Fixed oidc provider

streamnative · Dec 25, 2024 · 559eea4 · 559eea4
1 parent a5929c5
commit 559eea4
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 47 deletions.
diff --git a/modules/aws/sn-volume-access/main.tf b/modules/aws/sn-volume-access/main.tf
@@ -1,21 +1,47 @@
+data "aws_caller_identity" "current" {}
 locals {
-  external_id                = (var.external_id != "" ? [{ test : "StringEquals", variable : "sts:ExternalId", values : [var.external_id] }] : [])
-  assume_conditions          = concat(local.external_id, local.source_identity, local.principal_check, local.vendor_federation)
-  support_assume_conditions  = concat(local.external_id, local.source_identity)
-  source_identity            = (length(var.source_identities) > 0 ? [{ test : var.source_identity_test, variable : "sts:SourceIdentity", values : var.source_identities }] : [])
-  principal_check            = (length(var.streamnative_principal_ids) > 0 ? [{ test : "StringLike", variable : "aws:PrincipalArn", values : var.streamnative_principal_ids }] : [])
-  federated_identifiers = distinct(concat(local.default_federated_identifiers, var.additional_federated_identifiers))
-  tag_set                    = merge({ Vendor = "StreamNative", Module = "StreamNative Volume", SNVersion = var.sn_policy_version }, var.tags)
-  vendor_federation          = (var.enforce_vendor_federation ? [{ test : "StringLike", variable : "aws:FederatedProvider", values : ["accounts.google.com"] }] : [])
-  # this is for data plane access aws s3 bucket role
-  default_federated_identifiers = compact([
-    "accounts.google.com"
-  ])
+  account_id                = data.aws_caller_identity.current.account_id
+  external_id               = (var.external_id != "" ? [{ test : "StringEquals", variable : "sts:ExternalId", values : [var.external_id] }] : [])
+  assume_conditions         = concat(local.external_id, local.source_identity, local.principal_check, local.vendor_federation)
+  support_assume_conditions = concat(local.external_id, local.source_identity)
+  source_identity           = (length(var.source_identities) > 0 ? [{ test : var.source_identity_test, variable : "sts:SourceIdentity", values : var.source_identities }] : [])
+  oidc_providers            = distinct(concat(var.oidc_providers, local.default_oidc_providers))
+  principal_check           = (length(var.streamnative_principal_ids) > 0 ? [{ test : "StringLike", variable : "aws:PrincipalArn", values : var.streamnative_principal_ids }] : [])
+  tag_set                   = merge({ Vendor = "StreamNative", Module = "StreamNative Volume", SNVersion = var.sn_policy_version }, var.tags)
+  vendor_federation         = (var.enforce_vendor_federation ? [{ test : "StringLike", variable : "aws:FederatedProvider", values : ["accounts.google.com"] }] : [])
+  default_oidc_providers    = compact([])
+  conditionSuffix           = ["aud", "sub"]
+  conditions = [
+    for value in local.oidc_providers :
+    [
+      {
+        provider : "${value}",
+        test : "StringEquals",
+        variable : "${value}:aud",
+        values : ["sts.amazonaws.com"]
+      },
+      {
+        provider : "${value}",
+        test : "StringEquals",
+        variable : "${value}:sub",
+        values : [format("system:serviceaccount:%s:*", var.external_id)]
+      }
+    ]
+  ]
+}
+
+output "conditions" {
+  value = local.conditions
+}
+resource "aws_iam_openid_connect_provider" "streamnative_oidc_providers" {
+  count          = length(local.oidc_providers)
+  url            = "https://${var.oidc_providers[count.index]}"
+  client_id_list = ["sts.amazonaws.com"]
 }
 
 data "aws_iam_policy_document" "streamnative_management_access" {
   statement {
-    sid     = "AllowStreamNativeVendorAccess"
+    sid     = "AllowStreamNativeControlPlaneAccess"
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
 
@@ -33,19 +59,25 @@ data "aws_iam_policy_document" "streamnative_management_access" {
     }
   }
 
