Skip to content
This repository was archived by the owner on Dec 15, 2022. It is now read-only.

feat(pc): add assumeRoleARN to providerConfig like "native" provider-aws #160

Merged
muvaf merged 1 commit into from
Feb 28, 2022
+156 −242
Merged

feat(pc): add assumeRoleARN to providerConfig like "native" provider-aws #160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions AUTHENTICATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
## How can assumeRoleARN be used with provider-jet-aws ?
Copy link
Member

@muvaf muvaf Feb 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to just redirect people to https://github.com/crossplane/provider-aws/blob/master/AUTHENTICATION.md ? I think we fully cover all methods now, right?

Copy link
Member Author

@haarchri haarchri Feb 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes could be also one option externalID is missing since we will add this with v0.24 ;) but then yes

Copy link
Member Author

@haarchri haarchri Feb 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@muvaf so i can remove the md and add a link in readme ?

Copy link

@vara-bonthu vara-bonthu Feb 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to avoid confusion, I think it's better to have this doc in this repo instead of redirecting the users to different repo.

Copy link
Member

@muvaf muvaf Feb 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vara-bonthu Good point. We can possibly copy the doc from there and change all provider-aws references to provider-jet-aws because it's more extensive and covers more cases.


provider-jet-aws will be configured to connect to AWS Account A via `InjectedIdentity` or `Secret` , request security credentials, and then `assumeRoleARN` to assume a role in AWS Account B to manage the resources within AWS Account B.

The first thing that needs to be done is to create an IAM role within AWS Account B that provider-jet-aws will `assumeRoleARN` into.

- From within the AWS console of AWS Account B, navigate to IAM > Roles > Create role > Another AWS account.

- Enter the Account ID of Account A (the account provider-jet-aws will call `assumeRoleARN` from).

Next, the provider-jet-aws must be configured to use `assumeRoleARN`. The code snippet below shows how to configure provider-jet-aws to connect to AWS Account A and assumeRoleARN into a role within AWS Account B.

```bash
cat > provider-config.yaml <<EOF
apiVersion: aws.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: account-b
spec:
assumeRoleARN: "arn:aws:iam::999999999999:role/account-b"
credentials:
source: InjectedIdentity
EOF
```
4 changes: 4 additions & 0 deletions apis/v1alpha1/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ import (
type ProviderConfigSpec struct {
// Credentials required to authenticate to this provider.
Credentials ProviderCredentials `json:"credentials"`

// AssumeRoleARN to assume with provider credentials
// +optional
AssumeRoleARN *string `json:"assumeRoleARN,omitempty"`
}

// ProviderCredentials required to authenticate.
Expand Down
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 13 additions & 0 deletions examples/ec2/vpc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,16 @@ spec:
cidrBlock: 172.16.0.0/16
tags:
Name: DemoVpc
---
apiVersion: ec2.aws.jet.crossplane.io/v1alpha2
kind: VPC
metadata:
name: sample-vpc-account-b
spec:
forProvider:
region: us-west-1
cidrBlock: 172.16.0.0/16
tags:
Name: AccountB
providerConfigRef:
name: aws-jet-provider-account-b
7 changes: 7 additions & 0 deletions examples/provider.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws
spec:
package: crossplane/provider-jet-aws:main
13 changes: 13 additions & 0 deletions examples/providerconfig/assumeRoleARN.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
---
apiVersion: aws.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: aws-jet-provider-account-b
spec:
assumeRoleARN: "arn:aws:iam::999999999999:role/account_b"
credentials:
source: Secret
secretRef:
name: example-aws-jet-creds
namespace: crossplane-system
key: credentials
4 changes: 2 additions & 2 deletions examples/tfaws/providerconfig.yaml → examples/providerconfig/providerconfig.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: example-creds
name: example-aws-jet-creds
namespace: crossplane-system
type: Opaque
data:
Expand All @@ -15,6 +15,6 @@ spec:
credentials:
source: Secret
secretRef:
name: example-creds
name: example-aws-jet-creds
namespace: crossplane-system
key: credentials
13 changes: 13 additions & 0 deletions examples/providerconfig/setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
# This is a helper script that uses the AWS CLI configuration to construct an
# JET-AWS ProviderConfig.

