From 5c4adfa065471b8020a383cd44c8448cea54de34 Mon Sep 17 00:00:00 2001
From: Mattias Gees
Date: Tue, 4 Feb 2025 17:23:15 +0000
Subject: [PATCH] Add Terraform work for X509 setup with AWS IAM Anywhere
---
 deploy/terraform/aws/jwt.tf | 39 +++++++++++++++++++++++++++
 deploy/terraform/aws/main.tf | 39 +--------------------------
 deploy/terraform/aws/variables.tf | 9 +++++++
 deploy/terraform/aws/x509.tf | 44 +++++++++++++++++++++++++++++++
 4 files changed, 93 insertions(+), 38 deletions(-)
 create mode 100644 deploy/terraform/aws/jwt.tf
 create mode 100644 deploy/terraform/aws/x509.tf
diff --git a/deploy/terraform/aws/jwt.tf b/deploy/terraform/aws/jwt.tf
new file mode 100644
index 0000000..f418885
--- /dev/null
+++ b/deploy/terraform/aws/jwt.tf
@@ -0,0 +1,39 @@
+data "tls_certificate" "oidc-certificate" {
+ count = var.auth-type == "JWT" ? 1 : 0
+ url = "https://${var.oidc-url}"
+}
+
+resource "aws_iam_openid_connect_provider" "oidc-spire" {
+ count = var.auth-type == "JWT" ? 1 : 0
+ url = "https://${var.oidc-url}"
+
+ client_id_list = [
+ "demo",
+ ]
+
+ thumbprint_list = [data.tls_certificate.oidc-certificate.certificates[0].sha1_fingerprint]
+}
+
+resource "aws_iam_role" "oidc-spire-role" {
+ count = var.auth-type == "JWT" ? 1 : 0
+ name = "demo-spiffe-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity",
+ Effect = "Allow",
+ Principal = {
+ Federated = aws_iam_openid_connect_provider.oidc-spire.arn,
+ },
+ Condition = {
+ StringEquals = {
+ "${var.oidc-url}:aud" = "demo",
+ "${var.oidc-url}:sub" = "${var.spiffe-id}"
+ }
+ }
+ },
+ ],
+ })
+}
\ No newline at end of file
diff --git a/deploy/terraform/aws/main.tf b/deploy/terraform/aws/main.tf
index 54f8059..d585c58 100644
--- a/deploy/terraform/aws/main.tf
+++ b/deploy/terraform/aws/main.tf
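Review bot: All three blocks in this hunk now carry `count`, but the two cross-references still address them as single instances, so `thumbprint_list = [data.tls_certificate.oidc-certificate.certificates[0].sha1_fingerprint]` and `Federated = aws_iam_openid_connect_provider.oidc-spire.arn` will be rejected at plan time because attributes of a counted resource must be read from a specific instance. Index them, `data.tls_certificate.oidc-certificate[0].certificates[0].sha1_fingerprint` and `aws_iam_openid_connect_provider.oidc-spire[0].arn`; every use here is guarded by the same `var.auth-type == "JWT"` condition, so instance `[0]` exists whenever these lines are evaluated. The same unindexed reference appears in the main.tf hunk's new `role = var.auth-type == "JWT" ? aws_iam_role.oidc-spire-role.name : aws_iam_role.x509-spire.name`, and since both branches of a conditional are evaluated there, `one(aws_iam_role.oidc-spire-role[*].name)` (and likewise for `x509-spire` if x509.tf also counts it) is the safer form; that hunk runs past the end of this view. Ending jwt.tf with a newline would also drop the `\ No newline at end of file` marker.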
@@ -7,10 +7,6 @@ terraform {
 }
 }
-data "tls_certificate" "oidc-certificate" {
- url = "https://${var.oidc-url}"
-}
-
 provider "aws" {
 region = var.aws-region
 }
@@ -24,42 +20,9 @@ resource "aws_s3_bucket" "oidc-test" {
 }
 }
-resource "aws_iam_openid_connect_provider" "oidc-spire" {
- url = "https://${var.oidc-url}"
-
- client_id_list = [
- "demo",
- ]
-
- thumbprint_list = [data.tls_certificate.oidc-certificate.certificates[0].sha1_fingerprint]
-}
-
-resource "aws_iam_role" "oidc-spire-role" {
- name = "demo-spiffe-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Action = "sts:AssumeRoleWithWebIdentity",
- Effect = "Allow",
- Principal = {
- Federated = aws_iam_openid_connect_provider.oidc-spire.arn,
- },
- Condition = {
- StringEquals = {
- "${var.oidc-url}:aud" = "demo",
- "${var.oidc-url}:sub" = "${var.spiffe-id}"
- }
- }
- },
- ],
- })
-}
-
 resource "aws_iam_role_policy" "s3" {
 name = "demo-spiffe-policy"
- role = aws_iam_role.oidc-spire-role.name
+ role = var.auth-type == "JWT" ? aws_iam_role.oidc-spire-role.name : aws_iam_role.x509-spire.name
 policy = <