feat: Add support for CloudKeeper Anyscale services (#69)

* feat: Add support for CloudKeeper Anyscale services

- Moved Anyscale Services V2 policy to a new template
- Added support for CloudKeeper Anyscale services
- Added flag to enable/disable the creation of the ELB Service Linked Role

On branch brent/upd-iam-serv-perm
Changes to be committed:
	modified:   CHANGELOG.md
	modified:   README.md
	modified:   getting-started.md
	modified:   main.tf
	modified:   modules/aws-anyscale-iam/README.md
	new file:   modules/aws-anyscale-iam/anyscale-control_plane-services-v2.tmpl
	modified:   modules/aws-anyscale-iam/iam-policies-data.tf
	modified:   modules/aws-anyscale-iam/variables.tf
	modified:   variables.tf

* upd: IAM Role descriptions

Remove the region from the IAM Role descriptions.
With the new AWS provider, the call to the data source to return the region introduced
a deprecation warning. As this is rarely required, it is being removed and the region
will not be part of the IAM Role descriptions.

Changes to be committed:
	modified:   modules/aws-anyscale-iam/README.md
	modified:   modules/aws-anyscale-iam/eks-iam-main.tf
	modified:   modules/aws-anyscale-iam/main.tf

* upd: add tflint rule to skip tmpl files

Changes to be committed:
	modified:   .tflint.hcl

Author: brent-anyscale

.tflint.hcl

@@ -7,6 +7,7 @@ plugin "aws" {
 config {
   call_module_type = "local"
   force            = false
+  exclude = ["**/*.tmpl"]
 }
 
 rule "terraform_required_providers" {

CHANGELOG.md

@@ -1,5 +1,12 @@
+## (NEXT)
+NOTES:
+
 FEATURES:
 - Removed null provider and updated validation of required variables to variables.tf
+- Added additional IAM policies for CloudKeeper deployments of Anyscale Services
+  - Anyscale Services v2 originally managed the deployment and load balancers via Cloudformation. This had inherrent limitations.
+  - Anyscale Services will now be fully managed via the Control Plane via AWS APIs. This requires small adjustments to the IAM policies in use.
+  - A future version will remove the Cloudformation IAM policies.
 
 BUG FIXES:
 - When passing in an organization id as well as the external id, if a cloud ID was also provided, it would not prioritize the correct local value for the external ID.

README.md

@@ -233,6 +233,7 @@ We use GitHub [Issues] to track community reported issues and missing features.
 | <a name="input_anyscale_s3_server_side_encryption"></a> [anyscale\_s3\_server\_side\_encryption](#input\_anyscale\_s3\_server\_side\_encryption) | (Optional) S3 Bucket Server Side Encryption.<br/><br/>Configuration to enforce server side encryption (KMS or AES256).<br/>If you are using KMS, you must proivde the KMS Key ID.<br/><br/>ex using KMS:<pre>anyscale_s3_server_side_encryption = {<br/>  kms_master_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"<br/>  sse_algorithm     = "aws:kms"<br/>}</pre>ex using AES256:<pre>anyscale_s3_server_side_encryption = {<br/>  sse_algorithm = "AES256"<br/>}</pre> | `map(string)` | <pre>{<br/>  "sse_algorithm": "AES256"<br/>}</pre> | no |
 | <a name="input_anyscale_s3_tags"></a> [anyscale\_s3\_tags](#input\_anyscale\_s3\_tags) | (Optional) A map of tags for S3 resources.<br/><br/>Duplicate tags found in the "tags" variable will get duplicated on the resource.<br/><br/>ex:<pre>anyscale_iam_tags = {<br/>  "purpose" : "storage",<br/>  "criticality" : "critical"<br/>}</pre> | `map(string)` | `{}` | no |
 | <a name="input_anyscale_securitygroup_tags"></a> [anyscale\_securitygroup\_tags](#input\_anyscale\_securitygroup\_tags) | (Optional) A map of tags for Security Group resources.<br/><br/>Duplicate tags found in the "tags" variable will get duplicated on the resource.<br/><br/>ex:<pre>anyscale_securitygroup_tags = {<br/>  "purpose" : "security",<br/>  "criticality" : "critical"<br/>}</pre>Default is an empty map. | `map(string)` | `{}` | no |
+| <a name="input_anyscale_servicesv2_create_elb_service_linked_role"></a> [anyscale\_servicesv2\_create\_elb\_service\_linked\_role](#input\_anyscale\_servicesv2\_create\_elb\_service\_linked\_role) | (Optional) Determines if the ELB service linked role is created.<br/><br/>ex:<pre>anyscale_servicesv2_create_elb_service_linked_role = true</pre> | `bool` | `true` | no |
 | <a name="input_anyscale_vpc_cidr_block"></a> [anyscale\_vpc\_cidr\_block](#input\_anyscale\_vpc\_cidr\_block) | (Optional) The IPv4 CIDR block for the VPC.<br/>The CIDR block can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`.<br/><br/>ex:<pre>anyscale_vpc_cidr_block = "10.0.0.0/16"</pre> | `string` | `"10.0.0.0/16"` | no |
 | <a name="input_anyscale_vpc_name"></a> [anyscale\_vpc\_name](#input\_anyscale\_vpc\_name) | (Optional) VPC name.<br/><br/>If provided, will create a VPC with this name.<br/>Defaults to `vpc_<anyscale_cloud_id>` in a local variable if not provided.<br/><br/>ex:<pre>anyscale_vpc_name = "anyscale-vpc"</pre> | `string` | `null` | no |
 | <a name="input_anyscale_vpc_private_subnet_tags"></a> [anyscale\_vpc\_private\_subnet\_tags](#input\_anyscale\_vpc\_private\_subnet\_tags) | (Optional) A map of tags for private subnets.<br/><br/>Duplicate tags found in the `tags` or `anyscale_vpc_tags` variables will get duplicated on the resource.<br/><br/>ex:<pre>anyscale_vpc_private_subnet_tags = {<br/>  "purpose" : "networking",<br/>  "criticality" : "critical"<br/>}</pre> | `map(string)` | `{}` | no |

