feat: support for aws permission boundary (#157)

ondrej-smola · ianaya89 · commit d153753fb694 · 2025-05-07T23:45:05.000-03:00
build(deps): bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 (#161) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@1481404...4afd733) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ignacio Anaya <ignacio.anaya89@gmail.com> fix: make resource_prefix computed fix: set resource_prefix after create fix: set resource_prefix after update
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -24,7 +24,7 @@ jobs:
       - run: go mod download
       - run: go build -v .
       - name: Run linters
-        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
 
diff --git a/docs/data-sources/env_aws.md b/docs/data-sources/env_aws.md
@@ -66,11 +66,13 @@ Bring Your Own Cloud (BYOC) AWS environment data source.
 - `maintenance_windows` (Attributes List) List of maintenance windows during which automatic maintenance is permitted. By default updates are applied as soon as they are available. (see [below for nested schema](#nestedatt--maintenance_windows))
 - `node_groups` (Attributes Set) List of node groups. At least one required. (see [below for nested schema](#nestedatt--node_groups))
 - `peering_connections` (Attributes List) AWS environment VPC peering configuration. (see [below for nested schema](#nestedatt--peering_connections))
+- `permissions_boundary_policy_arn` (String) Policy ARN that sets the maximum permissions for the IAM roles created by the environment. **[IMMUTABLE]**
 - `region` (String) AWS region ([docs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html#Concepts.RegionsAndAvailabilityZones.Regions)). **[IMMUTABLE]**
 
 		Examples:
 		- "us-east-1"
 		- "sa-east-1"
+- `resource_prefix` (String) Resource prefix used for provisioned resources **[IMMUTABLE]**
 - `skip_deprovision_on_destroy` (Boolean) Set to `true` will delete without waiting for environment deprovisioning. Use this with precaution, it may end up with dangling resources in your cloud provider (default `false`).
 - `spec_revision` (Number) Spec revision
 - `tags` (Attributes List) Tags to apply to AWS resources. (see [below for nested schema](#nestedatt--tags))
diff --git a/docs/resources/env_aws.md b/docs/resources/env_aws.md
@@ -258,6 +258,8 @@ resource "aws_vpc_peering_connection_accepter" "peer" {
 - `maintenance_windows` (Attributes List) List of maintenance windows during which automatic maintenance is permitted. By default updates are applied as soon as they are available. (see [below for nested schema](#nestedatt--maintenance_windows))
 - `nat` (Boolean) Enable AWS NAT Gateway. **[IMMUTABLE]**
 - `peering_connections` (Attributes List) AWS environment VPC peering configuration. (see [below for nested schema](#nestedatt--peering_connections))
+- `permissions_boundary_policy_arn` (String) Policy ARN that sets the maximum permissions for the IAM roles created by the environment. **[IMMUTABLE]**
+- `resource_prefix` (String) Resource prefix used for provisioned resources **[IMMUTABLE]**
 - `skip_deprovision_on_destroy` (Boolean) Set to `true` will delete without waiting for environment deprovisioning. Use this with precaution, it may end up with dangling resources in your cloud provider (default `false`).
 - `tags` (Attributes List) Tags to apply to AWS resources. (see [below for nested schema](#nestedatt--tags))
 - `zones` (List of String) Explicit list of AWS availability zones. At least 2 required.
diff --git a/internal/provider/common/docs.go b/internal/provider/common/docs.go
@@ -138,6 +138,8 @@ const ENDPOINT_SERVICE_NAME_DESCRIPTION = "VPC endpoint service name in $endpoin
 const ENDPOINT_ALIAS_DESCRIPTION = "By default, VPC endpoints get assigned $endpoint_service_id.$env_name.altinity.cloud DNS record. Alias allows to override DNS record name to `$alias.$env_name.altinity.cloud`."
 const ENDPOINT_PRIVATE_DNS_DESCRIPTION = "`true` indicates whether to associate a private hosted zone with the specified VPC (default `false`)."
 const CLOUD_CONNECT_DESCRIPTION = "`true` indicates that cloud resources are to be managed via altinity/cloud-connect and `false` means direct management (default `true`). **[IMMUTABLE]**"
+const PERMISSIONS_BOUNDARY_POLICY_ARN_DESCRIPTION = "Policy ARN that sets the maximum permissions for the IAM roles created by the environment. **[IMMUTABLE]**"
+const RESOURCE_PREFIX_DESCRIPTION = "Resource prefix used for provisioned resources **[IMMUTABLE]**"
 const NAT_DESCRIPTION = "Enable AWS NAT Gateway. **[IMMUTABLE]**"
 
