From d8502f99d790033861529b4a3c1f648a08a8af43 Mon Sep 17 00:00:00 2001
From: Bora Kou
Date: Mon, 16 Dec 2024 12:23:12 -0500
Subject: [PATCH 1/2] Add support for sovereign cloud.

---
 api_integration.tf | 2 +-
 grants.tf | 2 ++
 iam.tf | 33 ++++++++++++++++++---------------
 variables.tf | 13 ++++++-------
 4 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/api_integration.tf b/api_integration.tf
index 02be1b3..65f82ea 100644
--- a/api_integration.tf
+++ b/api_integration.tf
@@ -5,7 +5,7 @@ resource "snowflake_api_integration" "sentry_integration_api_integration" {
 enabled = true
 api_provider = length(regexall(".*gov.*", local.aws_region)) > 0 ? "aws_gov_api_gateway" : "aws_api_gateway"
 api_allowed_prefixes = [local.inferred_api_gw_invoke_url]
- api_aws_role_arn = "arn:${var.arn_format}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
+ api_aws_role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
 }
 resource "snowflake_integration_grant" "sentry_integration_api_integration_grant" {
diff --git a/grants.tf b/grants.tf
index aebce04..045c557 100644
--- a/grants.tf
+++ b/grants.tf
@@ -1,4 +1,6 @@
 resource "snowflake_function_grant" "send_to_sentry_function_grant_usage" {
+ count = length(var.send_to_sentry_function_user_roles) == 0 ? 0 : 1
+
 provider = snowflake.monitoring_role
 database_name = var.database
diff --git a/iam.tf b/iam.tf
index f2a2220..f74ae9d 100644
--- a/iam.tf
+++ b/iam.tf
@@ -25,7 +25,7 @@ resource "aws_iam_role" "sentry_integration_api_gateway_assume_role" {
 resource "aws_iam_role_policy_attachment" "gateway_logger_policy_attachment" {
 role = aws_iam_role.sentry_integration_api_gateway_assume_role.id
- policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 }
 resource "aws_api_gateway_account" "api_gateway" {
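Review bot: `api_provider`, two lines above the changed `api_aws_role_arn` line, still infers GovCloud from a substring match on the region name (`regexall(".*gov.*", local.aws_region)`) even though the partition is now available as `local.aws_partition`; `api_provider = local.aws_partition == "aws-us-gov" ? "aws_gov_api_gateway" : "aws_api_gateway"` makes the two derivations agree and cannot be fooled by a region name that merely contains "gov". The same `var.arn_format` → `local.aws_partition` swap is made in the four iam.tf hunks; the series does not touch the `arn_format` variable declaration, so if it is still declared it is now an unused input that a caller can set with no effect — consider removing it or documenting it as deprecated. The `snowflake_api_integration` block opens before the hunk.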
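Review bot: Adding `count` to `snowflake_function_grant.send_to_sentry_function_grant_usage` changes its resource address to `...[0]`, so on an existing state the next apply destroys the old grant and creates a new one unless the address is migrated, which briefly revokes the granted privilege from the roles. A `moved { from = snowflake_function_grant.send_to_sentry_function_grant_usage to = snowflake_function_grant.send_to_sentry_function_grant_usage[0] }` block keeps the state entry in place. Whether the rest of the resource, which continues past the hunk, references `var.send_to_sentry_function_user_roles` in a way that also needs indexing is not visible here. The change is unrelated to the sovereign-cloud subject of the commit and deserves a line in the commit message.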
@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "sentry_integration_lambda_policy_doc" {
 sid = "WriteCloudWatchLogs"
 effect = "Allow"
 resources = [
- "arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
+ "arn:${local.aws_partition}:logs:${local.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
 ]
 actions = [
@@ -143,7 +143,7 @@ resource "aws_iam_role_policy_attachment" "sentry_integration_lambda_vpc_policy_
 count = var.deploy_lambda_in_vpc ? 1 : 0
 role = aws_iam_role.sentry_integration_lambda_assume_role.name
- policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
 }
 # -----------------------------------------------------------------------------------------------
@@ -250,7 +250,7 @@ data "aws_iam_policy_document" "sentry_backtraffic_proxy_lambda_policy_doc" {
 statement {
 sid = "WriteCloudWatchLogs"
 effect = "Allow"
- resources = ["arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_backtraffic_function_name}:*"]
+ resources = ["arn:${local.aws_partition}:logs:${local.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_backtraffic_function_name}:*"]
 actions = [
 "logs:CreateLogStream",
@@ -258,17 +258,20 @@ data "aws_iam_policy_document" "sentry_backtraffic_proxy_lambda_policy_doc" {
 ]
 }
- statement {
- sid = "AccessGetSecretVersions"
- effect = "Allow"
- resources = local.backtraffic_lambda_secrets_arns
- actions = [
- "secretsmanager:GetResourcePolicy",
- "secretsmanager:GetSecretValue",
- "secretsmanager:DescribeSecret",
- "secretsmanager:ListSecretVersionIds",
- "secretsmanager:ListSecrets"
- ]
+ dynamic "statement" {
+ for_each = length(local.backtraffic_lambda_secrets_arns) == 0 ? [] : [1]
+ content {
+ sid = "AccessGetSecretVersions"
+ effect = "Allow"
+ resources = local.backtraffic_lambda_secrets_arns
+ actions = [
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds",
+ "secretsmanager:ListSecrets"
+ ]
+ }
 }
 statement {
diff --git a/variables.tf b/variables.tf
index dd0f4d2..62679e2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -121,12 +121,14 @@ data "aws_partition" "current" {}
 locals {
- account_id = data.aws_caller_identity.current.account_id
- aws_region = data.aws_region.current.name
+ account_id = data.aws_caller_identity.current.account_id
+ aws_region = data.aws_region.current.name
+ aws_partition = data.aws_partition.current.partition
+ aws_dns_suffix = data.aws_partition.current.dns_suffix
 }
 locals {
- inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.amazonaws.com/"
+ inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.${local.aws_dns_suffix}/"
 sentry_integration_prefix = "${var.prefix}-sentry-integration"
 }
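Review bot: The new `content` block keeps `secretsmanager:ListSecrets` in an action list scoped to `local.backtraffic_lambda_secrets_arns`; ListSecrets does not support resource-level permissions, so scoped to specific secret ARNs it grants nothing, and if the function actually lists secrets that action needs its own statement with `resources = ["*"]`. If the Lambda only reads the configured secrets, `"secretsmanager:GetSecretValue"` and `"secretsmanager:DescribeSecret"` are likely sufficient; the other actions should stay only where the handler is known to call them, which is not visible from this hunk. A comment on the `for_each` line, such as `# emit the statement only when at least one secret ARN is configured (presumably to avoid an empty resources list)`, would explain the `[] : [1]` idiom to the next reader. The `data "aws_iam_policy_document"` block begins before and ends after this hunk.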
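Review bot: `aws_dns_suffix` is introduced in the `locals` block without a comment saying why `inferred_api_gw_invoke_url` no longer hardcodes `amazonaws.com`; a one-liner next to `aws_dns_suffix = data.aws_partition.current.dns_suffix`, such as `# partition DNS suffix (e.g. amazonaws.com.cn in aws-cn) so the execute-api host is correct outside the commercial partition`, would keep the intent from being refactored away. The `data "aws_partition" "current" {}` declaration appears only in the hunk header, so it seems to predate this commit; if it was previously unused, that is worth a word in the commit message.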
@@ -140,8 +142,5 @@ locals {
 sentry_sns_policy_name = "${local.sentry_integration_prefix}-sns-policy"
 sentry_sns_topic_name = "${local.sentry_integration_prefix}-sns-topic"
- backtraffic_lambda_secrets_arns = [
- var.jira_secrets_arn,
- var.slack_secrets_arn,
- ]
+ backtraffic_lambda_secrets_arns = [for i in [var.jira_secrets_arn, var.slack_secrets_arn]: i if i != null]
 }

From b73004d842be03e22bdefd0f4c2bc3810f58457a Mon Sep 17 00:00:00 2001
From: Bora Kou
Date: Mon, 16 Dec 2024 22:11:26 -0500
Subject: [PATCH 2/2] Fix colon spacing on the for statement.

---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index 62679e2..c81da01 100644
--- a/variables.tf
+++ b/variables.tf
@@ -142,5 +142,5 @@ locals {
 sentry_sns_policy_name = "${local.sentry_integration_prefix}-sns-policy"
 sentry_sns_topic_name = "${local.sentry_integration_prefix}-sns-topic"
- backtraffic_lambda_secrets_arns = [for i in [var.jira_secrets_arn, var.slack_secrets_arn]: i if i != null]
+ backtraffic_lambda_secrets_arns = [for i in [var.jira_secrets_arn, var.slack_secrets_arn] : i if i != null]
 }
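Review bot: The filter on the new `backtraffic_lambda_secrets_arns` line drops `null` only, so a caller that passes an empty string for `jira_secrets_arn` or `slack_secrets_arn` still gets it into the IAM `resources` list (the iam.tf hunk emits the statement whenever the list is non-empty), where an empty ARN would be rejected at apply time. If the variables can be empty strings as well as `null` — their declarations are not in this series — `[for i in [var.jira_secrets_arn, var.slack_secrets_arn] : i if i != null && i != ""]` covers both; the same expression recurs in the PATCH 2/2 hunk, which only changes spacing. The `locals` block opens before the hunk.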