From eb06774b5e286e7f524610eb9dc8375e5defa9f4 Mon Sep 17 00:00:00 2001
From: Jim Enright
Date: Thu, 18 Jul 2024 16:39:17 +0100
Subject: [PATCH] Add input for RAZ role to GCP and AWS CDP deploy submodules (#70)
Signed-off-by: Jim Enright
---
 modules/terraform-cdp-deploy/README.md | 2 ++
 .../examples/ex01-aws-basic/main.tf | 1 +
 .../examples/ex03-gcp-basic/main.tf | 1 +
 modules/terraform-cdp-deploy/main.tf | 2 ++
 modules/terraform-cdp-deploy/modules/aws/main.tf | 2 +-
 .../modules/aws/variables.tf | 9 ++++++++-
 modules/terraform-cdp-deploy/modules/gcp/main.tf | 2 +-
 .../modules/gcp/variables.tf | 7 +++++++
 modules/terraform-cdp-deploy/variables.tf | 16 ++++++++++++++++
 9 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/modules/terraform-cdp-deploy/README.md b/modules/terraform-cdp-deploy/README.md
index b319421..db26b6c 100644
--- a/modules/terraform-cdp-deploy/README.md
+++ b/modules/terraform-cdp-deploy/README.md
@@ -56,6 +56,7 @@ No resources.
 | [aws\_private\_subnet\_ids](#input\_aws\_private\_subnet\_ids) | List of private subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
 | [aws\_public\_subnet\_ids](#input\_aws\_public\_subnet\_ids) | List of public subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
 | [aws\_ranger\_audit\_role\_arn](#input\_aws\_ranger\_audit\_role\_arn) | Ranger Audit Role ARN. Required for CDP deployment on AWS. | `string` | `null` | no |
+| [aws\_raz\_role\_arn](#input\_aws\_raz\_role\_arn) | ARN for Ranger Authorization Service (RAZ) role. Only applicable for CDP deployment on AWS. | `string` | `null` | no |
 | [aws\_security\_access\_cidr](#input\_aws\_security\_access\_cidr) | CIDR range for inbound traffic. With this option security groups will be automatically created. Only used for CDP deployment on AWS. Note it is recommended to specify pre-existing security groups instead of this option. | `string` | `null` | no |
 | [aws\_security\_group\_default\_id](#input\_aws\_security\_group\_default\_id) | ID of the Default Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
 | [aws\_security\_group\_knox\_id](#input\_aws\_security\_group\_knox\_id) | ID of the Knox Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
@@ -128,6 +129,7 @@ No resources.
 | [gcp\_network\_name](#input\_gcp\_network\_name) | GCP Network VPC name. Required for CDP deployment on GCP. | `string` | `null` | no |
 | [gcp\_project\_id](#input\_gcp\_project\_id) | GCP project to deploy CDP environment. Required for CDP deployment on GCP. | `string` | `null` | no |
 | [gcp\_ranger\_audit\_service\_account\_email](#input\_gcp\_ranger\_audit\_service\_account\_email) | Email id of the service account for Ranger Audit. Required for CDP deployment on GCP. | `string` | `null` | no |
+| [gcp\_raz\_service\_account\_email](#input\_gcp\_raz\_service\_account\_email) | Email id of the service account for Ranger Authorization Service (RAZ). Only applicable for CDP deployment on GCP. | `string` | `null` | no |
 | [gcp\_xaccount\_service\_account\_private\_key](#input\_gcp\_xaccount\_service\_account\_private\_key) | Base64 encoded private key of the GCP Cross Account Service Account Key. Required for CDP deployment on GCP. | `string` | `null` | no |
 | [keypair\_name](#input\_keypair\_name) | SSH Keypair name in Cloud Service Provider. For CDP deployment on AWS, either 'keypair\_name' or 'public\_key\_text' needs to be set. | `string` | `null` | no |
 | [multiaz](#input\_multiaz) | Flag to specify that the FreeIPA and DataLake instances will be deployed across multi-availability zones. | `bool` | `true` | no |
diff --git a/modules/terraform-cdp-deploy/examples/ex01-aws-basic/main.tf b/modules/terraform-cdp-deploy/examples/ex01-aws-basic/main.tf
index c04a3c9..6c38773 100644
--- a/modules/terraform-cdp-deploy/examples/ex01-aws-basic/main.tf
+++ b/modules/terraform-cdp-deploy/examples/ex01-aws-basic/main.tf
@@ -70,6 +70,7 @@ module "cdp_deploy" {
 aws_xaccount_role_arn = module.cdp_aws_prereqs.aws_xaccount_role_arn
 aws_datalake_admin_role_arn = module.cdp_aws_prereqs.aws_datalake_admin_role_arn
 aws_ranger_audit_role_arn = module.cdp_aws_prereqs.aws_ranger_audit_role_arn
+ aws_raz_role_arn = module.cdp_aws_prereqs.aws_datalake_admin_role_arn
 aws_log_instance_profile_arn = module.cdp_aws_prereqs.aws_log_instance_profile_arn
 aws_idbroker_instance_profile_arn = module.cdp_aws_prereqs.aws_idbroker_instance_profile_arn
diff --git a/modules/terraform-cdp-deploy/examples/ex03-gcp-basic/main.tf b/modules/terraform-cdp-deploy/examples/ex03-gcp-basic/main.tf
index a0acbea..0121a30 100755
--- a/modules/terraform-cdp-deploy/examples/ex03-gcp-basic/main.tf
+++ b/modules/terraform-cdp-deploy/examples/ex03-gcp-basic/main.tf
@@ -65,6 +65,7 @@ module "cdp_deploy" {
 gcp_datalake_admin_service_account_email = module.cdp_gcp_prereqs.gcp_datalake_admin_service_account_email
 gcp_ranger_audit_service_account_email = module.cdp_gcp_prereqs.gcp_ranger_audit_service_account_email
 gcp_log_service_account_email = module.cdp_gcp_prereqs.gcp_log_service_account_email
+ gcp_raz_service_account_email = module.cdp_gcp_prereqs.gcp_datalake_admin_service_account_email
 # Tags to apply resources (omitted by default)
 env_tags = var.env_tags
diff --git a/modules/terraform-cdp-deploy/main.tf b/modules/terraform-cdp-deploy/main.tf
index 1818c83..3b53649 100644
--- a/modules/terraform-cdp-deploy/main.tf
+++ b/modules/terraform-cdp-deploy/main.tf
@@ -64,6 +64,7 @@ module "cdp_on_aws" {
 xaccount_role_arn = var.aws_xaccount_role_arn
 datalake_admin_role_arn = var.aws_datalake_admin_role_arn
 ranger_audit_role_arn = var.aws_ranger_audit_role_arn
+ raz_role_arn = var.aws_raz_role_arn
 idbroker_instance_profile_arn = var.aws_idbroker_instance_profile_arn
 log_instance_profile_arn = var.aws_log_instance_profile_arn
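Review bot: The new `aws_raz_role_arn = module.cdp_aws_prereqs.aws_datalake_admin_role_arn` line hands the RAZ authorizer the Data Lake admin role rather than a dedicated RAZ role, so the example reproduces the old fallback and teaches users to give RAZ an admin-scoped identity instead of a narrower one. If the prereqs module already exports a dedicated RAZ role output, the example should reference it; if not, a comment such as `# Reuses the Data Lake admin role for RAZ in this basic example; a dedicated, narrower RAZ role is preferable` would make the choice explicit. The ex03-gcp-basic hunk on this line does the same with `gcp_datalake_admin_service_account_email` and needs the same treatment. The `module "cdp_deploy"` block opens before and closes after this hunk.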
@@ -236,6 +237,7 @@ module "cdp_on_gcp" {
 ranger_audit_service_account_email = var.gcp_ranger_audit_service_account_email
 datalake_admin_service_account_email = var.gcp_datalake_admin_service_account_email
 log_service_account_email = var.gcp_log_service_account_email
+ raz_service_account_email = var.gcp_raz_service_account_email
 datalake_custom_instance_groups = var.datalake_custom_instance_groups
 datalake_image = var.datalake_image
diff --git a/modules/terraform-cdp-deploy/modules/aws/main.tf b/modules/terraform-cdp-deploy/modules/aws/main.tf
index 6308874..1838a02 100644
--- a/modules/terraform-cdp-deploy/modules/aws/main.tf
+++ b/modules/terraform-cdp-deploy/modules/aws/main.tf
@@ -109,7 +109,7 @@ resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {
 ranger_audit_role = var.ranger_audit_role_arn
 data_access_role = var.datalake_admin_role_arn
- ranger_cloud_access_authorizer_role = var.enable_raz ? var.datalake_admin_role_arn : null
+ ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_role_arn : null
 mappings = [{
 accessor_crn = cdp_iam_group.cdp_admin_group.crn
diff --git a/modules/terraform-cdp-deploy/modules/aws/variables.tf b/modules/terraform-cdp-deploy/modules/aws/variables.tf
index 1b8e3c0..6304ff7 100644
--- a/modules/terraform-cdp-deploy/modules/aws/variables.tf
+++ b/modules/terraform-cdp-deploy/modules/aws/variables.tf
@@ -413,4 +413,11 @@ variable "idbroker_instance_profile_arn" {
 error_message = "Valid values for var: idbroker_instance_profile_arn must be a valid ARN for IDBroker Instance Profile."
 }
-}
\ No newline at end of file
+}
+
+variable "raz_role_arn" {
+ type = string
+
+ description = "ARN for Ranger Authorization Service (RAZ) role."
+
+}
diff --git a/modules/terraform-cdp-deploy/modules/gcp/main.tf b/modules/terraform-cdp-deploy/modules/gcp/main.tf
index 66ba45c..9b698ef 100644
--- a/modules/terraform-cdp-deploy/modules/gcp/main.tf
+++ b/modules/terraform-cdp-deploy/modules/gcp/main.tf
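Review bot: `ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_role_arn : null` silently resolves to `null` when `enable_raz` is true but `raz_role_arn` was never supplied, whereas the removed line always fell back to the Data Lake admin role; a deployment that enables RAZ without a role now gets no authorizer role and nothing fails at plan time. A `lifecycle { precondition { ... } }` on this resource that rejects RAZ enabled without a role, as sketched below, surfaces the misconfiguration before anything is created. The gcp/main.tf hunk on the next line has the same gap with `raz_service_account_email`. The `resource "cdp_environments_id_broker_mappings" "cdp_idbroker"` block starts before and ends after this hunk.
```hcl
resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {
  # … unchanged: ranger_audit_role, data_access_role …
  ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_role_arn : null

  # Fail at plan time instead of silently enabling RAZ with no authorizer role.
  lifecycle {
    precondition {
      condition     = !var.enable_raz || var.raz_role_arn != null
      error_message = "raz_role_arn must be set when enable_raz is true."
    }
  }

  # … unchanged: mappings …
```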
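Review bot: `variable "raz_role_arn"` has no `default` and no `validation` block, unlike its sibling `idbroker_instance_profile_arn` directly above, whose `error_message` shows this file validates ARN inputs; a caller of the submodule that does not use RAZ must still pass the variable explicitly, and a malformed ARN is only rejected by the provider at apply time. Adding `default = null` and a validation that accepts null or an `arn:`-prefixed string, as below, keeps the submodule consistent with the root module's `aws_raz_role_arn` (which already defaults to null) and with the neighbouring variables. The gcp/variables.tf hunk on the next line declares `raz_service_account_email` with the same omissions and should get an equivalent default and an email-format check.
```hcl
variable "raz_role_arn" {
  type = string

  description = "ARN for Ranger Authorization Service (RAZ) role. Only used when enable_raz is true."

  # Null means RAZ is not used; matches the root module's aws_raz_role_arn default.
  default = null

  validation {
    condition     = var.raz_role_arn == null || can(regex("^arn:", var.raz_role_arn))
    error_message = "Valid values for var: raz_role_arn must be a valid ARN for the RAZ role."
  }
}
```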
@@ -105,7 +105,7 @@ resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {
 ranger_audit_role = var.ranger_audit_service_account_email
 data_access_role = var.datalake_admin_service_account_email
- ranger_cloud_access_authorizer_role = var.enable_raz ? var.datalake_admin_service_account_email : null
+ ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_service_account_email : null
 mappings = [{
 accessor_crn = cdp_iam_group.cdp_admin_group.crn
diff --git a/modules/terraform-cdp-deploy/modules/gcp/variables.tf b/modules/terraform-cdp-deploy/modules/gcp/variables.tf
index 114d0f7..673b45a 100644
--- a/modules/terraform-cdp-deploy/modules/gcp/variables.tf
+++ b/modules/terraform-cdp-deploy/modules/gcp/variables.tf
@@ -398,4 +398,11 @@ variable "datalake_admin_service_account_email" {
 error_message = "Valid values for var: datalake_admin_service_account_email must be a valid Email id for the GCP Datalake Admin Service Account."
 }
+}
+
+variable "raz_service_account_email" {
+ type = string
+
+ description = "Email id of the service account for Ranger Authorization Service (RAZ)."
+
 }
\ No newline at end of file
diff --git a/modules/terraform-cdp-deploy/variables.tf b/modules/terraform-cdp-deploy/variables.tf
index bd3b015..3f65873 100644
--- a/modules/terraform-cdp-deploy/variables.tf
+++ b/modules/terraform-cdp-deploy/variables.tf
@@ -518,6 +518,14 @@ variable "aws_idbroker_instance_profile_arn" {
 default = null
 }
+variable "aws_raz_role_arn" {
+ type = string
+
+ description = "ARN for Ranger Authorization Service (RAZ) role. Only applicable for CDP deployment on AWS."
+
+ default = null
+}
+
 # ------- Cloud Service Provider Settings - Azure specific -------
 variable "azure_subscription_id" {
 type = string
@@ -816,4 +824,12 @@ variable "gcp_encryption_key" {
 default = null
+}
+
+variable "gcp_raz_service_account_email" {
+ type = string
+
+ description = "Email id of the service account for Ranger Authorization Service (RAZ). Only applicable for CDP deployment on GCP."
+
+ default = null
 }
\ No newline at end of file