From 84fb70b207eca69b953b6d6b1e225cae266d0387 Mon Sep 17 00:00:00 2001
From: iuri aranda
Date: Fri, 20 Dec 2024 16:15:40 +0100
Subject: [PATCH] Separate AWS partitions in different tofu workspaces

Different AWS partitions use completely different AWS credentials sets, so it would make sense to separate them in different tofu runs / workspaces, so we can still apply to one partition even if we don't have credentials for the other.
---
 aws-account-setup/main.tf | 17 +++++++++++++----
 aws-account-setup/variables.tf | 17 +++++++++++++++++
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/aws-account-setup/main.tf b/aws-account-setup/main.tf
index 0f964e8..1ada79f 100644
--- a/aws-account-setup/main.tf
+++ b/aws-account-setup/main.tf
@@ -8,7 +8,15 @@ terraform {
 }
 
 locals {
- gs_user_account = "084190472784"
+ gs_user_accounts_map = {
+ "aws" = "084190472784"
+ "aws-cn" = "306934455918"
+ }
+
+ workspace_partition_map = {
+ "default" = "aws"
+ "china" = "aws-cn"
+ }
 
 mc_account_flat = flatten([
 for mc_name, mc in var.management_clusters : [
@@ -16,7 +24,7 @@ locals {
 name = mc_name
 aws_account = account
 oidc_provider_domain = mc.oidc_provider_domain
- }
+ } if local.workspace_partition_map[terraform.workspace] == account.aws_partition
 ]
 ])
 
@@ -44,6 +52,7 @@ provider "aws" {
 alias = "main"
 region = "eu-west-1" # Irrelevant as we are only creating IAM stuff
 for_each = local.aws_account_map
+ profile = each.value == "aws" ? var.aws_profile : var.aws_cn_profile
 
 assume_role {
 role_arn = "arn:${each.value}:iam::${each.key}:role/GiantSwarmAdmin"
@@ -63,7 +72,7 @@ provider "aws" {
 # aws = aws.main[each.key]
 # }
 
-# gs_user_account = local.gs_user_account
+# gs_user_account = local.gs_user_accounts_map[each.value]
 # aws_partition = each.value
 # }
 
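Review bot: The two new maps in `locals` hold trust-relevant constants — the Giant Swarm account ID handed to `capa_controller_role` as `gs_user_account` for each partition, and the binding of a tofu workspace name to a partition — but neither carries a comment saying what it is or that adding a partition means editing both maps plus the `aws_partition` validation in variables.tf in lockstep. I would add above `gs_user_accounts_map` something like `# Giant Swarm account per AWS partition; passed to capa_controller_role as gs_user_account — changing an ID changes which account the created roles are set up for` and above `workspace_partition_map` a line `# Each tofu workspace manages exactly one partition (select with \`tofu workspace select\`); keys must match the partitions accepted in variables.tf`. The `locals` block continues past the end of the hunk.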
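Review bot: The filter `if local.workspace_partition_map[terraform.workspace] == account.aws_partition` makes each workspace manage one partition, but the commit does not say how existing state is migrated: if the `default` workspace state currently holds resources for `aws-cn` accounts, the next plan there will propose destroying them, and because their `aws.main[...]` provider instance also disappears from the configuration tofu will most likely refuse with a missing-provider-configuration error rather than destroy cleanly. A `tofu state mv` of the aws-cn resources into the new `china` workspace (or a note in the commit message describing that step) should accompany this change. A lesser point: running in a workspace that is not a key of the map fails on the indexing expression with a generic "key does not identify an element" error; failing closed is correct, but a comment on this line naming the intended workspaces would make that failure easier to diagnose. The enclosing `flatten([...])` expression starts before the hunk.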
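Review bot: `profile = each.value == "aws" ? var.aws_profile : var.aws_cn_profile` routes every partition other than `aws` to the China profile, so the only thing keeping a future `aws-us-gov` entry from being applied with `giantswarm-cn` credentials is the regex validation in a different file. A map lookup fails closed on an unknown partition and documents the intent on the line itself: `profile = { "aws" = var.aws_profile, "aws-cn" = var.aws_cn_profile }[each.value]`. The `provider "aws"` block continues outside the hunk.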
@@ -77,7 +86,7 @@ module "capa_controller_role" {
 installation_name = each.value.name
 management_cluster_oidc_provider_domain = each.value.oidc_provider_domain
 byovpc = each.value.aws_account.byovpc
- gs_user_account = local.gs_user_account
+ gs_user_account = local.gs_user_accounts_map[each.value.aws_account.aws_partition]
 aws_partition = each.value.aws_account.aws_partition
 
 # TBD
diff --git a/aws-account-setup/variables.tf b/aws-account-setup/variables.tf
index 2c6a4e6..2385a9b 100644
--- a/aws-account-setup/variables.tf
+++ b/aws-account-setup/variables.tf
@@ -9,4 +9,21 @@ variable "management_clusters" {
 })),
 oidc_provider_domain = string
 }))
+
+ validation {
+ condition = alltrue(flatten([for name, m in var.management_clusters : [for a in m.aws_account : can(regex("^aws(-cn)?$", a.aws_partition))]]))
+ error_message = "The only AWS partitions supported are `aws` and `aws-cn`"
+ }
+}
+
+variable "aws_profile" {
+ type = string
+ description = "AWS CLI profile to use for initializing the AWS provider. This profile will be used to assume the GiantSwarmAdmin IAM role in each account."
+ default = "giantswarm"
+}
+
+variable "aws_cn_profile" {
+ type = string
+ description = "AWS CLI profile to use for initializing the AWS provider in the aws-cn (China) partition. This profile will be used to assume the GiantSwarmAdmin IAM role in each account."
+ default = "giantswarm-cn"
 }
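Review bot: The validation condition `can(regex("^aws(-cn)?$", a.aws_partition))` expresses a membership test as a pattern match; `contains(["aws", "aws-cn"], a.aws_partition)` says the same thing directly and mirrors the keys of `gs_user_accounts_map` in main.tf, which is what this check actually guards (an unrecognised partition would otherwise error at plan time on that map lookup, or be sent to the aws-cn profile by the ternary in the provider block). Since the accepted list, the two maps in main.tf and the `aws_profile`/`aws_cn_profile` variables all have to change together, a comment above `validation` such as `# Keep in sync with gs_user_accounts_map / workspace_partition_map in main.tf and the per-partition profile variables below` would save the next maintainer a hunt. The `variable "management_clusters"` block starts before the hunk.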