add option to pass tags as parameter to apply to aws resources #10

Status: Open. Wants to merge 4 commits into base: main.
28 changes: 28 additions & 0 deletions README.md
Expand Up @@ -36,7 +36,19 @@ This terraform module tries to replicate rosa CLI roles creation so that:
|ocm_environment| string | the OCM environments. The value should be one of those: production, staging, integration, local | "production" |
|account_role_policies| object | account role policies details for account roles creation | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#account_role_policies-object) |
|operator_role_policies| object | operator role policies details for operator role policies creation | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#operator_role_policies-object) |
|tags | map of strings |List of AWS resource tags to apply | [an example can be found below](#tags-object) |

### tags object
`tags` is a map of strings with resource tags to be applied to AWS resources created.
The map looks like:
```
{
contact = "[email protected]"
cost-center = "12345"
owner = "productteam"
environment = "test"
}
```

## Get OCM Information for operator roles and OIDC provider

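Review bot: the new table row `|tags | map of strings |List of AWS resource tags to apply |` calls a map a "List"; reword it to "Map of AWS resource tags (key = value) applied to every IAM role and policy the module creates" and mark it optional, since the examples further down label it `#optional`. The tags object section should also state that the module merges its own `rosa_openshift_version`, `rosa_role_prefix` and `rosa_role_type` tags on top of the caller's map (the `merge(var.tags, {...})` calls in account_role_resource.tf put the module's keys last), so caller-supplied values for those three keys are silently overwritten; anyone relying on tags for cost allocation or for tag-based IAM conditions needs to know that.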
Expand Down Expand Up @@ -168,6 +180,14 @@ module "create_account_roles"{
rosa_openshift_version = var.rosa_openshift_version
account_role_policies = var.account_role_policies
operator_role_policies = var.operator_role_policies

#optional
tags = {
contact = "[email protected]"
cost-center = "12345"
owner = "productteam"
environment = "test"
}
}
```

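Review bot: in the `module "create_account_roles"` example the `tags = { ... }` block hardcodes values while every other input in the block is passed as `var.*`; use `tags = var.tags` here so the snippet shows the variable plumbing, and keep the literal map in one place (the tags object section) so the root README and account_roles_creation/README.md do not drift apart.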
Expand All @@ -191,6 +211,14 @@ module operator_roles {
rh_oidc_provider_thumbprint = ocm_cluster_rosa_classic.rosa_sts_cluster.sts.thumbprint
rh_oidc_provider_url = ocm_cluster_rosa_classic.rosa_sts_cluster.sts.oidc_endpoint_url
operator_roles_properties = data.ocm_rosa_operator_roles.operator_roles.operator_iam_roles

#optional
tags = {
contact = "[email protected]"
cost-center = "12345"
owner = "productteam"
environment = "test"
}
}
```

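Review bot: this example passes `tags` to `module operator_roles`, but none of the files shown in this diff touch the operator role resources or declare a `tags` variable for that module; if the operator_roles module has no `tags` input, Terraform rejects this example with an unsupported argument error. Either include the operator_roles change in this PR or drop the `#optional` `tags` block from this snippet until the input exists.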
41 changes: 31 additions & 10 deletions account_roles_creation/README.md
Expand Up @@ -17,6 +17,19 @@ Terraform AWS ROSA STS
|ocm_environment| string | the OCM environments. The value should be one of those: production, staging, integration, local | "production" |
|account_role_policies| object | account role policies details for account roles creation | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#account_role_policies-object) |
|operator_role_policies| object | operator role policies details for operator role policies creation | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#operator_role_policies-object) |
|tags | map of strings | List of AWS resource tags to apply | [an example can be found below](#tags-object) |

### tags object
`tags` is a map of strings with resource tags to be applied to AWS resources created.
The map looks like:
```
{
contact = "[email protected]"
cost-center = "12345"
owner = "productteam"
environment = "test"
}
```

### account_role_policies object
`account_role_policies` is an object that holds the policy details for each account role.
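Review bot: same wording problem as the root README: `| List of AWS resource tags to apply |` describes a map, so say "Map of AWS resource tags applied to the IAM roles and policies created". The new row also links with a relative `#tags-object` anchor while the `account_role_policies` and `operator_role_policies` rows above it link to absolute URLs on the `use_data_source_for_account_policies` branch; the relative form is the one that survives a branch rename or merge, so consider switching those two rows to `#account_role_policies-object` and `#operator_role_policies-object` as well.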
Expand Down Expand Up @@ -53,18 +66,26 @@ The object looks like:

```
module "create_account_roles"{
source = "terraform-redhat/rosa-sts/aws"
version = ">=0.0.3"
source = "terraform-redhat/rosa-sts/aws"
version = ">=0.0.3"

create_operator_roles = false
create_oidc_provider = false
create_account_roles = true

create_operator_roles = false
create_oidc_provider = false
create_account_roles = true
account_role_prefix = var.account_role_prefix
ocm_environment = var.ocm_environment
rosa_openshift_version = var.rosa_openshift_version
account_role_policies = var.account_role_policies
operator_role_policies = var.operator_role_policies

account_role_prefix = var.account_role_prefix
ocm_environment = var.ocm_environment
rosa_openshift_version = var.rosa_openshift_version
account_role_policies = var.account_role_policies
operator_role_policies = var.operator_role_policies
#optional
tags = {
contact = "[email protected]"
cost-center = "12345"
owner = "productteam"
environment = "test"
}
}
```

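Review bot: most of this hunk is whitespace realignment of `source`, `version`, the `create_*` flags and the `account_role_prefix` block, which buries the one functional addition (the `#optional` `tags` block); put the `terraform fmt` style changes in their own commit so the tagging change can be reviewed on its own. The literal map repeated here is the same one as in the root README; `tags = var.tags` would match the other inputs in the block and leave a single copy of the example map under the tags object section.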
18 changes: 9 additions & 9 deletions account_roles_creation/account_role/account_role_resource.tf
Expand Up @@ -14,22 +14,22 @@ resource "aws_iam_role" "account_role" {
]
})

tags = {
tags = merge(var.tags, {
rosa_openshift_version = var.rosa_openshift_version
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "${var.account_role_properties.role_type}"
}
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "${var.account_role_properties.role_type}"
})
}

# policy
resource "aws_iam_policy" "account_role_policy" {
name = "${var.account_role_prefix}-${var.account_role_properties.role_name}-Role-Policy"
name = "${var.account_role_prefix}-${var.account_role_properties.role_name}-Role-Policy"
policy = var.account_role_properties.policy_details
tags = {
tags = merge(var.tags, {
rosa_openshift_version = var.rosa_openshift_version
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "${var.account_role_properties.role_type}"
}
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "${var.account_role_properties.role_type}"
})
}


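Review bot: `merge(var.tags, { rosa_openshift_version = ..., rosa_role_prefix = ..., rosa_role_type = ... })` gives the module's three keys precedence over anything the caller supplies, which is the right order for tags the module itself depends on, but nothing says so; a one-line comment that the `rosa_*` keys are reserved and override caller values would prevent surprise. More importantly, `var.tags` is declared with `default = null` in variables.tf, so a caller who omits `tags` makes this `merge(null, {...})`; either change the default to `{}` or verify on the oldest Terraform version the module supports that `merge()` accepts a null argument, otherwise omitting the new optional input becomes a plan-time error. While touching these lines, the legacy interpolation-only form `"${var.account_role_prefix}"` inside the map can be plain `var.account_role_prefix`.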
Expand Up @@ -15,22 +15,22 @@ resource "aws_iam_role" "instance_account_role" {
]
})

tags = {
tags = merge(var.tags, {
rosa_openshift_version = var.rosa_openshift_version
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
}
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
})
}

# policy
resource "aws_iam_policy" "instance_account_role_policy" {
name = "${var.account_role_prefix}-${var.instance_account_role_properties.role_name}-Role-Policy"
name = "${var.account_role_prefix}-${var.instance_account_role_properties.role_name}-Role-Policy"
policy = var.instance_account_role_properties.policy_details
tags = {
tags = merge(var.tags, {
rosa_openshift_version = var.rosa_openshift_version
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
}
rosa_role_prefix = "${var.account_role_prefix}"
rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
})
}


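Review bot: this is the fourth copy of the same `merge(var.tags, { rosa_openshift_version = ..., rosa_role_prefix = ..., rosa_role_type = ... })` expression across the two resource files; define it once in a `locals` block (one map for the account role and one for the instance role, since only the `rosa_role_type` value differs) and reference the local from each `tags =` line, so the caller-versus-module precedence rule lives in one place and cannot diverge between the role and its policy. The `default = null` question applies here as well: if `tags` is omitted, `merge(null, {...})` has to be valid on every supported Terraform version, or the variable default should be `{}`.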
52 changes: 29 additions & 23 deletions account_roles_creation/account_role/variables.tf
@@ -1,30 +1,36 @@
variable account_role_prefix {
type = string
variable "account_role_prefix" {
type = string
}

variable account_role_properties {
description = "Account IAM role properties"
type = object({
role_name = string
role_type = string
principal = string
policy_details = string
})
variable "account_role_properties" {
description = "Account IAM role properties"
type = object({
role_name = string
role_type = string
principal = string
policy_details = string
})
}

variable instance_account_role_properties {
description = "Account IAM role properties"
type = object({
role_name = string
role_type = string
policy_details = string
})
variable "instance_account_role_properties" {
description = "Account IAM role properties"
type = object({
role_name = string
role_type = string
policy_details = string
})
}

variable rosa_openshift_version {
type = string
default = "4.12"
variable "rosa_openshift_version" {
type = string
default = "4.12"
}
variable "account_id" {
type = string
}

variable "tags" {
description = "List of AWS resource tags to apply."
type = map(string)
default = null
}
variable account_id {
type = string
}
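Review bot: the new `variable "tags"` block describes a `map(string)` as "List of AWS resource tags to apply."; say "Map of AWS resource tags merged into every IAM role and policy created by this module; the rosa_openshift_version, rosa_role_prefix and rosa_role_type keys are set by the module and override caller values." Prefer `default = {}` over `default = null` so the `merge()` calls in the resource files always receive a map. The rest of the hunk (quoting the variable names, realigning `type =` and `default =`, moving `account_id` above the new block) is formatting churn unrelated to the feature and should go in a separate commit.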
138 changes: 70 additions & 68 deletions account_roles_creation/main.tf
Expand Up @@ -7,96 +7,98 @@ terraform {
}
}

module rosa_account_roles {
source = "./account_role"
count = 2
module "rosa_account_roles" {
source = "./account_role"
count = 2

account_role_prefix = var.account_role_prefix
rosa_openshift_version = var.rosa_openshift_version
account_role_properties = local.account_roles_properties[count.index]
instance_account_role_properties = local.instance_account_roles_properties[count.index]
account_id = lookup({"production"="710019948333", "staging"="644306948063", "integration"="896164604406", "local"="765374464689"}, var.ocm_environment, "710019948333")
account_role_prefix = var.account_role_prefix
rosa_openshift_version = var.rosa_openshift_version
account_role_properties = local.account_roles_properties[count.index]
instance_account_role_properties = local.instance_account_roles_properties[count.index]
account_id = lookup({ "production" = "710019948333", "staging" = "644306948063", "integration" = "896164604406", "local" = "765374464689" }, var.ocm_environment, "710019948333")
tags = var.tags
}

module rosa_operator_role_policies {
source = "./operator_role_policy"
count = 6
module "rosa_operator_role_policies" {
source = "./operator_role_policy"
count = 6

account_role_prefix = var.account_role_prefix
rosa_openshift_version = var.rosa_openshift_version
operator_role_policy_properties = local.operator_roles_policy_properties[count.index]
account_role_prefix = var.account_role_prefix
rosa_openshift_version = var.rosa_openshift_version
operator_role_policy_properties = local.operator_roles_policy_properties[count.index]
tags = var.tags
}

locals {
account_roles_properties = [{
# installer
role_name = "Installer"
role_type = "installer"
principal = "RH-Managed-OpenShift-Installer"
policy_details = var.account_role_policies["sts_installer_permission_policy"]
account_roles_properties = [{
# installer
role_name = "Installer"
role_type = "installer"
principal = "RH-Managed-OpenShift-Installer"
policy_details = var.account_role_policies["sts_installer_permission_policy"]
},
{
# support
role_name = "Support"
role_type = "support"
principal = "RH-Technical-Support-Access"
# support
role_name = "Support"
role_type = "support"
principal = "RH-Technical-Support-Access"
policy_details = var.account_role_policies["sts_support_permission_policy"]
}]
}]

instance_account_roles_properties = [{
# worker
role_name = "Worker"
role_type = "worker"
policy_details = var.account_role_policies["sts_instance_worker_permission_policy"]
instance_account_roles_properties = [{
# worker
role_name = "Worker"
role_type = "worker"
policy_details = var.account_role_policies["sts_instance_worker_permission_policy"]
},
{
# control plan
role_name = "ControlPlane"
role_type = "controlplane"
policy_details = var.account_role_policies["sts_instance_controlplane_permission_policy"]
}]
# control plan
role_name = "ControlPlane"
role_type = "controlplane"
policy_details = var.account_role_policies["sts_instance_controlplane_permission_policy"]
}]

# TODO: if there is a new policy for a new OCP versions, need to add it here also
operator_roles_policy_properties = [{
# openshift-machine-api
policy_name = substr("${var.account_role_prefix}-openshift-cloud-network-config-controller-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_cloud_network_config_controller_cloud_credentials_policy"]
namespace = "openshift-cloud-network-config-controller"
operator_name = "cloud-credentials"
# TODO: if there is a new policy for a new OCP versions, need to add it here also
operator_roles_policy_properties = [{
# openshift-machine-api
policy_name = substr("${var.account_role_prefix}-openshift-cloud-network-config-controller-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_cloud_network_config_controller_cloud_credentials_policy"]
namespace = "openshift-cloud-network-config-controller"
operator_name = "cloud-credentials"
},
{
# openshift-cloud-credential-operator
policy_name = substr("${var.account_role_prefix}-openshift-machine-api-aws-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_machine_api_aws_cloud_credentials_policy"]
namespace = "openshift-machine-api"
operator_name = "aws-cloud-credentials"
# openshift-cloud-credential-operator
policy_name = substr("${var.account_role_prefix}-openshift-machine-api-aws-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_machine_api_aws_cloud_credentials_policy"]
namespace = "openshift-machine-api"
operator_name = "aws-cloud-credentials"
},
{
# openshift-cloud-network-config-controller
policy_name = substr("${var.account_role_prefix}-openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds", 0, 64)
policy_details = var.operator_role_policies["openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy"]
namespace = "openshift-cloud-credential-operator"
operator_name = "cloud-credential-operator-iam-ro-creds"
# openshift-cloud-network-config-controller
policy_name = substr("${var.account_role_prefix}-openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds", 0, 64)
policy_details = var.operator_role_policies["openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy"]
namespace = "openshift-cloud-credential-operator"
operator_name = "cloud-credential-operator-iam-ro-creds"
},
{
# openshift-image-registry
policy_name = substr("${var.account_role_prefix}-openshift-image-registry-installer-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_image_registry_installer_cloud_credentials_policy"]
namespace = "openshift-image-registry"
operator_name = "installer-cloud-credentials"
# openshift-image-registry
policy_name = substr("${var.account_role_prefix}-openshift-image-registry-installer-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_image_registry_installer_cloud_credentials_policy"]
namespace = "openshift-image-registry"
operator_name = "installer-cloud-credentials"
},
{
# openshift-ingress-operator
policy_name = substr("${var.account_role_prefix}-openshift-ingress-operator-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_ingress_operator_cloud_credentials_policy"]
namespace = "openshift-ingress-operator"
operator_name = "cloud-credentials"
# openshift-ingress-operator
policy_name = substr("${var.account_role_prefix}-openshift-ingress-operator-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_ingress_operator_cloud_credentials_policy"]
namespace = "openshift-ingress-operator"
operator_name = "cloud-credentials"
},
{
# openshift-cluster-csi-drivers
policy_name = substr("${var.account_role_prefix}-openshift-cluster-csi-drivers-ebs-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_cluster_csi_drivers_ebs_cloud_credentials_policy"]
namespace = "openshift-cluster-csi-drivers"
operator_name = "ebs-cloud-credentials"
}]
# openshift-cluster-csi-drivers
policy_name = substr("${var.account_role_prefix}-openshift-cluster-csi-drivers-ebs-cloud-credentials", 0, 64)
policy_details = var.operator_role_policies["openshift_cluster_csi_drivers_ebs_cloud_credentials_policy"]
namespace = "openshift-cluster-csi-drivers"
operator_name = "ebs-cloud-credentials"
}]
}
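Review bot: `tags = var.tags` is wired into both `rosa_account_roles` and `rosa_operator_role_policies`, but the `account_roles_creation/variables.tf` that must declare the module-level `tags` input, and the `operator_role_policy` module's variables and resource, are not among the files shown here (the file list is truncated); confirm both declare `tags` as `map(string)` and that the operator policy resource applies `merge(var.tags, ...)` the same way the account role resources do, otherwise `terraform validate` fails on the new argument. Two pre-existing issues sit inside lines this hunk reformats and are cheap to fix now: the `lookup({ "production" = ..., ... }, var.ocm_environment, "710019948333")` default means any misspelled `ocm_environment` silently selects the production account ID, so add a `validation` block on `ocm_environment` or drop the default so a bad value is a plan-time error; and the comments in `operator_roles_policy_properties` are each shifted by one entry (`# openshift-machine-api` sits above the `openshift-cloud-network-config-controller` policy, `# openshift-cloud-credential-operator` above `openshift-machine-api`, `# openshift-cloud-network-config-controller` above `openshift-cloud-credential-operator`).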