Merge pull request #29 from Snowflake-Labs/sovereign-cloud-support

Add support for sovereign cloud.
Snowflake-Labs · Dec 17, 2024 · ce65393 · ce65393
2 parents bf9a292 + b73004d
commit ce65393
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 23 deletions.
diff --git a/api_integration.tf b/api_integration.tf
@@ -5,7 +5,7 @@ resource "snowflake_api_integration" "sentry_integration_api_integration" {
   enabled              = true
   api_provider         = length(regexall(".*gov.*", local.aws_region)) > 0 ? "aws_gov_api_gateway" : "aws_api_gateway"
   api_allowed_prefixes = [local.inferred_api_gw_invoke_url]
-  api_aws_role_arn     = "arn:${var.arn_format}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
+  api_aws_role_arn     = "arn:${local.aws_partition}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
 }
 
 resource "snowflake_integration_grant" "sentry_integration_api_integration_grant" {

diff --git a/grants.tf b/grants.tf
@@ -1,4 +1,6 @@
 resource "snowflake_function_grant" "send_to_sentry_function_grant_usage" {
+  count = length(var.send_to_sentry_function_user_roles) == 0 ? 0 : 1
+
   provider = snowflake.monitoring_role
 
   database_name = var.database

diff --git a/iam.tf b/iam.tf
@@ -25,7 +25,7 @@ resource "aws_iam_role" "sentry_integration_api_gateway_assume_role" {
 
 resource "aws_iam_role_policy_attachment" "gateway_logger_policy_attachment" {
   role       = aws_iam_role.sentry_integration_api_gateway_assume_role.id
-  policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 }
 
 resource "aws_api_gateway_account" "api_gateway" {
@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "sentry_integration_lambda_policy_doc" {
     sid    = "WriteCloudWatchLogs"
     effect = "Allow"
     resources = [
-      "arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
+      "arn:${local.aws_partition}:logs:${local.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
     ]
 
     actions = [
@@ -143,7 +143,7 @@ resource "aws_iam_role_policy_attachment" "sentry_integration_lambda_vpc_policy_
   count = var.deploy_lambda_in_vpc ? 1 : 0
 
   role       = aws_iam_role.sentry_integration_lambda_assume_role.name
-  policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
 }
 
 # -----------------------------------------------------------------------------------------------
@@ -250,25 +250,28 @@ data "aws_iam_policy_document" "sentry_backtraffic_proxy_lambda_policy_doc" {
   statement {
     sid       = "WriteCloudWatchLogs"
     effect    = "Allow"
-    resources = ["arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_backtraffic_function_name}:*"]
+    resources = ["arn:${local.aws_partition}:logs:${local.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_backtraffic_function_name}:*"]
 
     actions = [
       "logs:CreateLogStream",
       "logs:PutLogEvents",
     ]
   }
 
-  statement {
-    sid       = "AccessGetSecretVersions"
-    effect    = "Allow"
-    resources = local.backtraffic_lambda_secrets_arns
-    actions = [
-      "secretsmanager:GetResourcePolicy",
-      "secretsmanager:GetSecretValue",
-      "secretsmanager:DescribeSecret",
-      "secretsmanager:ListSecretVersionIds",
-      "secretsmanager:ListSecrets"
-    ]
+  dynamic "statement" {
+    for_each = length(local.backtraffic_lambda_secrets_arns) == 0 ? [] : [1]
+    content {
+      sid       = "AccessGetSecretVersions"
+      effect    = "Allow"
+      resources = local.backtraffic_lambda_secrets_arns
+      actions = [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds",
+        "secretsmanager:ListSecrets"
+      ]
+    }
   }
 
   statement {

diff --git a/variables.tf b/variables.tf
@@ -121,12 +121,14 @@ data "aws_partition" "current" {}
 
 
 locals {
-  account_id = data.aws_caller_identity.current.account_id
-  aws_region = data.aws_region.current.name
+  account_id     = data.aws_caller_identity.current.account_id
+  aws_region     = data.aws_region.current.name
+  aws_partition  = data.aws_partition.current.partition
+  aws_dns_suffix = data.aws_partition.current.dns_suffix
 }
 
 locals {
-  inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.amazonaws.com/"
+  inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.${local.aws_dns_suffix}/"
   sentry_integration_prefix  = "${var.prefix}-sentry-integration"
 }
 
@@ -140,8 +142,5 @@ locals {
   sentry_sns_policy_name = "${local.sentry_integration_prefix}-sns-policy"
   sentry_sns_topic_name  = "${local.sentry_integration_prefix}-sns-topic"
 
-  backtraffic_lambda_secrets_arns = [
-    var.jira_secrets_arn,
-    var.slack_secrets_arn,
-  ]
+  backtraffic_lambda_secrets_arns = [for i in [var.jira_secrets_arn, var.slack_secrets_arn] : i if i != null]
 }