feat: workload identity federation

meshcloud · Mar 21, 2024 · f31cd3b · f31cd3b
1 parent a60d551
commit f31cd3b
Show file tree

Hide file tree

Showing 9 changed files with 130 additions and 0 deletions.
diff --git a/identity_provider.tf b/identity_provider.tf
@@ -0,0 +1,8 @@
+# in case of workload identity federation we must add the appropriate identity provider
+resource "aws_iam_openid_connect_provider" "meshstack" {
+  count = var.workload_identity_federation != null ? 1 : 0
+
+  url             = var.workload_identity_federation.issuer
+  client_id_list  = [var.workload_identity_federation.audience]
+  thumbprint_list = [var.workload_identity_federation.thumbprint]
+}
diff --git a/main.tf b/main.tf
@@ -17,6 +17,12 @@ module "meshcloud_account_metering_access" {
   privileged_external_id               = var.cost_explorer_privileged_external_id
   management_account_service_role_name = var.cost_explorer_management_account_service_role_name
   meshcloud_account_service_user_name  = var.cost_explorer_meshcloud_account_service_user_name
+
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    issuer                = var.workload_identity_federation.issuer,
+    subject               = var.kraken_subject,
+    identity_provider_arn = aws_iam_openid_connect_provider.meshstack.arn
+  }
 }
 
 module "meshcloud_account_replicator_access" {
@@ -30,6 +36,12 @@ module "meshcloud_account_replicator_access" {
   meshcloud_account_service_user_name  = var.meshcloud_account_service_user_name
   management_account_service_role_name = var.management_account_service_role_name
   automation_account_service_role_name = var.automation_account_service_role_name
+
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    issuer                = var.workload_identity_federation.issuer,
+    subject               = var.replicator_subject,
+    identity_provider_arn = aws_iam_openid_connect_provider.meshstack.arn
+  }
 }
 
 module "management_account_metering_access" {

diff --git a/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/data.tf b/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/data.tf
@@ -19,3 +19,31 @@ data "aws_iam_policy_document" "meshcloud_cost_explorer_user_assume_role" {
     }
   }
 }
+
+data "aws_iam_policy_document" "workload_identity_federation" {
+  count   = var.workload_identity_federation == null ? 0 : 1
+  version = "2012-10-17"
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:${var.workload_identity_federation.identity_provider_arn}"]
+    }
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:aud}"
+
+      values = [var.workload_identity_federation.audience]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:sub}"
+
+      values = [var.workload_identity_federation.subject]
+    }
+  }
+}
diff --git a/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/module.tf b/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/module.tf
@@ -16,3 +16,19 @@ resource "aws_iam_user_policy_attachment" "meshcloud_cost_explorer" {
   user       = aws_iam_user.meshcloud_cost_explorer.name
   policy_arn = aws_iam_policy.meshcloud_cost_explorer_user.arn
 }
+#
+# role which can be assumed by federated workload
+resource "aws_iam_role" "assume_cost_explorer_role" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  name               = "${aws_iam_user.meshcloud_cost_explorer.name}IdentityFederation"
+  assume_role_policy = data.aws_iam_policy_document.workload_identity_federation.json
+}
+
+# attach permissions to assumed role
+resource "aws_iam_role_policy_attachment" "meshfed_service" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  role       = aws_iam_role.assume_cost_explorer_role
+  policy_arn = aws_iam_policy.meshcloud_cost_explorer_user.arn
+}
diff --git a/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/variables.tf b/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/variables.tf
@@ -19,3 +19,8 @@ variable "privileged_external_id" {
   type        = string
   description = "Privileged external ID for the cost-explorer-service to use"
 }
+
+variable "workload_identity_federation" {
+  type    = object({ issuer = string, identity_provider_arn = string, subject = string })
+  default = null
+}
diff --git a/modules/meshcloud-replicator/replicator-meshcloud-account-access/data.tf b/modules/meshcloud-replicator/replicator-meshcloud-account-access/data.tf
@@ -8,6 +8,7 @@ data "aws_partition" "current" {}
 
 data "aws_iam_policy_document" "meshfed_service_user_assume_role" {
   version = "2012-10-17"
+
   statement {
     effect    = "Allow"
     actions   = ["sts:AssumeRole"]
@@ -30,3 +31,31 @@ data "aws_iam_policy_document" "meshfed_service_user_assume_role" {
     }
   }
 }
+
+data "aws_iam_policy_document" "workload_identity_federation" {
+  count   = var.workload_identity_federation == null ? 0 : 1
+  version = "2012-10-17"
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:${var.workload_identity_federation.identity_provider_arn}"]
+    }
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:aud}"
+
+      values = [var.workload_identity_federation.audience]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:sub}"
+
+      values = [var.workload_identity_federation.subject]
+    }
+  }
+}
diff --git a/modules/meshcloud-replicator/replicator-meshcloud-account-access/module.tf b/modules/meshcloud-replicator/replicator-meshcloud-account-access/module.tf
@@ -16,3 +16,19 @@ resource "aws_iam_user_policy_attachment" "meshfed_service" {
   user       = aws_iam_user.meshfed_service.name
   policy_arn = aws_iam_policy.meshfed_service_user.arn
 }
+
+# role which can be assumed by federated workload
+resource "aws_iam_role" "assume_meshfed_service_role" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  name               = "${aws_iam_user.meshfed_service.name}IdentityFederation"
+  assume_role_policy = data.aws_iam_policy_document.workload_identity_federation.json
+}
+
+# attach permissions to assumed role
+resource "aws_iam_role_policy_attachment" "meshfed_service" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  role       = aws_iam_role.assume_meshfed_service_role
+  policy_arn = aws_iam_policy.meshfed_service_user.arn
+}
diff --git a/modules/meshcloud-replicator/replicator-meshcloud-account-access/variables.tf b/modules/meshcloud-replicator/replicator-meshcloud-account-access/variables.tf
@@ -30,3 +30,8 @@ variable "privileged_external_id" {
   type        = string
   description = "Privileged external ID for the meshfed-service to use"
 }
+
+variable "workload_identity_federation" {
+  type    = object({ issuer = string, identity_provider_arn = string, subject = string })
+  default = null
+}
diff --git a/variables.tf b/variables.tf
@@ -79,3 +79,14 @@ variable "support_root_account_via_aws_sso" {
   default     = false
   description = "Set to true to allow meshStack to manage the Organization's AWS Root account's access via AWS SSO."
 }
+
+variable "workload_identity_federation" {
+  type = object({
+    issuer             = string,
+    audience           = string,
+    thumbprint         = string,
+    replicator_subject = string,
+    kraken_subject     = string
+  })
+  default = null
+}