getting-started.md

@@ -119,8 +119,14 @@ anyscale cloud register --provider aws  \
 --s3-bucket-id anyscale-tf-test-1-fw  \
 --external-id org_1234567890abcdef-example_id
 ```
-
-### 12. Clean up resources (optional):
+### 12. Re-run the Terraform Module with Anyscale cloud ID (optional):
+To enable consistent tagging for billing or to support tag-based conditions in the
+IAM policies for the control plane, set the `anyscale_cloud_id` variable and re-run the Terraform modules.
+This will:
+- Apply consistent tags to all newly created resources
+- Add tag-based conditions and restrictions to IAM policies
+
+### Clean up resources (optional):
 Once you are done, you can destroy the resources created by Terraform:
 ```
 terraform destroy -var-file="terraform.tfvars"

main.tf

@@ -102,6 +102,7 @@ module "aws_anyscale_iam" {
   anyscale_access_servicesv2_policy_name        = local.iam_servicesv2_policy_name
   anyscale_access_servicesv2_policy_prefix      = local.iam_servicesv2_policy_prefix
   anyscale_access_servicesv2_policy_description = var.anyscale_access_servicesv2_policy_description
+  create_elb_service_linked_role                = var.anyscale_servicesv2_create_elb_service_linked_role
 
   anyscale_trusted_role_arns = var.anyscale_access_role_trusted_role_arns
 

modules/aws-anyscale-iam/README.md

@@ -77,7 +77,6 @@ No modules.
 | [aws_iam_policy_document.iam_anyscale_s3_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_anyscale_services_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_anyscale_steadystate_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -157,6 +156,7 @@ No modules.
 | <a name="input_create_cluster_node_instance_profile"></a> [create\_cluster\_node\_instance\_profile](#input\_create\_cluster\_node\_instance\_profile) | (Optional) Determines whether to create an instance profile role.<br/><br/>ex:<pre>create_cluster_node_instance_profile = true</pre> | `bool` | `true` | no |
 | <a name="input_create_eks_ebs_csi_driver_role"></a> [create\_eks\_ebs\_csi\_driver\_role](#input\_create\_eks\_ebs\_csi\_driver\_role) | (Optional) Determines whether to create the EKS EBS CSI driver role.<br/><br/>ex:<pre>create_eks_ebs_csi_driver_role = true</pre> | `bool` | `false` | no |
 | <a name="input_create_eks_efs_csi_driver_role"></a> [create\_eks\_efs\_csi\_driver\_role](#input\_create\_eks\_efs\_csi\_driver\_role) | (Optional) Determines whether to create the EKS EFS CSI driver role.<br/><br/>ex:<pre>create_eks_efs_csi_driver_role = true</pre> | `bool` | `false` | no |
+| <a name="input_create_elb_service_linked_role"></a> [create\_elb\_service\_linked\_role](#input\_create\_elb\_service\_linked\_role) | (Optional) Determines if the ELB service linked role is created.<br/><br/>ex:<pre>create_elb_service_linked_role = true</pre> | `bool` | `true` | no |
 | <a name="input_create_iam_s3_policy"></a> [create\_iam\_s3\_policy](#input\_create\_iam\_s3\_policy) | (Optional) Determines whether to create the S3 Access Policy for IAM roles.<br/>Requires anyscale\_s3\_bucket\_arn (below).<br/><br/>ex:<pre>create_iam_s3_policy = true</pre> | `bool` | `true` | no |
 | <a name="input_efs_file_system_arn"></a> [efs\_file\_system\_arn](#input\_efs\_file\_system\_arn) | (Optional) The EFS File System ARN that the IAM Roles need access to.<br/><br/>Required if `create_eks_efs_csi_driver_role` is set to `true`.<br/><br/>ex:<pre>efs_file_system_arn = "arn:aws:efs:us-east-1:123456789012:file-system/fs-12345678"</pre> | `string` | `null` | no |
 | <a name="input_eks_ebs_csi_role_description"></a> [eks\_ebs\_csi\_role\_description](#input\_eks\_ebs\_csi\_role\_description) | (Optional) IAM Role description.<br/><br/>If left `null`, will default to `Anyscale EKS EBS CSI Role`.<br/><br/>ex:<pre>eks_ebs_csi_role_description = "Anyscale EKS EBS CSI Role"</pre> | `string` | `null` | no |

