[OPAL-7906] Support AWS accounts in Terraform #24

andrewsy-opal · 2023-08-10T14:17:54Z

Description of the change

We were out of parity with the SDK, this supports it.

Test AWS accounts:

Test AWS role:

Checklist

I performed a self-review of my code
I manually tested my code change (please list details in description)
I added unit tests
I updated the changelog
I updated the public facing docs

linear · 2023-08-10T14:17:57Z

OPAL-7906 [P1] - Sophos | AWS Organizations - Terraform fails for Opal AWS IAM Role Resource

Terraform is failing for AWS Organizations using AWS IAM Roles:

TF update, I've tried to get the IAM Roles added via TF and get an error "Error: opal api error: 400 Bad Request: account_id is required for aws sso app" Looking at the API docs there is an option to add account_id for AWS_IAM_ROLE type Opal resource, https://docs.opal.dev/reference/createresource

"remote_info": { "aws_iam_role": { "account_id": 234234234234, "arn": "arn:aws:iam::179308207300:role/MyRole" } },
I've tried the API without the account_id and get the same error, so it looks like its required but not available in the TF provider, you can only specify the arn https://registry.terraform.io/providers/opalsecurity/opal/latest/docs/resources/resource#nested-schema-for-remote_infoaws_iam_role

Please can we get this added to the remaining TF provider work along with getting the "AWS_ACCOUNT" Opal resource type available in the TF provider, as they're both in the same area, thanks.

ken-opal

one question - do we want to support reading out the remote info for other AWS resources?

terraform-provider-opal/opal/resource.go

Lines 414 to 436 in 24eb7c5

    
           if resource.Metadata != nil { 
        
           	remoteInfoIList := make([]any, 0, 1) 
        
           	switch *resource.ResourceType { 
        
           	case opal.RESOURCETYPEENUM_AWS_SSO_PERMISSION_SET: 
        
           		// TODO: Handle other AWS Orgs resource types 
        
           		var metadata opal.AwsPermissionSetMetadata 
        
           		if err := json.Unmarshal([]byte(*resource.Metadata), &metadata); err != nil { 
        
           			return diagFromErr(ctx, err) 
        
           		} 
        
           		permissionSetIList := make([]any, 0, 1) 
        
           		permissionSetIList = append(permissionSetIList, map[string]any{ 
        
           			"arn":        metadata.AwsPermissionSet.Arn, 
        
           			"account_id": metadata.AwsPermissionSet.AccountId, 
        
           		}) 
        
           		remoteInfoIList = append(remoteInfoIList, map[string]any{ 
        
           			"aws_permission_set": permissionSetIList, 
        
           		}) 
        
           	} 
        
           	if len(remoteInfoIList) == 1 { 
        
           		d.Set("remote_info", remoteInfoIList) 
        
           	} 
        
           }

some more context here: https://github.com/opalsecurity/terraform-provider-opal/pull/19/files#r1205825077

opal/resource.go

ken-opal

LGTM with one comment on validating the import + plan workflow

opal/resource.go

opal/verify.go

andrewsy-opal had a problem deploying to Test August 10, 2023 14:18 — with GitHub Actions Failure

andrewsy-opal requested review from jan-opal and ken-opal August 10, 2023 14:18

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from 356075f to d54835e Compare August 10, 2023 14:23

andrewsy-opal had a problem deploying to Test August 10, 2023 14:23 — with GitHub Actions Failure

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from d54835e to c2d860e Compare August 10, 2023 14:26

andrewsy-opal had a problem deploying to Test August 10, 2023 14:26 — with GitHub Actions Failure