cd "$(dirname "$0")"

set -e -o pipefail

AWS_PROFILE=${AWS_PROFILE:=default} # retrieve profile's credentials, save it under 'default' profile, and base64 encode it
BASE64ENCODED_AWS_ACCOUNT_CREDS=$(echo "[default]\naws_access_key_id = $(aws configure get aws_access_key_id --profile $AWS_PROFILE)\naws_secret_access_key = $(aws configure get aws_secret_access_key --profile $AWS_PROFILE)" | base64 | tr -d "\n")

cat providerconfig.yaml | sed "s/<REPLACEME>/${BASE64ENCODED_AWS_ACCOUNT_CREDS}/g" | kubectl apply -f -
4 changes: 2 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ module github.com/crossplane-contrib/provider-jet-aws
go 1.16

require (
github.com/aws/aws-sdk-go-v2 v0.23.0
github.com/aws/aws-sdk-go-v2 v1.11.0
github.com/crossplane/crossplane-runtime v0.15.1-0.20211004150827-579c1833b513
github.com/crossplane/crossplane-tools v0.0.0-20210916125540-071de511ae8e
github.com/crossplane/provider-aws v0.19.0
github.com/crossplane/provider-aws v0.23.0
github.com/crossplane/terrajet v0.4.0-rc.0.0.20220128111246-e5aaa1790fe6
github.com/hashicorp/terraform-plugin-sdk/v2 v2.7.0
github.com/pkg/errors v0.9.1
Expand Down
277 changes: 44 additions & 233 deletions go.sum
View file
Open in desktop

Large diffs are not rendered by default.

31 changes: 26 additions & 5 deletions internal/clients/aws.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,11 @@ import (
"fmt"

"github.com/aws/aws-sdk-go-v2/aws"

xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
"github.com/crossplane/crossplane-runtime/pkg/fieldpath"
"github.com/crossplane/crossplane-runtime/pkg/resource"
xpabeta1 "github.com/crossplane/provider-aws/apis/v1beta1"
xpawsclient "github.com/crossplane/provider-aws/pkg/clients"
"github.com/crossplane/terrajet/pkg/terraform"
"github.com/pkg/errors"
Expand Down Expand Up @@ -59,22 +61,41 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
}

var cfg *aws.Config
xpapc := &xpabeta1.ProviderConfig{
Spec: xpabeta1.ProviderConfigSpec{
Credentials: xpabeta1.ProviderCredentials(pc.Spec.Credentials),
AssumeRoleARN: pc.Spec.AssumeRoleARN,
},
}
switch s := pc.Spec.Credentials.Source; s { //nolint:exhaustive
case xpv1.CredentialsSourceInjectedIdentity:
if cfg, err = xpawsclient.UsePodServiceAccount(ctx, []byte{}, xpawsclient.DefaultSection, region); err != nil {
return ps, errors.Wrap(err, "failed to use pod service account")
if pc.Spec.AssumeRoleARN != nil {
if cfg, err = xpawsclient.UsePodServiceAccountAssumeRole(ctx, []byte{}, xpawsclient.DefaultSection, region, xpapc); err != nil {
return ps, errors.Wrap(err, "failed to use pod service account assumeRoleARN")
}
} else {
if cfg, err = xpawsclient.UsePodServiceAccount(ctx, []byte{}, xpawsclient.DefaultSection, region); err != nil {
return ps, errors.Wrap(err, "failed to use pod service account")
}
}
default:
data, err := resource.CommonCredentialExtractor(ctx, s, client, pc.Spec.Credentials.CommonCredentialSelectors)
if err != nil {
return ps, errors.Wrap(err, "cannot get credentials")
}
if cfg, err = xpawsclient.UseProviderSecret(ctx, data, xpawsclient.DefaultSection, region); err != nil {
return ps, errors.Wrap(err, "failed to use provider secret")
if pc.Spec.AssumeRoleARN != nil {
if cfg, err = xpawsclient.UseProviderSecretAssumeRole(ctx, data, xpawsclient.DefaultSection, region, xpapc); err != nil {
return ps, errors.Wrap(err, "failed to use provider secret assumeRoleARN")
}
} else {
if cfg, err = xpawsclient.UseProviderSecret(ctx, data, xpawsclient.DefaultSection, region); err != nil {
return ps, errors.Wrap(err, "failed to use provider secret")
}
}
}
awsConf := xpawsclient.SetResolver(ctx, mg, cfg)
awsConf := xpawsclient.SetResolver(xpapc, cfg)
creds, err := awsConf.Credentials.Retrieve(ctx)

if err != nil {
return ps, errors.Wrap(err, "failed to retrieve aws credentials from aws config")
}
Expand Down
3 changes: 3 additions & 0 deletions package/crds/aws.jet.crossplane.io_providerconfigs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,9 @@ spec:
spec:
description: A ProviderConfigSpec defines the desired state of a ProviderConfig.
properties:
assumeRoleARN:
description: AssumeRoleARN to assume with provider credentials
type: string
credentials:
description: Credentials required to authenticate to this provider.
properties:
Expand Down