modules/aws-anyscale-iam/anyscale-control_plane-services-v2.tmpl

@@ -0,0 +1,287 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "CloudformationDescribeGet",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStacks",
+        "cloudformation:GetTemplate"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:${account_id}:stack/*"
+      ]
+    },
+    {
+      "Sid": "EC2Describe",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeVpcs",
+        "ec2:DescribeInternetGateways"
+      ],
+      "Resource": ["*"]
+    },
+%{ if cloud_id_provided == false ~}
+    {
+      "Sid": "CloudformationWrite",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:TagResource",
+        "cloudformation:UntagResource",
+        "cloudformation:UpdateStack"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:${account_id}:stack/*"
+      ]
+    },
+%{ endif ~}
+%{ if cloud_id_provided == true ~}
+    {
+      "Sid": "CloudformationWrite",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:TagResource",
+        "cloudformation:UntagResource",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:${account_id}:stack/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "aws:ResourceTag/anyscale-cloud-id": "${anyscale_cloud_id}"
+        }
+      }
+    },
+%{ endif ~}
+%{ if cloud_id_provided == false ~}
+    {
+      "Sid": "CloudformationDelete",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:DeleteStack"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:${account_id}:stack/anyscale*"
+      ]
+    },
+%{ endif ~}
+%{ if create_elb_service_linked_role == true ~}
+    {
+      "Sid": "CreateELBServiceLinkedRole",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateServiceLinkedRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::${account_id}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
+      ],
+      "Condition": {
+        "StringLike": {
+          "iam:AWSServiceName": ["elasticloadbalancing.amazonaws.com"]
+        }
+      }
+    },
+%{ endif ~}
+    {
+      "Sid": "ELBRead",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeRules",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:DescribeTargetGroupAttributes",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:DescribeListenerCertificates",
+        "elasticloadbalancing:DescribeTags"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "ACMAllResources",
+      "Effect": "Allow",
+      "Action": [
+        "acm:ListCertificates",
+        "acm:RequestCertificate",
+        "acm:DescribeCertificate"
+      ],
+      "Resource": "*"
+    },
+%{ if cloud_id_provided == false ~}
+    {
+      "Sid": "ACMWrite",
+      "Effect": "Allow",
+      "Action": [
+        "acm:DeleteCertificate",
+        "acm:RenewCertificate",
+        "acm:AddTagsToCertificate",
+        "acm:GetCertificate",
+        "acm:ListTagsForCertificate"
+      ],
+      "Resource": ["arn:aws:acm:*:${account_id}:certificate/*"]
+    },
+%{ endif ~}
+%{ if cloud_id_provided == true ~}
+    {
+      "Sid": "ACMWrite",
+      "Effect": "Allow",
+      "Action": [
+        "acm:DeleteCertificate",
+        "acm:RenewCertificate",
+        "acm:AddTagsToCertificate",
+        "acm:GetCertificate",
+        "acm:ListTagsForCertificate"
+      ],
+      "Resource": ["arn:aws:acm:*:${account_id}:certificate/*"],
+      "Condition": {
+        "StringEquals": {
+          "aws:RequestTag/anyscale-cloud-id": "${anyscale_cloud_id}"
+        },
+        "ForAnyValue:StringEquals": {
+          "aws:TagKeys": ["anyscale-cloud-id"]
+        }
+      }
+    },
+%{ endif ~}
+    {
+      "Sid": "ELBWrite",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:RemoveTags",
+        "elasticloadbalancing:CreateRule",
+        "elasticloadbalancing:ModifyRule",
