Merge branch 'main' into ethan/test-metrics

Formula/telophasecli.rb

@@ -5,21 +5,21 @@
 class Telophasecli < Formula
   desc "Open-Source AWS Control Tower"
   homepage "https://github.com/Santiago-Labs/telophasecli"
-  version "0.5.2"
+  version "0.5.3"
   license "GPL-3.0"
 
   on_macos do
     if Hardware::CPU.intel?
-      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.2/telophasecli_Darwin_x86_64.tar.gz"
-      sha256 "a49b9c1e6e32e3ef963420effb9343eeb5fce848cda1032668e5084926a71341"
+      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.3/telophasecli_Darwin_x86_64.tar.gz"
+      sha256 "194d6a334e839444493f5f2aa0e499f6ccc9f92f242794e0b2a162f822a2082e"
 
       def install
         bin.install "telophasecli"
       end
     end
     if Hardware::CPU.arm?
-      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.2/telophasecli_Darwin_arm64.tar.gz"
-      sha256 "f9b38f7ff345304b42ac3aade9bff70c2514aeb18bd04dcfe782919844fd8542"
+      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.3/telophasecli_Darwin_arm64.tar.gz"
+      sha256 "28a439c463fdc6d7609203570d05afa6ca51cd1b3d89f4d5eaf4745fb9637085"
 
       def install
         bin.install "telophasecli"
@@ -29,16 +29,16 @@ def install
 
   on_linux do
     if Hardware::CPU.intel?
-      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.2/telophasecli_Linux_x86_64.tar.gz"
-      sha256 "ebcdc802e62fff70979bed5b8e3ab0e71b69aac47a67358178da09b1905e5e7e"
+      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.3/telophasecli_Linux_x86_64.tar.gz"
+      sha256 "555aee8a3cbdd7462d74847297ff6f73f11353d049c751921c6e8a8dda1c77cf"
 
       def install
         bin.install "telophasecli"
       end
     end
     if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
-      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.2/telophasecli_Linux_arm64.tar.gz"
-      sha256 "63af55ae0f49fbafec077aa4f8262fcaf96c7dc2a82ad1eddec012541cf30ca7"
+      url "https://github.com/Santiago-Labs/telophasecli/releases/download/v0.5.3/telophasecli_Linux_arm64.tar.gz"
+      sha256 "c9fcaa09d72831c3d6c85088dc2086c505927a3d0446dcb69042e5e8904688de"
 
       def install
         bin.install "telophasecli"

examples/localstack/organization.yml

@@ -10,6 +10,10 @@ Organization:
           - Type: "Terraform"
             Path: "./tf/ci_iam"
             Name: "Default IAM Roles for CI"
+          - Type: "Terraform"
+            Path: "./tf/workspace"
+            Region: "eu-west-1"
+            Workspace: "${telophase.account_id}_${telophase.region}"
         Tags:
           - "production"
         Accounts:

examples/localstack/setup.sh

@@ -46,4 +46,6 @@ aws dynamodb create-table --table-name tf-test-state \
 --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
 --endpoint-url http://localhost:4566
 
+awslocal organizations create-organization --feature-set ALL
+
 print_green "Setup complete! You can now run telophasecli :)"

examples/localstack/tf/workspace/main.tf

@@ -0,0 +1,30 @@
+resource "aws_dynamodb_table" "example" {
+  name             = "${terraform.workspace}-eu"
+
+  hash_key         = "TestTableHashKey"
+  billing_mode     = "PAY_PER_REQUEST"
+  stream_enabled   = true
+  stream_view_type = "NEW_AND_OLD_IMAGES"
+
+  attribute {
+    name = "TestTableHashKey"
+    type = "S"
+  }
+}
+
+locals {
+  region = split("_",terraform.workspace)[1]
+}
+
+provider "aws" {
+    # Two options can use ${telophase.region} or look at local config
+    region = "${telophase.region}" 
+}
+
+terraform {
+  backend "s3" {
+    bucket = "tfstate-${telophase.account_id}"
+    key    = "workspace/terraform.tfstate"
+    region = "us-west-2"
+  }
+}

lib/awssts/awssts.go

@@ -9,7 +9,8 @@ import (
 func SetEnviron(currEnv []string,
 	accessKeyID,
 	secretAccessKey,
-	sessionToken string) []string {
+	sessionToken string,
+	awsRegion *string) []string {
 	var newEnv []string
 	for _, e := range currEnv {
 		if strings.Contains(e, "AWS_ACCESS_KEY_ID=") ||
@@ -18,14 +19,22 @@ func SetEnviron(currEnv []string,
 			continue
 		}
 
