Merge pull request #25 from SCT-Engineering/subchart_version

add default roles and clusterissuer

CHANGELOG.md

@@ -14,3 +14,7 @@
 ### fix
 
 - **main.tf**: add operators ns here
+
+
+
+- change to trigger action

README.md

@@ -32,7 +32,7 @@ sys     0m2.015s
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
@@ -41,24 +41,27 @@ sys     0m2.015s
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.0.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 3.0.1 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.37.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.8.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 3.0.2 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.38.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_efs"></a> [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| <a name="module_subordinate_ca"></a> [subordinate\_ca](#module\_subordinate\_ca) | git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_manifest.cluster_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
@@ -70,12 +73,14 @@ sys     0m2.015s
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cluster_mailing_list"></a> [cluster\_mailing\_list](#input\_cluster\_mailing\_list) | The mailing list for cluster notifications | `string` | `"cluster@example.com"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to deploy cert-manager resources into | `string` | `"cert-manager"` | no |
 | <a name="input_operators_ns"></a> [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
+| <a name="input_profile"></a> [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |
 | <a name="input_security_group_all_worker_mgmt_id"></a> [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
-| <a name="input_tag_costallocation"></a> [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_telemetry_ns"></a> [telemetry\_ns](#input\_telemetry\_ns) | Namespace to create where telemetry will be installed. | `string` | `"telemetry"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Specify the VPC id that is used by this cluster | `string` | n/a | yes |

cert-mgr-cluster-issuer.tf

@@ -0,0 +1,36 @@
+# Create a subordinate cert for the cert-manager clusterissuer.
+module "subordinate_ca" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+  cluster_name  = var.cluster_name
+  contact_email = var.cluster_mailing_list
+  validity_days = 365
+}
+
+resource "kubernetes_secret" "ca_key_pair" {
+  metadata {
+    name      = "ca-key-pair"
+    namespace = var.namespace
+  }
+
+  binary_data = {
+    "tls.key" = module.subordinate_ca.certificate_tls_key
+    "tls.crt" = module.subordinate_ca.certificate_tls_crt
+  }
+}
+
+resource "kubernetes_manifest" "cluster_issuer" {
+  manifest = {
+    "apiVersion" = "cert-manager.io/v1"
+    "kind"       = "ClusterIssuer"
+    "metadata" = {
+      "name" = "clusterissuer"
+    }
+    "spec" = {
+      "ca" = {
+        "secretName" = kubernetes_secret.ca_key_pair.metadata[0].name
+      }
+    }
+  }
+}

dba-clusterrole.tf.off

@@ -0,0 +1,24 @@
+resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
+  metadata {
+    name = var.dba_administrator_role_name
+  }
+  aggregation_rule {
+    cluster_role_selectors {
+      match_labels = {
+        "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
+      }
+    }
+  }
+
+  rule {
+    api_groups = ["cert-manager.io", "acme.cert-manager.io"]
+    resources  = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+  }
+
+  rule {
+    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+    api_groups = ["networking.istio.io", "security.istio.io"]
+    resources  = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+  }
+}

dba-rolebinding.tf.off

@@ -0,0 +1,40 @@
+locals {
+  dba_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.dba_managed_namespaces)
+  dba_k8s_group_name     = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "dba_managed_namespaces" {
+  for_each = toset(local.dba_managed_namespaces)
+  metadata {
+    name = each.key
+    labels = {
+      istio-injection = "enabled"
+    }
+  }
+}
+
+resource "kubernetes_role_binding" "dba_admin_rolebinding" {
+  #  for_each = toset(local.dba_managed_namespaces)
+  for_each = kubernetes_namespace.dba_managed_namespaces
+
+  metadata {
+    name      = var.dba_admin_rolebinding_name
+    namespace = each.key
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.dba_administrator_role_name
+  }
+  subject {
+    kind      = "User"
+    name      = var.dba_k8s_user_name
+    api_group = "rbac.authorization.k8s.io"
+  }
+  subject {
+    kind      = "Group"
+    name      = local.dba_k8s_group_name
+    api_group = "rbac.authorization.k8s.io"
+  }
+  #  depends_on = [kubernetes_namespace.dba_managed_namespaces]
+}

