diff --git a/google-workspace.tf b/google-workspace.tf index 1a6af88..ab910f0 100644 --- a/google-workspace.tf +++ b/google-workspace.tf @@ -7,7 +7,7 @@ provider "google" { module "worklytics_connectors_google_workspace" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.6.3" google_workspace_connector_settings = var.google_workspace_connector_settings diff --git a/kms-cmek.tf b/kms-cmek.tf index c4d8aa5..fce83e3 100644 --- a/kms-cmek.tf +++ b/kms-cmek.tf @@ -13,15 +13,17 @@ #locals { # key_arn = aws_kms_key.example_key.arn # alternatively, use ar.project_aws_kms_key_arn # -# # TODO: can eliminate this if test tool doesn't assume role when uploading to bucket -# testing_policy_statements = var.provision_testing_infra ? [ +# upload_testing_policy_statements = length(module.psoxy.test_aws_principal_arns) > 0 ? [ # { -# "Sid": "Allow Test Users to Use Key", +# "Sid": "Allow Test Principals to Encrypt for Input Upload", # "Effect": "Allow", -# "Principal": { # tests -# "AWS": "arn:aws:iam::${var.aws_account_id}:role/${module.psoxy.caller_role_name}" +# "Principal": { +# "AWS": module.psoxy.test_aws_principal_arns # }, -# "Action": "kms:*", +# "Action": [ +# "kms:Encrypt", +# "kms:GenerateDataKey", +# ], # "Resource": local.key_arn # } # ] : [] @@ -93,7 +95,7 @@ # } # ], # local.bulk_writer_policy_statements, -# local.testing_policy_statements, +# local.upload_testing_policy_statements, # local.proxy_caller_policy_statements # ) # }) diff --git a/main.tf b/main.tf index b797c59..74f02fc 100644 --- a/main.tf +++ b/main.tf 
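Review bot: In the commented-out CMEK example, the new gate `length(module.psoxy.test_aws_principal_arns) > 0` errors at plan time if that module output can ever be null, whereas the old `var.provision_testing_infra ? [...] : []` could not; the `test_aws_principal_arns` variable added in this same change defaults to null, and whether the aws-host module normalizes that to a list is not visible here. If it does not, `try(length(module.psoxy.test_aws_principal_arns), 0) > 0 ? [` keeps the example safe to uncomment as-is. Narrowing the grant from `kms:*` to `kms:Encrypt` and `kms:GenerateDataKey` is the right shape for an upload-only principal; a comment such as `# encrypt-only: lets test principals write objects to the input bucket without granting kms:Decrypt on its contents` would record why decrypt is deliberately absent from this statement. The `@@ -93` hunk's rename to `local.upload_testing_policy_statements` is the matching follow-on, and the enclosing `#locals {` block continues outside both hunks.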
@@ -20,7 +20,7 @@ terraform { # general cases module "worklytics_connectors" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.6.3" enabled_connectors = var.enabled_connectors connector_settings = var.connector_settings @@ -119,7 +119,7 @@ locals { } module "psoxy" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.6.3" environment_name = var.environment_name aws_account_id = var.aws_account_id @@ -131,6 +131,7 @@ module "psoxy" { force_bundle = var.force_bundle caller_gcp_service_account_ids = var.caller_gcp_service_account_ids caller_aws_arns = var.caller_aws_arns + test_aws_principal_arns = var.test_aws_principal_arns non_production_connectors = var.non_production_connectors custom_api_connector_rules = var.custom_api_connector_rules lookup_table_builders = var.lookup_table_builders @@ -196,7 +197,7 @@ locals { module "connection_in_worklytics" { for_each = local.all_instances - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-proxy-connection-aws?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-proxy-connection-aws?ref=v0.6.3" proxy_instance_id = each.key worklytics_host = var.worklytics_host diff --git a/msft-365.tf b/msft-365.tf index 2fcf1ac..3ea4a0d 100644 --- a/msft-365.tf +++ b/msft-365.tf @@ -1,7 +1,7 @@ # BEGIN MSFT module "worklytics_connectors_msft_365" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.6.3" msft_365_connector_settings = var.msft_365_connector_settings 
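Review bot: In the `@@ -131,6 +131,7 @@` hunk, `test_aws_principal_arns = var.test_aws_principal_arns` forwards a nullable variable (default null in variables.tf) with no normalization; the null behaviour promised in the variable description ("defaults to the IAM principal running Terraform") must therefore be implemented inside the v0.6.3 aws-host module, which is not visible in this diff, so confirm that module accepts null rather than requiring `[]`. Since these principals end up in IAM/KMS policies alongside `caller_aws_arns`, a comment on the new line, `# null → module falls back to the principal running Terraform (see variables.tf); these ARNs are granted test access, not just listed`, would make the trust implication visible at the call site. The `module "psoxy"` block continues outside the hunk.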
@@ -50,7 +50,7 @@ data "aws_region" "current" { module "cognito_identity_pool" { count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.6.3" developer_provider_name = local.developer_provider_name name = "${local.env_qualifier}-azure-ad-federation" @@ -72,10 +72,10 @@ locals { module "cognito_identity" { count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.6.3" - aws_region = data.aws_region.current.id + aws_region = data.aws_region.current.region aws_role = var.aws_assume_role_arn identity_pool_id = module.cognito_identity_pool[0].pool_id login_ids = { @@ -109,7 +109,7 @@ locals { module "msft_connection_auth_federation" { for_each = local.provision_entraid_apps ? local.enabled_to_entraid_object : local.shared_to_entraid_object - source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.6.2" + source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.6.3" application_id = each.value.connector_id display_name = "${local.env_qualifier}AccessFromAWS" diff --git a/variables.tf b/variables.tf index 3ea485c..a8c2f01 100644 --- a/variables.tf +++ b/variables.tf 
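Review bot: In the `@@ -72,10 +72,10 @@` hunk, switching `data.aws_region.current.id` to `.region` depends on a hashicorp/aws provider release that exposes the `region` attribute (introduced when `id`/`name` were deprecated), yet this diff bumps only module refs and shows no change to the root's `required_providers` constraint; an environment pinned to an older provider would fail at plan with an unsupported-attribute error. Confirm the constraint (outside this diff) already admits such a version, or bump it in the same change, and consider noting it inline: `aws_region = data.aws_region.current.region # requires an aws provider version exposing .region (replaces deprecated .id/.name)`. The `module "cognito_identity"` block continues outside the hunk.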
@@ -141,6 +141,14 @@ variable "caller_aws_arns" { } +variable "test_aws_principal_arns" { + type = list(string) + description = "AWS principal ARNs allowed to test the deployment. When null and provision_testing_infra is true, defaults to the IAM principal running Terraform." + default = null + nullable = true +} + + variable "connector_display_name_suffix" { type = string description = "suffix to append to display_names of connector SAs; helpful to distinguish between various ones in testing/dev scenarios"
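Review bot: `test_aws_principal_arns` is consumed as an IAM/KMS `Principal` (see the kms-cmek example in this change) but has no `validation` block, so a malformed or mis-pasted entry is only caught when AWS rejects the policy at apply time, after other resources have already been created. A format check on each entry gives that feedback at plan time and keeps the documented null fallback intact. If cross-account testers are not intended, the condition could additionally require the account id to equal `var.aws_account_id`; whether that restriction is wanted is not visible here.
```hcl
variable "test_aws_principal_arns" {
  # … unchanged: type, description, default, nullable …

  validation {
    # null keeps the documented fallback; otherwise every entry must look like an IAM or STS principal ARN
    condition = var.test_aws_principal_arns == null ? true : alltrue([
      for arn in var.test_aws_principal_arns :
      can(regex("^arn:aws[a-z-]*:(iam|sts)::[0-9]{12}:", arn))
    ])
    error_message = "Each entry of test_aws_principal_arns must be an IAM or STS principal ARN (arn:<partition>:iam::<account-id>:... or arn:<partition>:sts::<account-id>:...)."
  }
}
```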