+		if awsRegion != nil && strings.Contains(e, "AWS_REGION=") {
+			continue
+		}
+
 		newEnv = append(newEnv, e)
 	}
 
 	newEnv = append(newEnv,
 		"AWS_ACCESS_KEY_ID="+accessKeyID,
 		"AWS_SECRET_ACCESS_KEY="+secretAccessKey,
 		"AWS_SESSION_TOKEN="+sessionToken,
-		"AWS_REGION="+"us-west-2")
+	)
+
+	if awsRegion != nil {
+		newEnv = append(newEnv, *awsRegion)
+	}
 
 	if localstack.UsingLocalStack() {
 		// We need to set this to true for localstack so that tflocal will use

lib/terraform/local.go

@@ -24,12 +24,12 @@ func TmpPath(acct resource.Account, filePath string) string {
 	return path.Join("telophasedirs", fmt.Sprintf("tf-tmp%s-%s", acct.ID(), hashString))
 }
 
-func CopyDir(src string, dst string, resource resource.Resource) error {
+func CopyDir(stack resource.Stack, dst string, resource resource.Resource) error {
 	ignoreDir := "telophasedirs"
 
-	abs, err := filepath.Abs(src)
+	abs, err := filepath.Abs(stack.Path)
 	if err != nil {
-		return oops.Wrapf(err, "could not get absolute file path for path: %s", src)
+		return oops.Wrapf(err, "could not get absolute file path for path: %s", stack.Path)
 	}
 	return filepath.Walk(abs, func(path string, info fs.FileInfo, err error) error {
 		if err != nil {
@@ -46,12 +46,12 @@ func CopyDir(src string, dst string, resource resource.Resource) error {
 		if info.IsDir() {
 			return os.MkdirAll(targetPath, info.Mode())
 		} else {
-			return replaceVariablesInFile(path, targetPath, resource)
+			return replaceVariablesInFile(path, targetPath, resource, stack)
 		}
 	})
 }
 
-func replaceVariablesInFile(srcFile, dstFile string, resource resource.Resource) error {
+func replaceVariablesInFile(srcFile, dstFile string, resource resource.Resource, stack resource.Stack) error {
 	content, err := ioutil.ReadFile(srcFile)
 	if err != nil {
 		return err
@@ -68,5 +68,13 @@ func replaceVariablesInFile(srcFile, dstFile string, resource resource.Resource)
 	updatedContent = strings.ReplaceAll(updatedContent, "${telophase.resource_name}", resource.Name())
 	updatedContent = strings.ReplaceAll(updatedContent, "telophase.resource_name", fmt.Sprintf("\"%s\"", resource.Name()))
 
+	// Update Region
+	preRegionContent := updatedContent
+	updatedContent = strings.ReplaceAll(updatedContent, "${telophase.region}", stack.Region)
+	updatedContent = strings.ReplaceAll(updatedContent, "telophase.region", stack.Region)
+	if updatedContent != preRegionContent && stack.Region == "" {
+		return oops.Errorf("Region needs to be set on stack if performing substitution")
+	}
+
 	return ioutil.WriteFile(dstFile, []byte(updatedContent), 0644)
 }

mintlifydocs/config/organization.mdx

@@ -104,6 +104,8 @@ Stacks:
     Type:  # (Required) "CDK" or "Terraform".
     Name:  # (Optional) Apply only CDK stack with this name. By default, all CDK stacks are applied. (CDK Only)
     RoleOverrideARN:  # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName`.
+    Region: # (Optional) What region the stack's resources will be provisioned in.
+    Workspace: # (Optional) Specify a Terraform workspace to use.
 ```
 
 ### Example

mintlifydocs/features/Assign-IaC-Blueprints-To-Accounts.mdx

@@ -22,6 +22,8 @@ Organization:
                 # This stack will be applied to `Safety Firmware` account only.
               - Path: tf/safety/firmware_bucket 
                 Type: Terraform
+                # You can set the region for where you want the resources to be created.
+                Region: "us-west-2"
           - Email: [email protected]
             AccountName: Safety Ingestion Team
       - Name: Development
@@ -34,3 +36,16 @@ Organization:
           - Email: [email protected]
             AccountName: Engineer A
 ```
+
+# Stacks
+CDK and Terraform stacks can be assigned to `Account`s and `OrganizationUnits`s. Stacks assigned to `OrganizationUnits` will be applied to all child `Account`s.
+
+```yaml
+Stacks:
+  - Path:  # (Required) Path to CDK or Terraform project. This must be a directory.
+    Type:  # (Required) "CDK" or "Terraform".
+    Name:  # (Optional) Apply only CDK stack with this name. By default, all CDK stacks are applied. (CDK Only)
+    RoleOverrideARN:  # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName`.
+    Region: # (Optional) What region the stack's resources will be provisioned in.
+    Workspace: # (Optional) Specify a Terraform workspace to use. 
+```