+        "elasticloadbalancing:DeleteRule",
+        "elasticloadbalancing:SetRulePriorities",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:DeleteListener",
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:CreateTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
+        "elasticloadbalancing:AddListenerCertificates",
+        "elasticloadbalancing:RemoveListenerCertificates",
+        "elasticloadbalancing:SetIpAddressType",
+        "elasticloadbalancing:SetSecurityGroups",
+        "elasticloadbalancing:SetSubnets"
+      ],
+      "Resource": [
+        "arn:aws:elasticloadbalancing:*:${account_id}:loadbalancer/app/Anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener/app/Anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener-rule/app/Anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/AnyscaleTarget*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "aws:CalledViaFirst": ["cloudformation.amazonaws.com"]
+        }
+      }
+    },
+    {
+      "Sid": "ELBTargetRegistration",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:RegisterTargets",
+        "elasticloadbalancing:DeregisterTargets"
+      ],
+      "Resource": [
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/AnyscaleTarget*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/anyscale*"
+      ]
+    },
+    {
+      "Sid": "ELBDirectCreate",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:CreateRule",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:CreateTargetGroup"
+      ],
+      "Resource": [
+        "arn:aws:elasticloadbalancing:*:${account_id}:loadbalancer/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener-rule/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/anyscale*"
+      ]
+    },
+%{ if cloud_id_provided == false ~}
+    {
+      "Sid": "ELBDirectWrite",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:RemoveTags",
+        "elasticloadbalancing:ModifyRule",
+        "elasticloadbalancing:DeleteRule",
+        "elasticloadbalancing:SetRulePriorities",
+        "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:DeleteListener",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
+        "elasticloadbalancing:AddListenerCertificates",
+        "elasticloadbalancing:RemoveListenerCertificates",
+        "elasticloadbalancing:SetIpAddressType",
+        "elasticloadbalancing:SetSecurityGroups",
+        "elasticloadbalancing:SetSubnets"
+      ],
+      "Resource": [
+        "arn:aws:elasticloadbalancing:*:${account_id}:loadbalancer/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener-rule/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/anyscale*"
+      ]
+    }
+%{ endif ~}
+%{ if cloud_id_provided == true ~}
+
+    {
+      "Sid": "ELBDirectModifyDelete",
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:RemoveTags",
+        "elasticloadbalancing:ModifyRule",
+        "elasticloadbalancing:DeleteRule",
+        "elasticloadbalancing:SetRulePriorities",
+        "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:DeleteListener",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
+        "elasticloadbalancing:AddListenerCertificates",
+        "elasticloadbalancing:RemoveListenerCertificates",
+        "elasticloadbalancing:SetIpAddressType",
+        "elasticloadbalancing:SetSecurityGroups",
+        "elasticloadbalancing:SetSubnets"
+      ],
+      "Resource": [
+        "arn:aws:elasticloadbalancing:*:${account_id}:loadbalancer/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:listener-rule/app/anyscale*",
+        "arn:aws:elasticloadbalancing:*:${account_id}:targetgroup/anyscale*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "aws:ResourceTag/anyscale-cloud-id": "${anyscale_cloud_id}"
+        }
+      }
+    }
+%{ endif ~}
+  ]
+}