fix: make the KMS Okta App Integration module assume role part custom…

…izable (#697) * fix: create module for configuring an okta app with a kms key * fix: use right references here * retrigger gha * fix: create kms-okta-app readme to explain how to use the module * fix: update docs to reflect new parameters * fix: update okta link to a more relevant section for keys * fix: add another resource about jwt payload fields * fix: make params based on whether we want to write them or not * fix: make assume role part customizable
chanzuckerberg · Feb 14, 2025 · 1a31d4e · 1a31d4e
1 parent b8b303a
commit 1a31d4e
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 3 deletions.
diff --git a/kms-okta-app/get_jwks_for_okta.py b/kms-okta-app/get_jwks_for_okta.py
@@ -6,9 +6,10 @@
 aws_account_id = sys.argv[1]
 kms_key_id = sys.argv[2]
 region = sys.argv[3]
+assume_role_name = sys.argv[4]
 
 sts_client = boto3.client("sts", region_name=region)
-assume_role_client = sts_client.assume_role(RoleArn=f"arn:aws:iam::{aws_account_id}:role/tfe-si", RoleSessionName='FetchKMSInformation')
+assume_role_client = sts_client.assume_role(RoleArn=f"arn:aws:iam::{aws_account_id}:role/{assume_role_name}", RoleSessionName='FetchKMSInformation')
 credentials = assume_role_client["Credentials"]
 kms_session = boto3.Session(
     aws_access_key_id=credentials["AccessKeyId"],

diff --git a/kms-okta-app/main.tf b/kms-okta-app/main.tf
@@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 # uses a key in core-platform-infra to generate credentials for this workspace
 data "external" "jwks_info" {
-  program = ["bash", "${path.module}/run.sh", path.module, data.aws_caller_identity.current.account_id, var.kms_key_id, data.aws_region.current.name]
+  program = ["bash", "${path.module}/run.sh", path.module, data.aws_caller_identity.current.account_id, var.kms_key_id, data.aws_region.current.name, var.assume_role_name]
 }
 
 resource "okta_app_oauth" "idp_api" {

diff --git a/kms-okta-app/run.sh b/kms-okta-app/run.sh
@@ -2,4 +2,4 @@
 
 # need to install python-jose instead of jose: https://stackoverflow.com/a/65103147
 pip install boto3 cryptography python-jose  2>&1  > /dev/null
-python3 $1/get_jwks_for_okta.py $2 $3 $4
+python3 $1/get_jwks_for_okta.py $2 $3 $4 $5
diff --git a/kms-okta-app/variables.tf b/kms-okta-app/variables.tf
@@ -46,3 +46,8 @@ variable "tags" {
   These values are used to derive the path in the param store where to write the Okta App Configuration metadata.
   EOF
 }
+
+variable "assume_role_name" {
+  type = string
+  description = "Name of the role that your Terraform environment can assume."
+}