diff --git a/examples/create_rosa_cluster/create_rosa_sts_cluster/main.tf b/examples/create_rosa_cluster/create_rosa_sts_cluster/main.tf index 30ea82c..7586678 100644 --- a/examples/create_rosa_cluster/create_rosa_sts_cluster/main.tf +++ b/examples/create_rosa_cluster/create_rosa_sts_cluster/main.tf @@ -66,7 +66,7 @@ data "ocm_rosa_operator_roles" "operator_roles" { } module operator_roles { - source = "git::https://github.com/openshift-online/terraform-provider-ocm.git//modules/operator_roles" + source = "git::https://github.com/openshift-online/terraform-provider-ocm.git//modules/aws_roles" cluster_id = ocm_cluster_rosa_classic.rosa_sts_cluster.id rh_oidc_provider_thumbprint = ocm_cluster_rosa_classic.rosa_sts_cluster.sts.thumbprint diff --git a/examples/create_rosa_cluster/create_rosa_sts_cluster/variables.tf b/examples/create_rosa_cluster/create_rosa_sts_cluster/variables.tf index 6011bf3..f22f81b 100644 --- a/examples/create_rosa_cluster/create_rosa_sts_cluster/variables.tf +++ b/examples/create_rosa_cluster/create_rosa_sts_cluster/variables.tf @@ -9,6 +9,7 @@ variable operator_role_prefix { variable account_role_prefix { type = string + default = "" } variable url { diff --git a/modules/aws_roles/README.md b/modules/aws_roles/README.md index 3f56b81..31c8f96 100644 --- a/modules/aws_roles/README.md +++ b/modules/aws_roles/README.md @@ -19,7 +19,7 @@ This terraform module tries to replicate rosa CLI roles creation so that: ## Prerequisites -* AWS Admin Account +* AWS Admin Account configured by using AWS CLI in AWS configuration file * OCM Account and OCM CLI * ROSA CLI diff --git a/modules/aws_roles/operator_roles/variables.tf b/modules/aws_roles/operator_roles/variables.tf index 3c3dc6b..a051ef2 100644 --- a/modules/aws_roles/operator_roles/variables.tf +++ b/modules/aws_roles/operator_roles/variables.tf @@ -10,7 +10,7 @@ variable rh_oidc_provider_url { } variable rh_oidc_provider_thumbprint { - description = "Thumbprint for https://rh-oidc.s3.us-east-1.amazonaws.com" + description = "Thumbprint for the variable `rh_oidc_provider_url`" type = string default = "917e732d330f9a12404f73d8bea36948b929dffc" } diff --git a/provider/cluster_rosa_classic_resource.go b/provider/cluster_rosa_classic_resource.go index 3e492c9..91009ce 100644 --- a/provider/cluster_rosa_classic_resource.go +++ b/provider/cluster_rosa_classic_resource.go @@ -35,10 +35,9 @@ import ( ) const ( - awsCloudProvider = "aws" - rosaProduct = "rosa" - serviceAccountFmt = "system:serviceaccount:%s:%s" - MinVersion = "4.10" + awsCloudProvider = "aws" + rosaProduct = "rosa" + MinVersion = "4.10" ) type ClusterRosaClassicResourceType struct { @@ -707,8 +706,14 @@ func (r *ClusterRosaClassicResource) populateState(ctx context.Context, object * } } - state.Sts.OperatorRolePrefix = types.String{ - Value: sts.OperatorRolePrefix(), + // TODO: fix a bug in uhc-cluster-services + if state.Sts.OperatorRolePrefix.Unknown || state.Sts.OperatorRolePrefix.Null { + operatorRolePrefix, ok := sts.GetOperatorRolePrefix() + if ok { + state.Sts.OperatorRolePrefix = types.String{ + Value: operatorRolePrefix, + } + } } thumbprint, err := getThumbprint(sts.OIDCEndpointURL()) if err != nil { diff --git a/provider/rosa_operator_roles_data_source.go b/provider/rosa_operator_roles_data_source.go