Skip to content

ROSAENG-57757 | feat: add trust_policy_external_id to account-iam-resources#149

Merged
openshift-merge-bot[bot] merged 1 commit into
terraform-redhat:mainfrom
michaelryanmcneill:ROSA-786
Jul 2, 2026
Merged

ROSAENG-57757 | feat: add trust_policy_external_id to account-iam-resources#149
openshift-merge-bot[bot] merged 1 commit into
terraform-redhat:mainfrom
michaelryanmcneill:ROSA-786

Conversation

@michaelryanmcneill

@michaelryanmcneill michaelryanmcneill commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

PR Summary

Adds optional trust_policy_external_id to modules/account-iam-resources so installer and support ROSA Classic account roles can require an STS external ID in their IAM trust policies.

Detailed Description of the Issue

ROSA customers using STS external IDs in account role trust policies need Terraform module support to inject sts:ExternalId when creating account roles. The HCP module already had partial support; Classic account-iam-resources did not expose this capability.

The RHCS provider (terraform-provider-rhcs) validates sts.trust_policy_external_id at cluster create against these IAM policies. Module and cluster configuration must accept the same optional value.

Related Issues and PRs

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

  • modules/account-iam-resources had no trust_policy_external_id variable.
  • Installer and support trust policies never included an sts:ExternalId condition.
  • Worker and control plane roles unchanged (service principal trust only).

Behavior After This Change

  • New optional input trust_policy_external_id (default null).
  • Empty string normalized to unset (no condition injected).
  • When set, dynamic StringEquals on sts:ExternalId applied to Installer and Support roles only.
  • Worker and ControlPlane roles do not receive external ID conditions.
  • New output trust_policy_external_id (included in time_sleep triggers).
  • Module README regenerated via make terraform-docs.

Example wiring

module "account_iam_resources" {
  source  = "terraform-redhat/rosa-classic/rhcs//modules/account-iam-resources"
  version = ">=1.6.3"

  account_role_prefix      = var.account_role_prefix
  trust_policy_external_id = var.trust_policy_external_id
}

resource "rhcs_cluster_rosa_classic" "example" {
  sts = {
    trust_policy_external_id = var.trust_policy_external_id
    # role_arn, support_role_arn, ...
  }
}

How to Test (Step-by-Step)

Preconditions

  • AWS credentials for target account
  • RHCS provider configured (for policies data sources)
  • Terraform >= 1.0

Test Steps

  1. Format and validate module:
    cd modules/account-iam-resources
    terraform fmt
    terraform validate
  2. Apply module with trust_policy_external_id = "test-external-id-123".
  3. Inspect installer and support role trust policies in AWS IAM; confirm sts:ExternalId condition is present with the expected value.
  4. Confirm worker and control plane roles have no external ID condition.
  5. Apply with trust_policy_external_id = null; confirm no external ID condition is present.

Expected Results

  • External ID condition appears only on installer and support when variable is set.
  • Module output reflects the configured value.
  • Omitting the variable preserves prior trust policy shape.

Proof of the Fix

  • Screenshots: IAM trust policy JSON showing sts:ExternalId on installer/support
  • Videos: N/A
  • Logs/CLI output: terraform apply output
  • Other artifacts: N/A

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

N/A — new optional variable with default null. Existing module consumers are unaffected until they opt in.

Developer Verification Checklist

  • I checked if this affects terraform-rhcs-rosa-hcp and submitted (or already submitted) a companion PR when needed.
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes (or each step: verify, verify-gen, lint, unit-tests, license-check, docs-lint).
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added an optional, validated trust_policy_external_id input to configure the sts:ExternalId condition for installer and support IAM trust policies.
    • Exposed the configured trust_policy_external_id via module output.
  • Tests

    • Added test coverage for null handling, rejection of empty/whitespace values, and correct inclusion/exclusion of sts:ExternalId across role trust policies.
  • Documentation

    • Updated module README to include the new input and output.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 066ced04-bd2a-4435-a2a8-cb13949454eb

📥 Commits

Reviewing files that changed from the base of the PR and between c37c41e and fa134cb.