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from c2d860e to 661382d Compare August 10, 2023 14:28

andrewsy-opal had a problem deploying to Test August 10, 2023 14:28 — with GitHub Actions Failure

andrewsy-opal temporarily deployed to Test August 10, 2023 14:35 — with GitHub Actions Inactive

andrewsy-opal added 2 commits August 10, 2023 11:14

resource_remote_info: bring remote info to parity with go sdk

317ac07

docs: generate docs

15a80e7

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from 1901ab6 to 15a80e7 Compare August 10, 2023 15:14

andrewsy-opal temporarily deployed to Test August 10, 2023 15:14 — with GitHub Actions Inactive

andrewsy-opal had a problem deploying to Test August 10, 2023 15:29 — with GitHub Actions Failure

andrewsy-opal temporarily deployed to Test August 10, 2023 16:07 — with GitHub Actions Inactive

ken-opal reviewed Aug 10, 2023

View reviewed changes

andrewsy-opal temporarily deployed to Test August 10, 2023 21:00 — with GitHub Actions Inactive

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from 48f9ed7 to 86b9fe5 Compare August 11, 2023 16:43

andrewsy-opal temporarily deployed to Test August 11, 2023 16:43 — with GitHub Actions Inactive

andrewsy-opal commented Aug 11, 2023

View reviewed changes

opal/resource.go Outdated Show resolved Hide resolved

andrewsy-opal requested a review from ken-opal August 11, 2023 17:45

andrewsy-opal temporarily deployed to Test August 11, 2023 17:56 — with GitHub Actions Inactive

andrewsy-opal temporarily deployed to Test August 11, 2023 17:57 — with GitHub Actions Inactive

ken-opal approved these changes Aug 11, 2023

View reviewed changes

opal/resource.go Outdated Show resolved Hide resolved

opal/resource.go Outdated Show resolved Hide resolved

opal/resource.go Outdated Show resolved Hide resolved

opal/resource.go Outdated Show resolved Hide resolved

opal/verify.go Show resolved Hide resolved

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from 3ee8f54 to 74643c6 Compare August 11, 2023 21:24

andrewsy-opal temporarily deployed to Test August 11, 2023 21:24 — with GitHub Actions Inactive

verify: allow parent accounts to not set reviewer stages

0f8eb10

andrewsy-opal force-pushed the andrewsy/opal-7906-p1-sophos-aws-organizations-terraform-fails-for-opal-aws-iam branch from 74643c6 to 0f8eb10 Compare August 11, 2023 21:31

andrewsy-opal temporarily deployed to Test August 11, 2023 21:31 — with GitHub Actions Inactive

andrewsy-opal merged commit 4c51ad9 into main Aug 11, 2023
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[OPAL-7906] Support AWS accounts in Terraform #24

[OPAL-7906] Support AWS accounts in Terraform #24

andrewsy-opal commented Aug 10, 2023 •

edited

Loading

linear bot commented Aug 10, 2023

ken-opal left a comment

ken-opal left a comment

	if resource.Metadata != nil {
	remoteInfoIList := make([]any, 0, 1)
	switch *resource.ResourceType {
	case opal.RESOURCETYPEENUM_AWS_SSO_PERMISSION_SET:
	// TODO: Handle other AWS Orgs resource types
	var metadata opal.AwsPermissionSetMetadata
	if err := json.Unmarshal([]byte(*resource.Metadata), &metadata); err != nil {
	return diagFromErr(ctx, err)
	}
	permissionSetIList := make([]any, 0, 1)
	permissionSetIList = append(permissionSetIList, map[string]any{
	"arn": metadata.AwsPermissionSet.Arn,
	"account_id": metadata.AwsPermissionSet.AccountId,
	})
	remoteInfoIList = append(remoteInfoIList, map[string]any{
	"aws_permission_set": permissionSetIList,
	})
	}

	if len(remoteInfoIList) == 1 {
	d.Set("remote_info", remoteInfoIList)
	}
	}

[OPAL-7906] Support AWS accounts in Terraform #24

[OPAL-7906] Support AWS accounts in Terraform #24

Conversation

andrewsy-opal commented Aug 10, 2023 • edited Loading

Description of the change

Checklist

linear bot commented Aug 10, 2023

ken-opal left a comment

Choose a reason for hiding this comment

ken-opal left a comment

Choose a reason for hiding this comment

andrewsy-opal commented Aug 10, 2023 •

edited

Loading