From 570a4476e5be5bfecd8385713a4aa90746142e6c Mon Sep 17 00:00:00 2001 From: Danny Schofield Date: Tue, 23 Apr 2024 15:41:15 -0400 Subject: [PATCH] resource stack: add AssumeRoleName to stack Use AssumeRoleName instead of AssumeRoleARN because we will be able to generate the ARN based on what account the stack is applied to. --- mintlifydocs/config/organization.mdx | 2 +- .../Assign-IaC-Blueprints-To-Accounts.mdx | 2 +- resource/stack.go | 38 +++++++++++++------ resourceoperation/cdk.go | 4 +- resourceoperation/terraform.go | 4 +- 5 files changed, 32 insertions(+), 18 deletions(-) diff --git a/mintlifydocs/config/organization.mdx b/mintlifydocs/config/organization.mdx index 060e228..ec9e1e8 100644 --- a/mintlifydocs/config/organization.mdx +++ b/mintlifydocs/config/organization.mdx @@ -103,7 +103,7 @@ Stacks: - Path: # (Required) Path to CDK or Terraform project. This must be a directory. Type: # (Required) "CDK" or "Terraform". Name: # (Optional) Apply only CDK stack with this name. By default, all CDK stacks are applied. (CDK Only) - RoleOverrideARN: # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName`. + AssumeRoleName: # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName` which is typically the `OrganizationAccountAccessRole`. Region: # (Optional) What region the stack's resources will be provisioned in. Region can be a comma separated list of regions or "all" to apply to all regions in an account. Workspace: # (Optional) Specify a Terraform workspace to use. ``` diff --git a/mintlifydocs/features/Assign-IaC-Blueprints-To-Accounts.mdx b/mintlifydocs/features/Assign-IaC-Blueprints-To-Accounts.mdx index ece6316..999231d 100644 --- a/mintlifydocs/features/Assign-IaC-Blueprints-To-Accounts.mdx +++ b/mintlifydocs/features/Assign-IaC-Blueprints-To-Accounts.mdx @@ -45,7 +45,7 @@ Stacks: - Path: # (Required) Path to CDK or Terraform project. This must be a directory. Type: # (Required) "CDK" or "Terraform". Name: # (Optional) Apply only CDK stack with this name. By default, all CDK stacks are applied. (CDK Only) - RoleOverrideARN: # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName`. + AssumeRoleName: # (Optional) Force CDK and Terraform to us a specific role when applying a stack. The default role is the account's `AssumeRoleName` which is typically the `OrganizationAccountAccessRole`. Region: # (Optional) What region the stack's resources will be provisioned in. Region can be a comma separated list of regions or "all" to apply to all regions in an account. Workspace: # (Optional) Specify a Terraform workspace to use. ``` \ No newline at end of file diff --git a/resource/stack.go b/resource/stack.go index b018e89..8ffbfc8 100644 --- a/resource/stack.go +++ b/resource/stack.go @@ -1,27 +1,41 @@ package resource import ( + "fmt" + "github.com/samsarahq/go/oops" ) type Stack struct { - Name string `yaml:"Name"` - Type string `yaml:"Type"` - Path string `yaml:"Path"` - Region string `yaml:"Region,omitempty"` - RoleOverrideARN string `yaml:"RoleOverrideARN,omitempty"` - Workspace string `yaml:"Workspace,omitempty"` + // When adding a new type to the struct, make sure you add it to the `NewForRegion` method. + Name string `yaml:"Name"` + Type string `yaml:"Type"` + Path string `yaml:"Path"` + Region string `yaml:"Region,omitempty"` + RoleOverrideARNDeprecated string `yaml:"RoleOverrideARN,omitempty"` // Deprecated + AssumeRoleName string `yaml:"AssumeRoleName,omitempty"` + Workspace string `yaml:"Workspace,omitempty"` } func (s Stack) NewForRegion(region string) Stack { return Stack{ - Name: s.Name, - Type: s.Type, - Path: s.Path, - Region: region, - RoleOverrideARN: s.RoleOverrideARN, - Workspace: s.Workspace, + Name: s.Name, + Type: s.Type, + Path: s.Path, + Region: region, + RoleOverrideARNDeprecated: s.RoleOverrideARNDeprecated, + AssumeRoleName: s.AssumeRoleName, + Workspace: s.Workspace, + } +} + +func (s Stack) RoleARN(acct Account) *string { + if s.AssumeRoleName != "" { + result := fmt.Sprintf("arn:aws:iam::%s:role/%s", acct.AccountID, s.AssumeRoleName) + return &result } + + return nil } func (s Stack) AWSRegionEnv() *string { diff --git a/resourceoperation/cdk.go b/resourceoperation/cdk.go index a5e5e3b..7f9ea9d 100644 --- a/resourceoperation/cdk.go +++ b/resourceoperation/cdk.go @@ -58,8 +58,8 @@ func (co *cdkOperation) Call(ctx context.Context) error { } // We use the stack role if it set after we have bootstrapped. - if co.Stack.RoleOverrideARN != "" { - opRole, _, err = authAWS(*co.Account, co.Stack.RoleOverrideARN, co.OutputUI) + if roleArn := co.Stack.RoleARN(*co.Account); roleArn != nil { + opRole, _, err = authAWS(*co.Account, *roleArn, co.OutputUI) if err != nil { return err } diff --git a/resourceoperation/terraform.go b/resourceoperation/terraform.go index 67b7ad9..dbab7cf 100644 --- a/resourceoperation/terraform.go +++ b/resourceoperation/terraform.go @@ -48,8 +48,8 @@ func (to *tfOperation) Call(ctx context.Context) error { var stackRole *sts.AssumeRoleOutput var assumeRoleErr error if to.Account.AccountID != "" { - if to.Stack.RoleOverrideARN != "" { - stackRole, _, assumeRoleErr = authAWS(*to.Account, to.Stack.RoleOverrideARN, to.OutputUI) + if roleArn := to.Stack.RoleARN(*to.Account); roleArn != nil { + stackRole, _, assumeRoleErr = authAWS(*to.Account, *roleArn, to.OutputUI) } else { stackRole, _, assumeRoleErr = authAWS(*to.Account, to.Account.AssumeRoleARN(), to.OutputUI) }