📒 Files selected for processing (5)
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/variables.tf
✅ Files skipped from review due to trivial changes (1)
  • modules/account-iam-resources/README.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • modules/account-iam-resources/variables.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/main.tf

Walkthrough

The modules/account-iam-resources module adds an optional trust_policy_external_id input. Trust policy JSON generation now conditionally includes sts:ExternalId for Installer and Support roles. The module also exposes the external ID through outputs and adds Terraform tests for null, empty, whitespace, and valid values.

Changes

IAM trust policy external ID support

Layer / File(s) Summary
Module input variable and README contract
modules/account-iam-resources/variables.tf, modules/account-iam-resources/README.md
trust_policy_external_id is added with null default and non-empty validation, and the autogenerated README documents the new input/output while removing aws_iam_policy_document.custom_trust_policy from the resource list.
Local state and trust policy JSON generation
modules/account-iam-resources/main.tf
local.trust_policy_external_id is derived from the variable, per-role external_id values are assigned, local.patch_version_list is rebuilt, and trust policy JSON is generated with conditional sts:ExternalId inclusion.
Module wiring and outputs
modules/account-iam-resources/main.tf, modules/account-iam-resources/outputs.tf
The generated trust policy JSON is passed into module.account_iam_role, time_sleep triggers include the external ID, and the module output returns the external ID value.
tftest validation runs
modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
New test runs cover null, empty, whitespace, and non-empty inputs and verify sts:ExternalId presence, omission, and role counts.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested labels: approved, lgtm

Suggested reviewers: BraeTroutman, amandahla

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise, follows the repo's ticket/type format, and accurately summarizes the main change.
Description check ✅ Passed The description covers the issue, related work, behavior before/after, testing steps, proof, and breaking-change status.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Pr Checklist Claims Vs Evidence (Generic) ✅ Passed Checklist items are supported by the diff/PR body; make pre-push-checks is not verifiable from visible context, and no contradictions appear.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

/hold

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Hi @michaelryanmcneill. Thanks for your PR.

I'm waiting for a terraform-redhat member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

Working on additional manual testing before submitting for review.

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
modules/account-iam-resources/README.md (1)

1-85: ⚠️ Potential issue | 🟠 Major

Add/update *.tftest.hcl coverage for trust_policy_external_id behavior in modules/account-iam-resources — the module contains no *.tftest.hcl (and no tests/ directory), so the new trust-policy condition logic (external ID present vs null/empty, and ensuring Worker/ControlPlane roles never get the condition) is currently untested.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/account-iam-resources/README.md` around lines 1 - 85, The repo is
missing tftest coverage for the new trust policy external ID behavior in
modules/account-iam-resources; add a *.tftest.hcl (or tests/ directory) that
exercises the input trust_policy_external_id with three scenarios: (1)
null/empty external ID -> ensure the aws_iam_policy_document/custom_trust_policy
does not include the ExternalId condition, (2) non-empty external ID -> ensure
the ExternalId condition is present in the custom_trust_policy for
installer/support roles, and (3) verify Worker and ControlPlane role policy
documents (the IAM roles produced by module account_iam_role / aws_iam_role
resources) never include the ExternalId condition regardless of
trust_policy_external_id; reference the module input trust_policy_external_id,
data.aws_iam_policy_document.custom_trust_policy, and the account_iam_role/role
resources to assert the expected policy document contents.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@modules/account-iam-resources/README.md`:
- Around line 1-85: The repo is missing tftest coverage for the new trust policy
external ID behavior in modules/account-iam-resources; add a *.tftest.hcl (or
tests/ directory) that exercises the input trust_policy_external_id with three
scenarios: (1) null/empty external ID -> ensure the
aws_iam_policy_document/custom_trust_policy does not include the ExternalId
condition, (2) non-empty external ID -> ensure the ExternalId condition is
present in the custom_trust_policy for installer/support roles, and (3) verify
Worker and ControlPlane role policy documents (the IAM roles produced by module
account_iam_role / aws_iam_role resources) never include the ExternalId
condition regardless of trust_policy_external_id; reference the module input
trust_policy_external_id, data.aws_iam_policy_document.custom_trust_policy, and
the account_iam_role/role resources to assert the expected policy document
contents.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b015f861-fc47-42e7-ad04-d7480f2d76c0

📥 Commits

Reviewing files that changed from the base of the PR and between 7ddac04 and 036f669.

