FEATURE ASH-28: Enable role prefix and assume policy override (#51)

Co-authored-by: Marko Fabry <marko.fabry@vertice.one>

Author: kristian-lesko

README.md

@@ -120,6 +120,7 @@ No providers.
 | <a name="input_data_export_s3_prefix"></a> [data\_export\_s3\_prefix](#input\_data\_export\_s3\_prefix) | The prefix for the S3 bucket path where the AWS Data Export data will be saved. | `string` | no |
 | <a name="input_data_export_table_config"></a> [data\_export\_table\_config](#input\_data\_export\_table\_config) | COR table configurations; see https://docs.aws.amazon.com/cur/latest/userguide/table-dictionary-cor.html for details. | <pre>object({<br>    INCLUDE_ALL_RECOMMENDATIONS = string<br>    FILTER                      = string<br>  })</pre> | no |
 | <a name="input_governance_role_additional_policy_json"></a> [governance\_role\_additional\_policy\_json](#input\_governance\_role\_additional\_policy\_json) | Custom additional policy in JSON format to attach to VerticeGovernance role. Default is null for no additional policy. | `string` | no |
+| <a name="input_governance_role_assume_policy_json"></a> [governance\_role\_assume\_policy\_json](#input\_governance\_role\_assume\_policy\_json) | Optional override for VerticeGovernanceRole assume policy. Default assume role policy is constructed if this is not provided. | `string` | no |
 | <a name="input_governance_role_enabled"></a> [governance\_role\_enabled](#input\_governance\_role\_enabled) | Whether to enable the module that creates VerticeGovernance role for the Cloud Cost Optimization. | `bool` | no |
 | <a name="input_governance_role_external_id"></a> [governance\_role\_external\_id](#input\_governance\_role\_external\_id) | STS external ID value to require for assuming the governance role. Required if the governance IAM role is to be created. You will receive this from Vertice. | `string` | no |
 | <a name="input_vertice_account_ids"></a> [vertice\_account\_ids](#input\_vertice\_account\_ids) | List of Account IDs, which are allowed to access the Vertice cross account role. | `list(string)` | no |

main.tf

@@ -7,6 +7,7 @@ module "vertice_governance_role" {
   vertice_account_ids                    = var.vertice_account_ids
   account_type                           = var.account_type
   governance_role_external_id            = var.governance_role_external_id
+  governance_role_assume_policy_json     = var.governance_role_assume_policy_json
   governance_role_additional_policy_json = var.governance_role_additional_policy_json
   billing_policy_addons                  = var.billing_policy_addons
 }

modules/vertice-governance-role/README.md

@@ -51,7 +51,9 @@ No modules.
 | <a name="input_cur_bucket_name"></a> [cur\_bucket\_name](#input\_cur\_bucket\_name) | The name of the bucket which will be used to store the CUR data for Vertice. | `string` | `null` | no |
 | <a name="input_data_export_enabled"></a> [data\_export\_enabled](#input\_data\_export\_enabled) | Include policy enabling access to AWS Data Exports. | `bool` | `false` | no |
 | <a name="input_governance_role_additional_policy_json"></a> [governance\_role\_additional\_policy\_json](#input\_governance\_role\_additional\_policy\_json) | Custom additional policy in JSON format to attach to VerticeGovernance role. Default is `null` for no additional policy. | `string` | `null` | no |
+| <a name="input_governance_role_assume_policy_json"></a> [governance\_role\_assume\_policy\_json](#input\_governance\_role\_assume\_policy\_json) | Optional override for VerticeGovernanceRole assume policy. Default assume role policy is constructed if this is not provided. | `string` | `null` | no |
 | <a name="input_governance_role_external_id"></a> [governance\_role\_external\_id](#input\_governance\_role\_external\_id) | STS external ID value to require for assuming the governance role. Required if the governance IAM role is to be created. You will receive this from Vertice. | `string` | `""` | no |
+| <a name="input_governance_role_name_prefix"></a> [governance\_role\_name\_prefix](#input\_governance\_role\_name\_prefix) | Prefix of the VerticeGovernance role name and names of its policies. For testing purposes. It is discouraged to set / change this. | `string` | `""` | no |
 | <a name="input_vertice_account_ids"></a> [vertice\_account\_ids](#input\_vertice\_account\_ids) | List of Account IDs, which are allowed to access the Vertice cross account role. | `list(string)` | <pre>[<br>  "642184526628",<br>  "762729743961"<br>]</pre> | no |
 
