Add support for sovereign cloud ARN format. (#84)
* Add support for sovereign cloud ARN format.

* Fixing blank line.

* Fix spacing.

* Fix PR Terraform init check.

* Fix example TF versioning.

* Remove arn format from example.

* Add snowsql provider to example.

* Fix snowsql provider on example.
sfc-gh-bkou authored Dec 17, 2024
1 parent 91354c5 commit d444afd
Showing 10 changed files with 50 additions and 37 deletions.
2 changes: 1 addition & 1 deletion api_gateway.tf
Expand Up @@ -22,7 +22,7 @@ resource "aws_api_gateway_rest_api_policy" "ef_to_lambda" {
{
Effect = "Allow"
Principal = {
AWS = "arn:${var.arn_format}:sts::${local.account_id}:assumed-role/${local.api_gw_caller_role_name}/snowflake"
AWS = "arn:${local.aws_partition}:sts::${local.account_id}:assumed-role/${local.api_gw_caller_role_name}/snowflake"
}
Action = "execute-api:Invoke"
Resource = "${aws_api_gateway_rest_api.ef_to_lambda.execution_arn}/*/*/*"
2 changes: 1 addition & 1 deletion api_integration.tf
Expand Up @@ -5,7 +5,7 @@ resource "snowflake_api_integration" "geff_api_integration" {
enabled = true
api_provider = length(regexall(".*gov.*", local.aws_region)) > 0 ? "aws_gov_api_gateway" : "aws_api_gateway"
api_allowed_prefixes = [local.inferred_api_gw_invoke_url]
api_aws_role_arn = "arn:${var.arn_format}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
api_aws_role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
}

resource "snowflake_integration_grant" "geff_api_integration_grant" {
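Review bot: The partition on the changed `api_aws_role_arn` line now comes from `data.aws_partition`, but `api_provider` two lines above still detects GovCloud with a `.*gov.*` regex on the region name, so the two sovereign-cloud signals can disagree (a region name happening to contain `gov` flips the provider type while the partition stays `aws`, and a non-matching gov partition would get the commercial provider type). Deriving both from the same source keeps them consistent: `api_provider = local.aws_partition == "aws-us-gov" ? "aws_gov_api_gateway" : "aws_api_gateway"`. The `snowflake_api_integration` resource starts before this hunk.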
2 changes: 1 addition & 1 deletion examples/complete/main.tf
Expand Up @@ -6,7 +6,6 @@ module "geff" {
env = var.env

# AWS
arn_format = var.arn_format
aws_cloudwatch_metric_namespace = var.aws_cloudwatch_metric_namespace
aws_region = var.aws_region

Expand All @@ -27,6 +26,7 @@ module "geff" {
providers = {
snowflake.api_integration_role = snowflake.api_integration_role
snowflake.storage_integration_role = snowflake.storage_integration_role
snowsql.storage_integration_role = snowsql.storage_integration_role
aws = aws
}
}
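--- a/examples/complete/snowsql_provider.tf
+++ b/examples/complete/snowsql_provider.tf
@@ -0,0 +1,7 @@
+provider "snowsql" {
+alias = "storage_integration_role"
+
+account = var.snowflake_account
+role = var.snowflake_storage_integration_owner_role
+username = "example_user"
+}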
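Review bot: `username = "example_user"` is a hard-coded placeholder while `account` and `role` on the lines above are taken from variables, so the example cannot be applied without editing this file. No password or key is configured in the block either, so the provider presumably picks credentials up from its environment; that is the right place for them, but it is not stated anywhere. I'd source the username from a variable like the other two and add `# credentials (password or key pair) are supplied through the provider's environment, not in this file` above the block so a reader does not add them here.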
15 changes: 12 additions & 3 deletions examples/complete/versions.tf
@@ -1,15 +1,24 @@
terraform {
required_version = "~> 1.4.6"
required_version = ">= 1.4.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.38.0"
version = "~> 5.72.0"
}

snowflake = {
source = "Snowflake-Labs/snowflake"
version = "~> 0.64.0"
version = "~> 0.73.0"
}

snowsql = {
source = "aidanmelen/snowsql"
version = ">= 1.3.3"

configuration_aliases = [
snowsql.storage_integration_role,
]
}
}
}
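Review bot: The new `snowsql` entry uses an open-ended `version = ">= 1.3.3"` while the sibling `aws` and `snowflake` entries in this same example are pinned with `~>`; for a root configuration an unbounded constraint lets a future major release of a community provider be selected by `terraform init -upgrade` without anyone reviewing it. `version = "~> 1.3.3"` keeps it consistent with the other two pins. The same `>= 1.3.3` appears in the root module's versions.tf, where a floor is the usual convention for a reusable module, so that one can stay as is.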
6 changes: 3 additions & 3 deletions iam.tf
Expand Up @@ -25,7 +25,7 @@ resource "aws_iam_role" "geff_api_gateway_assume_role" {

resource "aws_iam_role_policy_attachment" "gateway_logger_policy_attachment" {
role = aws_iam_role.geff_api_gateway_assume_role.id
policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_api_gateway_account" "api_gateway" {
Expand Down Expand Up @@ -100,7 +100,7 @@ data "aws_iam_policy_document" "geff_lambda_policy_doc" {
sid = "WriteCloudWatchLogs"
effect = "Allow"
resources = [
"arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
"arn:${local.aws_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
]

actions = [
Expand Down Expand Up @@ -196,7 +196,7 @@ resource "aws_iam_role_policy" "geff_lambda_policy" {

data "aws_iam_policy" "geff_lambda_vpc_policy" {
count = var.deploy_lambda_in_vpc ? 1 : 0
arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
}

resource "aws_iam_policy_attachment" "geff_lambda_vpc_policy_attachment" {
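Review bot: The CloudWatch log-group ARN in the `WriteCloudWatchLogs` statement still reads `data.aws_region.current.name` and `data.aws_caller_identity.current.account_id` directly, while every other line this commit touches uses the `local.aws_region` / `local.account_id` aliases that variables.tf defines for the same values; mixing the two makes it harder to see at a glance that they agree. `"arn:${local.aws_partition}:logs:${local.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"` reads the same as the rest of the change. The `geff_lambda_policy_doc` document continues outside the second hunk.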
2 changes: 1 addition & 1 deletion kms.tf
Expand Up @@ -9,7 +9,7 @@ resource "aws_kms_key" "prod" {
Action = "kms:*"
Effect = "Allow"
Principal = {
AWS = "arn:${var.arn_format}:iam::${local.account_id}:root"
AWS = "arn:${local.aws_partition}:iam::${local.account_id}:root"
}
Resource = "*"
Sid = "Enable IAM User Permissions"
5 changes: 3 additions & 2 deletions storage_integration.tf
@@ -1,17 +1,18 @@
module "storage_integration" {
source = "Snowflake-Labs/storage-integration-aws/snowflake"
source = "Snowflake-Labs/storage-integration-aws/snowflake"
version = "0.2.11"

# General
prefix = var.prefix
env = var.env

# AWS
arn_format = var.arn_format
data_bucket_arns = var.data_bucket_arns
snowflake_integration_user_roles = var.snowflake_integration_user_roles

providers = {
snowflake.storage_integration_role = snowflake.storage_integration_role
snowsql.storage_integration_role = snowsql.storage_integration_role
aws = aws
}
}
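Review bot: Dropping `arn_format = var.arn_format` from the `storage_integration` module call assumes the `Snowflake-Labs/storage-integration-aws/snowflake` module at `0.2.11` derives the partition itself; if that module still has its own `arn_format` input defaulting to `aws`, the storage integration's ARNs would silently revert to the commercial partition in gov and sovereign accounts, which is exactly what this commit sets out to fix. Worth confirming against that module's inputs before merge. Pinning the module to an exact version here (which appears to be new in this hunk) is the right call; a one-line comment recording the check, `# partition is derived inside the module; no arn_format input is needed`, would save the next reader from repeating it.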
33 changes: 10 additions & 23 deletions variables.tf
Expand Up @@ -88,12 +88,6 @@ variable "sentry_driver_dsn" {
default = ""
}

variable "arn_format" {
type = string
description = "ARN format could be aws or aws-us-gov. Defaults to non-gov."
default = "aws"
}

variable "create_dynamodb_table" {
type = bool
description = "Boolean for if a DynamoDB table is to be created for batch locking."
Expand All @@ -117,25 +111,18 @@ data "aws_region" "current" {}
data "aws_partition" "current" {}

locals {
account_id = data.aws_caller_identity.current.account_id
aws_region = data.aws_region.current.name
}

locals {
lambda_image_repo = "${local.account_id}.dkr.ecr.${local.aws_region}.amazonaws.com/geff"
}
account_id = data.aws_caller_identity.current.account_id
aws_region = data.aws_region.current.name
aws_partition = data.aws_partition.current.partition
aws_dns_suffix = data.aws_partition.current.dns_suffix

locals {
lambda_image_repo = "${local.account_id}.dkr.ecr.${local.aws_region}.${local.aws_dns_suffix}/geff"
lambda_image_repo_version = "${local.lambda_image_repo}:${var.geff_image_version}"
}
lambda_function_name = "${local.geff_prefix}-lambda"

locals {
inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.amazonaws.com/"
geff_prefix = "${var.prefix}-geff"
}
geff_prefix = "${var.prefix}-geff"

locals {
lambda_function_name = "${local.geff_prefix}-lambda"
api_gw_caller_role_name = "${local.geff_prefix}-api-gateway-caller"
api_gw_logger_role_name = "${local.geff_prefix}-api-gateway-logger"
inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.${local.aws_dns_suffix}/"
api_gw_caller_role_name = "${local.geff_prefix}-api-gateway-caller"
api_gw_logger_role_name = "${local.geff_prefix}-api-gateway-logger"
}
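Review bot: Removing `variable "arn_format"` in the first hunk is a breaking change for any caller of this module that still passes `arn_format`: Terraform rejects an argument the module does not declare, so those configurations fail at plan time rather than quietly ignoring the value, and neither the commit message nor the diff flags this. Either keep the variable for one release as a documented no-op (same type and default, with description `"Deprecated: the partition is now read from data.aws_partition and this value is ignored."`) or call the removal out as a breaking change in the release notes. The merged `locals` block in the second hunk otherwise looks right; `data.aws_partition.current.dns_suffix` is the correct source for the ECR and execute-api hostnames in non-commercial partitions.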
13 changes: 11 additions & 2 deletions versions.tf
Expand Up @@ -4,17 +4,26 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.38.0"
version = ">= 5.72.0"
}

snowflake = {
source = "Snowflake-Labs/snowflake"
version = ">= 0.64.0"
version = ">= 0.73.0"

configuration_aliases = [
snowflake.api_integration_role,
snowflake.storage_integration_role,
]
}

snowsql = {
source = "aidanmelen/snowsql"
version = ">= 1.3.3"

configuration_aliases = [
snowsql.storage_integration_role,
]
}
}
}