📒 Files selected for processing (4)
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/variables.tf

@olucasfreitas

Copy link
Copy Markdown
Contributor

/ok-to-test

@olucasfreitas

Copy link
Copy Markdown
Contributor

/ok-to-test

@michaelryanmcneill michaelryanmcneill force-pushed the ROSA-786 branch 2 times, most recently from 39c90e6 to 772571d Compare June 11, 2026 18:19
@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

Test results:

==> Verifying IAM trust policies for prefix r786-manual-set (scenario=set)
PASS: Installer has sts:ExternalId=test-external-id-12345
PASS: Support has sts:ExternalId=test-external-id-12345
PASS: Worker has no sts:ExternalId
PASS: ControlPlane has no sts:ExternalId
PASS: Worker trusts ec2.amazonaws.com
PASS: ControlPlane trusts ec2.amazonaws.com
PASS: Module output trust_policy_external_id=test-external-id-12345

Installer trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "test-external-id-12345"
        }
      }
    }
  ]
}
Support trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Technical-Support-14540493"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "test-external-id-12345"
        }
      }
    }
  ]
}

==> Verifying IAM trust policies for prefix r786-manual-none (scenario=none)
PASS: Installer has no sts:ExternalId
PASS: Support has no sts:ExternalId
PASS: Worker has no sts:ExternalId
PASS: ControlPlane has no sts:ExternalId
PASS: Worker trusts ec2.amazonaws.com
PASS: ControlPlane trusts ec2.amazonaws.com
PASS: Module output trust_policy_external_id unset

Installer trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Support trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Technical-Support-14540493"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

==> Verifying IAM trust policies for prefix r786-manual-empty (scenario=empty)
PASS: Installer has no sts:ExternalId
PASS: Support has no sts:ExternalId
PASS: Worker has no sts:ExternalId
PASS: ControlPlane has no sts:ExternalId
PASS: Worker trusts ec2.amazonaws.com
PASS: ControlPlane trusts ec2.amazonaws.com
PASS: Module output trust_policy_external_id unset

Installer trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Support trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::710019948333:role/RH-Technical-Support-14540493"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

/unhold

@olucasfreitas

Copy link
Copy Markdown
Contributor

/ok-to-test

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

Ready for final review @olucasfreitas, thanks!

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@michaelryanmcneill

michaelryanmcneill commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl (1)

105-244: ⚡ Quick win

Add explicit assertions for output.trust_policy_external_id across scenarios.

The new feature contract includes output normalization (null/"" -> unset, non-empty -> preserved), but this test file currently validates only output.custom_trust_policy_json. Please assert the output value in each run to prevent regressions in time_sleep trigger wiring/output exposure.

