
Conversation

eshiferax
Contributor

@eshiferax eshiferax commented Jun 5, 2025

Adding two options to rift_compute module:

  1. controlplane_access_only -- When true, this removes the legacy account 153453085158 from the trust policy of the cross-account role. This works for all newer accounts that only rely on access from roles in the control-plane account directly.
  2. include_crossaccount_bucket_access -- When true, does not add a bucket policy to the offline-store bucket for direct cross-account access. This is OK for dataplane Rift, where all access to the offline store will come through the assumed role in the dataplane. Reference

Setting defaults for both of these appropriately in the dataplane_rift and dataplane_rift_with_emr modules. Control-plane Rift and existing direct users of the deployment module won't see a change; this only affects the 'new' modules/users and will be the default going forward.

Tested with internal state; it results in this type of change:

  # module.tecton.aws_iam_role.cross_account_role will be updated in-place
  ~ resource "aws_iam_role" "cross_account_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:iam::<CTRL_PLANE_ACCOUNT_ID>:root",
                              - "arn:aws:iam::153453085158:root",
                            ] -> "arn:aws:iam::<CTRL_PLANE_ACCOUNT_ID>:root"
                        }
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "<ACCOUNT>-cross-account-role"
        name                  = "<ACCOUNT>-cross-account-role"
        tags                  = {
            "tecton-accessible:<ACCOUNT>" = "true"
        }
        # (9 unchanged attributes hidden)
    }

  # module.tecton.aws_s3_bucket_policy.tecton[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_s3_bucket_policy" "tecton" {
      - bucket = "<BUCKET>" -> null
      - id     = "<BUCKET>" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:ListBucket"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::<ACCOUNT_ID>:root"
                        }
                      - Resource  = "arn:aws:s3:::<BUCKET>"
                      - Sid       = "S3Bucket"
                    },
                  - {
                      - Action    = [
                          - "s3:PutObject",
                          - "s3:GetObject",
                          - "s3:DeleteObject",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::<ACCOUNT_ID>:root"
                        }
                      - Resource  = "arn:aws:s3:::<BUCKET>/*"
                      - Sid       = "S3Object"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

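The plan above shows the two effects of the new flags: the legacy account's `:root` principal drops out of the role's trust policy, and the offline-store bucket policy is destroyed because its `count` went to zero. The following is an added, editor-written illustration of how a module can gate both with boolean inputs; it is not the rift_compute module's source. The flag names, the legacy account ID, the resource names and the policy statements are taken from the PR and plan; every variable name, the assumed data-plane defaults, and which account the bucket policy principal `<ACCOUNT_ID>` refers to (modelled here as a separate input) are assumptions. `include_crossaccount_bucket_access` is modelled so that `true` keeps the bucket policy and `false` removes it, matching the plan output.

```hcl
# Added example (editor's illustration, not the rift_compute module source).
# Variable names and defaults below are assumptions for this illustration.

variable "controlplane_account_id" {
  type = string
}

variable "dataplane_account_id" {
  type = string
}

variable "bucket_principal_account_id" {
  # Assumed: the account granted direct access by the bucket policy
  # (shown as <ACCOUNT_ID> in the plan above).
  type = string
}

variable "offline_store_bucket" {
  type = string
}

variable "legacy_account_id" {
  type    = string
  default = "153453085158"
}

variable "controlplane_access_only" {
  type    = bool
  default = true # assumed default for the data-plane modules
}

variable "include_crossaccount_bucket_access" {
  type    = bool
  default = false # assumed default for the data-plane modules
}

locals {
  # With the flag set, only the control-plane account may assume the role;
  # the legacy account is appended only when the flag is false.
  trusted_principals = concat(
    ["arn:aws:iam::${var.controlplane_account_id}:root"],
    var.controlplane_access_only ? [] : ["arn:aws:iam::${var.legacy_account_id}:root"],
  )
}

resource "aws_iam_role" "cross_account_role" {
  name = "${var.dataplane_account_id}-cross-account-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = local.trusted_principals }
    }]
  })
}

# count = 0 removes the direct cross-account bucket policy entirely, which is
# what the plan above reports as "index [0] is out of range for count".
resource "aws_s3_bucket_policy" "tecton" {
  count  = var.include_crossaccount_bucket_access ? 1 : 0
  bucket = var.offline_store_bucket

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "S3Bucket"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.bucket_principal_account_id}:root" }
        Action    = "s3:ListBucket"
        Resource  = "arn:aws:s3:::${var.offline_store_bucket}"
      },
      {
        Sid       = "S3Object"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.bucket_principal_account_id}:root" }
        Action    = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
        Resource  = "arn:aws:s3:::${var.offline_store_bucket}/*"
      },
    ]
  })
}
```

Two practitioner notes. IAM normalizes a one-element `Principal.AWS` list to a plain string, which is why the plan renders the trust policy change as `] -> "arn:aws:iam::<CTRL_PLANE_ACCOUNT_ID>:root"` rather than as a one-element list; that is cosmetic, not a drift. Before enabling `controlplane_access_only` on an existing deployment, confirm that no principal in the legacy account still assumes the role (for example by looking for `AssumeRole` events in CloudTrail whose calling account is 153453085158), because once the trust statement is gone those calls fail with an access-denied error rather than a plan-time warning.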
@eshiferax eshiferax marked this pull request as ready for review June 5, 2025 00:23
@eshiferax eshiferax requested review from a team and zhoujoetan June 5, 2025 00:23
@eshiferax eshiferax merged commit 72104dc into master Jun 5, 2025
1 check passed
@eshiferax eshiferax deleted the optional-crossaccount branch June 5, 2025 12:28