From 0ba06c87cd393db7caa91f603051011de6a13c46 Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Thu, 10 Mar 2022 03:30:39 -0800 Subject: [PATCH] feat: Add Support for Alternative Partitions in ARNs (like govcloud) (#1815) * arn partition is not always aws * correct typo * missed a variable handoff * missing CR at the end * updates to formatting and docs from tflint and terraform-docs --- README.md | 1 + main.tf | 11 ++++++----- modules/runners/README.md | 1 + modules/runners/policies-runner.tf | 4 ++-- .../policies/service-linked-role-create-policy.json | 2 +- modules/runners/pool.tf | 2 ++ modules/runners/pool/main.tf | 2 +- modules/runners/pool/variables.tf | 6 ++++++ modules/runners/scale-down.tf | 2 +- modules/runners/scale-up.tf | 4 ++-- modules/runners/variables.tf | 6 ++++++ modules/setup-iam-permissions/README.md | 1 + modules/setup-iam-permissions/main.tf | 5 ++++- .../policies/assume-role-for-account.json | 2 +- modules/setup-iam-permissions/policies/boundary.json | 2 +- .../policies/deploy-boundary.json | 10 +++++----- modules/setup-iam-permissions/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 18 files changed, 53 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 9d59e2989c..1588b30d6e 100644 --- a/README.md +++ b/README.md @@ -395,6 +395,7 @@ In case the setup does not work as intended follow the trace of events: |------|-------------|------|---------|:--------:| | [ami\_filter](#input\_ami\_filter) | List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used. | `map(list(string))` | `null` | no | | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | +| [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | diff --git a/main.tf b/main.tf index aaf0a56dd9..bcbca23e49 100644 --- a/main.tf +++ b/main.tf @@ -83,11 +83,12 @@ module "webhook" { module "runners" { source = "./modules/runners" - aws_region = var.aws_region - vpc_id = var.vpc_id - subnet_ids = var.subnet_ids - environment = var.environment - tags = local.tags + aws_region = var.aws_region + aws_partition = var.aws_partition + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + environment = var.environment + tags = local.tags s3_bucket_runner_binaries = module.runner_binaries.bucket s3_location_runner_binaries = local.s3_action_runner_url diff --git a/modules/runners/README.md b/modules/runners/README.md index bd3fcd5e21..0be93b9d04 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md @@ -115,6 +115,7 @@ yarn run dist |------|-------------|------|---------|:--------:| | [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` | `null` | no | | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
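Review bot: The new `aws_partition` value is wired only into `module "runners"`; the `module "webhook"` block named in the hunk header, and any other child module that builds ARNs, still receives no partition, so a GovCloud deployment could end up with a mix of `arn:aws-us-gov:` and hard-coded `arn:aws:` ARNs — I cannot see those modules from here, so this needs checking rather than being a confirmed defect. A way to avoid threading the value through every module boundary is the provider's `data "aws_partition" "current" {}` data source, read as `data.aws_partition.current.partition` next to the `data.aws_caller_identity.current` the module already uses; the provider then reports the partition it is actually operating in, and a mismatch between partition and `aws_region` becomes impossible. Keeping `var.aws_partition` as an explicit override with that data source supplying the default would stay backward compatible. The `module "runners"` block continues past the hunk.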
[
"amazon"
]
| no | +| [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf index dc90d47b0b..2e6351ac00 100644 --- a/modules/runners/policies-runner.tf +++ b/modules/runners/policies-runner.tf @@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" { role = aws_iam_role.runner.name policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", { - arn_ssm_parameters_prefix = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" - arn_ssm_parameters_path = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" + arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" + arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" } ) } diff --git a/modules/runners/policies/service-linked-role-create-policy.json b/modules/runners/policies/service-linked-role-create-policy.json index db6224d266..18a47d5104 100644 --- a/modules/runners/policies/service-linked-role-create-policy.json 
+++ b/modules/runners/policies/service-linked-role-create-policy.json @@ -4,7 +4,7 @@ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/*" + "Resource": "arn:${aws_partition}:iam::*:role/aws-service-role/*" } ] } diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf index 6c749a5ca5..87b551ffb0 100644 --- a/modules/runners/pool.tf +++ b/modules/runners/pool.tf @@ -44,4 +44,6 @@ module "pool" { tags = local.tags } + aws_partition = var.aws_partition + } diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index 8c8c24bc04..41c60dc17b 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf @@ -82,7 +82,7 @@ resource "aws_iam_role_policy" "pool_logging" { resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" { count = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.pool.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } data "aws_iam_policy_document" "lambda_assume_role_policy" { diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf index 0fcbe345f9..bc44a91b49 100644 --- a/modules/runners/pool/variables.tf +++ b/modules/runners/pool/variables.tf @@ -50,3 +50,9 @@ variable "config" { role_path = string }) } + +variable "aws_partition" { + description = "(optional) partition for the arn if not 'aws'" + type = string + default = "aws" +} diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index 44b2ae1749..49475fc244 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf 
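Review bot: The new `aws_partition` variable in modules/runners/pool/variables.tf accepts any string, yet it is interpolated straight into the managed-policy `policy_arn` in pool/main.tf and, via the sibling variables, into IAM policy `Resource` ARNs; a typo such as `aws-usgov` is not caught at plan time, and an allow statement whose ARN matches nothing simply stops granting the intended permission without any error pointing at the cause. Since the variable already has `type = string` and the module uses `object({...})` types, a validation block is cheap if the project's minimum Terraform version is 0.13 or later: inside the variable add `validation {` with `condition = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)` and `error_message = "aws_partition must be one of aws, aws-cn, aws-us-gov."` (extend the list if further partitions are expected). The same applies to the identical variables added in modules/runners/variables.tf, modules/setup-iam-permissions/variables.tf and the root variables.tf, whose four descriptions also differ in wording ("partition for the arn", "partition for the base arn", "partition in the arn namespace") and would read better as one sentence, e.g. `description = "(optional) AWS partition used when building ARNs, e.g. aws, aws-cn or aws-us-gov"`.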
@@ -97,5 +97,5 @@ resource "aws_iam_role_policy" "scale_down_logging" { resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_down.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 234e4f7667..c38e81fbce 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -99,11 +99,11 @@ resource "aws_iam_role_policy" "service_linked_role" { count = var.create_service_linked_role_spot ? 1 : 0 name = "${var.environment}-service_linked_role" role = aws_iam_role.scale_up.name - policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {}) + policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition }) } resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_up.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 9fe83656e2..ad04031f4f 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -306,6 +306,12 @@ variable "create_service_linked_role_spot" { default = false } +variable "aws_partition" { + description = "(optional) partition for the base arn if not 'aws'" + type = string + default = "aws" +} + variable "runner_iam_role_managed_policy_arns" { description = "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role" type = list(string) 
diff --git a/modules/setup-iam-permissions/README.md b/modules/setup-iam-permissions/README.md index c0e78f7638..b66adb7e50 100644 --- a/modules/setup-iam-permissions/README.md +++ b/modules/setup-iam-permissions/README.md @@ -70,6 +70,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [account\_id](#input\_account\_id) | The module allows to switch to the created role from the provided account id. | `string` | n/a | yes | +| [aws\_partition](#input\_aws\_partition) | (optional) partition in the arn namespace if not aws | `string` | `"aws"` | no | | [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | | [namespaces](#input\_namespaces) | The role will be only allowed to create roles, policies and instance profiles in the given namespace / path. All policies in the boundaries namespace cannot be modified by this role. |
object({
boundary_namespace = string
role_namespace = string
policy_namespace = string
instance_profile_namespace = string
})
| n/a | yes | diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf index d06c0c7770..a577dfd482 100644 --- a/modules/setup-iam-permissions/main.tf +++ b/modules/setup-iam-permissions/main.tf @@ -5,7 +5,8 @@ resource "aws_iam_role" "deploy" { permissions_boundary = aws_iam_policy.deploy_boundary.arn assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", { - account_id = var.account_id + account_id = var.account_id + aws_partition = var.aws_partition }) } @@ -16,6 +17,7 @@ resource "aws_iam_policy" "boundary" { policy = templatefile("${path.module}/policies/boundary.json", { role_namespace = var.namespaces.role_namespace account_id = data.aws_caller_identity.current.account_id + aws_partition = var.aws_partition }) } @@ -44,5 +46,6 @@ resource "aws_iam_policy" "deploy_boundary" { instance_profile_namespace = var.namespaces.instance_profile_namespace boundary_namespace = var.namespaces.boundary_namespace permission_boundary = aws_iam_policy.boundary.arn + aws_partition = var.aws_partition }) } diff --git a/modules/setup-iam-permissions/policies/assume-role-for-account.json b/modules/setup-iam-permissions/policies/assume-role-for-account.json index d8300991a8..b6c51b5f96 100644 --- a/modules/setup-iam-permissions/policies/assume-role-for-account.json +++ b/modules/setup-iam-permissions/policies/assume-role-for-account.json @@ -3,7 +3,7 @@ "Statement": [ { "Action": "sts:AssumeRole", - "Principal": { "AWS": "arn:aws:iam::${account_id}:root" }, + "Principal": { "AWS": "arn:${aws_partition}:iam::${account_id}:root" }, "Effect": "Allow", "Sid": "", "Condition": { diff --git a/modules/setup-iam-permissions/policies/boundary.json b/modules/setup-iam-permissions/policies/boundary.json index f336edadec..5e9363456a 100644 --- a/modules/setup-iam-permissions/policies/boundary.json +++ b/modules/setup-iam-permissions/policies/boundary.json 
@@ -21,7 +21,7 @@ "Sid": "RoleInNamespace", "Effect": "Allow", "Action": ["iam:PassRole"], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*" }, { "Sid": "Decrypt", diff --git a/modules/setup-iam-permissions/policies/deploy-boundary.json b/modules/setup-iam-permissions/policies/deploy-boundary.json index 1b6f7fc8c8..e6111e5f19 100644 --- a/modules/setup-iam-permissions/policies/deploy-boundary.json +++ b/modules/setup-iam-permissions/policies/deploy-boundary.json @@ -10,7 +10,7 @@ "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy" ], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*", + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "${permission_boundary}" @@ -29,7 +29,7 @@ "iam:DetachRolePolicy", "iam:DeleteRolePolicy" ], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*" }, { "Sid": "PolicyInNamespace", @@ -42,7 +42,7 @@ "iam:GetPolicyVersion", "iam:SetDefaultPolicyVersion" ], - "Resource": "arn:aws:iam::${account_id}:policy/${policy_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${policy_namespace}/*" }, { "Sid": "InstanceProfileInNamespace", @@ -54,7 +54,7 @@ "iam:AddRoleToInstanceProfile", "iam:GetInstanceProfile" ], - "Resource": "arn:aws:iam::${account_id}:instance-profile/${instance_profile_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:instance-profile/${instance_profile_namespace}/*" }, { "Sid": "IamListActions", @@ -78,7 +78,7 @@ "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion" ], - "Resource": "arn:aws:iam::${account_id}:policy/${boundary_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${boundary_namespace}/*" }, { "Sid": "Services", 
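Review bot: The five hunks in deploy-boundary.json rewrite the `Resource` ARNs of the namespace-scoped statements, but the file's last visible statement, `"Sid": "Services"`, starts at the edge of the final hunk and is not touched; if it, or any other statement outside these hunks, carries a hard-coded `arn:aws:` string, those grants stay partition-locked and silently match nothing outside the commercial partition. I cannot see the rest of the file from here, so this is a completeness check rather than a confirmed defect: after this change a search for the literal `arn:aws:` across the module's `*.json` and `*.tf` files should return no policy hits, while the `:iam::aws:policy/...` account segment in the `policy_arn` lines is correct as written, since AWS-managed policy ARNs keep the literal `aws` account in every partition. The same check covers boundary.json, whose single hunk leaves the `Decrypt` statement unseen.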
diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf index 32e514a0bb..a67d56648c 100644 --- a/modules/setup-iam-permissions/variables.tf +++ b/modules/setup-iam-permissions/variables.tf @@ -18,3 +18,9 @@ variable "account_id" { type = string } + +variable "aws_partition" { + description = "(optional) partition in the arn namespace if not aws" + type = string + default = "aws" +} diff --git a/variables.tf b/variables.tf index 5865e32225..f242649dbd 100644 --- a/variables.tf +++ b/variables.tf @@ -586,6 +586,12 @@ variable "pool_config" { default = [] } +variable "aws_partition" { + description = "(optiona) partition in the arn namespace to use if not 'aws'" + type = string + default = "aws" +} + variable "disable_runner_autoupdate" { description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)" type = bool
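Review bot: The description of the new `aws_partition` variable in the root variables.tf has a typo, `(optiona)`, which terraform-docs has already copied into the README.md input table in this same commit; the fix is `description = "(optional) partition in the arn namespace to use if not 'aws'"` followed by regenerating the README so the two stay in sync. The sibling variable in modules/setup-iam-permissions/variables.tf spells it correctly, so the two could share the same wording.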