(1/4) Create an IAM Role with relevant permissions (IAM Policy) #4547

Closed
3 tasks done
Tracked by #4546
consideRatio opened this issue Jul 31, 2024 · 7 comments · Fixed by #4560

@consideRatio
Contributor

consideRatio commented Jul 31, 2024

This is task 1/4 in #4546, which is part of the big epic #4453.

In task 2/4 (#4548) we'll expose credentials to Grafana using an IAM Role with an attached IAM Policy granting relevant permissions for grafana to work against Athena. This task is to create such an IAM Role with an attached IAM Policy using terraform.

Create an IAM Role via terraform

In terraform/aws, create a new file named for example as grafana-athena-iam.tf or similar. Define a new aws_iam_role resource, for example by adjusting the basic example in the associated docs.

Make this resource be opt-in by introducing a terraform variable only terraform/aws/projects/openscapes.tfvars makes use of, so that other terraform projects are unaffected by this change.

Attach or inline an IAM Policy

For the IAM Policy declaring the permissions the IAM Role should be granted, make use of the policy defined in the grafana-athena-datasource documentation for now. Maybe it works out of the box, maybe it doesn't. Let's try to remember it may need to be tweaked in the future, but settle for this for now.

Create a terraform output for the IAM Role's ARN

We'll want to be able to reference the ARN (unique identifier) of the IAM Role later. To make that easy, define a terraform output (docs about it here).

I think aws_iam_role.<terraform resource name>.arn can be referenced to get the relevant arn.

Definition of done

  • Verify terraform apply ... provided an arn output.
  • Verify that terraform plan to a non-openscapes project isn't influenced by the changes and can keep functioning.
  • Verify IAM Role creation and IAM Policy attachment via AWS web console
    If terraform apply succeeds, you should be able to see the IAM Role listed through the AWS web console (openscapes login here) by navigating to IAM -> Roles. Make sure you can see it listed here, and verify it's associated with the IAM policy as well.
@consideRatio consideRatio changed the title Create an IAM Role with relevant permissions (IAM Policy) (1/4) Create an IAM Role with relevant permissions (IAM Policy) Jul 31, 2024
@sgibson91 sgibson91 self-assigned this Aug 1, 2024
@sgibson91
Member

I am running into the following error trying to create the IAM role and policy

│ Error: creating IAM Role (openscapeshub-grafana-athena): operation error IAM: CreateRole, https response error StatusCode: 400, RequestID: 151441aa-978d-4917-bf8a-458c3fef361a, MalformedPolicyDocument: Has prohibited field Resource
│ 
│   with aws_iam_role.grafana_athena_role[0],
│   on grafana-athena-iam.tf line 1, in resource "aws_iam_role" "grafana_athena_role":
│    1: resource "aws_iam_role" "grafana_athena_role" {

I have tried adding "sts:AssumeRoleWithWebIdentity" to each Action section of the policy defined in the documentation but that hasn't solved the issue yet.

@sgibson91
Member

Solution may be to remove the Resource field where it doesn't apply. So I'm going to take each statement one-by-one and see where the error appears.

@sgibson91
Member

Removed resource from the first statement, and now terraform is saying I need a Principal and it cannot be empty - but I don't know what that should be.

│ Error: creating IAM Role (openscapeshub-grafana-athena): operation error IAM: CreateRole, https response error StatusCode: 400, RequestID: 2c4b479d-d408-4f24-a22e-543b386b7d69, MalformedPolicyDocument: Missing required field Principal
│ 
│   with aws_iam_role.grafana_athena_role[0],
│   on grafana-athena-iam.tf line 1, in resource "aws_iam_role" "grafana_athena_role":
│    1: resource "aws_iam_role" "grafana_athena_role" {

@sgibson91
Member

I'm getting the same set of errors on each item in the statement, so I'm going to stop working on this for now and note it in the bot stand-up.

@sgibson91
Member

One last thing I tried was an inline_policy block, but assume_role_policy is required and I don't know what should be in there.
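Added example, not the project's own terraform and not the code in #4560: the opt-in role, policy and output the issue asks for, laid out so that the two policy documents an IAM Role carries are kept apart. The `CreateRole` errors above ("Has prohibited field Resource", then "Missing required field Principal") are what IAM returns when a permissions policy is passed as `assume_role_policy`: that argument is the trust policy, which may only say who can assume the role (a `Principal`, an `sts:Assume*` action, optional conditions) and never what the role can do. The Athena permissions belong in a separate `aws_iam_policy` attached to the role. Variable names, the OIDC provider ARN/host used for the IRSA trust relationship, the namespace/service account and the placeholder Athena statement are assumptions; the real permissions policy is the one from the grafana-athena-datasource documentation the issue points at.

```hcl
# Added example (not the project's code). All variable names below are assumptions.
variable "grafana_athena_role_enabled" {
  type        = bool
  default     = false
  description = "Opt-in: only the project tfvars that needs the role sets this to true"
}
variable "cluster_name" { type = string }                # assumption
variable "cluster_oidc_provider_arn" { type = string }   # assumption: IRSA OIDC provider ARN
variable "cluster_oidc_issuer_host" { type = string }    # assumption: issuer URL without "https://"

# Trust policy: WHO may assume the role. Only Principal/Action/Condition go here.
# A Resource field here is what CreateRole rejects as "prohibited", and Principal is required.
data "aws_iam_policy_document" "grafana_athena_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.cluster_oidc_provider_arn]
    }
    # Restrict the trust to one Kubernetes service account (assumed namespace/name).
    condition {
      test     = "StringEquals"
      variable = "${var.cluster_oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:support:grafana"]
    }
  }
}

# Permissions policy: WHAT the role may do. Resource is required in these statements.
# Placeholder statement only; replace with the policy from the grafana-athena-datasource docs.
data "aws_iam_policy_document" "grafana_athena_permissions" {
  statement {
    sid       = "AthenaQueryPlaceholder"
    actions   = ["athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "grafana_athena_role" {
  count              = var.grafana_athena_role_enabled ? 1 : 0
  name               = "${var.cluster_name}-grafana-athena"
  assume_role_policy = data.aws_iam_policy_document.grafana_athena_trust.json
}

resource "aws_iam_policy" "grafana_athena_policy" {
  count  = var.grafana_athena_role_enabled ? 1 : 0
  name   = "${var.cluster_name}-grafana-athena"
  policy = data.aws_iam_policy_document.grafana_athena_permissions.json
}

resource "aws_iam_role_policy_attachment" "grafana_athena" {
  count      = var.grafana_athena_role_enabled ? 1 : 0
  role       = aws_iam_role.grafana_athena_role[0].name
  policy_arn = aws_iam_policy.grafana_athena_policy[0].arn
}

# Output the role ARN for task 2/4; null when the role is not opted in.
output "grafana_athena_role_arn" {
  value = one(aws_iam_role.grafana_athena_role[*].arn)
}
```

With `count` driven by a variable that defaults to `false`, `terraform plan` in a project that never sets it produces no changes, which is the second item in the definition of done. Keeping the trust policy's `condition` on the service-account `sub` claim is what stops any other workload in the cluster from assuming the role through the same OIDC provider.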

@GeorgianaElena
Member

GeorgianaElena commented Aug 5, 2024

@sgibson91, you're getting these errors when you're trying to apply right 🤔 ? Cause for me, the terraform plan looks clean.

Confirmed that yes, they happen on apply

@GeorgianaElena
Member

I've added a few commits to #4560. The relevant ones:

I'm not entirely sure that the irsa part works, as I copy-pasted from existing code and I'm not sure that I've got everything right. I guess, doing #4548 next might answer this question.

Terraform apply worked, and all the boxes in the definition of done can be checked, so I'll close this issue once I've merged the PR and come back to it if it proves to not be working.