 ## Outputs

modules/vertice-governance-role/iam_policies.tf

@@ -63,7 +63,7 @@ data "aws_iam_policy_document" "vertice_cur_bucket_access" {
 resource "aws_iam_policy" "vertice_cur_bucket_access" {
   count = local.billing_access_enabled ? 1 : 0
 
-  name   = "CURBucketAccess"
+  name   = "${var.governance_role_name_prefix}CURBucketAccess"
   policy = data.aws_iam_policy_document.vertice_cur_bucket_access[0].json
 }
 
@@ -134,7 +134,7 @@ data "aws_iam_policy_document" "vertice_billing_access" {
 resource "aws_iam_policy" "vertice_billing_access" {
   count = local.billing_access_enabled ? 1 : 0
 
-  name   = "VerticeGovernanceRolePolicy"
+  name   = "${var.governance_role_name_prefix}VerticeGovernanceRolePolicy"
   policy = data.aws_iam_policy_document.vertice_billing_access[0].json
 }
 
@@ -208,7 +208,7 @@ data "aws_iam_policy_document" "vertice_core_access" {
 resource "aws_iam_policy" "vertice_core_access" {
   count = local.core_access_enabled ? 1 : 0
 
-  name   = "VerticeCoreAccess"
+  name   = "${var.governance_role_name_prefix}VerticeCoreAccess"
   policy = data.aws_iam_policy_document.vertice_core_access[0].json
 }
 
@@ -236,15 +236,15 @@ data "aws_iam_policy_document" "vertice_core_simulate_access" {
     ]
 
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/vertice/VerticeGovernanceRole"
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/vertice/${var.governance_role_name_prefix}VerticeGovernanceRole"
     ]
   }
 }
 
 resource "aws_iam_policy" "vertice_core_simulate_access" {
   count = local.simulate_access_enabled ? 1 : 0
 
-  name   = "VerticeCoreSimulate"
+  name   = "${var.governance_role_name_prefix}VerticeCoreSimulate"
   policy = data.aws_iam_policy_document.vertice_core_simulate_access[0].json
 }
 
@@ -262,7 +262,7 @@ resource "aws_iam_role_policy_attachment" "vertice_core_simulate_access" {
 resource "aws_iam_policy" "vertice_governance_role_additional_policy" {
   count = local.governance_role_additional_policy_enabled ? 1 : 0
 
-  name   = "VerticeAdditionalPolicy"
+  name   = "${var.governance_role_name_prefix}VerticeAdditionalPolicy"
   policy = var.governance_role_additional_policy_json
 }
 

modules/vertice-governance-role/main.tf

@@ -22,15 +22,18 @@ data "aws_iam_policy_document" "vertice_governance_assume_role" {
 }
 
 resource "aws_iam_role" "vertice_governance_role" {
-  name                 = "VerticeGovernanceRole"
+  name                 = "${var.governance_role_name_prefix}VerticeGovernanceRole"
   path                 = "/vertice/"
   max_session_duration = 60 * 60 * 12
 
-  assume_role_policy = data.aws_iam_policy_document.vertice_governance_assume_role.json
+  assume_role_policy = coalesce(
+    var.governance_role_assume_policy_json,
+    data.aws_iam_policy_document.vertice_governance_assume_role.json,
+  )
 
   lifecycle {
     precondition {
-      condition     = length(var.governance_role_external_id) > 0
+      condition     = length(var.governance_role_external_id) > 0 || var.governance_role_assume_policy_json != null
       error_message = "The ExternalId for governance role must be set."
     }
   }

modules/vertice-governance-role/variables.tf

@@ -22,6 +22,18 @@ variable "governance_role_external_id" {
   default     = ""
 }
 
+variable "governance_role_name_prefix" {
+  type        = string
+  description = "Prefix of the VerticeGovernance role name and names of its policies. For testing purposes. It is discouraged to set / change this."
+  default     = ""
+}
+
+variable "governance_role_assume_policy_json" {
+  type        = string
+  description = "Optional override for VerticeGovernanceRole assume policy. Default assume role policy is constructed if this is not provided."
+  default     = null
+}
+
 variable "governance_role_additional_policy_json" {
   type        = string
   description = "Custom additional policy in JSON format to attach to VerticeGovernance role. Default is `null` for no additional policy."

variables.tf

@@ -40,6 +40,12 @@ variable "governance_role_external_id" {
   default     = ""
 }
 
+variable "governance_role_assume_policy_json" {
+  type        = string
+  description = "Optional override for VerticeGovernanceRole assume policy. Default assume role policy is constructed if this is not provided."
+  default     = null
+}
+
 variable "governance_role_additional_policy_json" {
   type        = string
   description = "Custom additional policy in JSON format to attach to VerticeGovernance role. Default is null for no additional policy."