feat: Add Support for Alternative Partitions in ARNs (like govcloud) (#1815)

jokreliable · web-flow · commit 0ba06c87cd39 · 2022-03-10T12:30:39.000+01:00
* arn partition is not always aws

* correct typo

* missed a variable handoff

* missing CR at the end

* updates to formatting and docs from tflint and terraform-docs
diff --git a/README.md b/README.md
@@ -395,6 +395,7 @@ In case the setup does not work as intended follow the trace of events:
 |------|-------------|------|---------|:--------:|
 | <a name="input_ami_filter"></a> [ami\_filter](#input\_ami\_filter) | List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used. | `map(list(string))` | `null` | no |
 | <a name="input_ami_owners"></a> [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` | <pre>[<br>  "amazon"<br>]</pre> | no |
+| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
 | <a name="input_block_device_mappings"></a> [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no |
 | <a name="input_cloudwatch_config"></a> [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -83,11 +83,12 @@ module "webhook" {
 module "runners" {
   source = "./modules/runners"
 
-  aws_region  = var.aws_region
-  vpc_id      = var.vpc_id
-  subnet_ids  = var.subnet_ids
-  environment = var.environment
-  tags        = local.tags
+  aws_region    = var.aws_region
+  aws_partition = var.aws_partition
+  vpc_id        = var.vpc_id
+  subnet_ids    = var.subnet_ids
+  environment   = var.environment
+  tags          = local.tags
 
   s3_bucket_runner_binaries   = module.runner_binaries.bucket
   s3_location_runner_binaries = local.s3_action_runner_url
diff --git a/modules/runners/README.md b/modules/runners/README.md
@@ -115,6 +115,7 @@ yarn run dist
 |------|-------------|------|---------|:--------:|
 | <a name="input_ami_filter"></a> [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` | `null` | no |
 | <a name="input_ami_owners"></a> [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` | <pre>[<br>  "amazon"<br>]</pre> | no |
+| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
 | <a name="input_block_device_mappings"></a> [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no |
 | <a name="input_cloudwatch_config"></a> [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
@@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" {
   role = aws_iam_role.runner.name
   policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json",
     {
-      arn_ssm_parameters_prefix = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"
-      arn_ssm_parameters_path   = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"
+      arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"
+      arn_ssm_parameters_path   = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"
     }
   )
 }
diff --git a/modules/runners/policies/service-linked-role-create-policy.json b/modules/runners/policies/service-linked-role-create-policy.json
@@ -4,7 +4,7 @@
     {
       "Effect": "Allow",
       "Action": "iam:CreateServiceLinkedRole",
-      "Resource": "arn:aws:iam::*:role/aws-service-role/*"
+      "Resource": "arn:${aws_partition}:iam::*:role/aws-service-role/*"
     }
   ]
 }
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
@@ -44,4 +44,6 @@ module "pool" {
     tags       = local.tags
   }
 
+  aws_partition = var.aws_partition
+
 }
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
@@ -82,7 +82,7 @@ resource "aws_iam_role_policy" "pool_logging" {
 resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" {
   count      = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.pool.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
 
 data "aws_iam_policy_document" "lambda_assume_role_policy" {
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
@@ -50,3 +50,9 @@ variable "config" {
     role_path                 = string
   })
 }
+
+variable "aws_partition" {
+  description = "(optional) partition for the arn if not 'aws'"
+  type        = string
+  default     = "aws"
+}
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
@@ -97,5 +97,5 @@ resource "aws_iam_role_policy" "scale_down_logging" {
 resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {
   count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.scale_down.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -99,11 +99,11 @@ resource "aws_iam_role_policy" "service_linked_role" {
   count  = var.create_service_linked_role_spot ? 1 : 0
   name   = "${var.environment}-service_linked_role"
   role   = aws_iam_role.scale_up.name
-  policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {})
+  policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })
 }
 
 resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {
   count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.scale_up.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
@@ -306,6 +306,12 @@ variable "create_service_linked_role_spot" {
   default     = false
 }
 