dba.iam.tf.off

@@ -0,0 +1,109 @@
+locals {
+  policy_dba_k8s_group_name = replace(local.dba_k8s_group_name, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+  role_dba_k8s_group_name   = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+module "role_dba_administrator" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+  role_name              = local.role_dba_k8s_group_name
+  role_description       = "Role for EKS cluster ${var.cluster_name} for access by ${var.dba_k8s_group_name}"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.dba_administrator_allow_sts.json
+  attached_policies      = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+resource "aws_iam_policy" "dba_administrator" {
+  name        = local.policy_dba_k8s_group_name
+  path        = "/"
+  description = "Policy for EKS ${var.cluster_name} IAM access ${var.dba_k8s_group_name}"
+  policy      = data.aws_iam_policy_document.dba_administrator.json
+}
+
+locals {
+  dba_administrator_policy_statements = {
+    ECRRead = {
+      actions = [
+        "ecr:Describe*",
+        "ecr:Get*",
+        "ecr:ListImages",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+      resources = ["*"]
+    }
+    EKSRead = {
+      actions = [
+        "eks:ListClusters",
+      ]
+      resources = ["*"]
+    }
+    EKSReadMyClusters = {
+      actions = [
+        "eks:DescribeCluster",
+        "eks:AccessKubernetesApi",
+      ]
+      resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+    }
+    STSAssumeRole = {
+      actions   = ["sts:AssumeRole"]
+      resources = [module.role_dba_administrator.role_arn]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "dba_administrator" {
+  dynamic "statement" {
+    for_each = local.dba_administrator_policy_statements
+    iterator = s
+    content {
+      sid           = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+      effect        = lookup(s.value, "effect", "Allow")
+      actions       = lookup(s.value, "actions", [])
+      resources     = lookup(s.value, "resources", [])
+      not_resources = lookup(s.value, "not_resources", [])
+    }
+  }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "dba_administrator_allow_sts" {
+  statement {
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
+  }
+}
+
+output "role_dba_administrator_arn" {
+  description = "DBA Adminstrator role ARN"
+  value       = module.role_dba_administrator.role_arn
+}
+
+module "group_dba_administrator" {
+  # tflint-ignore: terraform_module_version
+  # tflint-ignore: terraform_module_pinned_source
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+  group_name        = local.role_dba_k8s_group_name
+  attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+output "info_dba_administrator" {
+  description = "DBA Adminstrator IAM details"
+  value = {
+    role_name  = module.role_dba_administrator.role_name
+    role_arn   = module.role_dba_administrator.role_arn
+    group_name = module.group_dba_administrator.group_name
+    group_arn  = module.group_dba_administrator.group_arn
+  }
+}

deployer-clusterrole.tf.off

@@ -0,0 +1,67 @@
+resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
+  metadata {
+    name = var.deployer_istiosystem_role_name
+  }
+
+  rule {
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+  rule {
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+
+  rule {
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    api_groups = ["networking.istio.io"]
+    resources  = ["gateways"]
+  }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+  metadata {
+    name = var.deployer_application_istio_role_name
+  }
+  rule {
+    api_groups = ["security.istio.io"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    resources  = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+  }
+
+  rule {
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    api_groups = ["networking.istio.io"]
+    resources  = ["virtualservices", "destinationrules", "gateways"]
+  }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
+  metadata {
+    name = var.deployer_application_role_name
+  }
+  aggregation_rule {
+    cluster_role_selectors {
+      match_labels = {
+        "rbac.authorization.k8s.io/aggregate-to-edit" = "true"
+      }
+    }
+  }
+
+  rule {
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+  rule {
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+}