Commit 569daf9

ROSAENG-6808 | feat: add OCM role submodule with required ROSA CLI tags
Add modules/ocm-role/ that creates the AWS IAM OCM role with the tags the ROSA CLI applies (red-hat-managed, rosa_role_prefix, rosa_role_type, rosa_environment, and conditional rosa_admin_role). Permission policies are read from the rhcs_hcp_policies data source using the policy IDs confirmed in terraform-provider-rhcs PR #1156. The submodule outputs role_arn for composition with the provider's rhcs_rosa_ocm_role_link resource. An example and tests are included.

Signed-off-by: lufreita <lufreita@redhat.com>
1 parent 70b5862 commit 569daf9

13 files changed

Lines changed: 570 additions & 3 deletions

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -77,15 +77,15 @@ We recommend you install the following CLI tools:
7777
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
7878
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.44.0 |
7979
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.4 |
80-
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.6 |
80+
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.8.0 |
8181

8282
## Providers
8383

8484
| Name | Version |
8585
| ---- | ------- |
8686
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.44.0 |
8787
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.4 |
88-
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.6 |
88+
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.8.0 |
8989

9090
## Modules
9191

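Review bot: the rhcs bump from >= 1.7.6 to >= 1.8.0 is consistent between the requirements row and the providers row, but these tables are generated by terraform-docs, so the matching constraint in the root versions.tf needs the same bump or the next docs run reverts both rows; that file is not in the visible diff. The commit message ties the new floor to the ocm_role_policies IDs from terraform-provider-rhcs PR #1156, so a one-line note on why 1.8.0 is now required would help whoever reads the changelog next.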
examples/ocm-role/README.md

Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
# ocm-role example
2+
3+
Creates an OCM IAM role with the required ROSA CLI-parity tags and links it to the current OCM organization.
4+
5+
<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
6+
## Requirements
7+
8+
| Name | Version |
9+
| ---- | ------- |
10+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
11+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
12+
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.8.0 |
13+
14+
## Providers
15+
16+
| Name | Version |
17+
| ---- | ------- |
18+
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.8.0 |
19+
20+
## Modules
21+
22+
| Name | Source | Version |
23+
| ---- | ------ | ------- |
24+
| <a name="module_ocm_role"></a> [ocm\_role](#module\_ocm\_role) | ../../modules/ocm-role | n/a |
25+
26+
## Resources
27+
28+
| Name | Type |
29+
| ---- | ---- |
30+
| [rhcs_rosa_ocm_role_link.link](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/resources/rosa_ocm_role_link) | resource |
31+
32+
## Inputs
33+
34+
| Name | Description | Type | Default | Required |
35+
| ---- | ----------- | ---- | ------- | :------: |
36+
| <a name="input_admin"></a> [admin](#input\_admin) | Enable admin capabilities for the OCM role. | `bool` | `false` | no |
37+
| <a name="input_ocm_organization_id"></a> [ocm\_organization\_id](#input\_ocm\_organization\_id) | The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy. | `string` | n/a | yes |
38+
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. | `string` | `"ManagedOpenShift"` | no |
39+
40+
## Outputs
41+
42+
| Name | Description |
43+
| ---- | ----------- |
44+
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. |
45+
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
46+
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
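Review bot: the inputs table marks ocm_organization_id as required and says it becomes the sts:ExternalId condition, but gives no hint where a user finds that value; a wrong ID yields a role no OCM principal can assume, and that only surfaces at link or cluster-create time, so a pointer to the source of the organization external ID belongs in the description. The example also does not expose ocm_environment, so every role it creates is tagged rosa_environment=production; say so in the intro line, or add the variable, so staging and integration users are not mis-tagged.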

examples/ocm-role/main.tf

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
############################
5+
# OCM Role
6+
############################
7+
module "ocm_role" {
8+
source = "../../modules/ocm-role"
9+
10+
ocm_role_prefix = var.ocm_role_prefix
11+
ocm_organization_id = var.ocm_organization_id
12+
admin = var.admin
13+
}
14+
15+
############################
16+
# Link OCM Role to OCM org
17+
############################
18+
resource "rhcs_rosa_ocm_role_link" "link" {
19+
role_arn = module.ocm_role.role_arn
20+
}
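Review bot: rhcs_rosa_ocm_role_link.link depends only on module.ocm_role.role_arn, which resolves as soon as aws_iam_role.ocm_role exists, so the link can run before the module's aws_iam_role_policy_attachment resources have completed; add `depends_on = [module.ocm_role]` to the link resource so the role is registered with OCM only after its permission policies are attached. No provider blocks appear, which is acceptable for an example that relies on environment credentials, but the example README should state that assumption.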

examples/ocm-role/outputs.tf

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
output "role_arn" {
5+
value = module.ocm_role.role_arn
6+
description = "The ARN of the created OCM IAM role."
7+
}
8+
9+
output "role_name" {
10+
value = module.ocm_role.role_name
11+
description = "The name of the created OCM IAM role."
12+
}

examples/ocm-role/variables.tf

Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
variable "ocm_role_prefix" {
5+
type = string
6+
default = "ManagedOpenShift"
7+
description = "User-defined prefix for the OCM IAM role name."
8+
}
9+
10+
variable "ocm_organization_id" {
11+
type = string
12+
description = "The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy."
13+
}
14+
15+
variable "admin" {
16+
type = bool
17+
default = false
18+
description = "Enable admin capabilities for the OCM role."
19+
}
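Review bot: ocm_organization_id has no validation block, so an empty string passes plan and is written verbatim into the trust policy's sts:ExternalId condition; a `validation { condition = length(var.ocm_organization_id) > 0 }` (with a matching error_message) rejects that at plan time. The ocm_role_prefix description here also omits the `<prefix>-OCM-Role` naming that the module README documents; keeping the two descriptions identical avoids drift between example and module.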

examples/ocm-role/versions.tf

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
terraform {
5+
required_version = ">= 1.0"
6+
7+
required_providers {
8+
aws = {
9+
source = "hashicorp/aws"
10+
version = ">= 6.0"
11+
}
12+
rhcs = {
13+
source = "terraform-redhat/rhcs"
14+
version = ">= 1.8.0"
15+
}
16+
}
17+
}
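Review bot: required_version ">= 1.0" and aws ">= 6.0" are looser than the root module's floors of terraform >= 1.5.7 and aws >= 6.44.0 shown in README.md above, while rhcs is pinned at the same >= 1.8.0; either align the example with the root floors or document why the submodule tolerates older versions, otherwise a user pinned between the two only learns of the conflict when composing with the root module.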

modules/ocm-role/README.md

Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
# ocm-role
2+
3+
## Introduction
4+
5+
This Terraform sub-module creates the AWS IAM OCM role with the tags required by the ROSA CLI and OCM. The role is used to grant OpenShift Cluster Manager permissions in the customer's AWS account.
6+
7+
The module creates the IAM role, attaches the appropriate permission policy (standard or admin), and applies the required tags so the role is recognized by ROSA tooling. The OCM-side link is handled separately via the `rhcs_rosa_ocm_role_link` provider resource.
8+
9+
For more information, see [Understanding OCM role and User role for ROSA](https://access.redhat.com/articles/6961686).
10+
11+
## Example Usage
12+
13+
```
14+
module "ocm_role" {
15+
source = "terraform-redhat/rosa-hcp/rhcs//modules/ocm-role"
16+
version = "1.7.6"
17+
18+
ocm_role_prefix = "ManagedOpenShift"
19+
ocm_organization_id = "1abc2defg3hijk4l5mn6op7qr8s"
20+
}
21+
22+
resource "rhcs_rosa_ocm_role_link" "link" {
23+
role_arn = module.ocm_role.role_arn
24+
}
25+
```
26+
27+
<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
28+
## Requirements
29+
30+
| Name | Version |
31+
| ---- | ------- |
32+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
33+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
34+
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.8.0 |
35+
36+
## Providers
37+
38+
| Name | Version |
39+
| ---- | ------- |
40+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
41+
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.8.0 |
42+
43+
## Modules
44+
45+
No modules.
46+
47+
## Resources
48+
49+
| Name | Type |
50+
| ---- | ---- |
51+
| [aws_iam_policy.ocm_admin_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
52+
| [aws_iam_policy.ocm_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
53+
| [aws_iam_role.ocm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
54+
| [aws_iam_role_policy_attachment.ocm_admin_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
55+
| [aws_iam_role_policy_attachment.ocm_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
56+
| [aws_iam_policy_document.ocm_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
57+
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
58+
| [rhcs_hcp_policies.all_policies](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/hcp_policies) | data source |
59+
| [rhcs_info.current](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/info) | data source |
60+
61+
## Inputs
62+
63+
| Name | Description | Type | Default | Required |
64+
| ---- | ----------- | ---- | ------- | :------: |
65+
| <a name="input_admin"></a> [admin](#input\_admin) | Enable admin capabilities for the OCM role. When true the admin permission policy is attached and the role is tagged with rosa\_admin\_role=true. | `bool` | `false` | no |
66+
| <a name="input_ocm_environment"></a> [ocm\_environment](#input\_ocm\_environment) | OCM environment for the rosa\_environment tag (production, staging, or integration). | `string` | `"production"` | no |
67+
| <a name="input_ocm_organization_id"></a> [ocm\_organization\_id](#input\_ocm\_organization\_id) | The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy. | `string` | n/a | yes |
68+
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. The final role name is `<prefix>-OCM-Role`. | `string` | n/a | yes |
69+
| <a name="input_path"></a> [path](#input\_path) | (Optional) The IAM path for the OCM role and its policies. Must begin and end with '/'. | `string` | `"/"` | no |
70+
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy used to set the permissions boundary for the OCM IAM role. | `string` | `""` | no |
71+
| <a name="input_tags"></a> [tags](#input\_tags) | Additional AWS resource tags to merge into the OCM role and its policies. | `map(string)` | `null` | no |
72+
73+
## Outputs
74+
75+
| Name | Description |
76+
| ---- | ----------- |
77+
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. Pass this to rhcs\_rosa\_ocm\_role\_link to complete the OCM-side link. |
78+
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
79+
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
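Review bot: the Example Usage block pins `version = "1.7.6"` for terraform-redhat/rosa-hcp/rhcs//modules/ocm-role, yet this commit is what adds the submodule and raises the rhcs floor to 1.8.0, so a user copying the snippet gets a module release that cannot contain it; use the version this lands in, or drop the pin, and tag the fence as hcl so the snippet renders with highlighting. The snippet leaves `admin` and `ocm_environment` at their defaults, which is fine, but one line stating that the role is then tagged rosa_environment=production and has no admin policy would match the Inputs table below it.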

modules/ocm-role/main.tf

Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,81 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
locals {
5+
path = coalesce(var.path, "/")
6+
role_name = substr("${var.ocm_role_prefix}-OCM-Role", 0, 64)
7+
8+
base_tags = merge(var.tags, {
9+
red-hat-managed = true
10+
rosa_role_prefix = var.ocm_role_prefix
11+
rosa_role_type = "ocm"
12+
rosa_environment = var.ocm_environment
13+
})
14+
15+
role_tags = var.admin ? merge(local.base_tags, {
16+
rosa_admin_role = true
17+
}) : local.base_tags
18+
}
19+
20+
data "aws_partition" "current" {}
21+
22+
data "rhcs_hcp_policies" "all_policies" {}
23+
24+
data "rhcs_info" "current" {}
25+
26+
data "aws_iam_policy_document" "ocm_trust_policy" {
27+
statement {
28+
effect = "Allow"
29+
actions = ["sts:AssumeRole"]
30+
principals {
31+
type = "AWS"
32+
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.rhcs_info.current.ocm_aws_account_id}:role/RH-Managed-OpenShift-Installer"]
33+
}
34+
condition {
35+
test = "StringEquals"
36+
variable = "sts:ExternalId"
37+
values = [var.ocm_organization_id]
38+
}
39+
}
40+
}
41+
42+
resource "aws_iam_role" "ocm_role" {
43+
name = local.role_name
44+
permissions_boundary = var.permissions_boundary
45+
path = local.path
46+
assume_role_policy = data.aws_iam_policy_document.ocm_trust_policy.json
47+
48+
tags = local.role_tags
49+
}
50+
51+
resource "aws_iam_policy" "ocm_permission_policy" {
52+
name = substr("${local.role_name}-Policy", 0, 128)
53+
path = local.path
54+
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies["sts_ocm_permission_policy"]
55+
56+
tags = local.base_tags
57+
}
58+
59+
resource "aws_iam_role_policy_attachment" "ocm_permission_policy_attachment" {
60+
role = aws_iam_role.ocm_role.name
61+
policy_arn = aws_iam_policy.ocm_permission_policy.arn
62+
}
63+
64+
resource "aws_iam_policy" "ocm_admin_permission_policy" {
65+
count = var.admin ? 1 : 0
66+
67+
name = substr("${local.role_name}-Admin-Policy", 0, 128)
68+
path = local.path
69+
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies["sts_ocm_admin_permission_policy"]
70+
71+
tags = merge(local.base_tags, {
72+
rosa_admin_role = true
73+
})
74+
}
75+
76+
resource "aws_iam_role_policy_attachment" "ocm_admin_permission_policy_attachment" {
77+
count = var.admin ? 1 : 0
78+
79+
role = aws_iam_role.ocm_role.name
80+
policy_arn = aws_iam_policy.ocm_admin_permission_policy[0].arn
81+
}
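Review bot: `substr("${var.ocm_role_prefix}-OCM-Role", 0, 64)` silently drops part or all of the `-OCM-Role` suffix once the prefix exceeds 55 characters, leaving a role that ROSA tooling will not recognize by name while the rosa_role_prefix tag still carries the full prefix; prefer a length validation on ocm_role_prefix (the module's variables.tf is not in the visible diff) over silent truncation, and apply the same thinking to the two 128-character policy names. rosa_environment is written straight from var.ocm_environment, so the production/staging/integration set the README documents should be enforced by a validation block rather than trusted. The trust policy itself is scoped well: one principal in the OCM account plus the sts:ExternalId condition is the right confused-deputy mitigation, and merging the module's tags after var.tags means a caller cannot overwrite red-hat-managed or rosa_role_type, which is the intended behaviour and worth a comment.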

modules/ocm-role/outputs.tf

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# Copyright Red Hat
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
output "role_arn" {
5+
value = aws_iam_role.ocm_role.arn
6+
description = "The ARN of the created OCM IAM role. Pass this to rhcs_rosa_ocm_role_link to complete the OCM-side link."
7+
}
8+
9+
output "role_name" {
10+
value = aws_iam_role.ocm_role.name
11+
description = "The name of the created OCM IAM role."
12+
}
