feat(aws): add IAM role with ExternalId requirement for e2e testing (#191)

* feat(aws): add IAM role with ExternalId requirement for e2e testing

This adds a new IAM role (keda-workload-external-id) that requires an
ExternalId to be assumed. This is used to test KEDA's pod identity
externalID support.

Changes:
- Add workload_external_id_name and workload_external_id_value to locals
- Add aws_iam_role.workload_external_id_role with ExternalId condition
- Add aws_iam_policy.workload_external_id_policy for SQS access
- Update main policy to deny direct access to external-id-queue-*
- Update main policy to allow assuming the new role
- Add outputs for the new role ARN and external ID value

Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>

* Add workflow to cleanup old Kind clusters on s390x (#193)

* Add workflow to cleanup old Kind clusters on s390x

Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>

* Enhance logging in s390x-cleanup workflow

Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>

---------

Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>

* Fix terraform linting

Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>

---------

Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>

Author: tangobango5

terraform/main.tf

@@ -473,6 +473,14 @@ module "github_secrets" {
       name  = "TF_AWS_WORKLOAD2_ROLE"
       value = module.aws_iam.workload2_role_arn
     },
+    {
+      name  = "TF_AWS_ROLE_ARN_EXTERNAL_ID"
+      value = module.aws_iam.workload_external_id_role_arn
+    },
+    {
+      name  = "TF_AWS_EXTERNAL_ID"
+      value = module.aws_iam.workload_external_id_value
+    },
     {
       name  = "TF_GCP_SA_CREDENTIALS"
       value = module.gcp_iam.e2e_user_credentials

terraform/modules/aws/iam/main.tf

@@ -1,8 +1,10 @@
 
 locals {
-  keda_role_name      = "keda-operator"
-  workload1_role_name = "keda-workload-1"
-  workload2_role_name = "keda-workload-2"
+  keda_role_name             = "keda-operator"
+  workload1_role_name        = "keda-workload-1"
+  workload2_role_name        = "keda-workload-2"
+  workload_external_id_name  = "keda-workload-external-id"
+  workload_external_id_value = "keda-e2e-external-id-test"
   keda_clusters_trusted_relations = jsonencode(
     [for index, provider in aws_iam_openid_connect_provider.oidc_providers :
       {
@@ -100,14 +102,16 @@ resource "aws_iam_policy" "policy" {
             "Effect": "Deny",
             "Action": "sqs:GetQueueAttributes",
             "Resource": [
-                "arn:aws:sqs:*:589761922677:assume-role-*"
+                "arn:aws:sqs:*:589761922677:assume-role-*",
+                "arn:aws:sqs:*:589761922677:external-id-queue-*"
             ]
         },
         {
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": [
-                "arn:aws:iam::*:role/${local.workload1_role_name}"
+                "arn:aws:iam::*:role/${local.workload1_role_name}",
+                "arn:aws:iam::*:role/${local.workload_external_id_name}"
             ]
         }
     ]
@@ -193,3 +197,54 @@ resource "aws_iam_role_policy_attachment" "workload2_role_assignement" {
   role       = aws_iam_role.workload2_role.name
   policy_arn = aws_iam_policy.workload2_role_policy.arn
 }
+
+// This role requires an ExternalId to be assumed.
+// Used for testing the externalID support in KEDA's pod identity.
+resource "aws_iam_role" "workload_external_id_role" {
+  name = local.workload_external_id_name
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "${aws_iam_role.keda_role.arn}"
+      },
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${local.workload_external_id_value}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "workload_external_id_policy" {
+  name = "e2e-test-external-id-policy"
+  tags = var.tags
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "sqs:*",
+            "Resource": "arn:aws:sqs:*:589761922677:external-id-queue-*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "workload_external_id_role_assignement" {
+  role       = aws_iam_role.workload_external_id_role.name
+  policy_arn = aws_iam_policy.workload_external_id_policy.arn
+}

terraform/modules/aws/iam/outputs.tf

@@ -17,3 +17,12 @@ output "workload1_role_arn" {
 output "workload2_role_arn" {
   value = aws_iam_role.workload2_role.arn
 }
+
+output "workload_external_id_role_arn" {
+  value = aws_iam_role.workload_external_id_role.arn
+}
+
+output "workload_external_id_value" {
+  value     = local.workload_external_id_value
+  sensitive = true
+}