Merge branch 'feature/support-init-sn-volume-access-bak' into feature/support-init-sn-volume-access

Author: tuteng

examples/volume-access/main.tf

@@ -0,0 +1,20 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+module "sn_managed_cloud" {
+  source = "github.com/streamnative/terraform-managed-cloud//modules/aws/volume-access"
+
+  external_id = "max"
+  bucket      = "test-ursa-storage"
+  path        = "ursa"
+
+  oidc_providers = [
+    "oidc.eks.us-east-2.amazonaws.com/id/B1C90381FF99EB05EDE1C8E2C2884166",
+    "oidc.eks.us-east-2.amazonaws.com/id/9ACC7EF87FC7333990CF6BEFA7CEA816"
+  ]
+
+  streamnative_vendor_access_role_arns = [
+    "arn:aws:iam::738562057640:role/cloud-manager"
+  ]
+}

modules/aws/volume-access/files/sn_volume_s3_bucket.json.tpl

@@ -0,0 +1,35 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket}/${path}/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutLifecycleConfiguration",
+                "s3:GetLifecycleConfiguration"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket}/${path}"
+            ]
+        }
+    ]
+}

modules/aws/volume-access/main.tf

@@ -0,0 +1,112 @@
+data "aws_caller_identity" "current" {}
+locals {
+  account_id                = data.aws_caller_identity.current.account_id
+  external_id               = (var.external_id != "" ? [{ test : "StringEquals", variable : "sts:ExternalId", values : [var.external_id] }] : [])
+  assume_conditions         = concat(local.external_id, local.source_identity, local.principal_check, local.vendor_federation)
+  support_assume_conditions = concat(local.external_id, local.source_identity)
+  source_identity           = (length(var.source_identities) > 0 ? [{ test : var.source_identity_test, variable : "sts:SourceIdentity", values : var.source_identities }] : [])
+  oidc_providers            = distinct(concat(var.oidc_providers, local.default_oidc_providers))
+  principal_check           = (length(var.streamnative_principal_ids) > 0 ? [{ test : "StringLike", variable : "aws:PrincipalArn", values : var.streamnative_principal_ids }] : [])
+  tag_set                   = merge({ Vendor = "StreamNative", Module = "StreamNative Volume", SNVersion = var.sn_policy_version }, var.tags)
+  vendor_federation         = (var.enforce_vendor_federation ? [{ test : "StringLike", variable : "aws:FederatedProvider", values : ["accounts.google.com"] }] : [])
+  # Add streamnative default eks oidc provider
+  default_oidc_providers = compact([
+
+  ])
+  conditions = [
+    for value in local.oidc_providers :
+    [
+      {
+        provider : "${value}",
+        test : "StringEquals",
+        variable : "${value}:aud",
+        values : ["sts.amazonaws.com"]
+      },
+      {
+        provider : "${value}",
+        test : "StringEquals",
+        variable : "${value}:sub",
+        values : [format("system:serviceaccount:%s:*", var.external_id)]
+      }
+    ]
+  ]
+}
+
+resource "aws_iam_openid_connect_provider" "streamnative_oidc_providers" {
+  count          = length(local.oidc_providers)
+  url            = "https://${var.oidc_providers[count.index]}"
+  client_id_list = ["sts.amazonaws.com"]
+  tags           = local.tag_set
+}
+
+data "aws_iam_policy_document" "streamnative_management_access" {
+  statement {
+    sid     = "AllowStreamNativeControlPlaneAccess"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = var.streamnative_vendor_access_role_arns
+    }
+    dynamic "condition" {
+      for_each = local.assume_conditions
+      content {
+        test     = condition.value["test"]
+        values   = condition.value["values"]
+        variable = condition.value["variable"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = local.conditions
+    content {
+      effect  = "Allow"
+      actions = ["sts:AssumeRoleWithWebIdentity"]
+
+      principals {
+        type        = "Federated"
+        identifiers = [for provider in local.oidc_providers : "arn:aws:iam::${local.account_id}:oidc-provider/${provider}" if "${provider}" == statement.value[0].provider]
+      }
+
+      dynamic "condition" {
+        for_each = toset(statement.value)
+        content {
+          test     = condition.value["test"]
+          values   = condition.value["values"]
+          variable = condition.value["variable"]
+        }
+      }
+    }
+  }
+}
+
+######
+#-- Create the IAM role for the the StreamNative Cloud data access to s3 bucket
+######
+resource "aws_iam_policy" "access_bucket_role" {
+  name        = "sn-${var.external_id}-${var.bucket}-${var.path}"
+  description = "This policy sets the limits for the access s3 bucket for StreamNative's vendor access."
+  path        = "/StreamNative/"
+  policy = templatefile("${path.module}/files/sn_volume_s3_bucket.json.tpl",
+    {
+      bucket = var.bucket
+      path   = var.path
+  })
+  tags = local.tag_set
+}
+
+resource "aws_iam_role" "access_bucket_role" {
+  name                 = "sn-${var.external_id}-${var.bucket}-${var.path}"
+  description          = "This role is used by StreamNative for the access s3 bucket."
+  assume_role_policy   = data.aws_iam_policy_document.streamnative_management_access.json
+  path                 = "/StreamNative/"
+  tags                 = local.tag_set
+  max_session_duration = 43200
+}
+
+resource "aws_iam_role_policy_attachment" "access_bucket_role" {
+  policy_arn = aws_iam_policy.access_bucket_role.arn
+  role       = aws_iam_role.access_bucket_role.name
+}

