DOM-54018 Allow GCP access to flyte-dataplane IAM

 - Allow GCP tokens with a custom audience matching the string
   {deploy_id}-flyte-gcp-{random_id} to access Flyte blobs

   Inspired by policy definition at
   https://jason-umiker.medium.com/cross-cloud-identities-between-gcp-and-aws-from-gke-and-or-eks-182652bddadb

   NOTE: jwt validation usually takes into account several factors

   - issuer
   - audience
   - signature
   - subject
   - scope
   - custom claims

   This policy verifies only the "aud" claim in the token, which in
   theory is spoofable by anyone using GCP to produce tokens. Therefore,
   include a random piece of data in the "aud" value that only the
   control plane will know. When generating executions on remote data
   planes (by dispatcher / workload operator), this value will be passed
   so that tokens produced from GCP will have this shared value.

   To do so requires exporting the value from the terraform code into
   the catalog and through to Nucleus

Author: ddl-ebrown

modules/flyte/README.md

@@ -14,6 +14,7 @@
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 
@@ -36,6 +37,7 @@ No modules.
 | [aws_s3_bucket_policy.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.flyte_data_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [random_id.server](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

modules/flyte/iam.tf

@@ -56,6 +56,15 @@ resource "aws_iam_role_policy_attachment" "flyte_controlplane" {
   policy_arn = aws_iam_policy.flyte_controlplane.arn
 }
 
+resource "random_id" "server" {
+  keepers = {
+    # Generate a new id each time there's a new deploy id (which should never occur)
+    deploy_id = local.deploy_id
+  }
+
+  byte_length = 8
+}
+
 resource "aws_iam_role" "flyte_dataplane" {
   name = "${local.deploy_id}-flyte-dataplane"
   assume_role_policy = jsonencode({
@@ -91,6 +100,18 @@ resource "aws_iam_role" "flyte_dataplane" {
           }
         }
       },
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Principal = {
+          Federated = "accounts.google.com"
+        }
+        Condition : {
+          StringEquals : {
+            "accounts.google.com:aud" : "${local.deploy_id}-flyte-gcp-${random_id.server.hex}"
+          }
+        }
+      },
     ]
   })
 }

modules/flyte/outputs.tf

@@ -5,5 +5,6 @@ output "eks" {
     data_bucket           = aws_s3_bucket.flyte_data.bucket
     controlplane_role_arn = aws_iam_role.flyte_controlplane.arn
     dataplane_role_arn    = aws_iam_role.flyte_dataplane.arn
+    gcp_token_audience    = "${local.deploy_id}-flyte-gcp-${random_id.server.hex}"
   }
 }

modules/flyte/versions.tf

@@ -9,5 +9,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
   }
 }