Backport to add support for CML backup trust policy to aws xaccount role

jimright · jimright · commit 406be68b8cf7 · 2025-01-30T22:22:27.000Z
Signed-off-by: Jim Enright &lt;jenright@cloudera.com&gt;
diff --git a/modules/terraform-cdp-aws-pre-reqs/README.md b/modules/terraform-cdp-aws-pre-reqs/README.md
@@ -112,7 +112,9 @@ In each directory an example `terraform.tfvars.sample` values file is included t
 | [aws_iam_policy_document.cdp_idbroker_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cdp_log_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cdp_ranger_audit_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cdp_xaccount_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cdp_xaccount_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cml_backup_assume_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_vpc_endpoint_service.gateway_endpoints](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/vpc_endpoint_service) | data source |
 | [aws_vpc_endpoint_service.interface_endpoints](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/vpc_endpoint_service) | data source |
 | [http_http.bucket_access_policy_doc](https://registry.terraform.io/providers/hashicorp/http/3.2.1/docs/data-sources/http) | data source |
@@ -187,6 +189,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t
 | <a name="input_vpc_public_outbound_acl_rules"></a> [vpc\_public\_outbound\_acl\_rules](#input\_vpc\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | <a name="input_vpc_public_subnets_map_public_ip_on_launch"></a> [vpc\_public\_subnets\_map\_public\_ip\_on\_launch](#input\_vpc\_public\_subnets\_map\_public\_ip\_on\_launch) | Auto-assign public IP on launch for instances created in Public Subnets.  Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `bool` | `true` | no |
 | <a name="input_xaccount_account_policy_doc"></a> [xaccount\_account\_policy\_doc](#input\_xaccount\_account\_policy\_doc) | Contents of cross acount policy document | `string` | `null` | no |
+| <a name="input_xaccount_cml_backup_assume_role"></a> [xaccount\_cml\_backup\_assume\_role](#input\_xaccount\_cml\_backup\_assume\_role) | Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship. | `bool` | `false` | no |
 | <a name="input_xaccount_policy_name"></a> [xaccount\_policy\_name](#input\_xaccount\_policy\_name) | Cross Account Policy name | `string` | `null` | no |
 | <a name="input_xaccount_role_name"></a> [xaccount\_role\_name](#input\_xaccount\_role\_name) | Cross account Assume role Name | `string` | `null` | no |
 
diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf
@@ -476,12 +476,38 @@ data "aws_iam_policy_document" "cdp_xaccount_role_policy_doc" {
   }
 }
 
+# Optional assume role policy document for the CML Backup and Restore
+data "aws_iam_policy_document" "cml_backup_assume_policy_doc" {
+
+  count = var.xaccount_cml_backup_assume_role ? 1 : 0
+
+  version = "2012-10-17"
+
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["backup.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cdp_xaccount_assume_role_policy" {
+
+  source_policy_documents = [
+    data.aws_iam_policy_document.cdp_xaccount_role_policy_doc.json,
+    try(data.aws_iam_policy_document.cml_backup_assume_policy_doc[0].json, "")
+  ]
+}
+
 # Create the IAM role that uses the above assume_role_policy document
 resource "aws_iam_role" "cdp_xaccount_role" {
   name        = local.xaccount_role_name
   description = "CDP Cross Account role for ${var.env_prefix}"
 
-  assume_role_policy = data.aws_iam_policy_document.cdp_xaccount_role_policy_doc.json
+  assume_role_policy = data.aws_iam_policy_document.cdp_xaccount_assume_role_policy.json
 
   tags = merge(local.env_tags, { Name = local.xaccount_role_name })
 }
diff --git a/modules/terraform-cdp-aws-pre-reqs/variables.tf b/modules/terraform-cdp-aws-pre-reqs/variables.tf
@@ -390,6 +390,15 @@ variable "create_extra_xaccount_policy" {
   default = true
 }
 
+# Add extra assume role policy for CML Backup and Restore
+variable "xaccount_cml_backup_assume_role" {
+  type = bool
+
+  description = "Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship."
+
+  default = false
+}
+
 # CDP IDBroker Assume Role policy
 variable "idbroker_policy_name" {
   type        = string
