From 7e53d4847000b2e25fc1bdd2a3c47dcde62d8c4e Mon Sep 17 00:00:00 2001
From: Max Xu
Date: Mon, 19 Jun 2023 10:24:58 +0800
Subject: [PATCH] chore: tidy code and README (#25)
Signed-off-by: Max Xu
---
 .github/CODEOWNERS | 2 +-
 README.md | 20 ++++++++++++---
 modules/aws/main.tf | 59 ++++++++++++++++++---------------------
 3 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 7fcdc8e..e6dc1a1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -12,5 +12,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# Owning team's slack is #f_cloud_terraform
+# Owning team's slack is #f_sn_cloud
 * @streamnative/cloud
diff --git a/README.md b/README.md
index 93e45b5..8a6e587 100644
--- a/README.md
+++ b/README.md
@@ -15,21 +15,35 @@
 -->
 # StreamNative Managed Cloud
-This repository contains Terraform modules for the management of StreamNative's vendor access into a Cloud Provider.
+This repository contains Terraform modules for the management of StreamNative's vendor access to a Cloud Provider.
-Previous verions of these modules can be found in the following locations:
+Previous versions of these modules can be found in the following locations:
 - [terraform-aws-cloud//modules/managed-cloud?ref=v2.5.0](https://github.com/streamnative/terraform-aws-cloud/tree/v2.5.0-alpha/modules/managed-cloud): This was the original location of the AWS vendor access module, which has been moved to this repository. The last version released to the Terraform Registry was `v2.5.0-alpha`.
 - [https://github.com/streamnative/terraform-aws-managed-cloud](https://github.com/streamnative/terraform-aws-managed-cloud): This repository contains an older AWS vendor access module, which has been deprecated and is no longer in use.
 ## Modules
 The modules are organized by Cloud Provider. For example, the AWS modules are in the `modules/aws` directory and the GCP modules (WIP) modules are in the `modules/gcp`, and so on.
+## Quickstart
+
+### Using AWS module
+
+Run the following terraform file within your AWS profile:
+
+```hcl
+module "sn_managed_cloud" {
+ source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.1.1"
+
+ external_id = ""
+}
+```
+
 ## Examples
 Examples of the modules can be found in the `examples` directory. Details on the modules themselves and their requirements can be found in their respective README files, contained in the `modules` directory.
-## Upgrading an existing AWS module
+## Upgrading from the old AWS modules
 If you have used the previous version of the AWS vendor access module, your configuration should have looked something like this:
 ```hcl
diff --git a/modules/aws/main.tf b/modules/aws/main.tf
index 939b16c..988e9be 100644
--- a/modules/aws/main.tf
+++ b/modules/aws/main.tf
@@ -16,18 +16,7 @@
 data "aws_caller_identity" "current" {}
-data "aws_iam_policy_document" "streamnative_vendor_access" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "AWS"
- identifiers = var.streamnative_vendor_access_role_arns
- }
- }
-}
-
+data "aws_partition" "current" {}
 data "aws_kms_key" "ebs_default" {
 key_id = "alias/aws/ebs"
@@ -37,8 +26,6 @@ data "aws_kms_key" "s3_default" {
 key_id = "alias/aws/s3"
 }
-data "aws_partition" "current" {}
-
 locals {
 account_id = data.aws_caller_identity.current.account_id
 additional_iam_policy_arns = distinct(compact(var.additional_iam_policy_arns))
@@ -70,7 +57,7 @@ locals {
 ######
 #-- Trust Relationship for StreamNative Vendor Access Roles
 ######
-data "aws_iam_policy_document" "streamnative_control_plane_access" {
+data "aws_iam_policy_document" "streamnative_bootstrap_access" {
 statement {
 sid = "AllowStreamNativeVendorAccess"
 effect = "Allow"
@@ -90,6 +77,25 @@ data "aws_iam_policy_document" "streamnative_control_plane_access" {
 }
 }
+ statement {
+ sid = "AllowStreamNativeEngineerAccess"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = var.streamnative_support_access_role_arns
+ }
+ dynamic "condition" {
+ for_each = local.support_assume_conditions
+ content {
+ test = condition.value["test"]
+ values = condition.value["values"]
+ variable = condition.value["variable"]
+ }
+ }
+ }
+
 statement {
 sid = "AllowStreamNativeControlPlaneAccess"
 effect = "Allow"
@@ -109,7 +115,7 @@ data "aws_iam_policy_document" "streamnative_control_plane_access" {
 }
 }
-data "aws_iam_policy_document" "streamnative_bootstrap_access" {
+data "aws_iam_policy_document" "streamnative_management_access" {
 statement {
 sid = "AllowStreamNativeVendorAccess"
 effect = "Allow"
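Review bot: The `AllowStreamNativeEngineerAccess` statement added in the `@@ -90,6 +77,25 @@` hunk grants `sts:AssumeRole` to `var.streamnative_support_access_role_arns`, and its only restrictions are the `dynamic "condition"` blocks generated from `local.support_assume_conditions`; if that local can evaluate to an empty list, the statement ends up with principals and no condition at all. Neither the local nor the variable is defined inside this patch, so it may already be guarded elsewhere, but a validation on the local or a comment above the statement would make the intent visible, e.g. `# Support-engineer assume-role access; every restriction on it comes from local.support_assume_conditions, which must not be empty.` The statement itself is textually identical to the one removed from the other document in the `@@ -129,25 +135,6 @@` hunk, so the statement content does not change, only which named document carries it. The enclosing data source's remaining statements lie outside this hunk.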
@@ -129,25 +135,6 @@ data "aws_iam_policy_document" "streamnative_bootstrap_access" {
 }
 }
- statement {
- sid = "AllowStreamNativeEngineerAccess"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "AWS"
- identifiers = var.streamnative_support_access_role_arns
- }
- dynamic "condition" {
- for_each = local.support_assume_conditions
- content {
- test = condition.value["test"]
- values = condition.value["values"]
- variable = condition.value["variable"]
- }
- }
- }
-
 statement {
 sid = "AllowStreamNativeControlPlaneAccess"
 effect = "Allow"
@@ -247,7 +234,7 @@ resource "aws_iam_policy" "management_role" {
 resource "aws_iam_role" "management_role" {
 name = "StreamNativeCloudManagementRole${var.test_suffix}"
 description = "This role is used by StreamNative for the day to day management of the StreamNative Cloud deployment."
- assume_role_policy = data.aws_iam_policy_document.streamnative_control_plane_access.json
+ assume_role_policy = data.aws_iam_policy_document.streamnative_management_access.json
 path = "/StreamNative/"
 permissions_boundary = aws_iam_policy.permission_boundary.arn
 tags = local.tag_set
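Review bot: The `assume_role_policy` change in the `@@ -247,7 +234,7 @@` hunk may alter the management role's trust policy rather than just its reference: `management_role` now reads `streamnative_management_access`, which is the document formerly named `streamnative_bootstrap_access` with its engineer statement removed, whereas it previously read the document formerly named `streamnative_control_plane_access`. Whether the `AllowStreamNativeVendorAccess` and `AllowStreamNativeControlPlaneAccess` statements of those two documents are identical is not visible in these hunks, so a `chore` commit could end up changing who may assume the management role. It would be worth confirming that `terraform plan` shows no `assume_role_policy` diff for `aws_iam_role.management_role`, and doing the same for whichever role consumes `streamnative_bootstrap_access`, which now points at a different document and is outside this patch. A line in the commit message stating that the two documents were swapped by name on purpose would also help the next reader.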