 // GCP descriptions.
diff --git a/internal/provider/env/aws/model.go b/internal/provider/env/aws/model.go
@@ -9,22 +9,24 @@ import (
 )
 
 type AWSEnvResourceModel struct {
-	Id                    types.String                    `tfsdk:"id"`
-	Name                  types.String                    `tfsdk:"name"`
-	CustomDomain          types.String                    `tfsdk:"custom_domain"`
-	LoadBalancingStrategy types.String                    `tfsdk:"load_balancing_strategy"`
-	Region                types.String                    `tfsdk:"region"`
-	NAT                   types.Bool                      `tfsdk:"nat"`
-	CIDR                  types.String                    `tfsdk:"cidr"`
-	AWSAccountID          types.String                    `tfsdk:"aws_account_id"`
-	Zones                 types.List                      `tfsdk:"zones"`
-	LoadBalancers         *LoadBalancersModel             `tfsdk:"load_balancers"`
-	NodeGroups            []common.NodeGroupsModel        `tfsdk:"node_groups"`
-	PeeringConnections    []AWSEnvPeeringConnectionModel  `tfsdk:"peering_connections"`
-	Endpoints             []AWSEnvEndpointModel           `tfsdk:"endpoints"`
-	Tags                  []common.KeyValueModel          `tfsdk:"tags"`
-	CloudConnect          types.Bool                      `tfsdk:"cloud_connect"`
-	MaintenanceWindows    []common.MaintenanceWindowModel `tfsdk:"maintenance_windows"`
+	Id                           types.String                    `tfsdk:"id"`
+	Name                         types.String                    `tfsdk:"name"`
+	CustomDomain                 types.String                    `tfsdk:"custom_domain"`
+	LoadBalancingStrategy        types.String                    `tfsdk:"load_balancing_strategy"`
+	Region                       types.String                    `tfsdk:"region"`
+	PermissionsBoundaryPolicyArn types.String                    `tfsdk:"permissions_boundary_policy_arn"`
+	ResourcePrefix               types.String                    `tfsdk:"resource_prefix"`
+	NAT                          types.Bool                      `tfsdk:"nat"`
+	CIDR                         types.String                    `tfsdk:"cidr"`
+	AWSAccountID                 types.String                    `tfsdk:"aws_account_id"`
+	Zones                        types.List                      `tfsdk:"zones"`
+	LoadBalancers                *LoadBalancersModel             `tfsdk:"load_balancers"`
+	NodeGroups                   []common.NodeGroupsModel        `tfsdk:"node_groups"`
+	PeeringConnections           []AWSEnvPeeringConnectionModel  `tfsdk:"peering_connections"`
+	Endpoints                    []AWSEnvEndpointModel           `tfsdk:"endpoints"`
+	Tags                         []common.KeyValueModel          `tfsdk:"tags"`
+	CloudConnect                 types.Bool                      `tfsdk:"cloud_connect"`
+	MaintenanceWindows           []common.MaintenanceWindowModel `tfsdk:"maintenance_windows"`
 
 	SpecRevision                 types.Int64 `tfsdk:"spec_revision"`
 	ForceDestroy                 types.Bool  `tfsdk:"force_destroy"`
@@ -102,20 +104,22 @@ func (e AWSEnvResourceModel) toSDK() (sdk.CreateAWSEnvInput, sdk.UpdateAWSEnvInp
 	create := sdk.CreateAWSEnvInput{
 		Name: e.Name.ValueString(),
 		Spec: &sdk.CreateAWSEnvSpecInput{
-			CustomDomain:          e.CustomDomain.ValueStringPointer(),
-			LoadBalancingStrategy: loadBalancingStrategy,
-			LoadBalancers:         LoadBalancers,
-			NodeGroups:            nodeGroups,
-			Region:                e.Region.ValueString(),
-			Nat:                   e.NAT.ValueBoolPointer(),
-			AWSAccountID:          e.AWSAccountID.ValueString(),
-			Cidr:                  e.CIDR.ValueString(),
-			Zones:                 zones,
-			PeeringConnections:    peeringConnections,
-			Endpoints:             endpoints,
-			Tags:                  tags,
-			CloudConnect:          &cloudConnect,
-			MaintenanceWindows:    maintenanceWindows,
+			CustomDomain:                 e.CustomDomain.ValueStringPointer(),
+			LoadBalancingStrategy:        loadBalancingStrategy,
+			LoadBalancers:                LoadBalancers,
+			NodeGroups:                   nodeGroups,
+			Region:                       e.Region.ValueString(),
+			Nat:                          e.NAT.ValueBoolPointer(),
+			AWSAccountID:                 e.AWSAccountID.ValueString(),
+			Cidr:                         e.CIDR.ValueString(),
+			Zones:                        zones,
+			PeeringConnections:           peeringConnections,
+			Endpoints:                    endpoints,
+			Tags:                         tags,
+			CloudConnect:                 &cloudConnect,
+			MaintenanceWindows:           maintenanceWindows,
+			PermissionsBoundaryPolicyArn: e.PermissionsBoundaryPolicyArn.ValueStringPointer(),
+			ResourcePrefix:               e.ResourcePrefix.ValueStringPointer(),
 		},
 	}
 
