Separate AWS partitions in different tofu workspaces

Different AWS partitions use completely different AWS credentials sets, so it would make sense to separate them in different tofu runs / workspaces, so we can still apply to one partition even if we don't have credentials for the other.
giantswarm · Dec 20, 2024 · 84fb70b · 84fb70b
1 parent 5dfcff3
commit 84fb70b
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/aws-account-setup/main.tf b/aws-account-setup/main.tf
@@ -8,15 +8,23 @@ terraform {
 }
 
 locals {
-  gs_user_account = "084190472784"
+  gs_user_accounts_map = {
+    "aws" = "084190472784"
+    "aws-cn" = "306934455918"
+  }
+
+  workspace_partition_map = {
+    "default" = "aws"
+    "china" = "aws-cn"
+  }
 
   mc_account_flat = flatten([
     for mc_name, mc in var.management_clusters : [
       for account in mc.aws_account : {
         name = mc_name
         aws_account = account
         oidc_provider_domain = mc.oidc_provider_domain
-      }
+      } if local.workspace_partition_map[terraform.workspace] == account.aws_partition
     ]
   ])
 
@@ -44,6 +52,7 @@ provider "aws" {
   alias = "main"
   region = "eu-west-1" # Irrelevant as we are only creating IAM stuff
   for_each = local.aws_account_map
+  profile = each.value == "aws" ? var.aws_profile : var.aws_cn_profile
 
   assume_role {
     role_arn = "arn:${each.value}:iam::${each.key}:role/GiantSwarmAdmin"
@@ -63,7 +72,7 @@ provider "aws" {
 #     aws = aws.main[each.key]
 #   }
 
-#   gs_user_account = local.gs_user_account
+#   gs_user_account = local.gs_user_accounts_map[each.value]
 #   aws_partition = each.value
 # }
 
@@ -77,7 +86,7 @@ module "capa_controller_role" {
   installation_name = each.value.name
   management_cluster_oidc_provider_domain = each.value.oidc_provider_domain
   byovpc = each.value.aws_account.byovpc
-  gs_user_account = local.gs_user_account
+  gs_user_account = local.gs_user_accounts_map[each.value.aws_account.aws_partition]
   aws_partition = each.value.aws_account.aws_partition
 
   # TBD

diff --git a/aws-account-setup/variables.tf b/aws-account-setup/variables.tf
@@ -9,4 +9,21 @@ variable "management_clusters" {
     })),
     oidc_provider_domain = string
   }))
+
+  validation {
+    condition = alltrue(flatten([for name, m in var.management_clusters : [for a in m.aws_account : can(regex("^aws(-cn)?$", a.aws_partition))]]))
+    error_message = "The only AWS partitions supported are `aws` and `aws-cn`"
+  }
+}
+
+variable "aws_profile" {
+  type = string
+  description = "AWS CLI profile to use for initializing the AWS provider. This profile will be used to assume the GiantSwarmAdmin IAM role in each account."
+  default = "giantswarm"
+}
+
+variable "aws_cn_profile" {
+  type = string
+  description = "AWS CLI profile to use for initializing the AWS provider in the aws-cn (China) partition. This profile will be used to assume the GiantSwarmAdmin IAM role in each account."
+  default = "giantswarm-cn"
 }