-  statement {
-    sid     = "AllowStreamNativeControlPlaneAccess"
-    effect  = "Allow"
-    actions = ["sts:AssumeRoleWithWebIdentity"]
+  dynamic "statement" {
+    for_each = local.conditions
+    content {
+      effect  = "Allow"
+      actions = ["sts:AssumeRoleWithWebIdentity"]
 
-    principals {
-      type = "Federated"
-      identifiers = local.federated_identifiers
-    }
-    condition {
-      test     = "StringEquals"
-      values   = length(var.streamnative_google_account_ids) > 0 ? var.streamnative_google_account_ids : [var.streamnative_google_account_id]
-      variable = "accounts.google.com:aud"
+      principals {
+        type        = "Federated"
+        identifiers = [for provider in local.oidc_providers : "arn:aws:iam::${local.account_id}:oidc-provider/${provider}" if "${provider}" == statement.value[0].provider]
+      }
+
+      dynamic "condition" {
+        for_each = toset(statement.value)
+        content {
+          test     = condition.value["test"]
+          values   = condition.value["values"]
+          variable = condition.value["variable"]
+        }
+      }
     }
   }
 }
@@ -54,19 +86,19 @@ data "aws_iam_policy_document" "streamnative_management_access" {
 #-- Create the IAM role for the the StreamNative Cloud data plane access to s3 bucket
 ######
 resource "aws_iam_policy" "access_bucket_role" {
-  name = "sn-${var.external_id}-${var.bucket}-${var.path}"
+  name        = "sn-${var.external_id}-${var.bucket}-${var.path}"
   description = "This policy sets the limits for the access s3 bucket for StreamNative's vendor access."
   path        = "/StreamNative/"
   policy = templatefile("${path.module}/files/sn_volume_s3_bucket.json.tpl",
-  {
-    bucket = var.bucket
-    path = var.path
+    {
+      bucket = var.bucket
+      path   = var.path
   })
   tags = local.tag_set
 }
 
 resource "aws_iam_role" "access_bucket_role" {
-  name = "sn-${var.external_id}-${var.bucket}-${var.path}"
+  name                 = "sn-${var.external_id}-${var.bucket}-${var.path}"
   description          = "This role is used by StreamNative for the access s3 bucket."
   assume_role_policy   = data.aws_iam_policy_document.streamnative_management_access.json
   path                 = "/StreamNative/"

diff --git a/modules/aws/sn-volume-access/variables.tf b/modules/aws/sn-volume-access/variables.tf
@@ -1,6 +1,6 @@
 variable "sn_policy_version" {
   description = "The value of SNVersion tag"
-  default     = "3.16.1"  # {{ x-release-please-version }}
+  default     = "3.16.1" # {{ x-release-please-version }}
   type        = string
 }
 
@@ -10,18 +10,6 @@ variable "region" {
   type        = string
 }
 
-variable "streamnative_google_account_id" {
-  default     = "108050666045451143798"
-  description = "(Deprecated, use streamnative_google_account_ids instead) The Google Cloud service account ID used by StreamNative for Control Plane operations"
-  type        = string
-}
-
-variable "streamnative_google_account_ids" {
-  default     = ["108050666045451143798"]
-  description = "The Google Cloud service account IDs used by StreamNative for Control Plane operations"
-  type        = list(string)
-}
-
 variable "streamnative_vendor_access_role_arns" {
   default     = ["arn:aws:iam::311022431024:role/cloud-manager"]
   description = "This role for access customer s3 bucket on control plane."
@@ -71,11 +59,17 @@ variable "enforce_vendor_federation" {
 }
 
 variable "bucket" {
-    description = "User bucket name"
-    type = string
+  description = "User bucket name"
+  type        = string
 }
 
 variable "path" {
-    description = "S3 bucket path"
-    type = string
+  description = "S3 bucket path"
+  type        = string
 }
+
+variable "oidc_providers" {
+  default     = []
+  description = "Your aws eks cluster OIDC Providers"
+  type        = list(string)
+}