@@ -151,6 +155,8 @@ func (model *AWSEnvResourceModel) toModel(env sdk.GetAWSEnv_AWSEnv) {
 	model.NodeGroups = nodeGroupsToModel(env.Spec.NodeGroups)
 	model.MaintenanceWindows = maintenanceWindowsToModel(env.Spec.MaintenanceWindows)
 	model.Zones = common.ListToModel(env.Spec.Zones)
+	model.PermissionsBoundaryPolicyArn = types.StringPointerValue(env.Spec.PermissionsBoundaryPolicyArn)
+	model.ResourcePrefix = types.StringValue(env.Spec.ResourcePrefix)
 
 	var peeringConnections []AWSEnvPeeringConnectionModel
 	for _, p := range env.Spec.PeeringConnections {
diff --git a/internal/provider/env/aws/resource.go b/internal/provider/env/aws/resource.go
@@ -55,6 +55,7 @@ func (r *AWSEnvResource) Create(ctx context.Context, req resource.CreateRequest,
 	data.Zones = common.ListToModel(apiResp.CreateAWSEnv.Spec.Zones)
 	data.NodeGroups = nodeGroupsToModel(apiResp.CreateAWSEnv.Spec.NodeGroups)
 	data.SpecRevision = types.Int64Value(apiResp.CreateAWSEnv.SpecRevision)
+	data.ResourcePrefix = types.StringValue(apiResp.CreateAWSEnv.Spec.ResourcePrefix)
 
 	tflog.Trace(ctx, "created resource", map[string]interface{}{"name": envName})
 	diags = resp.State.Set(ctx, &data)
@@ -120,6 +121,7 @@ func (r *AWSEnvResource) Update(ctx context.Context, req resource.UpdateRequest,
 	data.Zones = common.ListToModel(apiResp.UpdateAWSEnv.Spec.Zones)
 	data.NodeGroups = nodeGroupsToModel(apiResp.UpdateAWSEnv.Spec.NodeGroups)
 	data.SpecRevision = types.Int64Value(apiResp.UpdateAWSEnv.SpecRevision)
+	data.ResourcePrefix = types.StringValue(apiResp.UpdateAWSEnv.Spec.ResourcePrefix)
 
