ROSAENG-57757 | fix: apply trust_policy_external_id to support role trust policy#160
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (5)
💤 Files with no reviewable changes (1)
🚧 Files skipped from review as they are similar to previous changes (4)
WalkthroughThe ChangesTrust policy external ID normalization and conditional ExternalId inclusion
Estimated code review effort: 3 (Moderate) | ~25 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Hi @michaelryanmcneill. Thanks for your PR. I'm waiting for a terraform-redhat member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/hold |
|
Working on additional manual testing before submitting for review. |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
/ok-to-test |
1 similar comment
|
/ok-to-test |
|
/retest |
|
Test results: |
✅ Action performedReview finished.
|
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
As discussed, since the CI jobs are a known issue, this is ready for final review @olucasfreitas. |
|
/unhold |
|
/retest-required |
a2a5b00 to
08ac68f
Compare
|
/test rosa-hcp-public |
9d751c8 to
d94f4c7
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@modules/account-iam-resources/variables.tf`:
- Around line 48-50: The validation condition for `trust_policy_external_id`
uses the `||` operator which does not short-circuit in Terraform 1.5.7, causing
`trimspace()` to be evaluated on a null value and fail. Replace the logical OR
approach with a conditional operator that first checks if the variable is null
before attempting to call `trimspace()` on it, ensuring that string functions
are only evaluated when the variable contains an actual string value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: c4ddfd74-5689-42bf-977a-a1086b846ecf
📒 Files selected for processing (5)
modules/account-iam-resources/README.mdmodules/account-iam-resources/main.tfmodules/account-iam-resources/outputs.tfmodules/account-iam-resources/tests/trust_policy_external_id.tftest.hclmodules/account-iam-resources/variables.tf
19f4dce to
ba89400
Compare
f00109a to
ffcaf25
Compare
|
/ok-to-test |
ffcaf25 to
ebc382b
Compare
…rust policy Align support account role with installer when trust_policy_external_id is set and normalize empty strings to unset for external ID injection. Part of ROSA-786. Signed-off-by: michaelryanmcneill <michael@michaelryanmcneill.com>
ebc382b to
3b2c533
Compare
|
@coderabbitai resume |
|
✅ Action performedReviews resumed. Review finished.
|
|
/test rosa-hcp-private |
|
/lgtm |
|
@olucasfreitas: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: michaelryanmcneill, olucasfreitas The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/ok-to-test |
1ca111a
into
terraform-redhat:main
PR Summary
Fixes
modules/account-iam-resourcessotrust_policy_external_idis injected into the support role trust policy (not just installer) and empty strings are treated as unset.Detailed Description of the Issue
The HCP
account-iam-resourcesmodule already exposedtrust_policy_external_id, but only the installer role received thests:ExternalIdtrust policy condition. The support role hadexternal_id = null, so cluster create validation in the RHCS provider (which requires the external ID in both installer and support policies) would fail even when users configured the module correctly.This change aligns HCP module behavior with ROSA product expectations and with the new Classic module implementation.
Related Issues and PRs
sts.trust_policy_external_idon cluster resources and create-time validationtrust_policy_external_idsupport in account-iam-resourcesType of Change
Previous Behavior
trust_policy_external_idapplied to installer role trust policy only.sts:ExternalIdwhen the variable was set.Behavior After This Change
local.trust_policy_external_idnormalizesnulland""to unset.local.trust_policy_external_idfor trust policy conditions.time_sleeptriggers use normalized local value.Example wiring
How to Test (Step-by-Step)
Preconditions
Test Steps
cd modules/account-iam-resources terraform fmttrust_policy_external_id = "test-external-id-123".sts:ExternalIdwith the same value.trust_policy_external_id = null; confirm conditions are removed on new role creation (or validate on fresh prefix).Expected Results
Proof of the Fix
sts:ExternalIdterraform applyoutputBreaking Changes
Breaking Change Details / Migration Plan
N/A for new deployments.
Note for existing deployments: clusters created with external ID on installer only may need support role trust policy updated (re-apply module or manual IAM update) before RHCS provider validation will pass when
sts.trust_policy_external_idis set on the cluster.Developer Verification Checklist
[JIRA-TICKET] | [TYPE]: <MESSAGE>.make pre-push-checkspasses (or each step:verify,verify-gen,lint,unit-tests,license-check,docs-lint).make terraform-docs).Summary by CodeRabbit
Release Notes
Bug Fixes
trust_policy_external_idso empty/unset values behave asnull, omitting thests:ExternalIdcondition for installer/support roles while keeping worker free ofsts:ExternalId.New Features
Validation & Tests
Documentation