index 9816c0a..e601bce 100644 --- a/provider/rosa_operator_roles_data_source.go +++ b/provider/rosa_operator_roles_data_source.go @@ -37,7 +37,10 @@ type RosaOperatorRolesDataSource struct { awsInquiries *cmv1.AWSInquiriesClient } -const DefaultAccountRolePrefix = "ManagedOpenShift" +const ( + DefaultAccountRolePrefix = "ManagedOpenShift" + serviceAccountFmt = "system:serviceaccount:%s:%s" +) func (t *RosaOperatorRolesDataSourceType) GetSchema(ctx context.Context) (result tfsdk.Schema, diags diag.Diagnostics) { @@ -173,7 +176,7 @@ func (t *RosaOperatorRolesDataSource) Read(ctx context.Context, request tfsdk.Re sts, ok := object.AWS().GetSTS() if ok { accountRolePrefix := DefaultAccountRolePrefix - if !state.AccountRolePrefix.Unknown && !state.AccountRolePrefix.Null { + if !state.AccountRolePrefix.Unknown && !state.AccountRolePrefix.Null && state.AccountRolePrefix.Value != "" { accountRolePrefix = state.AccountRolePrefix.Value } @@ -191,12 +194,12 @@ func (t *RosaOperatorRolesDataSource) Read(ctx context.Context, request tfsdk.Re Value: operatorRole.RoleARN(), }, RoleName: types.String{ - Value: getRoleName(state.OperatorRolePrefix.Value, operatorRole.Namespace(), operatorRole.Name()), + Value: getRoleName(state.OperatorRolePrefix.Value, operatorRole), }, PolicyName: types.String{ - Value: getRoleName(accountRolePrefix, operatorRole.Namespace(), operatorRole.Name()), + Value: getPolicyName(accountRolePrefix, operatorRole.Namespace(), operatorRole.Name()), }, - ServiceAccounts: getServiceAccount(stsOperatorMap[operatorRole.Namespace()].ServiceAccounts(), operatorRole.Namespace()), + ServiceAccounts: buildServiceAccountsArray(stsOperatorMap[operatorRole.Namespace()].ServiceAccounts(), operatorRole.Namespace()), } state.OperatorIAMRoles = append(state.OperatorIAMRoles, &r) } @@ -207,15 +210,24 @@ func (t *RosaOperatorRolesDataSource) Read(ctx context.Context, request tfsdk.Re } // TODO: should be in a separate repo -func getRoleName(prefix string, namespace string, name string) string { - roleName := fmt.Sprintf("%s-%s-%s", prefix, namespace, name) - if len(roleName) > 64 { - roleName = roleName[0:64] +func getRoleName(rolePrefix string, operatorRole *cmv1.OperatorIAMRole) string { + role := fmt.Sprintf("%s-%s-%s", rolePrefix, operatorRole.Namespace(), operatorRole.Name()) + if len(role) > 64 { + role = role[0:64] + } + return role +} + +// TODO: should be in a separate repo +func getPolicyName(prefix string, namespace string, name string) string { + policy := fmt.Sprintf("%s-%s-%s", prefix, namespace, name) + if len(policy) > 64 { + policy = policy[0:64] } - return roleName + return policy } -func getServiceAccount(serviceAccountArr []string, operatorNamespace string) types.List { +func buildServiceAccountsArray(serviceAccountArr []string, operatorNamespace string) types.List { serviceAccounts := types.List{ ElemType: types.StringType, Elems: []attr.Value{}, diff --git a/provider/sts.go b/provider/sts.go index 686b869..64f0be2 100644 --- a/provider/sts.go +++ b/provider/sts.go @@ -44,7 +44,7 @@ func stsResource() tfsdk.NestedAttributes { Required: true, }, "operator_role_prefix": { - Description: "Account Role prefix", + Description: "Operator IAM Role prefix", Type: types.StringType, Required: true, },