fix: update aws policy and docs (#59)

fix: update aws policy
streamnative · Jan 23, 2024 · a08c964 · a08c964
1 parent 1217189
commit a08c964
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -17,12 +17,10 @@
 # StreamNative Managed Cloud
 This repository contains Terraform modules for the management of StreamNative's vendor access to a Cloud Provider.
 
-Previous versions of these modules can be found in the following locations:
-- [terraform-aws-cloud//modules/managed-cloud?ref=v2.5.0](https://github.com/streamnative/terraform-aws-cloud/tree/v2.5.0-alpha/modules/managed-cloud): This was the original location of the AWS vendor access module, which has been moved to this repository. The last version released to the Terraform Registry was `v2.5.0-alpha`.
-- [https://github.com/streamnative/terraform-aws-managed-cloud](https://github.com/streamnative/terraform-aws-managed-cloud): This repository contains an older AWS vendor access module, which has been deprecated and is no longer in use.
-
 ## Modules
-The modules are organized by Cloud Provider. For example, the AWS modules are in the `modules/aws` directory and the GCP modules (WIP) modules are in the `modules/gcp`, and for Azure the modules are in the `modules/azure` directory, and so on.
+The modules are organized by Cloud Provider. For example, the AWS modules are in the `modules/aws` directory and the GCP modules are in the `modules/gcp`, and for Azure the modules are in the `modules/azure` directory.
+
+More detailed documentation can be viewed in the respective module directory.
 
 ## Quickstart
 
@@ -32,55 +30,62 @@ Run the following terraform file within your AWS profile:
 
 ```hcl
 module "sn_managed_cloud" {
-  source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.1.1"
+  source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=<LATEST_GIT_TAG>"
 
   external_id = "<YOUR_SNCLOUD_ORG_ID>"
 }
 ```
 
-## Examples
-Examples of the modules can be found in the `examples` directory.
-
-Details on the modules themselves and their requirements can be found in their respective README files, contained in the `modules` directory.
+### Using GCP module
 
-## Upgrading from the old AWS modules
-If you have used the previous version of the AWS vendor access module, your configuration should have looked something like this:
+Run the following terraform file within your GCP credentials:
 
 ```hcl
+provider "google" {
+  project = "<YOUR_PROJECT>"
+}
+
 module "sn_managed_cloud" {
-  source = "github.com/streamnative/terraform-aws-cloud//modules/managed-cloud?ref=v2.5.0-alpha"
+  source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=<LATEST_GIT_TAG>"
+  project = "<YOUR_PROJECT>"
+}
+```
+
+### Using Asure module
 
-  external_id                     = "o-kxb4r"
-  runtime_hosted_zone_allowed_ids = ["arn:aws:route53:::hostedzone/Z00048871IAX8IX9HGD0"]
-  region                          = "us-west-2"
-  use_runtime_policy              = true
+Run the following terraform file within your Azure credentials:
 
+```hcl
+provider "azurerm" {
+  features {
+
+  }
 }
-```
 
-Upgrading to this version of the module is quite simple, but does involve a few minor changes.
+provider "azuread" {}
 
-- The `source` URL has changed to `github.com/streamnative/terraform--managed-cloud//modules/aws?ref=v3.0.1` (note the tag reference, which as of this writing is `v3.0.1`).
-- `use_runtime_policy` has been removed, as it is now the default behavior.
-- `runtime_hosted_zone_allowed_ids` has been renamed to `hosted_zone_allowed_ids`, and it now properly accepts a list of IDs for your hosted zones, rather than the full ARNs.
+module "azure_sn_cloud_manager" {
+  source = "github.com/streamnative/terraform-managed-cloud//modules/azure/sn-cloud-manager?ref=<LATEST_GIT_TAG>"
 
-With these changes in mind, your configuration should now look like this:
+  resource_group_location = "<RESOURCE_GROUP_LOCATION>"
+  streamnative_org_id = "<YOUR_SNCLOUD_ORG_ID>"
+}
 
-```hcl
 module "sn_managed_cloud" {
-  source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.0.1"
+  source = "github.com/streamnative/terraform-managed-cloud//modules/azure/vendor-access?ref=<LATEST_GIT_TAG>"
+
+  resource_group_name     = "<RESOURCE_GROUP_NAME>"
+  resource_group_location = "<RESOURCE_GROUP_LOCATION>"
 
-  external_id             = "o-kxb4r"
-  hosted_zone_allowed_ids = ["Z00048871IAX8IX9HGD0"]
-  region                  = "us-west-2"
+  streamnative_org_id = "<YOUR_SNCLOUD_ORG_ID>"
 
+  depends_on = [
+    module.azure-sn-cloud-manager
+  ]
 }
 ```
 
-After making changes to your configuration, you can run `terraform init` to download the new module, and then `terraform apply` to apply the changes. 
-
-In most cases, you will see the module wanting to change 7 resources (the total number of resources created by this module, if `use_runtime_policy` was set to `true`).
-
-Most of the changes are in the IAM policies, which allow for compatability with the [v3.0.0 release](https://github.com/streamnative/terraform-aws-cloud/pull/91) of the `terraform-aws-cloud` module (this Terraform module is used for creating a StreamNative Cloud EKS environment).
+## Examples
+Examples of the modules can be found in the `examples` directory.
 
-If you have questions or concerns with these changes, please reach out to your StreamNative account representative.
+Details on the modules themselves and their requirements can be found in their respective README files, contained in the `modules` directory.
diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -71,9 +71,6 @@ module "sn_managed_cloud" {
   source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.0.0"
 
   external_id             = "<YOUR_SNCLOUD_ORG_ID>"
-  hosted_zone_allowed_ids = [ "<YOUR_R3_HOSTED_ZONE_IDs>" ]
-  region                  = "<YOUR_REGION>"
-
 }
 ```
 

diff --git a/modules/aws/files/bootstrap_role_iam_policy.json.tpl b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
@@ -300,6 +300,8 @@
       "Action": [
         "iam:AddRoleToInstanceProfile",
         "iam:CreateRole",
+        "iam:CreatePolicy",
+        "iam:CreatePolicyVersion",
         "iam:DeleteInstanceProfile",
         "iam:DeleteOpenIDConnectProvider",
         "iam:DeleteRole",

diff --git a/modules/aws/files/permission_boundary_iam_policy.json.tpl b/modules/aws/files/permission_boundary_iam_policy.json.tpl
@@ -35,6 +35,8 @@
         "iam:AddRoleToInstanceProfile",
         "iam:CreateOpenIDConnectProvider",
         "iam:CreateServiceLinkedRole",
+        "iam:CreatePolicy",
+        "iam:CreatePolicyVersion",
         "iam:DeleteInstanceProfile",
         "iam:DeleteOpenIDConnectProvider",
         "iam:DeletePolicy",