+variable "aws_partition" {
+  description = "(optional) partition for the base arn if not 'aws'"
+  type        = string
+  default     = "aws"
+}
+
 variable "runner_iam_role_managed_policy_arns" {
   description = "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
   type        = list(string)
diff --git a/modules/setup-iam-permissions/README.md b/modules/setup-iam-permissions/README.md
@@ -70,6 +70,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | The module allows to switch to the created role from the provided account id. | `string` | n/a | yes |
+| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optional) partition in the arn namespace if not aws | `string` | `"aws"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | <a name="input_namespaces"></a> [namespaces](#input\_namespaces) | The role will be only allowed to create roles, policies and instance profiles in the given namespace / path. All policies in the boundaries namespace cannot be modified by this role. | <pre>object({<br>    boundary_namespace         = string<br>    role_namespace             = string<br>    policy_namespace           = string<br>    instance_profile_namespace = string<br>  })</pre> | n/a | yes |
 
diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf
@@ -5,7 +5,8 @@ resource "aws_iam_role" "deploy" {
 
   permissions_boundary = aws_iam_policy.deploy_boundary.arn
   assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", {
-    account_id = var.account_id
+    account_id    = var.account_id
+    aws_partition = var.aws_partition
   })
 }
 
@@ -16,6 +17,7 @@ resource "aws_iam_policy" "boundary" {
   policy = templatefile("${path.module}/policies/boundary.json", {
     role_namespace = var.namespaces.role_namespace
     account_id     = data.aws_caller_identity.current.account_id
+    aws_partition  = var.aws_partition
   })
 }
 
@@ -44,5 +46,6 @@ resource "aws_iam_policy" "deploy_boundary" {
     instance_profile_namespace = var.namespaces.instance_profile_namespace
     boundary_namespace         = var.namespaces.boundary_namespace
     permission_boundary        = aws_iam_policy.boundary.arn
+    aws_partition              = var.aws_partition
   })
 }
diff --git a/modules/setup-iam-permissions/policies/assume-role-for-account.json b/modules/setup-iam-permissions/policies/assume-role-for-account.json
@@ -3,7 +3,7 @@
   "Statement": [
     {
       "Action": "sts:AssumeRole",
-      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
+      "Principal": { "AWS": "arn:${aws_partition}:iam::${account_id}:root" },
       "Effect": "Allow",
       "Sid": "",
       "Condition": {
diff --git a/modules/setup-iam-permissions/policies/boundary.json b/modules/setup-iam-permissions/policies/boundary.json
@@ -21,7 +21,7 @@
       "Sid": "RoleInNamespace",
       "Effect": "Allow",
       "Action": ["iam:PassRole"],
-      "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*"
+      "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*"
     },
     {
       "Sid": "Decrypt",
diff --git a/modules/setup-iam-permissions/policies/deploy-boundary.json b/modules/setup-iam-permissions/policies/deploy-boundary.json
@@ -10,7 +10,7 @@
         "iam:PutRolePermissionsBoundary",
         "iam:PutRolePolicy"
       ],
-      "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*",
+      "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*",
       "Condition": {
         "StringEquals": {
           "iam:PermissionsBoundary": "${permission_boundary}"
@@ -29,7 +29,7 @@
         "iam:DetachRolePolicy",
         "iam:DeleteRolePolicy"
       ],
-      "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*"
+      "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*"
     },
     {
       "Sid": "PolicyInNamespace",
@@ -42,7 +42,7 @@
         "iam:GetPolicyVersion",
         "iam:SetDefaultPolicyVersion"
       ],
-      "Resource": "arn:aws:iam::${account_id}:policy/${policy_namespace}/*"
+      "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${policy_namespace}/*"
     },
     {
       "Sid": "InstanceProfileInNamespace",
@@ -54,7 +54,7 @@
         "iam:AddRoleToInstanceProfile",
         "iam:GetInstanceProfile"
       ],
-      "Resource": "arn:aws:iam::${account_id}:instance-profile/${instance_profile_namespace}/*"
+      "Resource": "arn:${aws_partition}:iam::${account_id}:instance-profile/${instance_profile_namespace}/*"
     },
     {
       "Sid": "IamListActions",
@@ -78,7 +78,7 @@
         "iam:DeletePolicyVersion",
         "iam:SetDefaultPolicyVersion"
       ],
-      "Resource": "arn:aws:iam::${account_id}:policy/${boundary_namespace}/*"
+      "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${boundary_namespace}/*"
     },
     {
       "Sid": "Services",
diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf
@@ -18,3 +18,9 @@ variable "account_id" {
   type        = string
 