As per coding guidelines, “if behavior changes and modules//tests/.tftest.hcl exists (or needs updates), run terraform test” and keep module behavior coverage updated, including changed interfaces/outputs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl`
around lines 105 - 244, Update each test run to explicitly assert the normalized
output.trust_policy_external_id value: in runs
"null_external_id_omits_condition" assert output.trust_policy_external_id is
null (or equals null-equivalent); in "empty_external_id_omits_condition" assert
it is an empty string or null-equivalent per normalization; in
"non_empty_external_id_adds_condition_to_installer_and_support" assert
output.trust_policy_external_id equals "test-external-id-12345"; and in
"worker_and_control_plane_never_include_external_id" assert
output.trust_policy_external_id equals "test-external-id-12345" as well. Use the
existing run blocks and the output name trust_policy_external_id to add these
assertions so the tests cover the output normalization contract and prevent
regressions in time_sleep/output wiring.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/account-iam-resources/variables.tf`:
- Around line 33-37: The variable trust_policy_external_id currently accepts
whitespace-only strings as valid; add a validation block to normalize/reject
such inputs by ensuring the value is either null or contains non-whitespace
characters. Inside the trust_policy_external_id variable block add: validation {
condition = var == null || length(trim(var)) > 0 message =
"trust_policy_external_id must be null or a non-empty, non-whitespace string" }
so whitespace-only values are rejected at the variable boundary.
- Around line 33-37: The variable trust_policy_external_id is not marked
sensitive; update the variable block for trust_policy_external_id to include
sensitive = true so Terraform redacts it in CLI output and logs; locate the
variable "trust_policy_external_id" in
modules/account-iam-resources/variables.tf and add the sensitive = true
attribute inside that variable declaration.

---

Nitpick comments:
In `@modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl`:
- Around line 105-244: Update each test run to explicitly assert the normalized
output.trust_policy_external_id value: in runs
"null_external_id_omits_condition" assert output.trust_policy_external_id is
null (or equals null-equivalent); in "empty_external_id_omits_condition" assert
it is an empty string or null-equivalent per normalization; in
"non_empty_external_id_adds_condition_to_installer_and_support" assert
output.trust_policy_external_id equals "test-external-id-12345"; and in
"worker_and_control_plane_never_include_external_id" assert
output.trust_policy_external_id equals "test-external-id-12345" as well. Use the
existing run blocks and the output name trust_policy_external_id to add these
assertions so the tests cover the output normalization contract and prevent
regressions in time_sleep/output wiring.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e548fa5b-b63b-46b2-b286-a551cdee22ff

📥 Commits

Reviewing files that changed from the base of the PR and between 39c90e6 and 645a60b.

📒 Files selected for processing (5)
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/variables.tf
🚧 Files skipped from review as they are similar to previous changes (3)
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/README.md

Comment thread modules/account-iam-resources/variables.tf
@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (3)
modules/ocm-role/main.tf (1)

5-5: 💤 Low value

Redundant coalesce on variable with non-null default.

var.path has a default value of "/" (variables.tf line 33), so coalesce(var.path, "/") will always return var.path and never the fallback. Remove the coalesce wrapper.

♻️ Simplify to direct assignment
-  path = coalesce(var.path, "/")
+  path = var.path
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/ocm-role/main.tf` at line 5, The assignment uses coalesce(var.path,
"/") which is redundant because var.path has a non-null default of "/" in
variables.tf; replace the coalesce expression with a direct use of var.path
(update the assignment that sets path = coalesce(var.path, "/") to path =
var.path) to simplify the code and remove the unnecessary coalesce call.
modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl (2)

105-258: 💤 Low value

Consider documenting the array index mapping for custom_trust_policy_json.

The tests assume custom_trust_policy_json[0] is Installer, [1] is Support, [2] is Worker, and [3] is ControlPlane. While this ordering is likely stable (based on the for_each iteration in main.tf), adding a brief comment above the test runs explaining this mapping would improve test maintainability.

📝 Suggested comment
 variables {
   account_role_prefix = "tf-test-acc"
   openshift_version   = "4.14.24"
 }
+
+# custom_trust_policy_json output array indices:
+# [0] = Installer, [1] = Support, [2] = Worker, [3] = ControlPlane

 run "null_external_id_omits_condition" {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl`
around lines 105 - 258, Add a short comment above the test runs documenting the
index-to-role mapping for output.custom_trust_policy_json (0=Installer,
1=Support, 2=Worker, 3=ControlPlane) so future readers understand the ordering
assumed by the assertions; modify the tests file to include that single-line
comment near the top of the run blocks (before the first run
"null_external_id_omits_condition") referencing custom_trust_policy_json to make
the mapping explicit and maintainable.

