awslabs / app-development-for-backstage-io-on-aws

A developer portal to meet your Enterprise needs. Fast, secure, and at-scale.
https://opaonaws.io/
Apache License 2.0

IAM role to be used for provisioning AWS resources #61

Closed hvegav closed 6 months ago

hvegav commented 7 months ago

I want to know the IAM role to be used for provisioning AWS resources in the target account and region. Do you have any template? I don't know what to put in the principal for the role that is going to create the serverless environment provider.

A template would be ideal. The documentation says that a template should be created, but it seems that it was not created during the process.

acwatson commented 7 months ago

Hi hvegav. The IAM role used for provisioning resources in the target account / region is defined in the same directory as the environment provider.

For example, the serverless provider's provisioning role is defined here in the OPA GitHub repo: iac/roots/opa-serverless-environment/src/constructs/serverless-api-env-provisioning-role-construct.ts

This provisioning role is assumed by the CICD pipeline to provision resources in the provider account/region.

Note that there is also an operations role (e.g. iac/roots/opa-serverless-environment/src/constructs/serverless-api-env-operations-role-construct.ts) that is used by Backstage itself to take actions on behalf of users.

When you deploy the OPA platform, it will create a Git repository called "backstage-reference" that contains all of the environment provider templates. When you create a new environment provider from Backstage, it will use the environment provider template files from this repository to set up the provider. So, if you modify files in the backstage reference repo, you can affect all providers that get created from that moment on.

Here is where you could find the serverless provider's provisioning IAM role within the backstage-reference repo: environments/opa-serverless-environment/src/constructs/serverless-api-env-provisioning-role-construct.ts

If you modify files in this repo and commit the changes to Git, then create a new environment provider, OPA will use your latest changes.

If you would prefer to just modify the provisioning role for a provider that you have already created, you can find the ARN of that provisioning role by looking at the outputs from the CloudFormation stack that was created when you created your provider. In the AWS console, you can find the CloudFormation stack and then click on the Outputs tab. You should see an entry called "ProvisioningRole" and another one called "ProvisioningRoleARN". The values for these entries are SSM Parameter store keys. To find their values in the parameter store from the AWS console, go to the Systems Manager service, then click on Parameter Store and then search for the key.

When you deploy an environment provider from Backstage, a new Git repo will be created for that provider. The repo will contain all of the infrastructure as code (CDK in this case) that is used for that provider instance. The best way to modify the IAM role for an existing provider is to modify the IaC in the provider's repo. This will limit your changes to the specific provider and such changes won't impact other existing providers. Remember that the provider repo has a CICD pipeline that will automatically run the IaC when you merge any changes into the provider repo. To find the provisioning role inside a serverless provider repo, look here: .iac/opa-serverless-environment/src/constructs

Hope this helps!
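The lookup chain described in the answer (CloudFormation stack outputs, then the SSM parameters they name, then the role itself) as a script, and a check of who the role's trust policy lets assume it, which is the "principal" question the issue opened with. This is an added example, not code from the OPA project; the live part assumes `boto3` and AWS credentials, and the sample values in the test are constructed.

```python
# Added example (not OPA project code): walk the thread's lookup chain stack outputs ->
# SSM parameter -> IAM role, then list who may assume the provisioning role.


def ssm_keys_from_outputs(outputs, wanted=("ProvisioningRole", "ProvisioningRoleARN")):
    """Map the wanted CloudFormation output keys to the SSM parameter names they hold."""
    found = {o["OutputKey"]: o["OutputValue"] for o in outputs if o.get("OutputKey") in wanted}
    missing = sorted(set(wanted) - set(found))
    if missing:
        raise KeyError(f"stack outputs missing: {missing}")
    return found


def trust_principals(policy_doc):
    """Principals allowed sts:AssumeRole by a trust policy; handles "*" or map principals, Deny ignored."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    principals = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        for kind, value in principal.items():  # kind is AWS, Service or Federated
            values = [value] if isinstance(value, str) else value
            principals.update(f"{kind}:{v}" for v in values)
    return sorted(principals)


def overbroad(principals):
    """Trust entries that let any caller ("*") or a whole account (":root") assume the role."""
    return [p for p in principals if p == "*" or p.endswith(":root")]


def resolve_provisioning_role(stack_name, region):
    """Live lookup (needs boto3 and AWS credentials): returns (role ARN, trusted principals)."""
    import boto3  # imported here so the pure helpers above run offline
    cfn, ssm, iam = (boto3.client(s, region_name=region) for s in ("cloudformation", "ssm", "iam"))
    outputs = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["Outputs"]
    arn_key = ssm_keys_from_outputs(outputs)["ProvisioningRoleARN"]
    role_arn = ssm.get_parameter(Name=arn_key)["Parameter"]["Value"]
    role = iam.get_role(RoleName=role_arn.rsplit("/", 1)[-1])["Role"]
    return role_arn, trust_principals(role["AssumeRolePolicyDocument"])  # boto3 returns it decoded
```

Run `resolve_provisioning_role("<provider stack name>", "<region>")` against the stack the answer points to; anything `overbroad()` reports is a trust entry wider than the pipeline role the answer describes.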