Merge pull request #55 from streamnative/external_id_source_identity

Add support for external_id/source_id and policy updates
streamnative · Mar 10, 2022 · 073bf01 · 073bf01
2 parents 53b5c19 + 8ee3cd6
commit 073bf01
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 24 deletions.
diff --git a/modules/managed-cloud/cloudformation/managed_cloud.yaml b/modules/managed-cloud/cloudformation/managed_cloud.yaml
@@ -17,25 +17,25 @@ Resources:
         Properties:
             Path: "/StreamNative/"
             RoleName: "StreamNativeCloudBootstrapRole"
-            AssumeRolePolicyDocument: 
+            AssumeRolePolicyDocument:
               Version: '2012-10-17'
               Statement:
               - Sid: AllowStreamNativeVendorAccess
                 Effect: Allow
                 Principal:
-                  AWS: 
+                  AWS:
                     - !Ref VendorSupportRoleArn
                 Action: sts:AssumeRole
             MaxSessionDuration: 3600
             PermissionsBoundary: !Ref PermissionBoundaryPolicy
-            ManagedPolicyArns: 
+            ManagedPolicyArns:
               - !Ref BootstrapPolicy
             Description: "This role is used to bootstrap the StreamNative Cloud within the AWS account. It is limited in scope to the attached policy and also the permission boundary."
-            Tags: 
-              - 
+            Tags:
+              -
                 Key: "Vendor"
                 Value: "StreamNative"
-  
+
     ManagementRole:
         Type: "AWS::IAM::Role"
         Properties:
@@ -60,11 +60,11 @@ Resources:
                     accounts.google.com:aud: !Ref ControlPlaneSAID
             MaxSessionDuration: 3600
             PermissionsBoundary: !Ref PermissionBoundaryPolicy
-            ManagedPolicyArns: 
+            ManagedPolicyArns:
               - !Ref ManagementPolicy
             Description: "This role is used by StreamNative for the day to day management of the StreamNative Cloud deployment."
-            Tags: 
-              - 
+            Tags:
+              -
                 Key: "Vendor"
                 Value: "StreamNative"
 
@@ -178,7 +178,7 @@ Resources:
                 			"Resource": "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*",
                 			"Condition": {
                 				"ArnNotLike": {
-                					"iam:PolicyARN": [ 
+                					"iam:PolicyARN": [
                 						"arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-AWSLoadBalancerControllerPolicy",
                 						"arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-CertManagerPolicy",
                 						"arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-ClusterAutoscalerPolicy",
@@ -251,7 +251,7 @@ Resources:
                 			"Effect": "Allow",
                 			"Action": [
                 				"acm:ListCertificates",
-                				"acm:ListTagsForCertificate",	
+                				"acm:ListTagsForCertificate",
                 				"autoscaling:Describe*",
                 				"dynamodb:ListBackups",
                 				"dynamodb:ListGlobalTables",
@@ -291,6 +291,9 @@ Resources:
                 				"logs:CreateLogGroup",
                 				"logs:DescribeLogGroups",
                 				"logs:ListTagsLogGroup",
+                        "route53:CreateHostedZone",
+                        "route53:ChangeTagsForResource",
+                        "route53:GetChange",
                         "route53:GetHostedZone",
                         "route53:ListHostedZones",
                         "route53:ListTagsForResource",
@@ -343,10 +346,10 @@ Resources:
                 				"ec2:CreateVpc",
                 				"ec2:CreateVpcEndpoint",
                 				"ec2:CreateTags",
+                        "ec2:*TransitGateway*",
                 				"eks:Create*",
                         "eks:RegisterCluster",
-                				"eks:TagResource",
-                        "route53:CreateHostedZone"
+                				"eks:TagResource"
                 			],
                 			"Resource": "*",
                 			"Condition": {
@@ -388,6 +391,8 @@ Resources:
                 				"ec2:Release*",
                 				"ec2:Revoke*",
                 				"ec2:RunInstances",
+                        "ec2:TerminateInstances",
+                        "ec2:*TransitGateway*",
                 				"ec2:Update*",
                         "eks:DeleteAddon",
                         "eks:DeleteCluster",
@@ -396,8 +401,7 @@ Resources:
                         "eks:DisassociateIdentityProviderConfig",
                 				"eks:U*",
                 				"logs:DeleteLogGroup",
-                				"logs:PutRetentionPolicy",
-                        "route53:DeleteHostedZone"
+                				"logs:PutRetentionPolicy"
                 			],
                 			"Resource": "*",
                 			"Condition": {
@@ -663,4 +667,4 @@ Resources:
                      }
                     }
                   ]
-                }
+                }
diff --git a/modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl b/modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl
@@ -46,6 +46,9 @@
 				"logs:CreateLogGroup",
 				"logs:DescribeLogGroups",
 				"logs:ListTagsLogGroup",
+				"route53:CreateHostedZone",
+				"route53:ChangeTagsForResource",
+				"route53:GetChange",
 				"route53:GetHostedZone",
 				"route53:ListHostedZones",
 				"route53:ListTagsForResource",
@@ -98,10 +101,10 @@
 				"ec2:CreateVpc",
 				"ec2:CreateVpcEndpoint",
 				"ec2:CreateTags",
+        "ec2:*TransitGateway*",
 				"eks:Create*",
 				"eks:RegisterCluster",
-				"eks:TagResource",
-				"route53:CreateHostedZone"
+				"eks:TagResource"
 			],
 			"Resource": "*",
 			"Condition": {
@@ -143,6 +146,8 @@
 				"ec2:Release*",
 				"ec2:Revoke*",
 				"ec2:RunInstances",
+        "ec2:TerminateInstances",
+        "ec2:*TransitGateway*",
 				"ec2:Update*",
 				"eks:DeleteAddon",
 				"eks:DeleteCluster",
@@ -151,8 +156,7 @@
 				"eks:DisassociateIdentityProviderConfig",
 				"eks:U*",
 				"logs:DeleteLogGroup",
-				"logs:PutRetentionPolicy",
-				"route53:DeleteHostedZone"
+				"logs:PutRetentionPolicy"
 			],
 			"Resource": "*",
 			"Condition": {

