feat: add cloud connector ID to GCP Infrastructure Manager Terraform #3947
amirbenun wants to merge 2 commits into elastic:main from
This pull request does not have a backport label. Could you fix it @amirbenun? 🙏
Pull request overview
This pull request adds a unique cloud connector identifier to the GCP Infrastructure Manager Terraform deployment to enable specific AWS role session binding for each connector. The change implements a security enhancement by appending a randomly-generated 16-character identifier to the AWS role session name, ensuring each GCP connector deployment can be bound to a unique AWS role session.
Changes:
- Added random provider configuration and generated a 16-character cloud_connector_id
- Updated AWS role session name format from elastic_resource_id to elastic_resource_id-cloud_connector_id
- Added cloud_connector_id output for users to save and use when assuming AWS roles
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| deploy/infrastructure-manager/gcp-cloud-connectors/main.tf | Added random provider, created random_string resource for cloud_connector_id, and passed it to workload_identity module |
| deploy/infrastructure-manager/gcp-cloud-connectors/outputs.tf | Added cloud_connector_id output to expose the generated identifier |
| deploy/infrastructure-manager/gcp-cloud-connectors/variables.tf | Updated elastic_resource_id description to clarify it's the first part of the session name |
| deploy/infrastructure-manager/gcp-cloud-connectors/modules/workload_identity/variables.tf | Added cloud_connector_id variable with description |
| deploy/infrastructure-manager/gcp-cloud-connectors/modules/workload_identity/main.tf | Updated attribute_condition to require session name format elastic_resource_id-cloud_connector_id |
| deploy/infrastructure-manager/gcp-cloud-connectors/deploy.sh | Added documentation about cloud_connector_id output usage |
| resource "random_string" "cloud_connector_id" { | ||
| length = 16 | ||
| special = false |
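Review bot: The generated value is stored in plaintext in Terraform state (random_string keeps its result there), while the PR description treats cloud_connector_id as a binding key to be saved securely; the state backend for this deployment therefore needs the same access controls as that key, and a sentence to that effect belongs next to the output documentation in deploy.sh.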
The random_string resource generates only alphanumeric characters (upper and lowercase) by default. AWS role session names support additional characters including hyphens. Consider adding upper = false to generate only lowercase alphanumeric characters for more consistent and predictable session names that avoid potential case-sensitivity issues in downstream systems.
| special = false | |
| special = false | |
| upper = false |
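Review bot: Dropping upper-case letters reduces the id's entropy from 62^16 (about 95 bits) to 36^16 (about 83 bits), still far beyond what a uniqueness identifier needs, so the change is safe. The attribute_condition in the workload_identity module compares the session name as a case-sensitive string, so whatever case is generated here has to be copied verbatim into the Elastic Agent configuration; a lowercase-only id removes one source of transcription mismatches.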
| @@ -1,3 +1,8 @@ | |||
| output "cloud_connector_id" { | |||
| description = "Unique identifier for the cloud connector deployment" | |||
| value = random_string.cloud_connector_id.result | |||
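Review bot: Treating cloud_connector_id as a secret is of limited value once it forms part of the RoleSessionName: the session name is embedded in the assumed-role ARN and recorded in CloudTrail AssumeRole events in the AWS account, so anyone with read access there sees it. Marking the output sensitive keeps it out of casual console and log output, but the description should make clear that the attribute_condition on the workload identity pool provider, not the secrecy of the id, is what binds a connector to its session.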
Consider marking this output as sensitive since the cloud_connector_id is described as a binding key that should be saved securely. Adding sensitive = true would prevent it from being displayed in plain text in Terraform logs and console output. Users would still be able to retrieve it when needed using terraform output -raw cloud_connector_id.
| value = random_string.cloud_connector_id.result | |
| value = random_string.cloud_connector_id.result | |
| sensitive = true |
| variable "elastic_resource_id" { | ||
| description = "Unique identifier for the Elastic deployment (must match the AWS role session name)" | ||
| description = "Unique identifier for the Elastic deployment (first part of AWS role session name)" | ||
| type = string |
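Review bot: The new description names the position of elastic_resource_id in the session name but says nothing about its constraints. AWS STS accepts RoleSessionName values of 2 to 64 characters from the set [\w+=,.@-], so a value containing a space or a slash fails at AssumeRole time exactly like an over-long one; a validation block that checks the character set as well as the length would catch both before apply.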
AWS role session names have a maximum length of 64 characters. Since the cloud_connector_id is 16 characters and the format is elastic_resource_id-cloud_connector_id (17 characters overhead with the hyphen), the elastic_resource_id can be up to 47 characters. Consider adding a validation block to ensure elastic_resource_id doesn't exceed this limit to prevent runtime failures when assuming the AWS role.
| type = string | |
| type = string | |
| validation { | |
| condition = length(var.elastic_resource_id) <= 47 | |
| error_message = "elastic_resource_id must not exceed 47 characters to comply with AWS role session name length limits" | |
| } |
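Review bot: The 47 in the condition is 64 minus the hyphen minus the 16-character random_string, but nothing ties the two numbers together; if the random_string length is changed later the validation silently admits session names longer than 64 characters. At minimum, state the derivation in error_message and in a comment beside length = 16 so the coupling is visible to whoever edits either one.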
| resource "random_string" "cloud_connector_id" { | ||
| length = 16 | ||
| special = false |
The random_string resource should include a keepers block or lifecycle configuration to prevent regeneration on each Terraform apply. Without this, the cloud_connector_id will change on updates (like when changing other variables), breaking the existing AWS role session bindings. Consider adding a lifecycle block with create_before_destroy = true and ignore_changes, or adding keepers to control when regeneration should occur.
| special = false | |
| special = false | |
| keepers = { | |
| # Regenerate only when the associated Elastic resource changes | |
| elastic_resource_id = var.elastic_resource_id | |
| } |
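Review bot: This keepers block does not prevent regeneration; it defines when regeneration happens. A random_string without keepers keeps its result across plain re-applies (the value lives in state and changes only on taint, destroy or a change to its own arguments), so the claim that it rotates whenever other variables change does not hold. What the suggestion actually does is rotate cloud_connector_id whenever elastic_resource_id changes, which invalidates the session-name binding for any agent configured with the old id; if that is intended, the comment on the keepers entry and deploy.sh should say that the connector must be re-bound after such a change.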
Adds a unique cloud connector identifier to the GCP cloud connectors Terraform deployment so each connector can be bound to a specific AWS role session. The Terraform now generates a 16-character random string (cloud_connector_id), passes it into the workload identity module, and updates the Workload Identity Federation attribute condition to require the AWS role session name to be elastic_resource_id-cloud_connector_id. The cloud_connector_id is output by the deployment and documented in deploy.sh as the connector binding key to be saved securely and used when assuming the AWS role from Elastic Agent.
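As an added example that is not part of this PR or its Terraform, the following Python shows the constraints the composed session name has to satisfy on the AWS side and where the 47-character bound raised in review comes from. The 2 to 64 character length and the [\w+=,.@-] character set are the documented STS RoleSessionName limits; the 16-character lowercase alphanumeric id mirrors the random_string arguments in the diff. The exact CEL attribute_condition is not shown on the page, so session_name_matches_binding is an assumed equivalent of what it enforces, not the module's own check.

```python
import re
import secrets
import string

# Documented AWS STS limits on RoleSessionName (not taken from the PR): 2 to 64
# characters from the set [\w+=,.@-]. re.ASCII keeps \w to ASCII like STS does.
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)
SESSION_NAME_MAX = 64

# Mirrors the random_string in the diff: length = 16, special = false, upper = false.
CLOUD_CONNECTOR_ID_LENGTH = 16
CLOUD_CONNECTOR_ID_ALPHABET = string.ascii_lowercase + string.digits


def max_elastic_resource_id_length() -> int:
    """Longest elastic_resource_id that still fits: 64 minus the hyphen minus the id."""
    return SESSION_NAME_MAX - 1 - CLOUD_CONNECTOR_ID_LENGTH


def generate_cloud_connector_id() -> str:
    """Produce an id with the same shape as the Terraform random_string resource."""
    return "".join(
        secrets.choice(CLOUD_CONNECTOR_ID_ALPHABET) for _ in range(CLOUD_CONNECTOR_ID_LENGTH)
    )


def build_session_name(elastic_resource_id: str, cloud_connector_id: str) -> str:
    """Compose elastic_resource_id-cloud_connector_id, rejecting anything STS would refuse."""
    if len(cloud_connector_id) != CLOUD_CONNECTOR_ID_LENGTH or any(
        c not in CLOUD_CONNECTOR_ID_ALPHABET for c in cloud_connector_id
    ):
        raise ValueError("cloud_connector_id must be 16 lowercase alphanumeric characters")
    if len(elastic_resource_id) > max_elastic_resource_id_length():
        raise ValueError(
            f"elastic_resource_id must not exceed {max_elastic_resource_id_length()} characters"
        )
    session_name = f"{elastic_resource_id}-{cloud_connector_id}"
    # Catches characters outside the STS set (spaces, slashes, ...) that a pure
    # length check, like the one suggested in review, would let through.
    if not SESSION_NAME_RE.fullmatch(session_name):
        raise ValueError("session name contains characters AWS STS does not accept")
    return session_name


def session_name_matches_binding(
    session_name: str, elastic_resource_id: str, cloud_connector_id: str
) -> bool:
    """Assumed equivalent of the workload_identity attribute_condition: an exact,
    case-sensitive match against the expected name. The real CEL is not on the page."""
    return session_name == f"{elastic_resource_id}-{cloud_connector_id}"


if __name__ == "__main__":
    # Constructed sample deployment id; the connector id is freshly generated.
    cid = generate_cloud_connector_id()
    name = build_session_name("my-elastic-deployment", cid)
    print(name, session_name_matches_binding(name, "my-elastic-deployment", cid))
```

The length check reproduces the 47-character ceiling from the review thread, and the regex is the part that ceiling alone misses: a deployment id such as `prod env` is short enough yet still fails at AssumeRole time.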