add support for cross account access to system schema (#194)

Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Jul 8, 2021 · 1b5debe · 1b5debe
1 parent 7db672e
commit 1b5debe
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.9.1] - 2021-06-17
+### Added
+- Add support for cross account access to system schema.
+
 ## [6.9.0] - 2021-06-22
 ### Added
 - Added apiary_consumer_iamroles variable to grant cross account access to IAM roles.

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -79,6 +79,7 @@
 | s3\_logs\_sqs\_visibility\_timeout\_seconds | Time in seconds after which message will be returned to the queue if it is not deleted. | `number` | `3600` | no |
 | s3_storage_class | Destination S3 storage class for transition in the lifecycle policy. | string  | `INTELLIGENT_TIERING` | no |
 | secondary_vpcs | List of VPCs to associate with Service Discovery namespace. | list | `<list>` | no |
+| system_schema_customer_accounts | AWS account IDs allowed to access system database. | list | - | no |
 | table_param_filter | A regular expression for selecting necessary table parameters for the SNS listener. If the value isn't set, then no table parameters are selected. | string | `` | no |
 | vpc_id | VPC ID. | string | - | yes |
 

diff --git a/s3-other.tf b/s3-other.tf
@@ -220,6 +220,26 @@ resource "aws_s3_bucket" "apiary_system" {
 {
   "Version":"2012-10-17",
   "Statement":[
+%{if length(var.system_schema_customer_accounts) > 0}
+    {
+        "Sid": "system schema customer account permissions",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": [ "${join("\",\"", formatlist("arn:aws:iam::%s:root", var.system_schema_customer_accounts))}" ]
+        },
+        "Action": [
+            "s3:GetBucketLocation",
+            "s3:GetObject",
+            "s3:GetObjectAcl",
+            "s3:GetBucketAcl",
+            "s3:ListBucket"
+        ],
+        "Resource": [
+            "arn:aws:s3:::${local.apiary_system_bucket}",
+            "arn:aws:s3:::${local.apiary_system_bucket}/*"
+        ]
+    },
+%{endif}
     {
       "Sid": "DenyUnSecureCommunications",
       "Effect": "Deny",

diff --git a/variables.tf b/variables.tf
@@ -499,6 +499,13 @@ variable "system_schema_name" {
   default     = "apiary_system"
 }
 
+variable "system_schema_customer_accounts" {
+  description = "AWS account IDs allowed to access system database."
+  type        = list(string)
+  default     = []
+}
+
+
 variable "rds_max_allowed_packet" {
   description = "RDS/MySQL setting for parameter 'max_allowed_packet' in bytes. Default is 128MB (Note that MySQL default is 4MB)."
   type        = number