Commit 97cbc80

ROSAENG-6808 | feat: add OCM role submodule with required ROSA CLI tags
Add modules/ocm-role/ that creates the AWS IAM OCM role with the tags the ROSA CLI applies (red-hat-managed, rosa_role_prefix, rosa_role_type, rosa_environment, and conditional rosa_admin_role). Permission policies are read from the rhcs_hcp_policies data source using the policy IDs confirmed in terraform-provider-rhcs PR #1156. The submodule outputs role_arn for composition with the provider's rhcs_rosa_ocm_role_link resource. An example and tests are included.

Signed-off-by: lufreita <lufreita@redhat.com>
1 parent 70b5862 commit 97cbc80

11 files changed

Lines changed: 540 additions & 0 deletions


examples/ocm-role/README.md

Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
# ocm-role example
2+
3+
Creates an OCM IAM role with the required ROSA CLI-parity tags and links it to the current OCM organization.
4+
5+
<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
6+
## Requirements
7+
8+
| Name | Version |
9+
| ---- | ------- |
10+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
11+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
12+
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.6 |
13+
14+
## Providers
15+
16+
| Name | Version |
17+
| ---- | ------- |
18+
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.6 |
19+
20+
## Modules
21+
22+
| Name | Source | Version |
23+
| ---- | ------ | ------- |
24+
| <a name="module_ocm_role"></a> [ocm\_role](#module\_ocm\_role) | ../../modules/ocm-role | n/a |
25+
26+
## Resources
27+
28+
| Name | Type |
29+
| ---- | ---- |
30+
| [rhcs_rosa_ocm_role_link.link](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/resources/rosa_ocm_role_link) | resource |
31+
32+
## Inputs
33+
34+
| Name | Description | Type | Default | Required |
35+
| ---- | ----------- | ---- | ------- | :------: |
36+
| <a name="input_admin"></a> [admin](#input\_admin) | Enable admin capabilities for the OCM role. | `bool` | `false` | no |
37+
| <a name="input_ocm_organization_id"></a> [ocm\_organization\_id](#input\_ocm\_organization\_id) | The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy. | `string` | n/a | yes |
38+
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. | `string` | `"ManagedOpenShift"` | no |
39+
40+
## Outputs
41+
42+
| Name | Description |
43+
| ---- | ----------- |
44+
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. |
45+
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
46+
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
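Review bot: the opening sentence says the role is linked "to the current OCM organization", but the trust policy's sts:ExternalId is whatever the caller passes as ocm_organization_id, while rhcs_rosa_ocm_role_link links the role under the organization the rhcs provider is authenticated to. Document that these must be the same organization: if they differ, the link is created but the role's trust policy will only allow AssumeRole with the other organization's external ID. The Providers table also lists only rhcs even though the module creates IAM resources, so a sentence that the aws provider must be configured for this example as well would save readers a failed apply.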

examples/ocm-role/main.tf

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
############################
2+
# OCM Role
3+
############################
4+
module "ocm_role" {
5+
source = "../../modules/ocm-role"
6+
7+
ocm_role_prefix = var.ocm_role_prefix
8+
ocm_organization_id = var.ocm_organization_id
9+
admin = var.admin
10+
}
11+
12+
############################
13+
# Link OCM Role to OCM org
14+
############################
15+
resource "rhcs_rosa_ocm_role_link" "link" {
16+
role_arn = module.ocm_role.role_arn
17+
}
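Review bot: the module call passes only ocm_role_prefix, ocm_organization_id and admin, so the example always gets the module's ocm_environment default and offers no way to set path, permissions_boundary or tags. Since rosa_environment is one of the tags the README says ROSA tooling uses to recognize the role, a staging or integration user who copies this example ends up with a role tagged production. Consider exposing ocm_environment as an example variable (default left at production) and passing var.tags through, so the example mirrors the module's interface.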

examples/ocm-role/outputs.tf

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
output "role_arn" {
2+
value = module.ocm_role.role_arn
3+
description = "The ARN of the created OCM IAM role."
4+
}
5+
6+
output "role_name" {
7+
value = module.ocm_role.role_name
8+
description = "The name of the created OCM IAM role."
9+
}

examples/ocm-role/variables.tf

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
variable "ocm_role_prefix" {
2+
type = string
3+
default = "ManagedOpenShift"
4+
description = "User-defined prefix for the OCM IAM role name."
5+
}
6+
7+
variable "ocm_organization_id" {
8+
type = string
9+
description = "The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy."
10+
}
11+
12+
variable "admin" {
13+
type = bool
14+
default = false
15+
description = "Enable admin capabilities for the OCM role."
16+
}
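Review bot: ocm_organization_id goes straight into the trust policy's StringEquals condition on sts:ExternalId with no validation, so an empty string or a stray space is accepted at plan time and only shows up later as a role OCM cannot assume. Add a validation block, for example `condition = length(trimspace(var.ocm_organization_id)) > 0` with an error_message, here or preferably in the module's own variables.tf so every caller benefits.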

examples/ocm-role/versions.tf

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
terraform {
2+
required_version = ">= 1.0"
3+
4+
required_providers {
5+
aws = {
6+
source = "hashicorp/aws"
7+
version = ">= 6.0"
8+
}
9+
rhcs = {
10+
source = "terraform-redhat/rhcs"
11+
version = ">= 1.7.6"
12+
}
13+
}
14+
}

modules/ocm-role/README.md

Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
# ocm-role
2+
3+
## Introduction
4+
5+
This Terraform sub-module creates the AWS IAM OCM role with the tags required by the ROSA CLI and OCM. The role is used to grant OpenShift Cluster Manager permissions in the customer's AWS account.
6+
7+
The module creates the IAM role, attaches the appropriate permission policy (standard or admin), and applies the required tags so the role is recognized by ROSA tooling. The OCM-side link is handled separately via the `rhcs_rosa_ocm_role_link` provider resource.
8+
9+
For more information, see [Understanding OCM role and User role for ROSA](https://access.redhat.com/articles/6961686).
10+
11+
## Example Usage
12+
13+
```
14+
module "ocm_role" {
15+
source = "terraform-redhat/rosa-hcp/rhcs//modules/ocm-role"
16+
version = "1.7.6"
17+
18+
ocm_role_prefix = "ManagedOpenShift"
19+
ocm_organization_id = "1abc2defg3hijk4l5mn6op7qr8s"
20+
}
21+
22+
resource "rhcs_rosa_ocm_role_link" "link" {
23+
role_arn = module.ocm_role.role_arn
24+
}
25+
```
26+
27+
<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
28+
## Requirements
29+
30+
| Name | Version |
31+
| ---- | ------- |
32+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
33+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
34+
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.6 |
35+
36+
## Providers
37+
38+
| Name | Version |
39+
| ---- | ------- |
40+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
41+
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.6 |
42+
43+
## Modules
44+
45+
No modules.
46+
47+
## Resources
48+
49+
| Name | Type |
50+
| ---- | ---- |
51+
| [aws_iam_policy.ocm_admin_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
52+
| [aws_iam_policy.ocm_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
53+
| [aws_iam_role.ocm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
54+
| [aws_iam_role_policy_attachment.ocm_admin_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
55+
| [aws_iam_role_policy_attachment.ocm_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
56+
| [aws_iam_policy_document.ocm_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
57+
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
58+
| [rhcs_hcp_policies.all_policies](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/hcp_policies) | data source |
59+
| [rhcs_info.current](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/info) | data source |
60+
61+
## Inputs
62+
63+
| Name | Description | Type | Default | Required |
64+
| ---- | ----------- | ---- | ------- | :------: |
65+
| <a name="input_admin"></a> [admin](#input\_admin) | Enable admin capabilities for the OCM role. When true the admin permission policy is attached and the role is tagged with rosa\_admin\_role=true. | `bool` | `false` | no |
66+
| <a name="input_ocm_environment"></a> [ocm\_environment](#input\_ocm\_environment) | OCM environment for the rosa\_environment tag (production, staging, or integration). | `string` | `"production"` | no |
67+
| <a name="input_ocm_organization_id"></a> [ocm\_organization\_id](#input\_ocm\_organization\_id) | The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy. | `string` | n/a | yes |
68+
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. The final role name is `<prefix>-OCM-Role`. | `string` | n/a | yes |
69+
| <a name="input_path"></a> [path](#input\_path) | (Optional) The IAM path for the OCM role and its policies. Must begin and end with '/'. | `string` | `"/"` | no |
70+
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy used to set the permissions boundary for the OCM IAM role. | `string` | `""` | no |
71+
| <a name="input_tags"></a> [tags](#input\_tags) | Additional AWS resource tags to merge into the OCM role and its policies. | `map(string)` | `null` | no |
72+
73+
## Outputs
74+
75+
| Name | Description |
76+
| ---- | ----------- |
77+
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. Pass this to rhcs\_rosa\_ocm\_role\_link to complete the OCM-side link. |
78+
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
79+
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
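Review bot: the opening fence of the Example Usage block has no language tag; use ```hcl so the snippet is highlighted and treated as code by the docs tooling. The example also calls the module with only ocm_role_prefix and ocm_organization_id, so it is worth one sentence noting that ocm_environment must match the OCM environment the rhcs provider is pointed at, because that value becomes the rosa_environment tag the tooling checks.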

modules/ocm-role/main.tf

Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
locals {
2+
path = coalesce(var.path, "/")
3+
role_name = substr("${var.ocm_role_prefix}-OCM-Role", 0, 64)
4+
5+
base_tags = merge(var.tags, {
6+
red-hat-managed = true
7+
rosa_role_prefix = var.ocm_role_prefix
8+
rosa_role_type = "ocm"
9+
rosa_environment = var.ocm_environment
10+
})
11+
12+
role_tags = var.admin ? merge(local.base_tags, {
13+
rosa_admin_role = true
14+
}) : local.base_tags
15+
}
16+
17+
data "aws_partition" "current" {}
18+
19+
data "rhcs_hcp_policies" "all_policies" {}
20+
21+
data "rhcs_info" "current" {}
22+
23+
data "aws_iam_policy_document" "ocm_trust_policy" {
24+
statement {
25+
effect = "Allow"
26+
actions = ["sts:AssumeRole"]
27+
principals {
28+
type = "AWS"
29+
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.rhcs_info.current.ocm_aws_account_id}:role/RH-Managed-OpenShift-Installer"]
30+
}
31+
condition {
32+
test = "StringEquals"
33+
variable = "sts:ExternalId"
34+
values = [var.ocm_organization_id]
35+
}
36+
}
37+
}
38+
39+
resource "aws_iam_role" "ocm_role" {
40+
name = local.role_name
41+
permissions_boundary = var.permissions_boundary
42+
path = local.path
43+
assume_role_policy = data.aws_iam_policy_document.ocm_trust_policy.json
44+
45+
tags = local.role_tags
46+
}
47+
48+
resource "aws_iam_policy" "ocm_permission_policy" {
49+
name = substr("${local.role_name}-Policy", 0, 128)
50+
path = local.path
51+
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies["sts_ocm_permission_policy"]
52+
53+
tags = local.base_tags
54+
}
55+
56+
resource "aws_iam_role_policy_attachment" "ocm_permission_policy_attachment" {
57+
role = aws_iam_role.ocm_role.name
58+
policy_arn = aws_iam_policy.ocm_permission_policy.arn
59+
}
60+
61+
resource "aws_iam_policy" "ocm_admin_permission_policy" {
62+
count = var.admin ? 1 : 0
63+
64+
name = substr("${local.role_name}-Admin-Policy", 0, 128)
65+
path = local.path
66+
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies["sts_ocm_admin_permission_policy"]
67+
68+
tags = merge(local.base_tags, {
69+
rosa_admin_role = true
70+
})
71+
}
72+
73+
resource "aws_iam_role_policy_attachment" "ocm_admin_permission_policy_attachment" {
74+
count = var.admin ? 1 : 0
75+
76+
role = aws_iam_role.ocm_role.name
77+
policy_arn = aws_iam_policy.ocm_admin_permission_policy[0].arn
78+
}
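Review bot: `role_name = substr("${var.ocm_role_prefix}-OCM-Role", 0, 64)` truncates silently, so any prefix longer than 55 characters loses part or all of the `-OCM-Role` suffix while the README still promises `<prefix>-OCM-Role` and the rosa_role_prefix tag keeps the full prefix. Prefer failing early with a validation on ocm_role_prefix (length(var.ocm_role_prefix) <= 55, or whatever limit the ROSA CLI enforces) instead of truncating; with the role name bounded at 64 characters the two substr(..., 128) calls on the policy names become redundant, since even `${local.role_name}-Admin-Policy` is at most 77 characters. As a style point, the boolean tag values (`red-hat-managed = true`, `rosa_admin_role = true`) rely on Terraform converting bool to the string "true" for the map(string) tags argument; writing them as "true" makes the intended tag value explicit.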

modules/ocm-role/outputs.tf

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
output "role_arn" {
2+
value = aws_iam_role.ocm_role.arn
3+
description = "The ARN of the created OCM IAM role. Pass this to rhcs_rosa_ocm_role_link to complete the OCM-side link."
4+
}
5+
6+
output "role_name" {
7+
value = aws_iam_role.ocm_role.name
8+
description = "The name of the created OCM IAM role."
9+
}