resource/stack.go

@@ -4,5 +4,19 @@ type Stack struct {
 	Name            string `yaml:"Name"`
 	Type            string `yaml:"Type"`
 	Path            string `yaml:"Path"`
+	Region          string `yaml:"Region,omitempty"`
 	RoleOverrideARN string `yaml:"RoleOverrideARN,omitempty"`
+	Workspace       string `yaml:"Workspace,omitempty"`
+}
+
+func (s Stack) AWSRegionEnv() *string {
+	if s.Region != "" {
+		v := "AWS_REGION=" + s.Region
+		return &v
+	}
+	return nil
+}
+
+func (s Stack) WorkspaceEnabled() bool {
+	return s.Workspace != ""
 }

resourceoperation/cdk.go

@@ -104,7 +104,9 @@ func (co *cdkOperation) Call(ctx context.Context) error {
 		cmd.Env = awssts.SetEnviron(os.Environ(),
 			*opRole.Credentials.AccessKeyId,
 			*opRole.Credentials.SecretAccessKey,
-			*opRole.Credentials.SessionToken)
+			*opRole.Credentials.SessionToken,
+			co.Stack.AWSRegionEnv(),
+		)
 	}
 	if err := co.OutputUI.RunCmd(cmd, *co.Account); err != nil {
 		return err
@@ -138,7 +140,9 @@ func bootstrapCDK(result *sts.AssumeRoleOutput, region string, acct resource.Acc
 		cmd.Env = awssts.SetEnviron(os.Environ(),
 			*result.Credentials.AccessKeyId,
 			*result.Credentials.SecretAccessKey,
-			*result.Credentials.SessionToken)
+			*result.Credentials.SessionToken,
+			stack.AWSRegionEnv(),
+		)
 	}
 
 	return cmd
@@ -162,7 +166,9 @@ func synthCDK(result *sts.AssumeRoleOutput, acct resource.Account, stack resourc
 		cmd.Env = awssts.SetEnviron(os.Environ(),
 			*result.Credentials.AccessKeyId,
 			*result.Credentials.SecretAccessKey,
-			*result.Credentials.SessionToken)
+			*result.Credentials.SessionToken,
+			stack.AWSRegionEnv(),
+		)
 	}
 
 	return cmd

resourceoperation/scp.go

@@ -125,7 +125,10 @@ func (so *scpOperation) Call(ctx context.Context) error {
 			initTFCmd.Env = awssts.SetEnviron(os.Environ(),
 				*acctRole.Credentials.AccessKeyId,
 				*acctRole.Credentials.SecretAccessKey,
-				*acctRole.Credentials.SessionToken)
+				*acctRole.Credentials.SessionToken,
+				// SCPs can't have regions
+				nil,
+			)
 		}
 		if err := so.OutputUI.RunCmd(initTFCmd, *so.MgmtAcct); err != nil {
 			return err
@@ -151,7 +154,10 @@ func (so *scpOperation) Call(ctx context.Context) error {
 		cmd.Env = awssts.SetEnviron(os.Environ(),
 			*acctRole.Credentials.AccessKeyId,
 			*acctRole.Credentials.SecretAccessKey,
-			*acctRole.Credentials.SessionToken)
+			*acctRole.Credentials.SessionToken,
+			// SCPs don't have regions
+			nil,
+		)
 	}
 
 	if err := so.OutputUI.RunCmd(cmd, *so.MgmtAcct); err != nil {
@@ -184,7 +190,7 @@ func (so *scpOperation) initTf() (*exec.Cmd, error) {
 			return nil, fmt.Errorf("failed to create directory %s: %v", terraformDir, err)
 		}
 
-		if err := terraform.CopyDir(so.Stack.Path, workingPath, so.targetResource()); err != nil {
+		if err := terraform.CopyDir(so.Stack, workingPath, so.targetResource()); err != nil {
 			return nil, fmt.Errorf("failed to copy files from %s to %s: %v", so.Stack.Path, workingPath, err)
 		}