Commit

Permalink
Merge pull request #786 from meshcloud/develop
github-actions[bot] authored Apr 17, 2024
2 parents f0d6b5f + 7a388a7 commit 71f8b80
Showing 25 changed files with 634 additions and 462 deletions.
31 changes: 31 additions & 0 deletions docs/meshstack.email.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,3 +77,34 @@ The following configuration options are available at `mesh.meshfed.mail`:
}
```
<!--END_DOCUSAURUS_CODE_TABS-->

## FAQ

### Which mails is meshStack sending out and to whom?

Application Team receive mails when

- Workspace created
- Workspace permissions created, updated or removed
- Project permissions created, updated or removed
- Project Payment Method Assignment missing
- Budget exceeded
- Executing Building Block succeeded

Platform Operators receive mails when

- Building Block requires input (Recipients are defined per Building Block definition)

Optionally meshStack sends out mails to fixed set of recipients configured in dhall when

- Tenant marked for deletion
- Tenant created
- Replication failed

### Can the style of the mails be influenced? For example via HTML?

Button color and logo are configurable. The `theme.messages` templates support HTML elements like `<br>`.

### Can BCC be added

No. meshStack does not support adding addresses on BCC.
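Review bot: the new FAQ heading "### Can BCC be added" is missing its question mark, and "to fixed set of recipients configured in dhall" drops an article ("to a fixed set of recipients configured in Dhall"); "Application Team receive mails when" should agree in number ("Application Teams receive mails when"). Since operators will use this list to map notification types to recipients, the paragraph on the optional fixed recipient set would be more useful if it named the Dhall configuration key that holds those addresses, the way the rest of this page does for `mesh.meshfed.mail`.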
40 changes: 39 additions & 1 deletion docs/meshstack.how-to.integrate-meshplatform-aws-manually.md
Expand Up @@ -48,6 +48,39 @@ Platform Operators should generate a unique and random value for `EXTERNAL_ID`,

Platform Operators need to securely inject the generated credentials and `EXTERNAL_ID` into the configuration of the AWS Connector.

### Workload Identity Federation

Instead of using explicit credentials you can also configure identity federation to allow specific identities representing meshStack access to the role assumption policy you created in the previous step.

First, setup an identity provider in the meshcloud AWS account (IAM → access management → identity providers).
Select "OpenID Connect" and enter "provider URL" (issuer) and "audience" values as they are shown by meshStack when selecting "Workload Identity Federation" for authentication during AWS platform config.

Create a role with the role assumption policy from the previous step and assign the following trust policy.
We'll call it the identity federation role:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<meshStack identity provider ARN>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<meshStack identity provider name>:sub": "<replicator subject from meshStack>",
"<meshStack identity provider name>:aud": "<audience from meshStack>"
}
}
}
]
}
```

This allows one specific identity (the replicator subject) with a specific audience to assume this role.

## Set up AWS Account 2: Management

> Security Note: The demonstrated IAM Policies implement the minimum of configuration required to produce
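Review bot: the placeholder `<meshStack identity provider name>` used as the prefix of the `:sub` and `:aud` condition keys is ambiguous; AWS derives that prefix from the OIDC provider URL with the `https://` scheme removed, which is the same value entered as "provider URL" one paragraph earlier, so either say so or reuse the same placeholder name in both places. Keeping both `StringEquals` conditions is the right least-privilege shape: the `:sub` match is what scopes the trust to the single replicator identity, while `:aud` alone would admit any subject the provider issues tokens for, so the closing sentence "This allows one specific identity (the replicator subject) with a specific audience to assume this role." is accurate and worth keeping next to the policy. Minor wording: "setup an identity provider" should be "set up an identity provider", and "allow specific identities representing meshStack access to the role assumption policy you created" is clearer as "allow specific identities representing meshStack to assume a role that carries the role assumption policy you created".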
Expand Down Expand Up @@ -139,6 +172,9 @@ The following trust relationship needs to be attached to the MeshfedServiceRole
}
```

> When using workload identity federation the principal must be set to the identity federation role instead: `arn:aws:iam::<<MESHCLOUD_ACCOUNT_ID>>:role/<IDENTITY_FEDERATION_ROLE>`

Replace `MESHCLOUD_ACCOUNT_ID` with the dedicated meshcloud AWS account id where the `meshfed-service-user` lives. Replace `EXTERNAL_ID` accordingly as well.

> For Enrollment with AWS Control Tower, the `MeshfedServiceRole` needs to have extra permissions to invoke the Account Factory.
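Review bot: the added principal note mixes two placeholder styles in one ARN, `<<MESHCLOUD_ACCOUNT_ID>>` and `<IDENTITY_FEDERATION_ROLE>`; the double angle brackets look like a templating artifact, so use one style. The unchanged sentence that follows, "Replace `MESHCLOUD_ACCOUNT_ID` with the dedicated meshcloud AWS account id where the `meshfed-service-user` lives. Replace `EXTERNAL_ID` accordingly as well.", should also be updated for the federation case: there is no `meshfed-service-user` then, and the note only swaps the principal, so state explicitly that the `EXTERNAL_ID` condition in the trust relationship stays in place unchanged.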
Expand Down Expand Up @@ -195,6 +231,8 @@ The following policy and trust relationship should be attached to the role so th
```
<!--END_DOCUSAURUS_CODE_TABS-->

> When using workload identity federation the trusted principal must be set to the identity federation role instead: `arn:aws:iam::<<MESHCLOUD_ACCOUNT_ID>>:role/<IDENTITY_FEDERATION_ROLE>`
In order to roll out CloudFormation Stack Instances in the newly provisioned accounts, create the `AWSCloudFormationStackSetAdministrationRole` as specified in the [documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) and attach the following policy and trust relationship.

<!--DOCUSAURUS_CODE_TABS-->
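Review bot: the blockquote "> When using workload identity federation the trusted principal must be set to the identity federation role instead: ..." is immediately followed by the paragraph "In order to roll out CloudFormation Stack Instances ..." with no blank line in between; in Markdown that paragraph becomes a lazy continuation of the quote and will render inside the callout. Add a blank line after the quoted line, as the identical note earlier in this file (above "Replace `MESHCLOUD_ACCOUNT_ID`") already does.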
Expand Down Expand Up @@ -443,7 +481,7 @@ graph LR;
replicatorUser--Trusted Entity with External-id-->meshfedAutomationRole
```

For the purpose of metering, meshStack requires the AWS Access Key and Secret Key of a user created in the `meshcloud` AWS account.
For the purpose of metering, meshStack requires a user created in the `meshcloud` AWS account (same process as [here](#set-up-aws-account-1-meshcloud)).
A role should be created in the AWS `management account` which has the following policies attached (This role will be referred to as `MeteringRole` from now on).

1. **MeshCostExplorerServiceRole's Access Policy**: This policy allows the Metering IAM user to call the AWS Cost Explorer API to read data required for metering. Note that Savings Plan and Reserved Instance related permissions are needed only if you have specific meshWorkspaces buying those directly, and you need to implement a cash-flow based Chargeback process for those. See [Reserved Reserved Instances & Savings Plans Guide](./meshstack.aws.reserved-instance-guide.md) for more details.
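Review bot: the rewritten metering sentence no longer says which credential meshStack needs for the metering user; the removed line named the AWS Access Key and Secret Key, and the new line only links to the account-1 section. The release notes in this PR state that metering access configurations also support Workload Identity Federation, so say here that the user is authenticated either with an access key or through the identity federation role, and check that the `#set-up-aws-account-1-meshcloud` anchor matches the generated id of the "Set up AWS Account 1" heading.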
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,9 @@ az ad sp create-for-rbac --name ${desired-name-for-your-azure-app}
6. It can take some time to show up in the overview, but then please write down its Object ID (will later correspond to `objectId`) and Application (client) ID (will later correspond to `client-id`).
7. In the AAD overview now go to **App registrations** (the created app should show up there as well).
8. Click on the app.
9. Add a client secret under **Certificates &amp; secrets**. Write it down (it is the `client-secret`).
9. Add either a client secret or federated credentials.
- **Client secret**: generate a client secret and note it down as well.
- **Federated credentials**: the `federated credential scenario` should be set to "Other issuer". The values for `Issuer` and `Subject identifier` will be shown by the panel during platform configuration after selecting "Workload Identity Federation" as the authentication type.
10. Under **API permissions****Add a permission****Microsoft Graph API** (not Azure AD Graph API) → **Application permissions**:
- `Directory.Read.All` - this permission is required to search the directory for existing users, groups and service principals
- `Group.ReadWrite.All` this permissions is required to create new groups
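Review bot: step 9 loses the mapping the removed line carried, "Write it down (it is the `client-secret`)"; step 6 still tells the reader that the Object ID and Application (client) ID correspond to `objectId` and `client-id`, so the new client-secret bullet should keep "(will later correspond to `client-secret`)". The two sub-bullets need consistent indentation under item 9 so they render as nested items rather than starting a new list. In the unchanged step 10, "**API permissions****Add a permission****Microsoft Graph API**" shows no separators between the path elements in this diff; confirm the arrow characters are present in the file.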
Expand Down Expand Up @@ -267,7 +269,9 @@ If your company has a Customer Agreement with Microsoft you can also use an auto
#### Create Source Tenant Principal

1. On the tenant that contains your billing account create a new Enterprise Application.
2. Add credentials to it and note down the `Directory (tenant) ID`, `Application (client) ID`, `Object ID` and the `secret` just generated by you.
2. Add either a client secret or federated credentials to it and note down the `Directory (tenant) ID`, `Application (client) ID`, `Object ID`.
- **Client secret**: generate a client secret and note it down as well.
- **Federated credentials**: the `federated credential scenario` should be set to "Other issuer". The values for `Issuer` and `Subject identifier` will be shown by the panel during platform configuration after selecting "Workload Identity Federation" as the authentication type.
3. Select the billing profile or invoice section under which you want to create the subscriptions by following the [documentation](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement?tabs=rest#find-billing-profiles--invoice-sections-to-create-subscriptions) from Microsoft. Write down the ID that looks something like this `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx`.
4. Go to the billing account and give the newly generated principal one of those roles there: `Owner`, `Contributer`, `Azure Subscription Creator` on an invoice section or `Owner` or `Contributor` on a billing profile or billing account. This allows the principal to generate new Subscriptions.

37 changes: 30 additions & 7 deletions docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md
Expand Up @@ -49,16 +49,39 @@ Enable the following APIs on the `meshstack-root` project from the API Library
### Create meshfed-service Service Account

Create a `meshfed-service` [Service Account](https://cloud.google.com/iam/docs/service-accounts) in the `meshstack-root` project.

- Enable the Service Account for “G Suite Domain-wide Delegation” and note the generated `Client Id`
- Generate and Download a [Service Account Key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)

Enable the Service Account for “G Suite Domain-wide Delegation” and note the generated `Client Id`.
The Service Account will be identified by an email address like

```text
[email protected]
```

Next, configure either a service account key or workload identity federation for authentication purposes.

#### Service Account Key

Generate and Download a [Service Account Key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) which will be used by meshStack.

#### Workload Identity Federation

Setting up [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) is more involved but allows meshStack to use short lived credentials without explicitly handing over any secrets or requiring manual rotation.

To use Workload Identity Federation you must create a Workload Identity Pool and Provider ([IAM → Workload Identity Federation](https://console.cloud.google.com/iam-admin/workload-identity-pools)) as part of the meshStack root project.

- For the provider, select "OpenID Connect" and add provider details for "Issuer" and "Allowed audiences" as they're specified by the panel when selecting "Workload Identity Federation" as authentication type for a GCP platform.
- Create an attribute condition to restrict access to replicator and/or metering service accounts: ```google.subject in ['<replicator_subject_from_panel>', '<kraken_subject_from_panel']```. Make sure to replace the placeholders.

After setting up identity pool and provider you need to grant access to the meshStack workload service accounts to access the GCP service accounts.

- Select the workload identity pool and click "grant access".
- Select the GCP service account (e.g. for replication).
- Define the appropriate principal by mapping "subject" to the subject name you received from the panel.
- When prompted, enter anything for OIDC ID token path and download the generated configuration file. Open it to get the `audience` value that is required by meshStack.

In addition to the permissions required to perform resource management or metering the replicator/metering service account must also be permitted to create ID tokens for itself.
ID tokens must be used when calling cloud functions and authentication via workload identity federation does not automatically create such tokens.
Add this permissions by assigning the roles `roles/iam.serviceAccountOpenIdTokenCreator` and `roles/iam.serviceAccountTokenCreator` to the the service account.

#### Grant Resource Permissions

The Service Account will be used by meshStack to perform project replication. Operators thus need to grant it the permissions of the
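Review bot: the attribute condition in the provider bullet is not a valid expression as written: `google.subject in ['<replicator_subject_from_panel>', '<kraken_subject_from_panel']` is missing the closing quote on the second element (`'<kraken_subject_from_panel>'`), and the inline expression is wrapped in triple backticks, which should be single backticks inside a list item. In the last paragraph, granting both `roles/iam.serviceAccountOpenIdTokenCreator` and `roles/iam.serviceAccountTokenCreator` is redundant and wider than the stated need: the token creator role already contains `iam.serviceAccounts.getOpenIdToken` and additionally allows `signBlob`, `signJwt`, `getAccessToken` and implicit delegation. If the service accounts only need to mint ID tokens for cloud functions, grant just the OpenID token creator role, and bind it on the service account resource itself rather than at project level so the federated identity cannot mint tokens for other service accounts. Wording: "Add this permissions ... to the the service account" should read "Add these permissions ... to the service account".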
Expand Down Expand Up @@ -95,7 +118,7 @@ Following the principle of least privilege, operators should remove the `billing

In order to perform certain group related administrative tasks the previously created `meshfed-service` service account needs the "Groups Admin" role from the Admin Console (G Suite).

To authorize the Service Account **via the Google Admin Console** navigate to `@Account` in the sidebar and then `Admin Roles -> Groups Admin` and click `Assign Service Accounts`. In the prompt that appears, enter the service account email, which looks like `[email protected]`.
To authorize the Service Account **via the Google Admin Console** navigate to `@Account` in the sidebar and then `Admin Roles Groups Admin` and click `Assign Service Accounts`. In the prompt that appears, enter the service account email, which looks like `[email protected]`.

You can alternatively authorize the Service Account **via the Cloud Identity Groups API**. Please find the instructions in for this in the official [Google guide](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd).

Expand Down Expand Up @@ -160,7 +183,7 @@ under 'Partition Time Column'.

Make sure that the `kraken-service` service account has permission on the table or view as described above.
Then, enter the BigQuery reference in the GCP meshPlatform configuration in meshStack, which you can find under
'Metering Configuration' -> 'BigQuery Table'.
'Metering Configuration' 'BigQuery Table'.

#### Example: multiple billing accounts for the same GCP organization

Expand Down Expand Up @@ -224,7 +247,7 @@ The actions of the `meshfed-service` User can be monitored via [Audit Logs](http
meshcloud recommends to enable Audit Logs on the organizational level for monitoring `meshfed-service` User. This is achivied by following these steps:

1. Navigate to the organizational level in [GCP Cloud Console](https://console.cloud.google.com/)
2. Navigate to [IAM & Admin --> Audit logs](https://console.cloud.google.com/iam-admin/audit)
2. Navigate to [IAM & Admin Audit logs](https://console.cloud.google.com/iam-admin/audit)
3. Filter the table for `Cloud Resource Manager API` and select the resulting entry
4. Enable all log types

10 changes: 6 additions & 4 deletions docs/meshstack.replication-configuration.md
Expand Up @@ -11,20 +11,22 @@ Some properties for the different platforms allow you to use string templates to
These string pattern work like the following example:

```text
#{customerIdentifier}.#{projectIdentifier:%.7s}-test.#{tenantPlatformNumber:%03d}
#{workspaceIdentifier}.#{projectIdentifier:%.7s}-test.#{tenantPlatformNumber:%03d}
```

The engine will substitute `#{PLACEHOLDER}` with the actual contextual value (see table below). Optionally you can provide a `String.format()` pattern after the `:` which will be used to transform the value provided for the placeholder. In the example `%.7s` will use the first seven characters of the project identifier of the current project. The above string would evaluate into this:
The engine will substitute `#{PLACEHOLDER}` with the actual contextual value (see table below). Optionally you can provide a `String.format()` pattern after the `:` which will be used to transform the value provided for the placeholder. Consider a case where the workspace ID is 'my-workspace', the project ID is 'my-project', and the tenantPlatformNumber is 4. In the example above `%.7s` will use the first seven characters of the project identifier of the current project and pattern `%03d` applied to 4 will produce 004. The above string would evaluate into this:

```text
my-customer.my-proj-test.004
my-workspace.my-proj-test.004
```

For further details on the patterns supported by `String.format()`, please consult the Java official documentation.

The template engine allows you to use the following placeholders if not described otherwise in the corresponding documentation:

| Placeholder | Type | Description |
|----------------------| ------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| customerIdentifier | string | Workspace Identifier |
| workspaceIdentifier | string | Workspace Identifier |
| projectIdentifier | string | Project Identifier |
| meshProjectId | number | Internal ID of the meshProject. Every project is guaranteed to have a unique ID, but tenants on different platforms can share this ID. |
| platform | string | Platform Identifier |
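Review bot: renaming the documented placeholder from `customerIdentifier` to `workspaceIdentifier` silently changes the template vocabulary operators already use in their replication configurations; state whether `customerIdentifier` continues to work as an alias, and if it does not, list the rename as a breaking change in the release notes added in this PR, which currently do not mention it. In the expanded explanation, `'my-workspace'` and `'my-project'` could use backticks like the other literals on this page, and the unchanged line "These string pattern work like the following example:" should read "These string patterns work like the following example:".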
74 changes: 74 additions & 0 deletions website/blog/2024-04-17-Release-0.md
@@ -0,0 +1,74 @@
---
author: meshcloud
title: Release 2024.18.0
---

Release period: 2024-04-10 to 2024-04-17

This release includes the following issues:
* Fix Delayed Permission Update for SCIM
* Fix Workspace Role Expiration Date
* Fixes tenant details view for pending deletions
* Payment Method Enforcement
* Workload Identity Federation for AWS platforms
* View all Platform Types
* Improved whitespace handling for Building Block Definitions
<!--truncate-->

## Ticket Details
### Fix Delayed Permission Update for SCIM
**Audience:** Partner<br>

#### Description
Previously, SCIM group membership updates caused delays in updating user permissions in meshStack, resulting in new members lacking timely access to Workspaces and Projects. This issue has now been resolved.

### Fix Workspace Role Expiration Date
**Audience:** User, Customer, Partner<br>

#### Description
When creating a Workspace and assigning users, it was possible to remove the expiration date for the Workspace
role with a mandatory expiration date. This issue has been fixed now.

### Fixes tenant details view for pending deletions
**Audience:** Partner<br>

#### Description
This fixes the issue that a tenant who is in a pending deletion process could
did not properly display its details view in the Admin Area.

### Payment Method Enforcement
**Audience:** User<br>

#### Description
Previously, projects couldn't add services from the marketplace without active payment methods. Now,
our update allows to add services regardless of payment method status. Even if payment methods expire,
users can seamlessly manage and enhance project services, ensuring uninterrupted workflow and smoother
project management pending when a new payment method is added.

### Workload Identity Federation for AWS platforms
**Audience:** Customer, Partner, Operator<br>

#### Description
You can now configure Workload Identity Federation for the access configuration of AWS replicator and metering
platform configurations. This feature enables automatic rolling of credentials and you don't have to enter
any AWS platform credentials to meshStack anymore.

#### How to use
You can test it out by switching from the "Credentials" authentication type to "Workload Identity Federation" for all
access configurations you want to change the authentication type for (replicator and metering use separate access configurations).
You can find a description of what needs to be configured in meshPanel, when you select "Workload Identity Federation".

### View all Platform Types
**Audience:** Partner<br>

#### Description
Admin Area users can now view a list of all platform types and add new platform types. In a future release this is also where you will be able to edit and remove platform types.

### Improved whitespace handling for Building Block Definitions
**Audience:** Operator<br>

#### Description
When creating or editing a Building Block Definition, leading and trailing whitespaces are now cut off
automatically by meshStack. This prevents copy-and-paste issues, which can easily contain leading or
trailing whitespaces.

2 changes: 1 addition & 1 deletion website/static/api/api_index.html
Expand Up @@ -566,7 +566,7 @@ <h3 id="_index">Index</h3>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2024-04-10 11:10:59 UTC
Last updated 2024-04-17 14:10:11 UTC
</div>
</div>
</body>
2 changes: 1 addition & 1 deletion website/static/api/common_data_formats.html
Expand Up @@ -542,7 +542,7 @@ <h3 id="tags">Tags</h3>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2024-04-10 11:10:59 UTC
Last updated 2024-04-17 14:10:11 UTC
</div>
</div>
</body>