 }
+
+variable "aws_partition" {
+  description = "(optional) partition in the arn namespace if not aws"
+  type        = string
+  default     = "aws"
+}
diff --git a/variables.tf b/variables.tf
@@ -586,6 +586,12 @@ variable "pool_config" {
   default = []
 }
 
+variable "aws_partition" {
+  description = "(optiona) partition in the arn namespace to use if not 'aws'"
+  type        = string
+  default     = "aws"
+}
+
 variable "disable_runner_autoupdate" {
   description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" {`
`26`	`26`	`role = aws_iam_role.runner.name`
`27`	`27`	`policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json",`
`28`	`28`	`{`
`29`		`- arn_ssm_parameters_prefix = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"`
`30`		`- arn_ssm_parameters_path = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"`
	`29`	`+ arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"`
	`30`	`+ arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"`
`31`	`31`	`}`
`32`	`32`	`)`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`{`
`5`	`5`	`"Effect": "Allow",`
`6`	`6`	`"Action": "iam:CreateServiceLinkedRole",`
`7`		`- "Resource": "arn:aws:iam:::role/aws-service-role/"`
	`7`	`+ "Resource": "arn:${aws_partition}:iam:::role/aws-service-role/"`
`8`	`8`	`}`
`9`	`9`	`]`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,6 @@ module "pool" {`
`44`	`44`	`tags = local.tags`
`45`	`45`	`}`
`46`	`46`
	`47`	`+ aws_partition = var.aws_partition`
	`48`	`+`
`47`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ resource "aws_iam_role_policy" "pool_logging" {`
`82`	`82`	`resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" {`
`83`	`83`	`count = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0`
`84`	`84`	`role = aws_iam_role.pool.name`
`85`		`- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
	`85`	`+ policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`data "aws_iam_policy_document" "lambda_assume_role_policy" {`
Original file line number	Diff line number	Diff line change
`@@ -97,5 +97,5 @@ resource "aws_iam_role_policy" "scale_down_logging" {`
`97`	`97`	`resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {`
`98`	`98`	`count = length(var.lambda_subnet_ids) > 0 ? 1 : 0`
`99`	`99`	`role = aws_iam_role.scale_down.name`
`100`		`- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
	`100`	`+ policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
`101`	`101`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,11 +99,11 @@ resource "aws_iam_role_policy" "service_linked_role" {`
`99`	`99`	`count = var.create_service_linked_role_spot ? 1 : 0`
`100`	`100`	`name = "${var.environment}-service_linked_role"`
`101`	`101`	`role = aws_iam_role.scale_up.name`
`102`		`- policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {})`
	`102`	`+ policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {`
`106`	`106`	`count = length(var.lambda_subnet_ids) > 0 ? 1 : 0`
`107`	`107`	`role = aws_iam_role.scale_up.name`
`108`		`- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
	`108`	`+ policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
`109`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"Statement": [`
`4`	`4`	`{`
`5`	`5`	`"Action": "sts:AssumeRole",`
`6`		`- "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },`
	`6`	`+ "Principal": { "AWS": "arn:${aws_partition}:iam::${account_id}:root" },`
`7`	`7`	`"Effect": "Allow",`
`8`	`8`	`"Sid": "",`
`9`	`9`	`"Condition": {`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@`
`21`	`21`	`"Sid": "RoleInNamespace",`
`22`	`22`	`"Effect": "Allow",`
`23`	`23`	`"Action": ["iam:PassRole"],`
`24`		`- "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*"`
	`24`	`+ "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*"`
`25`	`25`	`},`
`26`	`26`	`{`
`27`	`27`	`"Sid": "Decrypt",`
Original file line number	Diff line number	Diff line change
`@@ -18,3 +18,9 @@ variable "account_id" {`
`18`	`18`	`type = string`
`19`	`19`
`20`	`20`	`}`
	`21`	`+`
	`22`	`+variable "aws_partition" {`
	`23`	`+ description = "(optional) partition in the arn namespace if not aws"`
	`24`	`+ type = string`
	`25`	`+ default = "aws"`
	`26`	`+}`