fix: associate meshfed service role with portfolio
felixzieger committed Jan 22, 2024
1 parent ae996e0 commit d3c43cf
Showing 7 changed files with 23 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -194,6 +194,7 @@ Before opening a Pull Request, we recommend following the below steps to get a f
| <a name="input_automation_account_service_role_name"></a> [automation\_account\_service\_role\_name](#input\_automation\_account\_service\_role\_name) | Name of the custom role in the automation account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-3-automation | `string` | `"MeshfedAutomationRole"` | no |
| <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | AWS SSO Instance ARN. Needs to be of the form arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxx. Setup instructions https://docs.meshcloud.io/docs/meshstack.aws.sso-setup.html. | `string` | n/a | yes |
| <a name="input_control_tower_enrollment_enabled"></a> [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform. | `bool` | `false` | no |
| <a name="input_control_tower_portfolio_id"></a> [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no |
| <a name="input_cost_explorer_management_account_service_role_name"></a> [cost\_explorer\_management\_account\_service\_role\_name](#input\_cost\_explorer\_management\_account\_service\_role\_name) | Name of the custom role in the management account used by the cost explorer user. | `string` | `"MeshCostExplorerServiceRole"` | no |
| <a name="input_cost_explorer_meshcloud_account_service_user_name"></a> [cost\_explorer\_meshcloud\_account\_service\_user\_name](#input\_cost\_explorer\_meshcloud\_account\_service\_user\_name) | Name of the user using cost explorer service to collect metering data. | `string` | `"meshcloud-cost-explorer-user"` | no |
| <a name="input_cost_explorer_privileged_external_id"></a> [cost\_explorer\_privileged\_external\_id](#input\_cost\_explorer\_privileged\_external\_id) | Set this variable to a random UUID version 4. The external id is a secondary key to make an AssumeRole API call. | `string` | n/a | yes |
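Review bot: the new `control_tower_portfolio_id` row in this table says "Must be set for AWS Control Tower" but shows a default of `""` and Required = `no`, and it does not tell the reader what value is expected or where it comes from, unlike the neighbouring `aws_sso_instance_arn` row which gives the expected form and a setup link. Suggest a description such as "ID of the Control Tower Service Catalog portfolio (form `port-xxxxxxxxxxx`); required when `control_tower_enrollment_enabled` is `true`", and regenerate the table from the variable.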
1 change: 1 addition & 0 deletions examples/basic-aws-integration/main.tf
Expand Up @@ -43,6 +43,7 @@ module "meshplatform" {

aws_sso_instance_arn = "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxx"
control_tower_enrollment_enable = true
control_tower_portfolio_id = "port-xxxxxxxxxxx"
replicator_privileged_external_id = "replace with random UUID v4"
cost_explorer_privileged_external_id = "replace with random UUID v4"
landing_zone_ou_arns = ["arn:aws:organizations::*:ou/o-*/ou-*"]
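Review bot: the context line directly above the addition, `control_tower_enrollment_enable = true`, is missing the trailing `d`; the module input is `control_tower_enrollment_enabled` (see the root `main.tf` and `variables.tf` hunks in this commit), so `terraform validate` rejects this example with an unsupported-argument error, and the new `control_tower_portfolio_id` line would be passed to a module in which enrollment is never switched on. Not introduced by this change, but since the example is being edited here, fix the argument name in the same commit so the example actually exercises the portfolio association.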
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -57,6 +57,7 @@ module "management_account_replicator_access" {
support_root_account_via_aws_sso = var.support_root_account_via_aws_sso
aws_sso_instance_arn = var.aws_sso_instance_arn
control_tower_enrollment_enabled = var.control_tower_enrollment_enabled
control_tower_portfolio_id = var.control_tower_portfolio_id
meshcloud_account_service_user_name = var.meshcloud_account_service_user_name
management_account_service_role_name = var.management_account_service_role_name
landing_zone_ou_arns = var.landing_zone_ou_arns
Expand Up @@ -26,6 +26,7 @@ No modules.
| [aws_iam_role_policy_attachment.meshfed_service_enrollment_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.meshfed_service_enrollment_sc_adm_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.meshfed_service_enrollment_sc_enduser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_servicecatalog_principal_portfolio_association.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicecatalog_principal_portfolio_association) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.meshfed_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.meshfed_service_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand All @@ -37,6 +38,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes |
| <a name="input_control_tower_enrollment_enabled"></a> [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no |
| <a name="input_control_tower_portfolio_id"></a> [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no |
| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | <pre>[<br> "arn:aws:organizations::*:ou/o-*/ou-*"<br>]</pre> | no |
| <a name="input_management_account_service_role_name"></a> [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
| <a name="input_meshcloud_account_id"></a> [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes |
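Review bot: the resources table now documents a resource literally named `aws_servicecatalog_principal_portfolio_association.example`, which is the placeholder name from the provider documentation rather than one that says what the association is for. Rename the resource in the module (for instance `meshfed_service_portfolio`) and regenerate this README so the generated docs describe the role-to-portfolio grant; the input description "Must be set for AWS Control Tower" has the same problem as in the root README and should state the expected `port-` id and when it is required.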
Expand Up @@ -38,3 +38,9 @@ resource "aws_iam_role_policy_attachment" "meshfed_service_enrollment_additional
role = aws_iam_role.meshfed_service.name
policy_arn = aws_iam_policy.meshfed_service_enrollment_additional[0].arn
}

resource "aws_servicecatalog_principal_portfolio_association" "example" {
count = var.control_tower_enrollment_enabled ? 1 : 0
portfolio_id = var.aws_control_tower_portfolio_id
principal_arn = aws_iam_role.meshfed_service.arn
}
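Review bot: `portfolio_id = var.aws_control_tower_portfolio_id` references a variable that is not declared anywhere in this commit; the variable added to the module is `control_tower_portfolio_id`, so `terraform validate` fails with a reference to an undeclared input variable. Change the line to `portfolio_id = var.control_tower_portfolio_id`. Gating the resource on `var.control_tower_enrollment_enabled` with `count` is consistent with the other enrollment resources in this file, but note what the association grants: the `meshfed_service` role becomes a principal on the whole portfolio and can launch every product in it, so the portfolio id should be validated (see the variables hunk) rather than silently falling through as `""` and failing only at apply time. Also rename `example` to a descriptive resource name before the module docs are regenerated.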
Expand Up @@ -32,6 +32,12 @@ variable "control_tower_enrollment_enabled" {
default = false
}

variable "control_tower_portfolio_id" {
type = string
default = ""
description = "Must be set for AWS Control Tower"
}

variable "aws_sso_instance_arn" {
type = string
description = "ARN of the AWS SSO instance to use"
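Review bot: nothing checks the shape of `control_tower_portfolio_id`, and the empty default combined with "Must be set" in the description means a misconfiguration surfaces only when the association is applied. Add a plan-time format check to this variable, for example
`validation {`
`  condition     = var.control_tower_portfolio_id == "" || can(regex("^port-", var.control_tower_portfolio_id))`
`  error_message = "control_tower_portfolio_id must be a Service Catalog portfolio id of the form port-xxxxxxxxxxx." }`
and make the description say that the value is required when `control_tower_enrollment_enabled` is `true`. The cross-variable check (enrollment enabled but id empty) belongs in a `precondition` on the association resource, since a variable `validation` block cannot reference other variables in older Terraform versions.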
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -9,6 +9,12 @@ variable "control_tower_enrollment_enabled" {
description = "Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform."
}

variable "control_tower_portfolio_id" {
type = string
default = ""
description = "Must be set for AWS Control Tower"
}

variable "replicator_privileged_external_id" {
type = string
description = "Set this variable to a random UUID version 4. The external id is a secondary key to make an AssumeRole API call."
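Review bot: the root variable repeats the vague "Must be set for AWS Control Tower" description while defaulting to `""`, so the contract is contradictory for anyone reading the generated README. Either drop the default (making the input required, which the description implies) or keep it optional and say explicitly that it is only used, and then required, when `control_tower_enrollment_enabled` is `true`, matching the existing description style of `control_tower_enrollment_enabled` directly above; whichever you choose, mirror it in the module variable so both layers agree.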
