Support for additional allowed principals configuration

[raelga]

When you need access to an ROSA HCP based cluster API from other AWS accounts, you need to be able to set additional principals to the cluster as adding ingress rules to the default VPCe security group is no allowed by the ROSA team:

This requires adding additional principals, via CLI, manually setting up VPC Endpoints in each account and a private Route53 zone to route the traffic.

We achieve it using a local-exec resource, but native support in the provider will be much better.

resource "null_resource" "rosa_cli_additional_allowed_principals" {
  provisioner "local-exec" {
    command = format(
      "rosa edit cluster -c %s --additional-allowed-principals %s",
      resource.rhcs_cluster_rosa_hcp.rosa_cluster_hcp.name,
       join(",",[
        "arn:aws:iam::${data.aws_caller_identity.dev.account_id}:role/terraform",
        "arn:aws:iam::${data.aws_caller_identity.stg.account_id}:role/terraform",
        "arn:aws:iam::${data.aws_caller_identity.pro.account_id}:role/terraform"
       ])
    )
  }
}

[gdbranco]

This is a required feature for hcp shared vpc arch and will be included in the release v1.6.9, expected for end of the year