Closed erikpaasonen closed 1 year ago
prismacloud_aws_cft_generator data source and prismacloud_cloud_account_v2 resource introduced in v1.3.1.
@ftbrecordspan can you provide a working example of how to use the new data source? when we set the external_id attribute of the aws block as such:

```hcl
data "prismacloud_aws_cft_generator" "test" {
  account_type = "account"
  account_id   = var.account_id
}

resource "prismacloud_cloud_account" "test" {
  ...
  aws {
    ...
    external_id = data.prismacloud_aws_cft_generator.test.external_id
    ...
  }
}
```

it creates the account entry in Cloud Accounts in the Prisma Cloud console, however we get an error on Authentication saying that the External ID is still invalid:
following the advice of this (somewhat outdated) KB article, we have confirmed that the second condition mentioned in the error message text (namely, "ensure Prisma Cloud account is added as Trusted entity") is correctly configured, with the proper account ID copied from the KB article found in the expected ARN: it seems the only potential problem left is the external ID value itself?
@erikpaasonen
Please review the AWS example provided for the prisma_cloud_account_v2 resource found here. Note that this process requires the AWS IAM role as defined by the prismacloud_aws_cft_generator data source. This will ensure that the AWS IAM role implements the required permissions based on the desired Prisma Cloud capabilities, and that the role ARN and external ID are configured properly.
our organization's security team expressly prohibits the granting of certain permissions specified in your CFN template, so we create the IAM role manually. our team has both the AWS and Terraform expertise to get the trust policy and the permissions correct. this was made clear in the discussions when the pre-announcement for this API change was first made known to us. we will not be using the CFN template resource.
since the aws block dropped support for the external_id parameter, you have made our use case incompatible with prismacloud_cloud_account_v2.
@erikpaasonen Understood. The permissions implemented by the IAM role can be modified to suit your security requirements, but the external ID and role ARN specified by Prisma Cloud must be used as specified. The removal of the external_id param from the cloud accounts resource reflects the requirement that this value, as specified by the prismacloud_cft_generator data source, must be applied within the IAM role's trust policy.
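The wiring the reply above describes, as an added example that is not part of this issue, the provider's documentation, or the CloudFormation template: the external ID generated by the data source is bound in a manually managed IAM role's trust policy (so only the Prisma Cloud principal presenting that exact value can assume the role, which is the confused-deputy guard an external ID exists for), and the role ARN is then handed to prismacloud_cloud_account_v2 without any external_id attribute. Assumptions: the Prisma Cloud AWS account number is a placeholder variable (take it from Prisma Cloud's own documentation); the role name, the SecurityAudit managed policy used as a stand-in for the real permission set, and the `name`, `role_arn` and `group_ids` attributes inside the `aws` block are assumed, not taken from this page.

```hcl
# Added example (not from the issue or the provider docs): bind the generated
# external ID into a hand-built IAM role, then onboard the account with the v2
# resource. Assumed names are marked as such.

variable "account_id" {
  description = "AWS account being onboarded"
  type        = string
}

# PLACEHOLDER: the Prisma Cloud AWS account that assumes the role. The value
# is not stated in this issue; take it from Prisma Cloud's documentation.
variable "prisma_cloud_aws_account_id" {
  type = string
}

# PLACEHOLDER: Prisma Cloud account group to attach the account to (assumed
# to be required by the v2 resource).
variable "group_id" {
  type = string
}

# Data source from the issue: only the external_id attribute is relied on here.
data "prismacloud_aws_cft_generator" "this" {
  account_type = "account"
  account_id   = var.account_id
}

# Trust policy: only the Prisma Cloud principal may assume the role, and only
# when it presents the external ID generated above.
data "aws_iam_policy_document" "prisma_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.prisma_cloud_aws_account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [data.prismacloud_aws_cft_generator.this.external_id]
    }
  }
}

resource "aws_iam_role" "prisma_cloud" {
  name               = "PrismaCloudReadOnlyRole" # assumed name
  assume_role_policy = data.aws_iam_policy_document.prisma_trust.json
}

# Permissions are attached separately so a security team can scope them down;
# the AWS managed SecurityAudit policy is used here purely as a stand-in.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.prisma_cloud.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# v2 resource: no external_id attribute; the value is enforced by the trust
# policy. Attribute names inside aws {} other than account_id are assumed.
resource "prismacloud_cloud_account_v2" "this" {
  aws {
    account_id = var.account_id
    name       = "example-account"
    role_arn   = aws_iam_role.prisma_cloud.arn
    group_ids  = [var.group_id]
  }
}
```

The point of the dependency chain is that Terraform reads the external ID before the role is created, so the trust policy and the Prisma Cloud side are guaranteed to carry the same value; if the role's condition is edited by hand afterwards, the Authentication error from the original comment is the expected result.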
replying for completeness: I see now that the prismacloud_cloud_account_v2 doesn't directly require any outputs which only CloudFormation can provide, which disproves my point about our use case as incompatible with it. I refactored our code to use the _v2 and ran into the issue described in https://github.com/PaloAltoNetworks/terraform-provider-prismacloud/issues/216. but as far as this data source and integrating it with a cloud account; the requested guidance has been provided, so this issue can remain closed. thanks.
Thanks @erikpaasonen
Is your feature request related to a problem?
Regarding this quote from the documentation for a prismacloud_org_cloud_account (upcoming feature enhancement notes):
This seems to preclude AWS account onboarding from being completed end-to-end entirely within Terraform.
Describe the solution you'd like
Would like to see a new prismacloud_aws_external_id data source created, which hits the App Provisioner API to retrieve such a generated external ID. This data source could then be fed directly into the prismacloud_org_cloud_account resource as a calculated value. Of course, then prismacloud_org_cloud_account would have to continue to accept the external_id parameter as valid input (versus the upcoming ignore of this value per the notice).

Describe alternatives you've considered
Having to set up additional infrastructure outside of Terraform when we already use the Terraform provider to complete the process end to end. Not palatable.
Additional context
Trying to accomplish onboarding of new AWS accounts into Prisma Cloud entirely via Infra-as-Code (preferably entirely via Terraform).