diff --git a/README.md b/README.md
index 791afd8..a4de242 100644
--- a/README.md
+++ b/README.md
@@ -41,37 +41,78 @@ sys 0m2.015s
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 6.0.0 |
-| [helm](#provider\_helm) | 3.0.1 |
-| [kubernetes](#provider\_kubernetes) | 2.37.1 |
+| [aws](#provider\_aws) | 6.8.0 |
+| [helm](#provider\_helm) | 3.0.2 |
+| [kubernetes](#provider\_kubernetes) | 2.38.0 |
| [null](#provider\_null) | 3.2.4 |
## Modules
| Name | Source | Version |
|------|--------|---------|
+| [awsauth\_cluster-roles](#module\_awsauth\_cluster-roles) | git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth | tf-upgrade |
| [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| [group\_cicd\_deployer](#module\_group\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a |
+| [group\_dba\_administrator](#module\_group\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a |
+| [role\_cicd\_deployer](#module\_role\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+| [role\_dba\_administrator](#module\_role\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+| [service\_cicd\_deployer](#module\_service\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-user.git | tf-upgrade |
## Resources
| Name | Type |
|------|------|
+| [aws_iam_policy.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_cluster_role.cicd_deployer_application_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.cicd_deployer_istio_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.cicd_deployer_istiosystem_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.dba_administrator_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_namespace.cicd_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.dba_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_role_binding.dba_admin_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_application_istio_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_application_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_istio_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
| [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_iam_policy.cicd_deployer_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cicd_deployer_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.dba_administrator_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [cicd\_k8s\_group\_name](#input\_cicd\_k8s\_group\_name) | The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster) | `string` | `"cicd-deployer"` | no |
+| [cicd\_k8s\_user\_name](#input\_cicd\_k8s\_user\_name) | The user name of CICD Deployer | `string` | `"cicd-deployer"` | no |
+| [cicd\_managed\_namespaces](#input\_cicd\_managed\_namespaces) | Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix) | `list(any)` | `[]` | no |
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| [dba\_admin\_rolebinding\_name](#input\_dba\_admin\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"dba-admin-rolebinding"` | no |
+| [dba\_administrator\_role\_name](#input\_dba\_administrator\_role\_name) | The kubernetes cluster role name of DBA Administrator | `string` | `"dba-admin-role"` | no |
+| [dba\_k8s\_group\_name](#input\_dba\_k8s\_group\_name) | The Group name of dba-admin belongs to (excluding prefix for service account and cluster) | `string` | `"dba-admin"` | no |
+| [dba\_k8s\_user\_name](#input\_dba\_k8s\_user\_name) | the user name of DBA Administrator | `string` | `"dba-admin"` | no |
+| [dba\_managed\_namespaces](#input\_dba\_managed\_namespaces) | DBA admin managed namespaces (excluding cluster name prefix) | `list(any)` | `[]` | no |
+| [deployer\_application\_istio\_role\_name](#input\_deployer\_application\_istio\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-istio-role"` | no |
+| [deployer\_application\_istio\_rolebinding\_name](#input\_deployer\_application\_istio\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-istio-rolebinding"` | no |
+| [deployer\_application\_role\_name](#input\_deployer\_application\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-role"` | no |
+| [deployer\_application\_rolebinding\_name](#input\_deployer\_application\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-rolebinding"` | no |
+| [deployer\_istiosystem\_role\_name](#input\_deployer\_istiosystem\_role\_name) | The kubernetes cluster role name of CIDR Deployer | `string` | `"deployer-istiosystem-role"` | no |
+| [istio\_installed\_namespace](#input\_istio\_installed\_namespace) | Namespace that Istio installed | `string` | `"istio-system"` | no |
| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
+| [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
| [region](#input\_region) | AWS region | `string` | n/a | yes |
| [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
| [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
@@ -84,8 +125,13 @@ sys 0m2.015s
| Name | Description |
|------|-------------|
+| [info\_cicd\_deployer](#output\_info\_cicd\_deployer) | CID Deployer IAM details |
+| [info\_dba\_administrator](#output\_info\_dba\_administrator) | DBA Adminstrator IAM details |
| [module\_name](#output\_module\_name) | The name of this module. |
| [module\_version](#output\_module\_version) | The version of this module. |
+| [role\_dba\_administrator\_arn](#output\_role\_dba\_administrator\_arn) | DBA Adminstrator role ARN |
| [rwo\_storage\_class](#output\_rwo\_storage\_class) | Kubernetes storage class that supports read/write once. |
| [rwx\_storage\_class](#output\_rwx\_storage\_class) | Kubernetes storage class that supports read/write many. |
+| [service\_cicd\_deployer\_arn](#output\_service\_cicd\_deployer\_arn) | CICD Deployer user ARN |
+| [service\_cicd\_deployer\_username](#output\_service\_cicd\_deployer\_username) | CICD Deployer username |
diff --git a/aws_data.tf b/aws_data.tf
index 96cd77c..eb70e88 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -3,3 +3,10 @@ data "aws_ebs_default_kms_key" "current" {}
data "aws_kms_key" "ebs_key" {
key_id = data.aws_ebs_default_kms_key.current.key_arn
}
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_arn" "current" {
+ arn = data.aws_caller_identity.current.arn
+}
diff --git a/dba-clusterrole.tf b/dba-clusterrole.tf
new file mode 100644
index 0000000..e60e7b5
--- /dev/null
+++ b/dba-clusterrole.tf
@@ -0,0 +1,24 @@
+resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
+ metadata {
+ name = var.dba_administrator_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["cert-manager.io", "acme.cert-manager.io"]
+ resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ }
+
+ rule {
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["networking.istio.io", "security.istio.io"]
+ resources = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+ }
+}
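Review bot: The two explicit `rule` blocks in `dba_administrator_cluster_role` will be discarded, because once a ClusterRole carries an `aggregation_rule` its `rules` are owned by the aggregation controller, which rewrites them as the union of the selected ClusterRoles; the cert-manager and Istio grants therefore never take effect, and Terraform will most likely report drift on every plan. Either drop the aggregation and enumerate the permissions actually needed, or keep it and move the two rules into a separate ClusterRole carrying a label that a second selector matches, as sketched below. Aggregating `admin` also lets the DBA create Roles and RoleBindings inside the bound namespaces (as the built-in `admin` role does), so the effective grant is broader than the two rules suggest — confirm that is intended and say so in a comment above the resource.
```hcl
resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
  metadata {
    name = var.dba_administrator_role_name
  }
  aggregation_rule {
    cluster_role_selectors {
      match_labels = {
        "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
      }
    }
    cluster_role_selectors {
      match_labels = {
        "aggregate-to-${var.dba_administrator_role_name}" = "true"
      }
    }
  }
  # No rule blocks here: with aggregation_rule set, rules are controller-managed.
}

# Extra grants for the DBA role; picked up by the second selector above.
resource "kubernetes_cluster_role" "dba_administrator_extra_rules" {
  metadata {
    name = "${var.dba_administrator_role_name}-extra"
    labels = {
      "aggregate-to-${var.dba_administrator_role_name}" = "true"
    }
  }
  # … unchanged: the two cert-manager / Istio rule blocks move here verbatim …
}
```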
diff --git a/dba-rolebinding.tf b/dba-rolebinding.tf
new file mode 100644
index 0000000..1a5fb54
--- /dev/null
+++ b/dba-rolebinding.tf
@@ -0,0 +1,40 @@
+locals {
+ dba_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.dba_managed_namespaces)
+ dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "dba_managed_namespaces" {
+ for_each = toset(local.dba_managed_namespaces)
+ metadata {
+ name = each.key
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+resource "kubernetes_role_binding" "dba_admin_rolebinding" {
+ # for_each = toset(local.dba_managed_namespaces)
+ for_each = kubernetes_namespace.dba_managed_namespaces
+
+ metadata {
+ name = var.dba_admin_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.dba_administrator_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.dba_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.dba_k8s_group_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.dba_managed_namespaces]
+}
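Review bot: `role_ref.name` in `dba_admin_rolebinding` is the bare variable `var.dba_administrator_role_name` rather than the ClusterRole resource, so Terraform sees no dependency between the binding and `kubernetes_cluster_role.dba_administrator_cluster_role` and may create the binding before the role exists; the commented-out `depends_on` only covers the namespace, which `for_each` already handles. Reference the resource so the ordering is explicit: `name = kubernetes_cluster_role.dba_administrator_cluster_role.metadata[0].name`. The `Group` subject `local.dba_k8s_group_name` matches the `groups` entry in the aws-auth mapping, which is the right anchor; a short comment noting that the `User` subject is the username aws-auth assigns to the DBA role would make that link visible to the next reader.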
diff --git a/dba.iam.tf b/dba.iam.tf
new file mode 100644
index 0000000..740664e
--- /dev/null
+++ b/dba.iam.tf
@@ -0,0 +1,109 @@
+locals {
+ policy_dba_k8s_group_name = replace(local.dba_k8s_group_name, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+ role_dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+module "role_dba_administrator" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+ role_name = local.role_dba_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.dba_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.dba_administrator_allow_sts.json
+ attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+resource "aws_iam_policy" "dba_administrator" {
+ name = local.policy_dba_k8s_group_name
+ path = "/"
+ description = "Policy for EKS ${var.cluster_name} IAM access ${var.dba_k8s_group_name}"
+ policy = data.aws_iam_policy_document.dba_administrator.json
+}
+
+locals {
+ dba_administrator_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:ListImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+ resources = ["*"]
+ }
+ EKSRead = {
+ actions = [
+ "eks:ListClusters",
+ ]
+ resources = ["*"]
+ }
+ EKSReadMyClusters = {
+ actions = [
+ "eks:DescribeCluster",
+ "eks:AccessKubernetesApi",
+ ]
+ resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+ }
+ STSAssumeRole = {
+ actions = ["sts:AssumeRole"]
+ resources = [module.role_dba_administrator.role_arn]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "dba_administrator" {
+ dynamic "statement" {
+ for_each = local.dba_administrator_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ not_resources = lookup(s.value, "not_resources", [])
+ }
+ }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "dba_administrator_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
+output "role_dba_administrator_arn" {
+ description = "DBA Adminstrator role ARN"
+ value = module.role_dba_administrator.role_arn
+}
+
+module "group_dba_administrator" {
+ # tflint-ignore: terraform_module_version
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+ group_name = local.role_dba_k8s_group_name
+ attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+output "info_dba_administrator" {
+ description = "DBA Adminstrator IAM details"
+ value = {
+ role_name = module.role_dba_administrator.role_name
+ role_arn = module.role_dba_administrator.role_arn
+ group_name = module.group_dba_administrator.group_name
+ group_arn = module.group_dba_administrator.group_arn
+ }
+}
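Review bot: The trust policy in `dba_administrator_allow_sts` names the account root as principal with no condition, so any identity in the account that holds `sts:AssumeRole` on `*` (typical for admin or power-user roles) can assume the DBA administrator role; membership of `group_dba_administrator`, which the `STSAssumeRole` statement is meant to gate, is not what actually controls access. For an administrative role, require MFA in the trust policy as below and, if the group is the only intended path, narrow the principal to the specific roles or users that should assume it. Note also that `aws_iam_policy.dba_administrator` is attached to the role itself, so the role carries `sts:AssumeRole` on its own ARN; harmless, but worth a comment or a role-specific policy without that statement.
```hcl
data "aws_iam_policy_document" "dba_administrator_allow_sts" {
  statement {
    # … unchanged: sid / effect / actions / principals …
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
```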
diff --git a/deployer-clusterrole.tf b/deployer-clusterrole.tf
new file mode 100644
index 0000000..7cede6e
--- /dev/null
+++ b/deployer-clusterrole.tf
@@ -0,0 +1,67 @@
+resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
+ metadata {
+ name = var.deployer_istiosystem_role_name
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+ metadata {
+ name = var.deployer_application_istio_role_name
+ }
+ rule {
+ api_groups = ["security.istio.io"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+ }
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["virtualservices", "destinationrules", "gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
+ metadata {
+ name = var.deployer_application_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-edit" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+}
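Review bot: `cicd_deployer_application_cluster_role` combines an `aggregation_rule` (aggregate-to-edit) with two explicit cert-manager `rule` blocks, but a ClusterRole with an aggregation rule has its rules rewritten by the aggregation controller, so those two rules are silently dropped and Terraform will likely show drift on each plan; move them into a separate ClusterRole labelled for an additional `cluster_role_selectors` entry, or remove the aggregation and spell out the permissions. Every `verbs` list in this file also repeats `patch`; `verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update"]` is the intended set. Aggregating `edit` gives the pipeline read/write on Secrets and the ability to create Pods in the bound namespaces, i.e. to run arbitrary workloads there; that is usual for a deployer but should be stated in a comment above the role so the grant is reviewed deliberately.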
diff --git a/deployer-rolebinding.tf b/deployer-rolebinding.tf
new file mode 100644
index 0000000..c4c0e14
--- /dev/null
+++ b/deployer-rolebinding.tf
@@ -0,0 +1,91 @@
+resource "kubernetes_role_binding" "deployer_istio_role_binding" {
+ metadata {
+ name = "deployer_istiosystem_role_binding"
+ namespace = var.istio_installed_namespace
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_istiosystem_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ # name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+locals {
+ cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces)
+ cicd_k8s_iam_username = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ cicd_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "cicd_managed_namespaces" {
+ for_each = toset(local.cicd_managed_namespaces)
+ metadata {
+ name = each.key
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+
+resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" {
+ # for_each = toset(local.cicd_managed_namespaces)
+ for_each = kubernetes_namespace.cicd_managed_namespaces
+
+ metadata {
+ name = var.deployer_application_istio_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_application_istio_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
+
+resource "kubernetes_role_binding" "deployer_application_rolebinding" {
+ # for_each = toset(local.cicd_managed_namespaces)
+ for_each = kubernetes_namespace.cicd_managed_namespaces
+
+ metadata {
+ name = var.deployer_application_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_application_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
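Review bot: `deployer_istio_role_binding` grants the CI deployer create/delete on every `gateways` and `certificates` object in `var.istio_installed_namespace`, a namespace shared by all workloads on the cluster, so a compromised pipeline or a mis-targeted deploy can delete or re-point another application's Gateway or certificate; scope the ClusterRole with `resource_names`, or keep Gateways in the application namespaces and bind only there. Separately, the `Group` subject in all three bindings is `local.cicd_k8s_iam_username` (the IAM user name, `s-eks-…`), while the aws-auth mapping places that user in `local.cicd_k8s_group_name` (`eks-…`), so the group subject never matches and access works only through the `User` subject — the commented line above it shows the earlier attempt. Change each to `name = local.cicd_k8s_group_name`. In `role_ref`, reference the ClusterRole resources rather than the bare variables so Terraform orders creation correctly.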
diff --git a/deployer.iam.tf b/deployer.iam.tf
new file mode 100644
index 0000000..962d525
--- /dev/null
+++ b/deployer.iam.tf
@@ -0,0 +1,154 @@
+locals {
+ policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+ role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], "")
+ iam_policies_cicd = ["p-inf-manage-access-keys"]
+}
+
+data "aws_iam_policy" "cicd_deployer_policies" {
+ for_each = toset(local.iam_policies_cicd)
+ name = each.key
+}
+
+module "service_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git?ref=tf-upgrade"
+
+ iam_username = local.cicd_k8s_iam_username
+ username = ""
+ email_address = ""
+ groups = ["g-inf-ip-restriction"]
+ generate_password = false
+ service_account = true
+ enable_sending_mail = false
+ create_access_keys = false
+ profile = var.profile
+ pgp_key_file = "./init/tf-gpg-key.b64"
+
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+}
+module "role_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+ role_name = local.role_cicd_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+ # attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+ attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+}
+
+resource "aws_iam_policy" "cicd_deployer" {
+ name = local.policy_cicd_k8s_group_name
+ path = "/"
+ description = "Policy for EKS ${var.cluster_name} IAM access ${var.cicd_k8s_group_name}"
+ policy = data.aws_iam_policy_document.cicd_deployer.json
+}
+
+locals {
+ cicd_deployer_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:ListImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+ resources = ["*"]
+ }
+ ECRWrite = {
+ # effect = "Deny"
+ actions = [
+ "ecr:BatchDeleteImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart"
+ ]
+ # not_resources = [format(local.common_arn, "ecr", format("repository/eks/%v/*", var.cluster_name))]
+ not_resources = [format(local.common_arn, "ecr", "repository/eks/*")]
+ }
+ EKSRead = {
+ actions = [
+ "eks:ListClusters",
+ ]
+ resources = ["*"]
+ }
+ EKSReadMyClusters = {
+ actions = [
+ "eks:AccessKubernetesApi",
+ "eks:DescribeCluster",
+ ]
+ resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+ }
+ # IAMRead = {
+ # actions = [
+ # "iam:ListRoles",
+ # ]
+ # resources = ["*"]
+ # }
+ }
+}
+
+data "aws_iam_policy_document" "cicd_deployer" {
+ dynamic "statement" {
+ for_each = local.cicd_deployer_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ not_resources = lookup(s.value, "not_resources", [])
+ }
+ }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
+output "service_cicd_deployer_arn" {
+ description = "CICD Deployer user ARN"
+ value = module.service_cicd_deployer.user_arn
+}
+
+output "service_cicd_deployer_username" {
+ description = "CICD Deployer username"
+ value = module.service_cicd_deployer.user_name
+}
+
+module "group_cicd_deployer" {
+ # tflint-ignore: terraform_module_version
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+ group_name = local.cicd_k8s_group_name
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+}
+
+output "info_cicd_deployer" {
+ description = "CID Deployer IAM details"
+ value = {
+ user_name = module.service_cicd_deployer.user_name
+ user_arn = module.service_cicd_deployer.user_arn
+ group_name = module.group_cicd_deployer.group_name
+ group_arn = module.group_cicd_deployer.group_arn
+ }
+}
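Review bot: The `ECRWrite` statement is an `Allow` with `not_resources`, which grants `ecr:PutImage`, `ecr:BatchDeleteImage`, `ecr:CreateRepository` and `ecr:DeleteRepository` on every ECR repository in the account except those under `repository/eks/*`; the commented-out `effect = "Deny"` suggests the intent was the inverse (write only to the `eks/` repositories). As written the deployer can push to or delete any other team's repository. Replace the `not_resources` line with `resources = [format(local.common_arn, "ecr", "repository/eks/*")]` (or the cluster-scoped `repository/eks/${cluster}/*` form that is commented out above it), and reconsider whether a deployer needs `DeleteRepository` at all. The deployer is also an IAM user with `p-inf-manage-access-keys` attached, i.e. long-lived credentials; if the CI system supports it, prefer assuming `role_cicd_deployer` via OIDC so no static keys exist.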
diff --git a/main.tf b/main.tf
index 2dc98d4..0732776 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,6 @@
locals {
+ iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+ common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id)
base_tags = {
"eks-cluster-name" = var.cluster_name
"boc:tf_module_version" = local.module_version
@@ -92,3 +94,34 @@ resource "kubernetes_namespace" "telemetry" {
}
}
}
+
+locals {
+ aws_auth_users = [
+ {
+ userarn = module.service_cicd_deployer.user_arn
+ aws_username = ""
+ username = var.cicd_k8s_user_name
+ groups = [local.cicd_k8s_group_name]
+ },
+ ]
+ aws_auth_roles = [
+ {
+ rolearn : module.role_dba_administrator.role_arn
+ aws_rolename : ""
+ username : var.dba_k8s_user_name
+ groups = [local.dba_k8s_group_name]
+ },
+ ]
+}
+
+module "awsauth_cluster-roles" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=tf-upgrade"
+
+ region = var.region
+ profile = var.profile
+ cluster_name = var.cluster_name
+ aws_auth_users = local.aws_auth_users
+ aws_auth_roles = local.aws_auth_roles
+
+ keep_temporary_files = false
+}
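Review bot: `aws_auth_roles` maps only the DBA role; `module.role_cicd_deployer`, created alongside the deployer user, is never mapped, so the pipeline can authenticate only with the IAM user's static access keys rather than by assuming the role. If role-based access is intended, add a second entry `{ rolearn = module.role_cicd_deployer.role_arn, aws_rolename = "", username = var.cicd_k8s_user_name, groups = [local.cicd_k8s_group_name] }`. The two existing entries also mix `key : value` and `key = value` syntax within one object; use `=` for both. Because this module patches the aws-auth ConfigMap (and `keep_temporary_files` suggests local files are written), a bad patch can lock every mapped identity out — worth a comment, and if the cluster's authentication mode allows EKS access entries, those avoid the ConfigMap entirely.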
diff --git a/prefixes.tf b/prefixes.tf
new file mode 100644
index 0000000..4e2709e
--- /dev/null
+++ b/prefixes.tf
@@ -0,0 +1,34 @@
+locals {
+ prefixes = {
+ "efs" = "v-efs-"
+ "s3" = "v-s3-"
+ "ebs" = "v-ebs-"
+ "kms" = "k-kms-"
+ "role" = "r-"
+ "policy" = "p-"
+ "group" = "g-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "vpc" = ""
+ "dhcp-options" = ""
+ "vpc-peer" = "vpcp-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "elastic-ip" = "eip-"
+ "nat-gateway" = "nat-"
+ "internet-gateway" = "igw-"
+ "network-acl" = "nacl-"
+ "customer-gateway" = "cgw-"
+ "vpn-gateway" = "vpcg-"
+ "vpn-connection" = "vpn_"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ # EKS
+ "eks" = "eks-"
+ "eks-user" = "s-eks-"
+ "eks-role" = "r-eks-"
+ "eks-policy" = "p-eks-"
+ "eks-security-group" = "eks-sg-" # "sg-eks-"
+ }
+}
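Review bot: `"vpn-connection" = "vpn_"` is the only prefix in this map that ends in an underscore; every other entry uses a hyphen, so `"vpn-"` is presumably meant. The map also defines `"eks-role" = "r-eks-"`, yet the new IAM role names in dba.iam.tf and deployer.iam.tf are built from `prefixes["eks"]` (giving `eks-…`) and the DBA role and group end up with the same name; either use `eks-role` for roles or add a comment explaining why roles and groups share the `eks-` prefix.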
diff --git a/variables.tf b/variables.tf
index b755841..0d430bf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,11 @@ variable "region" {
type = string
}
+variable "profile" {
+ description = "AWS config profile"
+ type = string
+}
+
variable "vpc_id" {
description = "Specify the VPC id that is used by this cluster"
type = string
@@ -47,3 +52,85 @@ variable "tags" {
type = map(string)
default = {}
}
+
+variable "deployer_istiosystem_role_name" {
+ description = "The kubernetes cluster role name of CIDR Deployer"
+ type = string
+ default = "deployer-istiosystem-role"
+}
+
+variable "deployer_application_role_name" {
+ description = "The kubernetes cluster role name of CICD Deployer"
+ type = string
+ default = "deployer-application-role"
+}
+
+variable "deployer_application_istio_role_name" {
+ description = "The kubernetes cluster role name of CICD Deployer"
+ type = string
+ default = "deployer-application-istio-role"
+}
+
+variable "dba_administrator_role_name" {
+ description = "The kubernetes cluster role name of DBA Administrator"
+ type = string
+ default = "dba-admin-role"
+}
+
+variable "istio_installed_namespace" {
+ description = "Namespace that Istio installed"
+ type = string
+ default = "istio-system"
+}
+
+variable "cicd_k8s_user_name" {
+ description = "The user name of CICD Deployer"
+ type = string
+ default = "cicd-deployer"
+}
+variable "cicd_k8s_group_name" {
+ description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)"
+ type = string
+ default = "cicd-deployer"
+}
+
+variable "dba_k8s_user_name" {
+ description = "the user name of DBA Administrator"
+ type = string
+ default = "dba-admin"
+}
+variable "dba_k8s_group_name" {
+ description = "The Group name of dba-admin belongs to (excluding prefix for service account and cluster)"
+ type = string
+ default = "dba-admin"
+}
+
+variable "deployer_application_rolebinding_name" {
+ description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+ type = string
+ default = "deployer-application-rolebinding"
+}
+
+variable "deployer_application_istio_rolebinding_name" {
+ description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+ type = string
+ default = "deployer-application-istio-rolebinding"
+}
+
+variable "dba_admin_rolebinding_name" {
+ description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+ type = string
+ default = "dba-admin-rolebinding"
+}
+
+variable "cicd_managed_namespaces" {
+ description = "Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix)"
+ type = list(any)
+ default = []
+}
+
+variable "dba_managed_namespaces" {
+ description = "DBA admin managed namespaces (excluding cluster name prefix)"
+ type = list(any)
+ default = []
+}
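Review bot: `cicd_managed_namespaces` and `dba_managed_namespaces` are typed `list(any)` but are formatted straight into Kubernetes namespace names, so non-string or non-DNS-label values fail only at apply time; declare them `list(string)` with a validation block as below (the same shape for `dba_managed_namespaces`), and note in the description that `"<cluster_name>-<ns>"` must stay within the 63-character label limit. Several descriptions are copy-paste errors: `dba_admin_rolebinding_name` and `deployer_application_istio_rolebinding_name` both say they bind to `deployer_application_cluster_role`, and `deployer_istiosystem_role_name` reads "CIDR Deployer" for "CICD Deployer". Suggested wording for the DBA one: `"Name of the RoleBinding that grants the DBA administrator ClusterRole in each DBA-managed namespace"`.
```hcl
variable "cicd_managed_namespaces" {
  description = "Namespaces (without the cluster-name prefix) the CICD deployer may deploy into; '<cluster_name>-<ns>' must be a valid DNS label"
  type        = list(string)
  default     = []
  validation {
    condition     = alltrue([for ns in var.cicd_managed_namespaces : can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", ns))])
    error_message = "Namespace names must be lowercase RFC 1123 labels."
  }
}
```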