105-258: ⚡ Quick win

Consider adding test coverage for the trust_policy_external_id output.

The test suite thoroughly validates custom_trust_policy_json behavior but does not verify that the trust_policy_external_id output correctly reflects the input value (or normalized null for empty strings). Adding assertions on this output would complete the test coverage.

💡 Example assertion to add

In the null_external_id_omits_condition run:

  assert {
    condition     = !strcontains(output.custom_trust_policy_json[1], "sts:ExternalId")
    error_message = "Support trust policy must not include sts:ExternalId when trust_policy_external_id is null."
  }
+
+ assert {
+   condition     = output.trust_policy_external_id == null
+   error_message = "trust_policy_external_id output must be null when input is null."
+ }

In the non_empty_external_id_adds_condition_to_installer_and_support run:

  assert {
    condition = strcontains(
      output.custom_trust_policy_json[1],
      "sts:ExternalId",
    )
    error_message = "Support trust policy must include sts:ExternalId condition key."
  }
+
+ assert {
+   condition     = output.trust_policy_external_id == "test-external-id-12345"
+   error_message = "trust_policy_external_id output must match the configured value."
+ }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl`
around lines 105 - 258, Add assertions that verify the trust_policy_external_id
output is correctly populated/normalized: in the
"null_external_id_omits_condition" run add an assert that
output.trust_policy_external_id == null (or not set) to confirm null input
yields null output; in the
"non_empty_external_id_adds_condition_to_installer_and_support" run add an
assert that output.trust_policy_external_id == "test-external-id-12345" to
confirm the output mirrors the provided value; reference the variable
var.trust_policy_external_id and the output output.trust_policy_external_id when
adding these checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/ocm-role/versions.tf`:
- Line 5: Update the Terraform constraint in this example by changing the
versions.tf required_version setting: replace the current required_version value
with ">= 1.5.7" so the example matches the repo root terraform.required_version
minimum; ensure the single required_version attribute in the versions.tf file is
updated accordingly.

In `@hack/install-release-tool.sh`:
- Around line 148-155: The checkov case in hack/install-release-tool.sh
currently only maps darwin_amd64 and windows_amd64 (see the case patterns
darwin_amd64/windows_amd64 and the asset variable assignment) so darwin_arm64
falls to the default error path; either add a darwin_arm64) branch that sets
asset="checkov_darwin_ARM64.zip" (or the correct published filename) and add the
corresponding SHA256 line to hack/checksums/checkov-3.2.529.sha256sums, or
explicitly gate/document the lack of darwin_arm64 support at the caller level so
the script doesn't hard-fail (choose the mapping+checksum fix if you intend to
support Apple Silicon).

In `@modules/ocm-role/main.tf`:
- Around line 40-113: This module currently depends on the HCP-only data source
data.rhcs_hcp_policies.all_policies (used by
aws_iam_role.ocm_role.assume_role_policy and aws_iam_policy.*.policy), which
violates the Classic-only repo boundary; change the module to accept policies
via input variables (e.g., var.assume_role_policy,
var.standard_permission_policy, var.admin_permission_policy,
var.no_console_permission_policy) and replace all references to
data.rhcs_hcp_policies.all_policies in aws_iam_role.ocm_role and
aws_iam_policy.standard_permission_policy / ocm_admin_permission_policy /
ocm_no_console_permission_policy with those variables (or alternatively move
this module into the terraform-rhcs-rosa-hcp repo if HCP-specific logic is
required). Ensure variable defaults/validation are added and remove the
rhcs_hcp_policies data source usage.

