42 changes: 42 additions & 0 deletions examples/ocm-role/README.md
@@ -0,0 +1,42 @@
# ocm-role example

Creates and links an OCM IAM role with the required ROSA CLI-parity tags using the `ocm-role` module.

<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
## Requirements

| Name | Version |
| ---- | ------- |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.7 |

## Providers

No providers.

## Modules

| Name | Source | Version |
| ---- | ------ | ------- |
| <a name="module_ocm_role"></a> [ocm\_role](#module\_ocm\_role) | ../../modules/ocm-role | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. | `string` | `"ManagedOpenShift"` | no |
| <a name="input_profile"></a> [profile](#input\_profile) | Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`. | `string` | `"standard"` | no |

## Outputs

| Name | Description |
| ---- | ----------- |
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. |
| <a name="output_role_link_id"></a> [role\_link\_id](#output\_role\_link\_id) | The identifier of the OCM-side role link. |
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
12 changes: 12 additions & 0 deletions examples/ocm-role/main.tf
@@ -0,0 +1,12 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

############################
# OCM Role
############################
module "ocm_role" {
source = "../../modules/ocm-role"

ocm_role_prefix = var.ocm_role_prefix
profile = var.profile
}
17 changes: 17 additions & 0 deletions examples/ocm-role/outputs.tf
@@ -0,0 +1,17 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

output "role_arn" {
value = module.ocm_role.role_arn
description = "The ARN of the created OCM IAM role."
}

output "role_name" {
value = module.ocm_role.role_name
description = "The name of the created OCM IAM role."
}

output "role_link_id" {
value = module.ocm_role.role_link_id
description = "The identifier of the OCM-side role link."
}
14 changes: 14 additions & 0 deletions examples/ocm-role/variables.tf
@@ -0,0 +1,14 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

variable "ocm_role_prefix" {
type = string
description = "User-defined prefix for the OCM IAM role name."
default = "ManagedOpenShift"
}

variable "profile" {
type = string
description = "Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`."
default = "standard"
}
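Review bot: `profile` documents the allowed values but carries no `validation` block, and the module selects policies by exact string match (`contains(["standard", "admin"], var.profile)` and `var.profile == "no-console"` in modules/ocm-role/main.tf), so a value such as `Standard` or `noconsole` would, unless the module's own variables.tf validates it (not part of this diff), create the role with the trust policy and no permission policy attached and no error at plan time. Add a validation with `condition = contains(["standard", "admin", "no-console"], var.profile)` and an error message listing the three values so the typo is caught before any IAM call is made.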
17 changes: 17 additions & 0 deletions examples/ocm-role/versions.tf
@@ -0,0 +1,17 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

terraform {
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.0"
}
rhcs = {
source = "terraform-redhat/rhcs"
version = ">= 1.7.7"
}
}
}
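Review bot: `required_version = ">= 1.0"` is too low for what this example runs: the module it instantiates calls `strcontains()` in modules/ocm-role/main.tf, a function that only exists from Terraform 1.5, so the example will satisfy this constraint on 1.0 through 1.4 and then fail at plan time. Raise it to `>= 1.5` (the module's own constraint should move with it). Separately, `>= 6.0` and `>= 1.7.7` are open-ended lower bounds; for an example that people copy, committing a `.terraform.lock.hcl` alongside it keeps the provider versions reproducible.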
76 changes: 76 additions & 0 deletions modules/ocm-role/README.md
@@ -0,0 +1,76 @@
# ocm-role

## Introduction

This Terraform sub-module creates the AWS IAM OCM role with the tags required by the ROSA CLI and OCM. The role is used to grant OpenShift Cluster Manager permissions in the customer's AWS account.

The module creates the IAM role, attaches the appropriate permission policies for the selected profile, applies the required tags, and links the role to the current OCM organization via `rhcs_rosa_ocm_role_link`.

For more information, see [Understanding OCM role and User role for ROSA](https://access.redhat.com/articles/6961686).

## Example Usage

```
module "ocm_role" {
source = "terraform-redhat/rosa-hcp/rhcs//modules/ocm-role"
version = "1.7.7"

ocm_role_prefix = "ManagedOpenShift"
profile = "standard"
}
```

<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
## Requirements

| Name | Version |
| ---- | ------- |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.7 |

## Providers

| Name | Version |
| ---- | ------- |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.7 |

## Modules

No modules.

## Resources

| Name | Type |
| ---- | ---- |
| [aws_iam_policy.ocm_admin_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.ocm_no_console_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.standard_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.ocm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ocm_admin_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ocm_no_console_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.standard_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [rhcs_rosa_ocm_role_link.this](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/resources/rosa_ocm_role_link) | resource |
| [rhcs_hcp_policies.all_policies](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/hcp_policies) | data source |
| [rhcs_info.current](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/info) | data source |

## Inputs

| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| <a name="input_create_link"></a> [create\_link](#input\_create\_link) | (Optional) Whether to link the created role to the OCM organization via rhcs\_rosa\_ocm\_role\_link. Set to false when importing an already-linked role. | `bool` | `true` | no |
| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. The final role name is `<prefix>-OCM-Role-<organization_external_id>`. | `string` | n/a | yes |
| <a name="input_path"></a> [path](#input\_path) | (Optional) The IAM path for the OCM role and its policies. Must begin and end with '/'. | `string` | `"/"` | no |
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy used to set the permissions boundary for the OCM IAM role. | `string` | `""` | no |
| <a name="input_profile"></a> [profile](#input\_profile) | Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`. | `string` | `"standard"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Additional AWS resource tags to merge into the OCM role and its policies. | `map(string)` | `null` | no |

## Outputs

| Name | Description |
| ---- | ----------- |
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. |
| <a name="output_role_link_id"></a> [role\_link\_id](#output\_role\_link\_id) | The identifier of the OCM-side role link created for the IAM role, or null when create\_link is false. |
| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. |
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
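Review bot: the Inputs entry for `profile` lists the three allowed values but not what each one grants, which is the decision a reader of this README has to make: per main.tf, `standard` attaches `sts_ocm_permission_policy`, `admin` attaches that same policy plus `sts_ocm_admin_permission_policy` (it is additive, not a replacement), and `no-console` attaches only `sts_ocm_no_console_permission_policy`; a sentence to that effect in the Introduction, with a pointer to `permissions_boundary` for anyone using `admin`, would help. Two smaller points: the Requirements table advertises terraform `>= 1.0`, but `strcontains()` in main.tf needs 1.5 or later, and the Example Usage fence has no language tag, so ```hcl would get it highlighted.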
113 changes: 113 additions & 0 deletions modules/ocm-role/main.tf
@@ -0,0 +1,113 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

locals {
path = coalesce(var.path, "/")

role_type = "OCM"
role_suffix = "-${local.role_type}-Role-${data.rhcs_info.current.organization_external_id}"
max_prefix_length = 64 - length(local.role_suffix)
truncated_role_prefix = local.max_prefix_length > 0 ? substr(var.ocm_role_prefix, 0, local.max_prefix_length) : ""
role_name = "${local.truncated_role_prefix}${local.role_suffix}"
max_policy_name_length = 128
standard_policy_enabled = contains(["standard", "admin"], var.profile)
admin_policy_enabled = var.profile == "admin"
no_console_enabled = var.profile == "no-console"

ocm_environment = (
strcontains(data.rhcs_info.current.ocm_api, "api.stage.") ? "staging" :
(
strcontains(data.rhcs_info.current.ocm_api, "integration") || strcontains(data.rhcs_info.current.ocm_api, ".int.") ? "integration" : "production"
)
)

base_tags = merge(var.tags, {
red-hat-managed = true
rosa_role_prefix = var.ocm_role_prefix
rosa_role_type = local.role_type
rosa_environment = local.ocm_environment
})

role_tags = local.admin_policy_enabled ? merge(local.base_tags, {
rosa_admin_role = true
}) : (
local.no_console_enabled ? merge(local.base_tags, {
rosa_no_console_role = true
}) : local.base_tags
)
}

data "rhcs_hcp_policies" "all_policies" {}

data "rhcs_info" "current" {}

resource "aws_iam_role" "ocm_role" {
name = local.role_name
permissions_boundary = var.permissions_boundary
path = local.path
assume_role_policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_trust_policy
force_detach_policies = true

tags = local.role_tags
}

resource "aws_iam_policy" "standard_permission_policy" {
count = local.standard_policy_enabled ? 1 : 0

name = substr("${local.role_name}-Policy", 0, local.max_policy_name_length)
path = local.path
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_permission_policy

tags = local.base_tags
}

resource "aws_iam_role_policy_attachment" "standard_permission_policy_attachment" {
count = local.standard_policy_enabled ? 1 : 0

role = aws_iam_role.ocm_role.name
policy_arn = aws_iam_policy.standard_permission_policy[0].arn
}

resource "aws_iam_policy" "ocm_admin_permission_policy" {
count = local.admin_policy_enabled ? 1 : 0

name = substr("${local.role_name}-Admin-Policy", 0, local.max_policy_name_length)
path = local.path
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_admin_permission_policy

tags = merge(local.base_tags, {
rosa_admin_role = true
})
}

resource "aws_iam_role_policy_attachment" "ocm_admin_permission_policy_attachment" {
count = local.admin_policy_enabled ? 1 : 0

role = aws_iam_role.ocm_role.name
policy_arn = aws_iam_policy.ocm_admin_permission_policy[0].arn
}

resource "aws_iam_policy" "ocm_no_console_permission_policy" {
count = local.no_console_enabled ? 1 : 0

name = substr("${local.role_name}-NoConsole-Policy", 0, local.max_policy_name_length)
path = local.path
policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_no_console_permission_policy

tags = merge(local.base_tags, {
rosa_no_console_role = true
})
}

resource "aws_iam_role_policy_attachment" "ocm_no_console_permission_policy_attachment" {
count = local.no_console_enabled ? 1 : 0

role = aws_iam_role.ocm_role.name
policy_arn = aws_iam_policy.ocm_no_console_permission_policy[0].arn
}

resource "rhcs_rosa_ocm_role_link" "this" {
count = var.create_link ? 1 : 0

role_arn = aws_iam_role.ocm_role.arn
}
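Review bot: the `rosa_role_prefix` tag in `base_tags` is set from `var.ocm_role_prefix`, but `role_name` is built from `truncated_role_prefix`, so once the prefix is long enough to be cut to fit the 64-character name limit the tag and the name disagree (and when `max_prefix_length` is not positive the name starts with `-`); either add a `validation` on the prefix length or tag with `local.truncated_role_prefix` so the two stay consistent. Also, `strcontains()` in the `ocm_environment` local requires Terraform 1.5 or later, which the README's `>= 1.0` does not reflect. Finally, `rhcs_rosa_ocm_role_link.this` depends only on `aws_iam_role.ocm_role.arn`, so it can be created before the `aws_iam_role_policy_attachment` resources finish; a `depends_on` listing the three attachments registers the role with OCM only after its permission policy is attached.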
17 changes: 17 additions & 0 deletions modules/ocm-role/outputs.tf
@@ -0,0 +1,17 @@
# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0

output "role_arn" {
value = aws_iam_role.ocm_role.arn
description = "The ARN of the created OCM IAM role."
}

output "role_name" {
value = aws_iam_role.ocm_role.name
description = "The name of the created OCM IAM role."
}

output "role_link_id" {
value = try(rhcs_rosa_ocm_role_link.this[0].id, null)
description = "The identifier of the OCM-side role link created for the IAM role, or null when create_link is false."
}
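Review bot: `try(rhcs_rosa_ocm_role_link.this[0].id, null)` swallows every error in the expression, not just the empty-list case when `create_link` is false; if the provider ever renames the `id` attribute, the output silently becomes null instead of failing. `one(rhcs_rosa_ocm_role_link.this[*].id)` states the zero-or-one intent directly, still returns null when the link is not created, and surfaces any other error.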