 105 | + role = aws_iam_role.ocm_role.name |
| 106 | + policy_arn = aws_iam_policy.ocm_no_console_permission_policy[0].arn |
| 107 | +} |
| 108 | + |
| 109 | +resource "rhcs_rosa_ocm_role_link" "this" { |
| 110 | + count = var.create_link ? 1 : 0 |
| 111 | + |
| 112 | + role_arn = aws_iam_role.ocm_role.arn |
| 113 | +} |
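Review bot: A `var.profile` value outside "standard", "admin" and "no-console" silently creates `aws_iam_role.ocm_role` with only the trust policy and no permission policy attached, because every `aws_iam_policy` count (gutter lines 55, 72 and 91) evaluates to 0 and nothing in this hunk rejects the value. Unless `variables.tf` (not in this hunk) already carries a `validation` block for `var.profile`, a `lifecycle.precondition` on the role turns the mismatch into a plan-time error instead of a role that exists but can do nothing. The `64` in `max_prefix_length` and the `128` in `max_policy_name_length` also deserve a why-comment, e.g. `# IAM role names are capped at 64 characters and policy names at 128; the org-id suffix is kept and the prefix is truncated`. Note as well that `assume_role_policy` is read from the `rhcs_hcp_policies` data source on every plan, so a change on the OCM side surfaces as a trust-policy diff on the next apply rather than being pinned in this repository.
```hcl
resource "aws_iam_role" "ocm_role" {
  # … unchanged: name, permissions_boundary, path, assume_role_policy, force_detach_policies, tags …

  lifecycle {
    precondition {
      condition     = contains(["standard", "admin", "no-console"], var.profile)
      error_message = "var.profile must be one of \"standard\", \"admin\" or \"no-console\"; any other value would create the role without a permission policy."
    }
  }
}
```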