---

Nitpick comments:
In `@modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl`:
- Around line 105-258: Add a short comment above the test runs documenting the
index-to-role mapping for output.custom_trust_policy_json (0=Installer,
1=Support, 2=Worker, 3=ControlPlane) so future readers understand the ordering
assumed by the assertions; modify the tests file to include that single-line
comment near the top of the run blocks (before the first run
"null_external_id_omits_condition") referencing custom_trust_policy_json to make
the mapping explicit and maintainable.
- Around line 105-258: Add assertions that verify the trust_policy_external_id
output is correctly populated/normalized: in the
"null_external_id_omits_condition" run add an assert that
output.trust_policy_external_id == null (or not set) to confirm null input
yields null output; in the
"non_empty_external_id_adds_condition_to_installer_and_support" run add an
assert that output.trust_policy_external_id == "test-external-id-12345" to
confirm the output mirrors the provided value; reference the variable
var.trust_policy_external_id and the output output.trust_policy_external_id when
adding these checks.

In `@modules/ocm-role/main.tf`:
- Line 5: The assignment uses coalesce(var.path, "/") which is redundant because
var.path has a non-null default of "/" in variables.tf; replace the coalesce
expression with a direct use of var.path (update the assignment that sets path =
coalesce(var.path, "/") to path = var.path) to simplify the code and remove the
unnecessary coalesce call.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2f18a2c6-7003-45dd-b363-3f7d064a4a5a

📥 Commits

Reviewing files that changed from the base of the PR and between 645a60b and e2dffdc.

📒 Files selected for processing (20)
  • Dockerfile
  • README.md
  • examples/ocm-role/README.md
  • examples/ocm-role/main.tf
  • examples/ocm-role/outputs.tf
  • examples/ocm-role/variables.tf
  • examples/ocm-role/versions.tf
  • hack/install-release-tool.sh
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/variables.tf
  • modules/ocm-role/README.md
  • modules/ocm-role/main.tf
  • modules/ocm-role/outputs.tf
  • modules/ocm-role/tests/ocm_role.tftest.hcl
  • modules/ocm-role/variables.tf
  • modules/ocm-role/versions.tf
  • versions.tf
✅ Files skipped from review due to trivial changes (5)
  • modules/ocm-role/versions.tf
  • Dockerfile
  • modules/ocm-role/README.md
  • examples/ocm-role/README.md
  • README.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • modules/account-iam-resources/variables.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf

Comment thread examples/ocm-role/versions.tf
Comment thread hack/install-release-tool.sh
Comment thread modules/ocm-role/main.tf Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
modules/account-iam-resources/README.md (1)

31-31: ⚠️ Potential issue | 🟠 Major

Update the module's provider constraint to match the root versions.tf.

The modules/account-iam-resources/versions.tf specifies rhcs >= 1.6.2, but the root versions.tf requires >= 1.7.7. The README correctly reflects the module constraint, but the module itself must be updated to the root floor. Update modules/account-iam-resources/versions.tf to rhcs >= 1.7.7.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/account-iam-resources/README.md` at line 31, Update the rhcs provider
version constraint in modules/account-iam-resources/versions.tf from >= 1.6.2 to
>= 1.7.7 to match the root versions.tf constraint. Locate the rhcs requirement
block in the module's versions.tf file and change the required_version value to
>= 1.7.7 so the module aligns with the root floor version requirement.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@modules/account-iam-resources/README.md`:
- Line 31: Update the rhcs provider version constraint in
modules/account-iam-resources/versions.tf from >= 1.6.2 to >= 1.7.7 to match the
root versions.tf constraint. Locate the rhcs requirement block in the module's
versions.tf file and change the required_version value to >= 1.7.7 so the module
aligns with the root floor version requirement.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 12ab0430-4afe-496f-ae3e-b75e547d981a

📥 Commits

Reviewing files that changed from the base of the PR and between e2dffdc and e4e659b.

