| 1 | +--- |
| 2 | +page_title: "Manage Permissions" |
| 3 | +--- |
| 4 | + |
| 5 | +# Manage Permissions |
| 6 | +Polaris requires permissions to operate and as new features are added to Polaris the set of required permissions |
| 7 | +changes. This guide explains how Terraform can be used to keep this set of permissions up to date. |
| 8 | + |
| 9 | +## AWS |
| 10 | +For AWS this is managed through a CloudFormation stack. When the status of an account feature is `missing-permissions` |
| 11 | +the CloudFormation stack must be updated for the feature to continue to function. This can be managed by setting the |
| 12 | +`permissions` argument to `update`. |
| 13 | +```hcl |
| 14 | +resource "polaris_aws_account" "default" { |
| 15 | + profile = "default" |
| 16 | + permissions = "update" |
| 17 | +
|
| 18 | + cloud_native_protection { |
| 19 | + regions = [ |
| 20 | + "us-east-2", |
| 21 | + ] |
| 22 | + } |
| 23 | +} |
| 24 | +``` |
| 25 | +This will generate a diff when the status of at least one feature is `missing-permissions`. Applying the account |
| 26 | +resource for this diff will update the CloudFormation stack. If the `permissions` argument is not specified the |
| 27 | +provider will not attempt to update the CloudFormation stack. |
| 28 | + |
| 29 | +## Azure |
| 30 | +For Azure permissions are managed through a service principal. When the status of a subscription feature is |
| 31 | +`missing-permissions` the permissions of the service principal must be updated for the feature to continue to |
| 32 | +function. This can be managed by Terraform using the |
| 33 | +[azurerm](https://registry.terraform.io/providers/hashicorp/azurerm/latest) provider: |
| 34 | +```hcl |
| 35 | +data "polaris_azure_permissions" "default" { |
| 36 | + features = [ |
| 37 | + "cloud-native-protection", |
| 38 | + "exocompute", |
| 39 | + ] |
| 40 | +} |
| 41 | +
|
| 42 | +resource "azurerm_role_definition" "default" { |
| 43 | + name = "terraform" |
| 44 | + scope = data.azurerm_subscription.default.id |
| 45 | +
|
| 46 | + permissions { |
| 47 | + actions = data.polaris_azure_permissions.default.actions |
| 48 | + data_actions = data.polaris_azure_permissions.default.data_actions |
| 49 | + not_actions = data.polaris_azure_permissions.default.not_actions |
| 50 | + not_data_actions = data.polaris_azure_permissions.default.not_data_actions |
| 51 | + } |
| 52 | +} |
| 53 | +
|
| 54 | +resource "azurerm_role_assignment" "default" { |
| 55 | + principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97" |
| 56 | + role_definition_id = azurerm_role_definition.default.role_definition_resource_id |
| 57 | + scope = data.azurerm_subscription.default.id |
| 58 | +} |
| 59 | +
|
| 60 | +resource "polaris_azure_service_principal" "default" { |
| 61 | + sdk_auth = "${path.module}/sdk-service-principal.json" |
| 62 | + tenant_domain = "mydomain.onmicrosoft.com" |
| 63 | + permissions_hash = data.polaris_azure_permissions.default.hash |
| 64 | +
|
| 65 | + depends_on = [ |
| 66 | + azurerm_role_definition.default, |
| 67 | + azurerm_role_assignment.default, |
| 68 | + ] |
| 69 | +} |
| 70 | +``` |
| 71 | +When the permissions for a feature changes the permissions data source will reflect this generating a diff for the |
| 72 | +role definition and service principal resources. Applying the diff will first update the permissions of the service |
| 73 | +principal's role definition and then notify Polaris about the update. |
| 74 | + |
| 75 | +## GCP |
| 76 | +For GCP permissions are managed through a service account. When the status of a project feature is `missing-permissions` |
| 77 | +the permissions of the service account must be updated for the feature to continue to function. This can be managed by |
| 78 | +Terraform using the [google](https://registry.terraform.io/providers/hashicorp/google/latest) provider. |
| 79 | + |
| 80 | +### Project Service Account |
| 81 | +When the service account is specified as part of the project resource: |
| 82 | + |
| 83 | +```terraform |
| 84 | +data "polaris_gcp_permissions" "default" { |
| 85 | + features = [ |
| 86 | + "cloud-native-protection", |
| 87 | + ] |
| 88 | +} |
| 89 | +
|
| 90 | +resource "google_project_iam_custom_role" "default" { |
| 91 | + role_id = "terraform" |
| 92 | + title = "Terraform" |
| 93 | + permissions = data.polaris_gcp_permissions.default.permissions |
| 94 | +} |
| 95 | +
|
| 96 | +resource "google_project_iam_member" "default" { |
| 97 | + role = google_project_iam_custom_role.default.id |
| 98 | + member = "serviceAccount:[email protected]" |
| 99 | +} |
| 100 | +
|
| 101 | +resource "polaris_gcp_project" "default" { |
| 102 | + credentials = "${path.module}//my-project-d978f94d6c4d.json" |
| 103 | + permissions_hash = data.polaris_gcp_permissions.default.hash |
| 104 | +
|
| 105 | + cloud_native_protection { |
| 106 | + } |
| 107 | +
|
| 108 | + depends_on = [ |
| 109 | + google_project_iam_custom_role.default, |
| 110 | + google_project_iam_member.default, |
| 111 | + ] |
| 112 | +} |
| 113 | +``` |
| 114 | +When the permissions for a feature changes the permissions data source will reflect this generating a diff for the |
| 115 | +custom role and the project resources. Applying the diff will first update the permissions of the service account's |
| 116 | +custom role and then notify Polaris about the update. |
| 117 | + |
| 118 | +### Default Service Account |
| 119 | +When the service account is specified as part of the service account resource: |
| 120 | +```terraform |
| 121 | +data "polaris_gcp_permissions" "default" { |
| 122 | + features = [ |
| 123 | + "cloud-native-protection", |
| 124 | + ] |
| 125 | +} |
| 126 | +
|
| 127 | +resource "google_project_iam_custom_role" "default" { |
| 128 | + role_id = "terraform" |
| 129 | + title = "Terraform" |
| 130 | + permissions = data.polaris_gcp_permissions.default.permissions |
| 131 | +} |
| 132 | +
|
| 133 | +resource "google_project_iam_member" "default" { |
| 134 | + role = google_project_iam_custom_role.default.id |
| 135 | + member = "serviceAccount:[email protected]" |
| 136 | +} |
| 137 | +
|
| 138 | +resource "polaris_gcp_service_account" "default" { |
| 139 | + credentials = "${path.module}/my-project-d978f94d6c4d.json" |
| 140 | + permissions_hash = data.polaris_gcp_permissions.default.hash |
| 141 | +
|
| 142 | + depends_on = [ |
| 143 | + google_project_iam_custom_role.default, |
| 144 | + google_project_iam_member.default, |
| 145 | + ] |
| 146 | +} |
| 147 | +``` |
| 148 | +When the permissions for a feature changes the permissions data source will reflect this generating a diff for the |
| 149 | +custom role and the project resources. Applying the diff will first update the permissions of the service account's |
| 150 | +custom role and then notify Polaris about the update. |
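Review bot: the Azure example references `data.azurerm_subscription.default.id` in both the role definition and the role assignment but never declares `data "azurerm_subscription" "default" {}`, so the snippet does not plan as pasted; either add the data source to the block or say it is assumed to exist elsewhere in the configuration. The same example hard-codes `principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97"` with no explanation that `azurerm_role_assignment` expects the object ID of the service principal (not its application/client ID), which is the value readers will most likely paste in by mistake. In the GCP "Project Service Account" example the credentials path has a doubled slash, `"${path.module}//my-project-d978f94d6c4d.json"`, while the "Default Service Account" example uses a single slash; make them consistent. The closing paragraph of the "Default Service Account" section is copied from the project section and says the diff lands on "the custom role and the project resources", but the resource in that example is `polaris_gcp_service_account`, not `polaris_gcp_project`, so that sentence needs to name the service account resource. Smaller points: "When the permissions for a feature changes" (three occurrences) should read "change"; "For AWS this is managed", "For Azure permissions are managed" and "For GCP permissions are managed" each want a comma after the cloud name; and the code fences mix ```hcl and ```terraform, so pick one. Finally, both the Azure and GCP examples point at credential files kept inside the module directory (`sdk-service-principal.json`, `my-project-d978f94d6c4d.json`); a sentence reminding readers not to commit those files alongside the configuration, and that the `permissions_hash`/`permissions = "update"` flow only pushes the new permission set and does not rotate the credential itself, would keep this page from quietly encouraging secrets in version control.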