@@ -7,10 +7,14 @@ RSC requires permissions to operate and as new features are added to RSC the set
7
7
guide explains how Terraform can be used to keep this set of permissions up to date.
8
8
9
9
## AWS
10
- For AWS this is managed through a CloudFormation stack. When the status of an account feature is ` missing-permissions `
11
- the CloudFormation stack must be updated for the feature to continue to function. This can be managed by setting the
12
- ` permissions ` argument to ` update ` .
13
- ``` hcl
10
+ There are two ways to onboard AWS accounts to RSC, using a CloudFormation stack or not. Depending on the way an account
11
+ is onboarded, permissions are managed in different ways.
12
+
13
+ ### Using a CloudFormation Stack
14
+ When an account is onboarded using a CloudFormation stack, the permissions are managed through the stack. When the
15
+ status of an account feature is ` MISSING_PERMISSIONS ` the CloudFormation stack must be updated for the RSC feature to
16
+ continue to function. This can be managed by setting the ` permissions ` argument to ` update ` .
17
+ ``` terraform
14
18
resource "polaris_aws_account" "default" {
15
19
profile = "default"
16
20
permissions = "update"
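Review bot: the opening sentence of the new AWS text, "There are two ways to onboard AWS accounts to RSC, using a CloudFormation stack or not", reads awkwardly; suggest "AWS accounts can be onboarded to RSC either with or without a CloudFormation stack, and permissions are managed differently in each case." One sentence after `permissions = "update"` would also help: with this setting an apply that follows a `MISSING_PERMISSIONS` status modifies the CloudFormation stack, and since the stack is what defines what RSC may do in the account, the plan diff is where that permission change should be reviewed before it is applied.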
@@ -22,55 +26,98 @@ resource "polaris_aws_account" "default" {
22
26
}
23
27
}
24
28
```
25
- This will generate a diff when the status of at least one feature is ` missing-permissions ` . Applying the account
26
- resource for this diff will update the CloudFormation stack. If the ` permissions ` argument is not specified the
29
+ This will generate a diff when the status of at least one feature is in the ` MISSING_PERMISSIONS ` state . Applying the
30
+ account resource for this diff will update the CloudFormation stack. If the ` permissions ` argument is not specified the
27
31
provider will not attempt to update the CloudFormation stack.
28
32
33
+ ### Not Using a CloudFormation Stack
34
+ When an account is onboarded without using a CloudFormation stack, the permissions can be managed using the
35
+ ` polaris_aws_cnp_artifacts ` and ` polaris_aws_cnp_permissions ` data sources and the
36
+ [ aws] ( https://registry.terraform.io/providers/hashicorp/aws/latest ) provider, using IAM roles. Please see the
37
+ [ AWS CNP Account] ( aws_cnp_account.md ) guide for more information on how create IAM roles using the data sources.
38
+
29
39
## Azure
30
- For Azure permissions are managed through a service principal. When the status of a subscription feature is
31
- ` missing-permissions ` the permissions of the service principal must be updated for the feature to continue to
32
- function. This can be managed by Terraform using the
33
- [ azurerm] ( https://registry.terraform.io/providers/hashicorp/azurerm/latest ) provider:
34
- ``` hcl
35
- data "polaris_azure_permissions" "default" {
36
- features = [
37
- "cloud-native-protection",
38
- "exocompute",
39
- ]
40
+ For Azure permissions are managed through the subscription. When the status of a subscription feature is
41
+ ` MISSING_PERMISSIONS ` the permissions must be updated for the feature to continue to function. This can be managed by
42
+ Terraform using the [ azurerm] ( https://registry.terraform.io/providers/hashicorp/azurerm/latest ) provider:
43
+ ``` terraform
44
+ variable "features" {
45
+ type = set(string)
46
+ description = "List of RSC features to enable for subscription."
47
+ }
48
+
49
+ data "polaris_azure_permissions" "features" {
50
+ for_each = var.features
51
+ feature = each.key
40
52
}
41
53
42
- resource "azurerm_role_definition" "default" {
43
- name = "terraform"
44
- scope = data.azurerm_subscription.default.id
54
+ resource "azurerm_role_definition" "subscription" {
55
+ for_each = data.polaris_azure_permissions.features
56
+ name = "RSC - Subscription Level - ${each.value.feature}"
57
+ scope = data.azurerm_subscription.subscription.id
45
58
46
59
permissions {
47
- actions = data.polaris_azure_permissions.default.actions
48
- data_actions = data.polaris_azure_permissions.default.data_actions
49
- not_actions = data.polaris_azure_permissions.default.not_actions
50
- not_data_actions = data.polaris_azure_permissions.default.not_data_actions
60
+ actions = each.value.subscription_actions
61
+ data_actions = each.value.subscription_data_actions
62
+ not_actions = each.value.subscription_not_actions
63
+ not_data_actions = each.value.subscription_not_data_actions
51
64
}
52
65
}
53
66
54
- resource "azurerm_role_assignment" "default" {
67
+ resource "azurerm_role_assignment" "subscription" {
68
+ for_each = data.polaris_azure_permissions.features
55
69
principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97"
56
- role_definition_id = azurerm_role_definition.default .role_definition_resource_id
57
- scope = data.azurerm_subscription.default .id
70
+ role_definition_id = azurerm_role_definition.subscription[each.key] .role_definition_resource_id
71
+ scope = data.azurerm_subscription.subscription .id
58
72
}
59
73
60
- resource "polaris_azure_service_principal" "default" {
61
- sdk_auth = "${path.module}/sdk-service-principal.json"
62
- tenant_domain = "mydomain.onmicrosoft.com"
63
- permissions_hash = data.polaris_azure_permissions.default.hash
74
+ resource "azurerm_role_definition" "resource_group" {
75
+ for_each = data.polaris_azure_permissions.features
76
+ name = "RSC - Resource Group Level - ${each.value.feature}"
77
+ scope = data.azurerm_resource_group.resource_group.id
78
+
79
+ permissions {
80
+ actions = each.value.resource_group_actions
81
+ data_actions = each.value.resource_group_data_actions
82
+ not_actions = each.value.resource_group_not_actions
83
+ not_data_actions = each.value.resource_group_not_data_actions
84
+ }
85
+ }
86
+
87
+ resource "azurerm_role_assignment" "resource_group" {
88
+ for_each = data.polaris_azure_permissions.features
89
+ principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97"
90
+ role_definition_id = azurerm_role_definition.resource_group[each.key].role_definition_resource_id
91
+ scope = data.azurerm_resource_group.resource_group.id
92
+ }
93
+
94
+ resource "polaris_azure_service_principal" "service_principal" {
95
+ ...
96
+ }
97
+
98
+ resource "polaris_azure_subscription" "subscription" {
99
+ subscription_id = data.azurerm_subscription.subscription.subscription_id
100
+ subscription_name = data.azurerm_subscription.subscription.display_name
101
+ tenant_domain = polaris_azure_service_principal.service_principal.tenant_domain
102
+
103
+ cloud_native_protection {
104
+ permissions = data.polaris_azure_permissions.features["CLOUD_NATIVE_PROTECTION"].id
105
+ resource_group_name = data.azurerm_resource_group.resource_group.name
106
+ resource_group_region = data.azurerm_resource_group.resource_group.location
107
+ regions = ["eastus2"]
108
+ }
109
+
110
+ ...
64
111
65
112
depends_on = [
66
- azurerm_role_definition.default ,
67
- azurerm_role_assignment.default ,
113
+ azurerm_role_definition.subscription ,
114
+ azurerm_role_definition.resource_group ,
68
115
]
69
116
}
70
117
```
71
118
When the permissions for a feature changes the permissions data source will reflect this generating a diff for the
72
- role definition and service principal resources. Applying the diff will first update the permissions of the service
73
- principal's role definition and then notify RSC about the update.
119
+ role definitions and subscription resources. Applying the diff will first update the permissions of the role
120
+ definitions, then notify RSC about the update.
74
121
75
122
## GCP
76
123
For GCP permissions are managed through a service account. When the status of a project feature is ` missing-permissions `
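Review bot: the new `depends_on` in `polaris_azure_subscription` drops the role assignments; the old block listed both `azurerm_role_definition.default` and `azurerm_role_assignment.default`, while the new one lists only `azurerm_role_definition.subscription` and `azurerm_role_definition.resource_group`. The prose below says the role definitions are updated before RSC is notified, but a role definition grants nothing until its assignment exists, so add `azurerm_role_assignment.subscription` and `azurerm_role_assignment.resource_group` to the list. Both new `azurerm_role_assignment` resources still hard-code `principal_id = "9e7f3952-1fc1-11ec-b57a-972144d12d97"`; a reader copying the guide would assign the RSC roles to the wrong principal, so take the value from a variable and state that it must be the object id of the service principal used by RSC. The example references `data.azurerm_subscription.subscription` and `data.azurerm_resource_group.resource_group` without declaring them, and `data.polaris_azure_permissions.features["CLOUD_NATIVE_PROTECTION"]` fails at plan time unless `var.features` contains that key; a short note on both would help. Consistency: the feature status is now written `MISSING_PERMISSIONS` in the AWS and Azure sections, but the GCP line at the end of this hunk still says `missing-permissions`. Prose nits: "in the ` MISSING_PERMISSIONS ` state ." has a stray space before the period, "how create IAM roles" should read "how to create IAM roles", and "When the permissions for a feature changes" should be "change".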