Add input for RAZ role to GCP and AWS CDP deploy submodules (#70)
Signed-off-by: Jim Enright <[email protected]>
jimright authored Jul 18, 2024
1 parent fb9c3d3 commit eb06774
Showing 9 changed files with 39 additions and 3 deletions.
2 changes: 2 additions & 0 deletions modules/terraform-cdp-deploy/README.md
Expand Up @@ -56,6 +56,7 @@ No resources.
| <a name="input_aws_private_subnet_ids"></a> [aws\_private\_subnet\_ids](#input\_aws\_private\_subnet\_ids) | List of private subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
| <a name="input_aws_public_subnet_ids"></a> [aws\_public\_subnet\_ids](#input\_aws\_public\_subnet\_ids) | List of public subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
| <a name="input_aws_ranger_audit_role_arn"></a> [aws\_ranger\_audit\_role\_arn](#input\_aws\_ranger\_audit\_role\_arn) | Ranger Audit Role ARN. Required for CDP deployment on AWS. | `string` | `null` | no |
| <a name="input_aws_raz_role_arn"></a> [aws\_raz\_role\_arn](#input\_aws\_raz\_role\_arn) | ARN for Ranger Authorization Service (RAZ) role. Only applicable for CDP deployment on AWS. | `string` | `null` | no |
| <a name="input_aws_security_access_cidr"></a> [aws\_security\_access\_cidr](#input\_aws\_security\_access\_cidr) | CIDR range for inbound traffic. With this option security groups will be automatically created. Only used for CDP deployment on AWS. Note it is recommended to specify pre-existing security groups instead of this option. | `string` | `null` | no |
| <a name="input_aws_security_group_default_id"></a> [aws\_security\_group\_default\_id](#input\_aws\_security\_group\_default\_id) | ID of the Default Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
| <a name="input_aws_security_group_knox_id"></a> [aws\_security\_group\_knox\_id](#input\_aws\_security\_group\_knox\_id) | ID of the Knox Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
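Review bot: The new `aws_raz_role_arn` row says "Only applicable for CDP deployment on AWS" but not that it becomes required whenever `enable_raz` is true; since `modules/aws/main.tf` now passes `var.raz_role_arn` straight into `ranger_cloud_access_authorizer_role` when RAZ is enabled, the documented default of `null` silently yields a null authorizer role. Suggest wording the description as "Required when enable_raz is true. Only applicable for CDP deployment on AWS." so the table matches the behaviour.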
Expand Down Expand Up @@ -128,6 +129,7 @@ No resources.
| <a name="input_gcp_network_name"></a> [gcp\_network\_name](#input\_gcp\_network\_name) | GCP Network VPC name. Required for CDP deployment on GCP. | `string` | `null` | no |
| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | GCP project to deploy CDP environment. Required for CDP deployment on GCP. | `string` | `null` | no |
| <a name="input_gcp_ranger_audit_service_account_email"></a> [gcp\_ranger\_audit\_service\_account\_email](#input\_gcp\_ranger\_audit\_service\_account\_email) | Email id of the service account for Ranger Audit. Required for CDP deployment on GCP. | `string` | `null` | no |
| <a name="input_gcp_raz_service_account_email"></a> [gcp\_raz\_service\_account\_email](#input\_gcp\_raz\_service\_account\_email) | Email id of the service account for Ranger Authorization Service (RAZ). Only applicable for CDP deployment on GCP. | `string` | `null` | no |
| <a name="input_gcp_xaccount_service_account_private_key"></a> [gcp\_xaccount\_service\_account\_private\_key](#input\_gcp\_xaccount\_service\_account\_private\_key) | Base64 encoded private key of the GCP Cross Account Service Account Key. Required for CDP deployment on GCP. | `string` | `null` | no |
| <a name="input_keypair_name"></a> [keypair\_name](#input\_keypair\_name) | SSH Keypair name in Cloud Service Provider. For CDP deployment on AWS, either 'keypair\_name' or 'public\_key\_text' needs to be set. | `string` | `null` | no |
| <a name="input_multiaz"></a> [multiaz](#input\_multiaz) | Flag to specify that the FreeIPA and DataLake instances will be deployed across multi-availability zones. | `bool` | `true` | no |
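Review bot: Same documentation gap as the AWS row: `gcp_raz_service_account_email` defaults to `null` but is needed once `enable_raz` is true (see the ternary in `modules/gcp/main.tf`); state that dependency in the description rather than only "Only applicable for CDP deployment on GCP".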
Expand Up @@ -70,6 +70,7 @@ module "cdp_deploy" {
aws_xaccount_role_arn = module.cdp_aws_prereqs.aws_xaccount_role_arn
aws_datalake_admin_role_arn = module.cdp_aws_prereqs.aws_datalake_admin_role_arn
aws_ranger_audit_role_arn = module.cdp_aws_prereqs.aws_ranger_audit_role_arn
aws_raz_role_arn = module.cdp_aws_prereqs.aws_datalake_admin_role_arn

aws_log_instance_profile_arn = module.cdp_aws_prereqs.aws_log_instance_profile_arn
aws_idbroker_instance_profile_arn = module.cdp_aws_prereqs.aws_idbroker_instance_profile_arn
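Review bot: The example wires `aws_raz_role_arn` to `module.cdp_aws_prereqs.aws_datalake_admin_role_arn`, which reproduces the hard-coded fallback this commit removes from `modules/aws/main.tf`, so the example never exercises a separate RAZ identity. The point of a dedicated input is to let the RAZ role be scoped independently of the Data Lake admin role instead of sharing it. If the prereqs module exposes a dedicated RAZ role output, reference it here; otherwise add a comment stating that reusing the admin role is a simplification for the example.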
Expand Up @@ -65,6 +65,7 @@ module "cdp_deploy" {
gcp_datalake_admin_service_account_email = module.cdp_gcp_prereqs.gcp_datalake_admin_service_account_email
gcp_ranger_audit_service_account_email = module.cdp_gcp_prereqs.gcp_ranger_audit_service_account_email
gcp_log_service_account_email = module.cdp_gcp_prereqs.gcp_log_service_account_email
gcp_raz_service_account_email = module.cdp_gcp_prereqs.gcp_datalake_admin_service_account_email

# Tags to apply resources (omitted by default)
env_tags = var.env_tags
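Review bot: As in the AWS example, `gcp_raz_service_account_email` is set to the Data Lake admin service account, so RAZ still runs under the admin identity and the new input is not demonstrated; point it at a dedicated RAZ service account where one is available, or comment that the reuse is deliberate. Minor: the new line sits after `gcp_log_service_account_email` here but after the Ranger audit line in the AWS example; keeping the ordering consistent makes the two examples easier to compare.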
2 changes: 2 additions & 0 deletions modules/terraform-cdp-deploy/main.tf
Expand Up @@ -64,6 +64,7 @@ module "cdp_on_aws" {
xaccount_role_arn = var.aws_xaccount_role_arn
datalake_admin_role_arn = var.aws_datalake_admin_role_arn
ranger_audit_role_arn = var.aws_ranger_audit_role_arn
raz_role_arn = var.aws_raz_role_arn

idbroker_instance_profile_arn = var.aws_idbroker_instance_profile_arn
log_instance_profile_arn = var.aws_log_instance_profile_arn
Expand Down Expand Up @@ -236,6 +237,7 @@ module "cdp_on_gcp" {
ranger_audit_service_account_email = var.gcp_ranger_audit_service_account_email
datalake_admin_service_account_email = var.gcp_datalake_admin_service_account_email
log_service_account_email = var.gcp_log_service_account_email
raz_service_account_email = var.gcp_raz_service_account_email

datalake_custom_instance_groups = var.datalake_custom_instance_groups
datalake_image = var.datalake_image
2 changes: 1 addition & 1 deletion modules/terraform-cdp-deploy/modules/aws/main.tf
Expand Up @@ -109,7 +109,7 @@ resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {

ranger_audit_role = var.ranger_audit_role_arn
data_access_role = var.datalake_admin_role_arn
ranger_cloud_access_authorizer_role = var.enable_raz ? var.datalake_admin_role_arn : null
ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_role_arn : null

mappings = [{
accessor_crn = cdp_iam_group.cdp_admin_group.crn
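Review bot: Dropping the fallback means `enable_raz = true` with `raz_role_arn` unset now yields `ranger_cloud_access_authorizer_role = null`, where it previously resolved to the Data Lake admin role; separating the identities is the right direction for least privilege, but the failure mode should be explicit rather than a null handed to the provider. Suggest a `lifecycle { precondition { condition = !var.enable_raz || var.raz_role_arn != null ... } }` on this resource so a misconfigured deploy fails at plan time with a clear message.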
9 changes: 8 additions & 1 deletion modules/terraform-cdp-deploy/modules/aws/variables.tf
Expand Up @@ -413,4 +413,11 @@ variable "idbroker_instance_profile_arn" {
error_message = "Valid values for var: idbroker_instance_profile_arn must be a valid ARN for IDBroker Instance Profile."
}

}
}

variable "raz_role_arn" {
type = string

description = "ARN for Ranger Authorization Service (RAZ) role."

}
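Review bot: `raz_role_arn` is declared with neither a `default` nor a `validation` block, whereas the sibling `idbroker_instance_profile_arn` directly above validates the ARN format with an `error_message`. The root module passes `var.aws_raz_role_arn` (default `null`) through, so either add `default = null` and document that null is only valid when `enable_raz` is false, or add the same ARN-format validation so a malformed ARN is caught before the IDBroker mapping is created.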
2 changes: 1 addition & 1 deletion modules/terraform-cdp-deploy/modules/gcp/main.tf
Expand Up @@ -105,7 +105,7 @@ resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {

ranger_audit_role = var.ranger_audit_service_account_email
data_access_role = var.datalake_admin_service_account_email
ranger_cloud_access_authorizer_role = var.enable_raz ? var.datalake_admin_service_account_email : null
ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_service_account_email : null

mappings = [{
accessor_crn = cdp_iam_group.cdp_admin_group.crn
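Review bot: Same gap as the AWS submodule: with the fallback gone, `enable_raz = true` and a null `raz_service_account_email` passes a null authorizer role to the provider; add a precondition on this resource (`!var.enable_raz || var.raz_service_account_email != null`) so the mismatch fails at plan time.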
7 changes: 7 additions & 0 deletions modules/terraform-cdp-deploy/modules/gcp/variables.tf
Expand Up @@ -398,4 +398,11 @@ variable "datalake_admin_service_account_email" {
error_message = "Valid values for var: datalake_admin_service_account_email must be a valid Email id for the GCP Datalake Admin Service Account."
}

}

variable "raz_service_account_email" {
type = string

description = "Email id of the service account for Ranger Authorization Service (RAZ)."

}
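Review bot: `raz_service_account_email` has no `default` and no `validation`, while the neighbouring `datalake_admin_service_account_email` validates that the value is a valid email id. Mirror that validation (and either add `default = null` or document that null is only acceptable when `enable_raz` is false) so a wrong service account email is rejected at plan time instead of surfacing as a broken IDBroker mapping.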
16 changes: 16 additions & 0 deletions modules/terraform-cdp-deploy/variables.tf
Expand Up @@ -518,6 +518,14 @@ variable "aws_idbroker_instance_profile_arn" {
default = null
}

variable "aws_raz_role_arn" {
type = string

description = "ARN for Ranger Authorization Service (RAZ) role. Only applicable for CDP deployment on AWS."

default = null
}

# ------- Cloud Service Provider Settings - Azure specific -------
variable "azure_subscription_id" {
type = string
Expand Down Expand Up @@ -816,4 +824,12 @@ variable "gcp_encryption_key" {

default = null

}

variable "gcp_raz_service_account_email" {
type = string

description = "Email id of the service account for Ranger Authorization Service (RAZ). Only applicable for CDP deployment on GCP."

default = null
}
