From a98f4612837534b47defa488ed9e5092d6caee2c Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 4 Oct 2023 16:14:20 +0100
Subject: [PATCH 1/6] :wrench: Add OIDC IAM Role
---
.../environment-configurations.tf | 20 +++++++++++++++
.../data-platform/iam-policies.tf | 25 +++++++++++++++++++
.../environments/data-platform/iam-roles.tf | 19 ++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 terraform/environments/data-platform/environment-configurations.tf
create mode 100644 terraform/environments/data-platform/iam-policies.tf
create mode 100644 terraform/environments/data-platform/iam-roles.tf
diff --git a/terraform/environments/data-platform/environment-configurations.tf b/terraform/environments/data-platform/environment-configurations.tf
new file mode 100644
index 00000000000..ec7c1e55228
--- /dev/null
+++ b/terraform/environments/data-platform/environment-configurations.tf
@@ -0,0 +1,20 @@
+locals {
+ environment_configuration = local.environment_configurations[local.environment]
+ environment_configurations = {
+ development = {
+ apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ }
+ test = {
+ // TODO: Replace with test values, keeping these as a placeholder
+ apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ }
+ preproduction = {
+ // TODO: Replace with preproduction values, keeping these as a placeholder
+ apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ }
+ production = {
+ // TODO: Replace with production values, keeping these as a placeholder
+ apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/environments/data-platform/iam-policies.tf b/terraform/environments/data-platform/iam-policies.tf
new file mode 100644
index 00000000000..0aed55aa600
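Review bot: Every entry in the new `environment_configurations` map carries the same development-cluster issuer in `apps_tools_eks_oidc_url`, so once the role in iam-roles.tf is applied to test, preproduction or production, its trust policy will accept tokens issued by the development EKS cluster. The `// TODO` comments label these as placeholders, but a placeholder in a trust policy is a live cross-environment trust from the moment it is applied. The same pattern recurs in PATCH 4/6, where `apps_tools_account_id` for all four environments is `local.environment_management.account_ids["data-platform-apps-and-tools-development"]`, and PATCH 5/6 then removes the TODO comments while test and preproduction still reference the development account. Suggest keeping the `// TODO: Replace with <env> values` comments in place and, for any environment whose apps-and-tools account does not exist yet, omitting the attribute altogether so that the `local.environment_configuration.<attr>` lookup fails at plan time instead of silently trusting development.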
--- /dev/null
+++ b/terraform/environments/data-platform/iam-policies.tf
@@ -0,0 +1,25 @@
+// TODO Scope this down...
+
+data "aws_iam_policy_document" "openmetadata" {
+ statement {
+ sid = "openmetadata"
+ effect = "Allow"
+ actions = [
+ "s3:*",
+ "athena:*",
+ "glue:*"
+ ]
+ resources = ["*"]
+ }
+}
+
+module "openmetadata_iam_policy" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name_prefix = "openmetadata"
+
+ policy = data.aws_iam_policy_document.openmetadata.json
+
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/data-platform/iam-roles.tf b/terraform/environments/data-platform/iam-roles.tf
new file mode 100644
index 00000000000..62314a8eeff
--- /dev/null
+++ b/terraform/environments/data-platform/iam-roles.tf
@@ -0,0 +1,19 @@
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "~> 5.0"
+
+ create_role = true
+
+ role_name_prefix = "openmetadata"
+
+ provider_url = local.environment_configuration.apps_tools_eks_oidc_url
+
+ role_policy_arns = [
+ "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
+ module.openmetadata_iam_policy.iam_role_arn
+ ]
+
+ oidc_fully_qualified_subjects = ["system:serviceaccount:openmetadata:airflow"]
+
+ tags = local.tags
+}
\ No newline at end of file
From 2f1538e5dedc46ac50d4918602d65c92eb6531af Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 4 Oct 2023 16:18:35 +0100
Subject: [PATCH 2/6] :pencil2: Typo
---
terraform/environments/data-platform/iam-roles.tf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/data-platform/iam-roles.tf b/terraform/environments/data-platform/iam-roles.tf
index 62314a8eeff..b5d32f278f6 100644
--- a/terraform/environments/data-platform/iam-roles.tf
+++ b/terraform/environments/data-platform/iam-roles.tf
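Review bot: The `openmetadata` policy document grants `s3:*`, `athena:*` and `glue:*` on `resources = ["*"]`, which is full administrative control over every bucket, Glue catalog and Athena workgroup in the account (bucket policy changes and deletion included), and the `// TODO Scope this down...` line is the only record of that intent. Because this policy is attached to a role that principals outside this account assume (iam-roles.tf in the same patch), a compromised OpenMetadata workload would reach the whole data estate rather than the datasets it catalogues. Suggest scoping `resources` to the ARNs of the buckets and Glue databases OpenMetadata actually ingests from and restricting `actions` to the read and metadata operations it needs, or at minimum replacing the TODO with a comment naming the tracking issue and the intended final scope, e.g. `// TODO(<issue-id>): restrict to the ingestion buckets/databases; wildcard is temporary`.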
@@ -1,4 +1,4 @@
-module "iam_assumable_role_admin" {
+module "openmetadata_iam_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "~> 5.0"
@@ -10,7 +10,7 @@ module "iam_assumable_role_admin" {
role_policy_arns = [
"arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
- module.openmetadata_iam_policy.iam_role_arn
+ module.openmetadata_iam_policy.arn
]
oidc_fully_qualified_subjects = ["system:serviceaccount:openmetadata:airflow"]
From 8b4cdfccb43b34217d684058503231fd48640f30 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 4 Oct 2023 16:22:40 +0100
Subject: [PATCH 3/6] :wrench: Add TLS provider
---
terraform/environments/data-platform/platform_versions.tf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/terraform/environments/data-platform/platform_versions.tf b/terraform/environments/data-platform/platform_versions.tf
index 6161ef3bc02..4f1ac2a298e 100644
--- a/terraform/environments/data-platform/platform_versions.tf
+++ b/terraform/environments/data-platform/platform_versions.tf
@@ -8,6 +8,10 @@ terraform {
version = "~> 3.0"
source = "hashicorp/http"
}
+ tls = {
+ source = "hashicorp/tls"
+ version = "4.0.4"
+ }
}
required_version = "~> 1.0"
}
From eb0f45890e6f87d9bf73456a4d29305ec943d3d1 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Thu, 5 Oct 2023 08:40:56 +0000
Subject: [PATCH 4/6] Switch to assumable-role Get account ID from MP secret
Signed-off-by: Jacob Woffenden
---
.../data-platform/environment-configurations.tf | 4 ++++
terraform/environments/data-platform/iam-roles.tf | 15 +++++++--------
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/terraform/environments/data-platform/environment-configurations.tf b/terraform/environments/data-platform/environment-configurations.tf
index ec7c1e55228..38f9fecc661 100644
--- a/terraform/environments/data-platform/environment-configurations.tf
+++ b/terraform/environments/data-platform/environment-configurations.tf
@@ -2,18 +2,22 @@ locals {
environment_configuration = local.environment_configurations[local.environment]
environment_configurations = {
development = {
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
}
test = {
// TODO: Replace with test values, keeping these as a placeholder
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
}
preproduction = {
// TODO: Replace with preproduction values, keeping these as a placeholder
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
}
production = {
// TODO: Replace with production values, keeping these as a placeholder
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
}
}
diff --git a/terraform/environments/data-platform/iam-roles.tf b/terraform/environments/data-platform/iam-roles.tf
index b5d32f278f6..2985ab0a9b0 100644
--- a/terraform/environments/data-platform/iam-roles.tf
+++ b/terraform/environments/data-platform/iam-roles.tf
@@ -1,19 +1,18 @@
module "openmetadata_iam_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
version = "~> 5.0"
-
+
create_role = true
- role_name_prefix = "openmetadata"
+ role_name_prefix = "openmetadata"
+ role_requires_mfa = false
- provider_url = local.environment_configuration.apps_tools_eks_oidc_url
+ trusted_role_arns = ["arn:aws:iam::${local.apps_tools_account_id}:root"]
- role_policy_arns = [
+ custom_role_policy_arns = [
"arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
module.openmetadata_iam_policy.arn
]
- oidc_fully_qualified_subjects = ["system:serviceaccount:openmetadata:airflow"]
-
tags = local.tags
-}
\ No newline at end of file
+}
From 194106adcd2ff48c51813ac87861790d8072294e Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Thu, 5 Oct 2023 08:43:32 +0000
Subject: [PATCH 5/6] Fix reference
Signed-off-by: Jacob Woffenden
---
.../data-platform/environment-configurations.tf | 17 +++++------------
.../environments/data-platform/iam-roles.tf | 2 +-
2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/terraform/environments/data-platform/environment-configurations.tf b/terraform/environments/data-platform/environment-configurations.tf
index 38f9fecc661..e5f58ae69f2 100644
--- a/terraform/environments/data-platform/environment-configurations.tf
+++ b/terraform/environments/data-platform/environment-configurations.tf
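Review bot: `trusted_role_arns = ["arn:aws:iam::${...}:root"]` trusts the entire apps-and-tools account, so any principal in that account that is allowed `sts:AssumeRole` can take this role, whereas the `iam-assumable-role-with-oidc` configuration it replaces pinned the trust to the single `system:serviceaccount:openmetadata:airflow` subject. Combined with `role_requires_mfa = false` and the wildcard policy from iam-policies.tf, the effective boundary for this role is now the IAM hygiene of another account rather than one workload identity. If the OpenMetadata workload in the apps-and-tools account already has its own IAM role (the removed OIDC binding suggests it does), narrowing the trust to that role restores the pinning, e.g. `trusted_role_arns = ["arn:aws:iam::${...}:role/<openmetadata-airflow-role-name>"]` with the role name taken from that account's configuration. If account-wide trust is intended, a comment on the `trusted_role_arns` line stating why `:root` is acceptable here would save the next reviewer the same question.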
@@ -2,23 +2,16 @@ locals {
environment_configuration = local.environment_configurations[local.environment]
environment_configurations = {
development = {
- apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
}
test = {
- // TODO: Replace with test values, keeping these as a placeholder
- apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
}
preproduction = {
- // TODO: Replace with preproduction values, keeping these as a placeholder
- apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
}
production = {
- // TODO: Replace with production values, keeping these as a placeholder
- apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- apps_tools_eks_oidc_url = "oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
+ apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"]
}
}
-}
\ No newline at end of file
+}
diff --git a/terraform/environments/data-platform/iam-roles.tf b/terraform/environments/data-platform/iam-roles.tf
index 2985ab0a9b0..d06dfa9d978 100644
--- a/terraform/environments/data-platform/iam-roles.tf
+++ b/terraform/environments/data-platform/iam-roles.tf
@@ -7,7 +7,7 @@ module "openmetadata_iam_role" {
role_name_prefix = "openmetadata"
role_requires_mfa = false
- trusted_role_arns = ["arn:aws:iam::${local.apps_tools_account_id}:root"]
+ trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.apps_tools_account_id}:root"]
custom_role_policy_arns = [
"arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
From 750988a3480807fa4db4954fc196a281989d3997 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Thu, 5 Oct 2023 08:55:27 +0000
Subject: [PATCH 6/6] Remove TLS provider, it was neede to reverse a change
Signed-off-by: Jacob Woffenden
---
terraform/environments/data-platform/platform_versions.tf | 4 ----
1 file changed, 4 deletions(-)
diff --git a/terraform/environments/data-platform/platform_versions.tf b/terraform/environments/data-platform/platform_versions.tf
index 4f1ac2a298e..6161ef3bc02 100644
--- a/terraform/environments/data-platform/platform_versions.tf
+++ b/terraform/environments/data-platform/platform_versions.tf
@@ -8,10 +8,6 @@ terraform {
version = "~> 3.0"
source = "hashicorp/http"
}
- tls = {
- source = "hashicorp/tls"
- version = "4.0.4"
- }
}
required_version = "~> 1.0"
}