Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: (PSKD-904) Support credentials when assuming an IAM role #319

Merged
merged 11 commits into from
Feb 10, 2025
Merged

feat: (PSKD-904) Support credentials when assuming an IAM role #319

merged 11 commits into from
Feb 10, 2025
+100 −43

Conversation

dhoucgitter
Copy link
Member

@dhoucgitter dhoucgitter commented Jan 28, 2025
edited
Loading

Changes

  • Updates to support authenticating to Terraform using temporary AWS credentials generated by assuming an IAM role
  • Expose EKS cluster authentication_mode as a General configuration variable
  • Add admin_access_entry_role_arns as a General configuration variable. Add behavior to create an admin level EKS access entry for each role ARN specified in this list of strings.
  • Added CONFIG-VARS.md doc for the two new configuration variables.

@dhoucgitter
feat: (PSKD-904) Support credentials when assuming an IAM role
Loading
Loading status checks…
6273bed 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter dhoucgitter added the enhancement New feature or request label Jan 28, 2025
@dhoucgitter dhoucgitter self-assigned this Jan 28, 2025
@dhoucgitter dhoucgitter requested a review from supear January 28, 2025 18:13
@dhoucgitter
access entry, policy and variable updates
Loading
Loading status checks…
97553cf 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Add Terraform install to TFLint action
Loading
Loading status checks…
f5a7956 
Signed-off-by: David.Houck <[email protected]>
supear
supear requested changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@supear supear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some edits!

@dhoucgitter
Apply doc review edits from Susan
Loading
Loading status checks…
5011530 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Copy link
Member Author

Hi @supear, please review the latest commit for updates based on your suggested doc changes, thanks.

supear
supear requested changes Jan 30, 2025
View reviewed changes
Copy link
Contributor

@supear supear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one typo. I think it's good to go once that's fixed!

@ajeffowens
Copy link

ajeffowens commented Jan 30, 2025
edited
Loading

This line from fsx_ontap will need to be adapted for the iam role scenario:

viya4-iac-aws/modules/aws_fsx_ontap/main.tf

Line 81 in 5011530

user = data.aws_iam_user.terraform.user_name
.

Otherwise it fails like this:

╷
│ Error: getting user: operation error IAM: GetUser, https response error StatusCode: 404, RequestID: 2ad78f83-7713-4d54-81c3-e343f5eb1f9a, NoSuchEntity: The user with name GitHubActions cannot be found.
│ 
│   with module.ontap[0].data.aws_iam_user.terraform,
│   on modules/aws_fsx_ontap/main.tf line 76, in data "aws_iam_user" "terraform":
│   76: data "aws_iam_user" "terraform" {
│ 
╵

@dhoucgitter
Fix typo
de9b95b 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Use admin_access_entry_role_arns variable name per Jeff's code review…
Loading
Loading status checks…
fdc384e 
… comment

Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Copy link
Member Author

Hi @supear, based on your last comment and the new commit, I will go ahead and resolve your doc review comments as completed, sound good?

@dhoucgitter
Fix FSx filesystem policy attachment using assumed role auth
Loading
Loading status checks…
f9117dd 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Copy link
Member Author

This line from fsx_ontap will need to be adapted for the iam role scenario:

viya4-iac-aws/modules/aws_fsx_ontap/main.tf

Line 81 in 5011530

user = data.aws_iam_user.terraform.user_name

.
Otherwise it fails like this:

╷
│ Error: getting user: operation error IAM: GetUser, https response error StatusCode: 404, RequestID: 2ad78f83-7713-4d54-81c3-e343f5eb1f9a, NoSuchEntity: The user with name GitHubActions cannot be found.
│ 
│   with module.ontap[0].data.aws_iam_user.terraform,
│   on modules/aws_fsx_ontap/main.tf line 76, in data "aws_iam_user" "terraform":
│   76: data "aws_iam_user" "terraform" {
│ 
╵

Hi @ajeffowens , the latest commit should handle creating the correct policy attachment whether using an assumed IAM role or IAM user. I'll message you once I have a new image ready that I'm hoping you can try out again.

@dhoucgitter
Add tflint ignore rule for resource
Loading
Loading status checks…
6dd4852 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Use role_name from ARN, not role session name for role based authenti…
Loading
Loading status checks…
7a6b3a2 
…cation

Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
Update tflint ignore rule
Loading
Loading status checks…
014a391 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter
disable problem tflint rule in hcl file
Loading
Loading status checks…
30d6e91 
Signed-off-by: David.Houck <[email protected]>
@dhoucgitter dhoucgitter merged commit 437e7d3 into staging Feb 10, 2025
5 checks passed
@dhoucgitter dhoucgitter deleted the pskd-904 branch February 10, 2025 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajeffowens ajeffowens

@supear supear

@saschjmil saschjmil

Assignees

@dhoucgitter dhoucgitter

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dhoucgitter @ajeffowens @supear @saschjmil