diff --git a/CHANGELOG.md b/CHANGELOG.md index e33f1d7..ca6d79c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add support for removing some IAM permissions from the capa controller role in BYOVPC installations. - CAPA role CloudFormation template: switch from inline to managed policies for the CAPA IAM role. - Add CAPA permissions for ASG lifecycle hooks +- Add support for AWS China +- Add support for custom GS staff account ## [4.2.0] - 2024-09-04 diff --git a/README.md b/README.md index 9265be3..5e0a053 100644 --- a/README.md +++ b/README.md @@ -112,6 +112,8 @@ export INSTALLATION_NAME=test export MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN=irsa.test.gaws.gigantic.io # Optional: only set to true if this installation is going to be used exclusively to create WCs on existing VPCs and subnets # export BYOVPC=true +# Optional: only set this to aws-cn if the installation is in China +# export AWS_PARTITION=aws-cn chmod +x setup.sh ./setup.sh ``` diff --git a/admin-role/iam-giantswarm-cp.tf b/admin-role/iam-giantswarm-cp.tf index 8b11890..9ff316c 100644 --- a/admin-role/iam-giantswarm-cp.tf +++ b/admin-role/iam-giantswarm-cp.tf @@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-admin" { principals { type = "AWS" - identifiers = "arn:aws:iam::084190472784:root" + identifiers = "arn:${var.aws_partition}:iam::${var.gs_user_account}:root" } actions = ["sts:AssumeRole"] diff --git a/admin-role/variables.tf b/admin-role/variables.tf index cb7c981..10d3306 100644 --- a/admin-role/variables.tf +++ b/admin-role/variables.tf 
@@ -2,3 +2,15 @@ variable "admin_role_name" {
type = string
default = "GiantSwarmAdmin"
}
+
+variable "aws_partition" {
+ type = string
+ description = "AWS partition used for ARN referencing, use aws-cn for China regions"
+ default = "aws"
+}
+
+variable "gs_user_account" {
+ type = string
+ description = "AWS account where GS staff users are located"
+ default = "084190472784"
+}
diff --git a/capa-controller-role/cleanup.sh b/capa-controller-role/cleanup.sh
index 688d6b9..3a05d14 100755
--- a/capa-controller-role/cleanup.sh
+++ b/capa-controller-role/cleanup.sh
@@ -9,9 +9,11 @@ NC='\033[0m'
ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
AWS_ACCOUNT_ID="$(aws sts get-caller-identity --output text --query 'Account')"
+AWS_PARTITION=${AWS_PARTITION:-aws}
+GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}
POL_TYPES=("capa-controller" "capa-controller-vpc" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
-POL_ARN_PREFIX="arn:aws:iam::${AWS_ACCOUNT_ID}:policy"
+POL_ARN_PREFIX="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy"
function echo_fail_or_success {
s=$1
diff --git a/capa-controller-role/giantswarm-capa-role.tf b/capa-controller-role/giantswarm-capa-role.tf
index 3eb2dcb..fc36b61 100644
--- a/capa-controller-role/giantswarm-capa-role.tf
+++ b/capa-controller-role/giantswarm-capa-role.tf
@@ -18,6 +18,8 @@ resource "aws_iam_role" "giantswarm-capa-controller-role" {
INSTALLATION_NAME = var.installation_name
AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id
MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN = var.management_cluster_oidc_provider_domain
+ AWS_PARTITION = var.aws_partition
+ GS_USER_ACCOUNT = var.gs_user_account
})
tags = local.tags
}
diff --git a/capa-controller-role/import.tf b/capa-controller-role/import.tf
index fcdaa3a..b033a6f 100644
--- a/capa-controller-role/import.tf
+++ b/capa-controller-role/import.tf
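Review bot: `aws_partition` and `gs_user_account` are declared without a `validation` block, yet both end up in the `principals` ARN of the admin role's trust policy (the admin-role/iam-giantswarm-cp.tf hunk) and, through templatefile, in the capa-controller trust policy; a typo makes `terraform apply` fail on a malformed ARN, and a wrong but well-formed 12-digit value grants sts:AssumeRole to an unintended account with no plan-time signal. Restrict `aws_partition` to the partitions this module supports and require `gs_user_account` to be a 12-digit id, as below; the capa-controller-role/variables.tf hunk declares the same two variables and should carry the same blocks. The allowlist holds only `aws` and `aws-cn`, the two values the README and the descriptions mention; extend it when further partitions are supported.
```hcl
variable "aws_partition" {
  type        = string
  description = "AWS partition used for ARN referencing, use aws-cn for China regions"
  default     = "aws"

  validation {
    condition     = contains(["aws", "aws-cn"], var.aws_partition)
    error_message = "aws_partition must be one of: aws, aws-cn."
  }
}

variable "gs_user_account" {
  # … unchanged: type, description, default …

  validation {
    condition     = can(regex("^[0-9]{12}$", var.gs_user_account))
    error_message = "gs_user_account must be a 12-digit AWS account id."
  }
}
```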
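Review bot: `GS_USER_ACCOUNT` is defined in this cleanup.sh hunk but, unlike `AWS_PARTITION`, nothing visible here reads it — `POL_ARN_PREFIX` is built from `AWS_ACCOUNT_ID`; if the rest of cleanup.sh does not consume it either, the line is dead and should be dropped so the script does not suggest the staff account matters for cleanup. The script continues outside the hunk, so confirm against the full file before removing it. Minor: the quotes in `${GS_USER_ACCOUNT:-"084190472784"}` add nothing for a purely numeric default; `${GS_USER_ACCOUNT:-084190472784}` matches the `${AWS_PARTITION:-aws}` line above it.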
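Review bot: the partition handed to the trust-policy template in this giantswarm-capa-role.tf hunk comes from `var.aws_partition`, so an operator who points the provider at a China region but leaves the variable at its `aws` default gets principals with the wrong partition, which would likely make role creation fail or leave the principals never matching. The provider already knows its own partition: add `data "aws_partition" "current" {}` next to the existing `data.aws_caller_identity.current` and pass `AWS_PARTITION = data.aws_partition.current.partition` here, keeping `var.aws_partition` only for the shell path that has no provider to ask. The same data source would serve the import ids in import.tf. The resource block starts outside the hunk.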
@@ -11,107 +11,107 @@ import {
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-capa-controller-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-capa-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-dns-controller-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-dns-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-eks-controller-policy
- id =
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-eks-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-iam-controller-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-iam-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-irsa-controller-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
+ id =
"arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-irsa-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-network-topology-controller-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-network-topology-controller-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-resolver-rules-operator-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
+ id =
"arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-resolver-rules-operator-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-mc-bootstrap-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-mc-bootstrap-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-crossplane-policy
- id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
+ id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}
import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-crossplane-policy-attachment
- id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
+ id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}
diff --git a/capa-controller-role/setup.sh b/capa-controller-role/setup.sh
index 293314c..b59402f 100755
--- a/capa-controller-role/setup.sh
+++ b/capa-controller-role/setup.sh
@@ -12,6 +12,8 @@ ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
TAGS="Key=installation,Value=${INSTALLATION_NAME}"
BYOVPC=${BYOVPC:-false}
+AWS_PARTITION=${AWS_PARTITION:-aws}
+GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}
if [ "$BYOVPC" == "false" ]; then
# This policy is not needed in BYO VPC installations
diff --git a/capa-controller-role/trusted-entities.json b/capa-controller-role/trusted-entities.json
index 1135577..6a944ae 100644
--- a/capa-controller-role/trusted-entities.json
+++ b/capa-controller-role/trusted-entities.json
@@ -4,7 +4,7 @@
{
"Effect": "Allow",
"Principal": {
- "AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
+ "AWS": "arn:${AWS_PARTITION}:iam::${GS_USER_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
},
"Action": "sts:AssumeRole",
"Condition": {}
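Review bot: the eighteen `id` strings in this import.tf hunk now repeat `arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-` verbatim, which is what turned a one-concept change into a 36-line mechanical edit and is what will happen again the next time the prefix moves. A single local, `policy_arn_prefix = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-"`, lets each policy id become `"${local.policy_arn_prefix}capa-controller-policy"` and each attachment id `"giantswarm-${var.installation_name}-capa-controller/${local.policy_arn_prefix}capa-controller-policy"`, so the partition and account are spelled once.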
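Review bot: `GS_USER_ACCOUNT` becomes an environment override in this setup.sh hunk, but the README hunk documents only `AWS_PARTITION`; add `# Optional: only set this if the GS staff users live in a different account` and `# export GS_USER_ACCOUNT=<12-digit account id>` next to the `AWS_PARTITION` lines so the knob is discoverable. Nothing in the hunk checks either value before it is substituted into the trust policy; a guard such as `[[ "$AWS_PARTITION" =~ ^(aws|aws-cn)$ && "$GS_USER_ACCOUNT" =~ ^[0-9]{12}$ ]] || { echo "invalid AWS_PARTITION or GS_USER_ACCOUNT" >&2; exit 1; }` right after the defaults fails fast instead of creating a role with a malformed or unintended principal. cleanup.sh gains the same two defaults and would want the partition check as well. The script continues outside the hunk.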
@@ -12,7 +12,7 @@
{
"Effect": "Allow",
"Principal": {
- "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
+ "Federated": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
diff --git a/capa-controller-role/variables.tf b/capa-controller-role/variables.tf
index fbaba5a..a916671 100644
--- a/capa-controller-role/variables.tf
+++ b/capa-controller-role/variables.tf
@@ -3,6 +3,18 @@ variable "installation_name" {
description = "If you dont know what `installation_name` value is suppose to be, ask Giant Swarm staff and they will provide it."
}
+variable "aws_partition" {
+ type = string
+ description = "AWS partition used for ARN referencing, use aws-cn for China regions"
+ default = "aws"
+}
+
+variable "gs_user_account" {
+ type = string
+ description = "AWS account where GS staff users are located"
+ default = "084190472784"
+}
+
variable "management_cluster_oidc_provider_domain" {
type = string
description = "OIDC provider domain of the management cluster"