modules/aws/volume-access/variables.tf

@@ -0,0 +1,75 @@
+variable "sn_policy_version" {
+  description = "The value of SNVersion tag"
+  default     = "3.16.1" # {{ x-release-please-version }}
+  type        = string
+}
+
+variable "region" {
+  default     = "*"
+  description = "The AWS region where your instance of StreamNative Cloud is deployed. Defaults to all regions \"*\""
+  type        = string
+}
+
+variable "streamnative_vendor_access_role_arns" {
+  default     = ["arn:aws:iam::311022431024:role/cloud-manager"]
+  description = "This role for access customer s3 bucket on control plane."
+  type        = list(string)
+}
+
+variable "additional_federated_identifiers" {
+  default     = []
+  description = "This federated identified list for access customer s3 bucket on data plane."
+  type        = list(string)
+}
+
+variable "streamnative_principal_ids" {
+  default     = []
+  description = "When set, this applies an additional check for certain StreamNative principals to futher restrict access to which services / users can access an account."
+  type        = list(string)
+}
+
+variable "source_identities" {
+  default     = []
+  description = "Place an additional constraint on source identity, disabled by default and only to be used if specified by StreamNative"
+  type        = list(any)
+}
+
+variable "source_identity_test" {
+  default     = "ForAnyValue:StringLike"
+  description = "The test to use for source identity"
+  type        = string
+}
+
+variable "external_id" {
+  default     = ""
+  description = "A external ID that correspond to your Organization within StreamNative Cloud, used for all STS assume role calls to the IAM roles created by the module. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"."
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "Extra tags to apply to the resources created by this module."
+  type        = map(string)
+}
+
+variable "enforce_vendor_federation" {
+  default     = false
+  description = "Do not enable this unless explicitly told to do so by StreamNative. Restrict access for the streamnative_vendor_access_role_arns to only federated Google accounts. Intended to be true by default in the future."
+  type        = bool
+}
+
+variable "bucket" {
+  description = "User bucket name"
+  type        = string
+}
+
+variable "path" {
+  description = "S3 bucket path"
+  type        = string
+}
+
+variable "oidc_providers" {
+  default     = []
+  description = "Your aws eks cluster OIDC Providers"
+  type        = list(string)
+}

modules/aws/volume-access/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.30"
+    }
+  }
+}