 	tflog.Trace(ctx, "updated resource", map[string]interface{}{"name": envName})
 	diags = resp.State.Set(ctx, &data)
diff --git a/internal/provider/env/aws/schema.go b/internal/provider/env/aws/schema.go
@@ -41,6 +41,9 @@ func (r *AWSEnvResource) Schema(ctx context.Context, req resource.SchemaRequest,
 			"endpoints":                       getEndpointsAttribute(false, true, false),
 			"tags":                            getTagsAttribute(false, true, false),
 			"cloud_connect":                   getCloudConnectAttribute(false, true, true),
+			"resource_prefix":                 getResourcePrefixAttribute(false, true, true),
+			"permissions_boundary_policy_arn": getPermissionsBoundaryPolicyArnAttribute(false, true, false),
+
 			"spec_revision":                   common.SpecRevisionAttribute,
 			"force_destroy":                   common.GetForceDestroyAttribute(false, true, true),
 			"force_destroy_clusters":          common.GetForceDestroyClustersAttribute(false, true, true),
@@ -54,23 +57,25 @@ func (d *AWSEnvDataSource) Schema(ctx context.Context, req datasource.SchemaRequ
 	resp.Schema = dschema.Schema{
 		MarkdownDescription: heredoc.Doc(`Bring Your Own Cloud (BYOC) AWS environment data source.`),
 		Attributes: map[string]dschema.Attribute{
-			"id":                      common.IDAttribute,
-			"name":                    common.NameAttribute,
-			"custom_domain":           common.GetCommonCustomDomainAttribute(false, false, true),
-			"load_balancers":          getLoadBalancersAttribute(false, false, true),
-			"load_balancing_strategy": common.GetLoadBalancingStrategyAttribute(false, false, true),
-			"maintenance_windows":     common.GetMaintenanceWindowAttribute(false, false, true),
-			"cidr":                    common.GetCIDRAttribute(false, false, true),
-			"zones":                   getZonesAttribute(false, false, true, common.AWS_ZONES_DESCRIPTION),
-			"node_groups":             common.GetNodeGroupsAttribute(false, false, true),
-			"aws_account_id":          getAWSAccountIDAttribute(false, false, true),
-			"region":                  common.GetRegionAttribute(false, false, true, common.AWS_REGION_DESCRIPTION),
-			"nat":                     getNATAttribute(false, true, true),
-			"peering_connections":     getPeeringConnectionsAttribute(false, false, true),
-			"endpoints":               getEndpointsAttribute(false, false, true),
-			"tags":                    getTagsAttribute(false, false, true),
-			"cloud_connect":           getCloudConnectAttribute(false, false, true),
-			"spec_revision":           common.SpecRevisionAttribute,
+			"id":                              common.IDAttribute,
+			"name":                            common.NameAttribute,
+			"custom_domain":                   common.GetCommonCustomDomainAttribute(false, false, true),
+			"load_balancers":                  getLoadBalancersAttribute(false, false, true),
+			"load_balancing_strategy":         common.GetLoadBalancingStrategyAttribute(false, false, true),
+			"maintenance_windows":             common.GetMaintenanceWindowAttribute(false, false, true),
+			"cidr":                            common.GetCIDRAttribute(false, false, true),
+			"zones":                           getZonesAttribute(false, false, true, common.AWS_ZONES_DESCRIPTION),
+			"node_groups":                     common.GetNodeGroupsAttribute(false, false, true),
+			"aws_account_id":                  getAWSAccountIDAttribute(false, false, true),
+			"region":                          common.GetRegionAttribute(false, false, true, common.AWS_REGION_DESCRIPTION),
+			"nat":                             getNATAttribute(false, true, true),
+			"peering_connections":             getPeeringConnectionsAttribute(false, false, true),
+			"endpoints":                       getEndpointsAttribute(false, false, true),
+			"tags":                            getTagsAttribute(false, false, true),
+			"cloud_connect":                   getCloudConnectAttribute(false, false, true),
+			"permissions_boundary_policy_arn": getPermissionsBoundaryPolicyArnAttribute(false, false, true),
+			"resource_prefix":                 getResourcePrefixAttribute(false, false, true),
+			"spec_revision":                   common.SpecRevisionAttribute,
 
 			// these options are not used in data sources,
 			// but we need to include them in the schema to avoid conversion errors.
@@ -204,6 +209,30 @@ func getNATAttribute(required, optional, computed bool) rschema.BoolAttribute {
 	}
 }
 
+func getPermissionsBoundaryPolicyArnAttribute(required, optional, computed bool) rschema.StringAttribute {
+	return rschema.StringAttribute{
+		Required: required,
+		Optional: optional,
+		Computed: computed,
+		PlanModifiers: []planmodifier.String{
+			modifiers.ImmutableString("permissions_boundary_policy_arn"),
+		},
+		MarkdownDescription: common.PERMISSIONS_BOUNDARY_POLICY_ARN_DESCRIPTION,
+	}
+}
+
+func getResourcePrefixAttribute(required, optional, computed bool) rschema.StringAttribute {
+	return rschema.StringAttribute{
+		Required: required,
+		Optional: optional,
+		Computed: computed,
+		PlanModifiers: []planmodifier.String{
+			modifiers.ImmutableString("resource_prefix"),
+		},
+		MarkdownDescription: common.RESOURCE_PREFIX_DESCRIPTION,
+	}
+}
+
 var endpointAttribute = rschema.NestedAttributeObject{
 	Attributes: map[string]rschema.Attribute{
 		"service_name": rschema.StringAttribute{
diff --git a/internal/provider/modifiers/inmutable_string.go b/internal/provider/modifiers/inmutable_string.go
@@ -32,6 +32,11 @@ func (m immutableStringModifier) PlanModifyString(ctx context.Context, req planm
 		return
 	}
 
+	// Skip check if the property is not present in the current configuration
+	if req.ConfigValue.IsNull() {
+		return
+	}
+
 	if req.StateValue.ValueString() != req.PlanValue.ValueString() {
 		resp.Diagnostics.AddAttributeError(path.Root(m.AttributeName), "Immutable Attribute", fmt.Sprintf("%s is immutable and cannot be modified after creation.", m.AttributeName))
 		return
diff --git a/internal/sdk/client/client_gen.go b/internal/sdk/client/client_gen.go
diff --git a/internal/sdk/client/graphql.schema b/internal/sdk/client/graphql.schema
diff --git a/internal/sdk/client/model_gen.go b/internal/sdk/client/model_gen.go
diff --git a/internal/sdk/client/schema_aws_env.graphql b/internal/sdk/client/schema_aws_env.graphql