diff --git a/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl b/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl
@@ -102,7 +102,7 @@
 			"Resource": "arn:aws:iam::${account_id}:role/StreamNative/*",
 			"Condition": {
 				"ArnNotLike": {
-					"iam:PolicyARN": [ 
+					"iam:PolicyARN": [
 						"arn:aws:iam::${account_id}:policy/StreamNative/*-AWSLoadBalancerControllerPolicy",
 						"arn:aws:iam::${account_id}:policy/StreamNative/*-CertManagerPolicy",
 						"arn:aws:iam::${account_id}:policy/StreamNative/*-ClusterAutoscalerPolicy",
@@ -153,9 +153,11 @@
 			],
 			"Resource": [
 				"arn:aws:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary",
+				"arn:aws:iam:::policy/StreamNative/StreamNativeCloudBootstrapPolicy",
+				"arn:aws:iam:::policy/StreamNative/StreamNativeCloudManagementPolicy",
 				"arn:aws:iam::${account_id}:role/StreamNative/StreamNativeBootstrapRole",
 				"arn:aws:iam::${account_id}:role/StreamNative/StreamNativeManagementRole"
 			]
 		}
 	]
-}
+}
diff --git a/modules/managed-cloud/main.tf b/modules/managed-cloud/main.tf
@@ -33,6 +33,12 @@ data "aws_iam_policy_document" "streamnative_vendor_access" {
   }
 }
 
+locals {
+  external_id = (var.external_id != "" ? [{test: "StringEquals", variable: "sts:ExternalId", values: [var.external_id]}] : [])
+  source_identity = (length(var.source_identities) > 0 ? [{test: var.source_identity_test, variable: "sts:SourceIdentity", values: var.source_identities}] : [])
+  assume_conditions = concat(local.external_id, local.source_identity)
+}
+
 data "aws_iam_policy_document" "streamnative_control_plane_access" {
   statement {
     sid     = "AllowStreamNativeVendorAccess"
@@ -46,6 +52,14 @@ data "aws_iam_policy_document" "streamnative_control_plane_access" {
         var.streamnative_control_plane_role_arn
       ]
     }
+    dynamic "condition" {
+      for_each = local.assume_conditions
+      content {
+        test     = condition.value["test"]
+        values   = condition.value["values"]
+        variable = condition.value["variable"]
+      }
+    }
   }
 
   statement {

diff --git a/modules/managed-cloud/variables.tf b/modules/managed-cloud/variables.tf
@@ -25,7 +25,26 @@ variable "create_bootstrap_role" {
 }
 
 variable "region" {
-  description = "The AWS region where your instance of StreamNative Cloud is deployed, i.e. \"us-west-2\""
+  default     = "*"
+  description = "The AWS region where your instance of StreamNative Cloud is deployed. Defaults to all regions \"*\""
+  type        = string
+}
+
+variable "external_id" {
+  default     = ""
+  description = "The external ID, provided by StreamNative, which is used for all assume role calls. If not provided, no check for external_id is added. (NOTE: a future version will force the passing of this parameter)"
+  type        = string
+}
+
+variable "source_identities" {
+  default     = []
+  description = "Place an additional constraint on source identity, disabled by default and only to be used if specified by StreamNative"
+  type        = list
+}
+
+variable "source_identity_test" {
+  default     = "ForAnyValue:StringLike"
+  description = "The test to use for source identity"
   type        = string
 }
 
@@ -42,6 +61,7 @@ variable "streamnative_google_account_id" {
 }
 
 variable "streamnative_vendor_access_role_arn" {
+  default     = "arn:aws:iam::311022431024:role/cloud-manager"
   description = "The arn for the IAM principle (role) provided by StreamNative. This role is used exclusively by StreamNative (with strict permissions) for vendor access into your AWS account"
   type        = string
 }
@@ -50,4 +70,4 @@ variable "tags" {
   default     = {}
   description = "Extra tags to apply to the resources created by this module."
   type        = map(string)
-}
+}