[OPAL-7906] Support AWS accounts in Terraform #24
OPAL-7906 [P1] - Sophos | AWS Organizations - Terraform fails for Opal AWS IAM Role Resource
Terraform is failing for AWS Organizations using AWS IAM Roles. TF update: I've tried to get the IAM Roles added via TF and get an error "Error: opal api error: 400 Bad Request: account_id is required for aws sso app". Looking at the API docs, there is an option to add account_id for the AWS_IAM_ROLE type Opal resource: https://docs.opal.dev/reference/createresource
Please can we get this added to the remaining TF provider work, along with getting the "AWS_ACCOUNT" Opal resource type available in the TF provider, as they're both in the same area, thanks.
one question - do we want to support reading out the remote info for other AWS resources?
terraform-provider-opal/opal/resource.go, lines 414 to 436 in 24eb7c5:

```go
if resource.Metadata != nil {
	remoteInfoIList := make([]any, 0, 1)
	switch *resource.ResourceType {
	case opal.RESOURCETYPEENUM_AWS_SSO_PERMISSION_SET:
		// TODO: Handle other AWS Orgs resource types
		var metadata opal.AwsPermissionSetMetadata
		if err := json.Unmarshal([]byte(*resource.Metadata), &metadata); err != nil {
			return diagFromErr(ctx, err)
		}
		permissionSetIList := make([]any, 0, 1)
		permissionSetIList = append(permissionSetIList, map[string]any{
			"arn":        metadata.AwsPermissionSet.Arn,
			"account_id": metadata.AwsPermissionSet.AccountId,
		})
		remoteInfoIList = append(remoteInfoIList, map[string]any{
			"aws_permission_set": permissionSetIList,
		})
	}
	if len(remoteInfoIList) == 1 {
		d.Set("remote_info", remoteInfoIList)
	}
}
```
some more context here: https://github.com/opalsecurity/terraform-provider-opal/pull/19/files#r1205825077
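To show how the TODO in that switch could be filled in for the other AWS resource types, here is an added example (not the provider's or SDK's own code) that reads remote_info for the permission-set, IAM-role and account types from a constructed metadata JSON shape and rejects an empty account_id locally, so the gap surfaces at plan time instead of as the "account_id is required" 400 from the issue. The struct fields and JSON keys other than aws_permission_set, arn and account_id are assumptions, not the opal-go SDK's types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the SDK metadata shapes (assumption: the real
// opal-go types are not on this page); arn/account_id mirror what the
// snippet above reads for permission sets.
type awsRemote struct {
	Arn       string `json:"arn"`
	AccountId string `json:"account_id"`
}
type awsMetadata struct {
	AwsPermissionSet *awsRemote `json:"aws_permission_set,omitempty"`
	AwsIamRole       *awsRemote `json:"aws_iam_role,omitempty"`
	AwsAccount       *awsRemote `json:"aws_account,omitempty"`
}

// remoteInfoFromMetadata mirrors the switch in resource.go: decode the
// metadata JSON and return the one-element remote_info list keyed by
// resource type. An empty account_id is rejected here so the gap shows up
// at plan time instead of as the API's "account_id is required" 400.
func remoteInfoFromMetadata(resourceType, metadata string) ([]any, error) {
	var m awsMetadata
	if err := json.Unmarshal([]byte(metadata), &m); err != nil {
		return nil, err
	}
	var key string
	var r *awsRemote
	switch resourceType {
	case "AWS_SSO_PERMISSION_SET":
		key, r = "aws_permission_set", m.AwsPermissionSet
	case "AWS_IAM_ROLE":
		key, r = "aws_iam_role", m.AwsIamRole
	case "AWS_ACCOUNT":
		key, r = "aws_account", m.AwsAccount
	default:
		return nil, nil // no remote_info for non-AWS types
	}
	if r == nil || r.AccountId == "" {
		return nil, fmt.Errorf("%s metadata is missing account_id", resourceType)
	}
	inner := []any{map[string]any{"arn": r.Arn, "account_id": r.AccountId}}
	return []any{map[string]any{key: inner}}, nil
}
func main() { // constructed input: an IAM role whose metadata lacks account_id
	fmt.Println(remoteInfoFromMetadata("AWS_IAM_ROLE", `{"aws_iam_role":{"arn":"arn:aws:iam::123456789012:role/x"}}`))
}
```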
LGTM with one comment on validating the import + plan workflow
Description of the change
We were out of parity with the SDK, this supports it.
Test AWS accounts:
Test AWS role:
Checklist