📒 Files selected for processing (20)
  • Dockerfile
  • README.md
  • examples/ocm-role/README.md
  • examples/ocm-role/main.tf
  • examples/ocm-role/outputs.tf
  • examples/ocm-role/variables.tf
  • examples/ocm-role/versions.tf
  • hack/install-release-tool.sh
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/variables.tf
  • modules/ocm-role/README.md
  • modules/ocm-role/main.tf
  • modules/ocm-role/outputs.tf
  • modules/ocm-role/tests/ocm_role.tftest.hcl
  • modules/ocm-role/variables.tf
  • modules/ocm-role/versions.tf
  • versions.tf
✅ Files skipped from review due to trivial changes (8)
  • examples/ocm-role/outputs.tf
  • versions.tf
  • README.md
  • modules/ocm-role/outputs.tf
  • Dockerfile
  • examples/ocm-role/versions.tf
  • examples/ocm-role/README.md
  • modules/ocm-role/README.md
🚧 Files skipped from review as they are similar to previous changes (10)
  • examples/ocm-role/main.tf
  • examples/ocm-role/variables.tf
  • modules/ocm-role/versions.tf
  • modules/ocm-role/variables.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/ocm-role/main.tf
  • modules/ocm-role/tests/ocm_role.tftest.hcl
  • hack/install-release-tool.sh
  • modules/account-iam-resources/main.tf

@michaelryanmcneill

Copy link
Copy Markdown
Contributor Author

@coderabbitai resume

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
✅ Action performed

Reviews resumed.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/account-iam-resources/outputs.tf`:
- Around line 24-32: The outputs trust_policy_external_id and
custom_trust_policy_json contain sensitive security material including
sts:ExternalId and trust policy details that should not appear in plain text
during terraform show, logs, or debug operations. Mark both output blocks as
sensitive by adding the sensitive = true attribute to each one to comply with
security guardrails and prevent exposure of this sensitive trust-policy
information.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2fa5ff84-faa0-4787-b396-f42ef983df54

📥 Commits

Reviewing files that changed from the base of the PR and between e2dffdc and c37c41e.

📒 Files selected for processing (5)
  • modules/account-iam-resources/README.md
  • modules/account-iam-resources/main.tf
  • modules/account-iam-resources/outputs.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/variables.tf
🚧 Files skipped from review as they are similar to previous changes (3)
  • modules/account-iam-resources/variables.tf
  • modules/account-iam-resources/tests/trust_policy_external_id.tftest.hcl
  • modules/account-iam-resources/main.tf

Comment thread modules/account-iam-resources/outputs.tf Outdated
Comment thread modules/account-iam-resources/main.tf Outdated
Comment thread modules/account-iam-resources/outputs.tf Outdated
Comment thread modules/account-iam-resources/main.tf
…ources

Inject optional sts:ExternalId into installer and support account role trust
policies, expose module input/output, and regenerate module documentation.

Part of ROSA-786.

Signed-off-by: michaelryanmcneill <michael@michaelryanmcneill.com>
@olucasfreitas

Copy link
Copy Markdown
Contributor

/lgtm
/approve
/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@olucasfreitas: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • ci/prow/security

Only the following failed contexts/checkruns were expected:

  • CodeRabbit
  • ci/prow/images
  • ci/prow/pre-push-checks
  • ci/prow/rosa-classic-private-with-autoscaler-unmanaged-oidc-byo-vpc
  • ci/prow/rosa-classic-public
  • ci/prow/security-check
  • pull-ci-terraform-redhat-terraform-rhcs-rosa-classic-main-images
  • pull-ci-terraform-redhat-terraform-rhcs-rosa-classic-main-pre-push-checks
  • pull-ci-terraform-redhat-terraform-rhcs-rosa-classic-main-rosa-classic-private-with-autoscaler-unmanaged-oidc-byo-vpc
  • pull-ci-terraform-redhat-terraform-rhcs-rosa-classic-main-rosa-classic-public
  • pull-ci-terraform-redhat-terraform-rhcs-rosa-classic-main-security-check
  • tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/lgtm
/approve
/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: michaelryanmcneill, olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 2, 2026
@olucasfreitas

Copy link
Copy Markdown
Contributor

/ok-to-test

@openshift-merge-bot openshift-merge-bot Bot merged commit 98dbbe4 into terraform-redhat:main Jul 2, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants