✨ feat(roles): add default roles cicd-deployer, cluster-admin, db-admin

SCT-Engineering · Aug 14, 2025 · 870fe7c · 870fe7c
1 parent 6a808d9
commit 870fe7c
Show file tree

Hide file tree

Showing 11 changed files with 695 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -41,37 +41,78 @@ sys     0m2.015s
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.0.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 3.0.1 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.37.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.8.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 3.0.2 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.38.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_awsauth_cluster-roles"></a> [awsauth\_cluster-roles](#module\_awsauth\_cluster-roles) | git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth | tf-upgrade |
 | <a name="module_efs"></a> [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| <a name="module_group_cicd_deployer"></a> [group\_cicd\_deployer](#module\_group\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a |
+| <a name="module_group_dba_administrator"></a> [group\_dba\_administrator](#module\_group\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a |
+| <a name="module_role_cicd_deployer"></a> [role\_cicd\_deployer](#module\_role\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+| <a name="module_role_dba_administrator"></a> [role\_dba\_administrator](#module\_role\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+| <a name="module_service_cicd_deployer"></a> [service\_cicd\_deployer](#module\_service\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-user.git | tf-upgrade |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_cluster_role.cicd_deployer_application_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.cicd_deployer_istio_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.cicd_deployer_istiosystem_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.dba_administrator_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_namespace.cicd_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.dba_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_role_binding.dba_admin_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_application_istio_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_application_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.deployer_istio_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_iam_policy.cicd_deployer_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cicd_deployer_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.dba_administrator_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cicd_k8s_group_name"></a> [cicd\_k8s\_group\_name](#input\_cicd\_k8s\_group\_name) | The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster) | `string` | `"cicd-deployer"` | no |
+| <a name="input_cicd_k8s_user_name"></a> [cicd\_k8s\_user\_name](#input\_cicd\_k8s\_user\_name) | The user name of CICD Deployer | `string` | `"cicd-deployer"` | no |
+| <a name="input_cicd_managed_namespaces"></a> [cicd\_managed\_namespaces](#input\_cicd\_managed\_namespaces) | Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix) | `list(any)` | `[]` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| <a name="input_dba_admin_rolebinding_name"></a> [dba\_admin\_rolebinding\_name](#input\_dba\_admin\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"dba-admin-rolebinding"` | no |
+| <a name="input_dba_administrator_role_name"></a> [dba\_administrator\_role\_name](#input\_dba\_administrator\_role\_name) | The kubernetes cluster role name of DBA Administrator | `string` | `"dba-admin-role"` | no |
+| <a name="input_dba_k8s_group_name"></a> [dba\_k8s\_group\_name](#input\_dba\_k8s\_group\_name) | The Group name of dba-admin belongs to (excluding prefix for service account and cluster) | `string` | `"dba-admin"` | no |
+| <a name="input_dba_k8s_user_name"></a> [dba\_k8s\_user\_name](#input\_dba\_k8s\_user\_name) | the user name of DBA Administrator | `string` | `"dba-admin"` | no |
+| <a name="input_dba_managed_namespaces"></a> [dba\_managed\_namespaces](#input\_dba\_managed\_namespaces) | DBA admin managed namespaces (excluding cluster name prefix) | `list(any)` | `[]` | no |
+| <a name="input_deployer_application_istio_role_name"></a> [deployer\_application\_istio\_role\_name](#input\_deployer\_application\_istio\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-istio-role"` | no |
+| <a name="input_deployer_application_istio_rolebinding_name"></a> [deployer\_application\_istio\_rolebinding\_name](#input\_deployer\_application\_istio\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-istio-rolebinding"` | no |
+| <a name="input_deployer_application_role_name"></a> [deployer\_application\_role\_name](#input\_deployer\_application\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-role"` | no |
+| <a name="input_deployer_application_rolebinding_name"></a> [deployer\_application\_rolebinding\_name](#input\_deployer\_application\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-rolebinding"` | no |
+| <a name="input_deployer_istiosystem_role_name"></a> [deployer\_istiosystem\_role\_name](#input\_deployer\_istiosystem\_role\_name) | The kubernetes cluster role name of CIDR Deployer | `string` | `"deployer-istiosystem-role"` | no |
+| <a name="input_istio_installed_namespace"></a> [istio\_installed\_namespace](#input\_istio\_installed\_namespace) | Namespace that Istio installed | `string` | `"istio-system"` | no |
 | <a name="input_operators_ns"></a> [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
+| <a name="input_profile"></a> [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |
 | <a name="input_security_group_all_worker_mgmt_id"></a> [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
@@ -84,8 +125,13 @@ sys     0m2.015s
 
 | Name | Description |
 |------|-------------|
+| <a name="output_info_cicd_deployer"></a> [info\_cicd\_deployer](#output\_info\_cicd\_deployer) | CID Deployer IAM details |
+| <a name="output_info_dba_administrator"></a> [info\_dba\_administrator](#output\_info\_dba\_administrator) | DBA Adminstrator IAM details |
 | <a name="output_module_name"></a> [module\_name](#output\_module\_name) | The name of this module. |
 | <a name="output_module_version"></a> [module\_version](#output\_module\_version) | The version of this module. |
+| <a name="output_role_dba_administrator_arn"></a> [role\_dba\_administrator\_arn](#output\_role\_dba\_administrator\_arn) | DBA Adminstrator role ARN |
 | <a name="output_rwo_storage_class"></a> [rwo\_storage\_class](#output\_rwo\_storage\_class) | Kubernetes storage class that supports read/write once. |
 | <a name="output_rwx_storage_class"></a> [rwx\_storage\_class](#output\_rwx\_storage\_class) | Kubernetes storage class that supports read/write many. |
+| <a name="output_service_cicd_deployer_arn"></a> [service\_cicd\_deployer\_arn](#output\_service\_cicd\_deployer\_arn) | CICD Deployer user ARN |
+| <a name="output_service_cicd_deployer_username"></a> [service\_cicd\_deployer\_username](#output\_service\_cicd\_deployer\_username) | CICD Deployer username |
 <!-- END_TF_DOCS -->
diff --git a/aws_data.tf b/aws_data.tf
@@ -3,3 +3,10 @@ data "aws_ebs_default_kms_key" "current" {}
 data "aws_kms_key" "ebs_key" {
   key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_arn" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
diff --git a/dba-clusterrole.tf b/dba-clusterrole.tf
@@ -0,0 +1,24 @@
+resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
+  metadata {
+    name = var.dba_administrator_role_name
+  }
+  aggregation_rule {
+    cluster_role_selectors {
+      match_labels = {
+        "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
+      }
+    }
+  }
+
+  rule {
+    api_groups = ["cert-manager.io", "acme.cert-manager.io"]
+    resources  = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+  }
+
+  rule {
+    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+    api_groups = ["networking.istio.io", "security.istio.io"]
+    resources  = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+  }
+}
diff --git a/dba-rolebinding.tf b/dba-rolebinding.tf
@@ -0,0 +1,40 @@
+locals {
+  dba_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.dba_managed_namespaces)
+  dba_k8s_group_name     = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "dba_managed_namespaces" {
+  for_each = toset(local.dba_managed_namespaces)
+  metadata {
+    name = each.key
+    labels = {
+      istio-injection = "enabled"
+    }
+  }
+}
+
+resource "kubernetes_role_binding" "dba_admin_rolebinding" {
+  #  for_each = toset(local.dba_managed_namespaces)
+  for_each = kubernetes_namespace.dba_managed_namespaces
+
+  metadata {
+    name      = var.dba_admin_rolebinding_name
+    namespace = each.key
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.dba_administrator_role_name
+  }
+  subject {
+    kind      = "User"
+    name      = var.dba_k8s_user_name
+    api_group = "rbac.authorization.k8s.io"
+  }
+  subject {
+    kind      = "Group"
+    name      = local.dba_k8s_group_name
+    api_group = "rbac.authorization.k8s.io"
+  }
+  #  depends_on = [kubernetes_namespace.dba_managed_namespaces]
+}
diff --git a/dba.iam.tf b/dba.iam.tf
@@ -0,0 +1,109 @@
+locals {
+  policy_dba_k8s_group_name = replace(local.dba_k8s_group_name, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+  role_dba_k8s_group_name   = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+module "role_dba_administrator" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+  role_name              = local.role_dba_k8s_group_name
+  role_description       = "Role for EKS cluster ${var.cluster_name} for access by ${var.dba_k8s_group_name}"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.dba_administrator_allow_sts.json
+  attached_policies      = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+resource "aws_iam_policy" "dba_administrator" {
+  name        = local.policy_dba_k8s_group_name
+  path        = "/"
+  description = "Policy for EKS ${var.cluster_name} IAM access ${var.dba_k8s_group_name}"
+  policy      = data.aws_iam_policy_document.dba_administrator.json
+}
+
+locals {
+  dba_administrator_policy_statements = {
+    ECRRead = {
+      actions = [
+        "ecr:Describe*",
+        "ecr:Get*",
+        "ecr:ListImages",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+      resources = ["*"]
+    }
+    EKSRead = {
+      actions = [
+        "eks:ListClusters",
+      ]
+      resources = ["*"]
+    }
+    EKSReadMyClusters = {
+      actions = [
+        "eks:DescribeCluster",
+        "eks:AccessKubernetesApi",
+      ]
+      resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+    }
+    STSAssumeRole = {
+      actions   = ["sts:AssumeRole"]
+      resources = [module.role_dba_administrator.role_arn]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "dba_administrator" {
+  dynamic "statement" {
+    for_each = local.dba_administrator_policy_statements
+    iterator = s
+    content {
+      sid           = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+      effect        = lookup(s.value, "effect", "Allow")
+      actions       = lookup(s.value, "actions", [])
+      resources     = lookup(s.value, "resources", [])
+      not_resources = lookup(s.value, "not_resources", [])
+    }
+  }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "dba_administrator_allow_sts" {
+  statement {
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
+  }
+}
+
+output "role_dba_administrator_arn" {
+  description = "DBA Adminstrator role ARN"
+  value       = module.role_dba_administrator.role_arn
+}
+
+module "group_dba_administrator" {
+  # tflint-ignore: terraform_module_version
+  # tflint-ignore: terraform_module_pinned_source
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+  group_name        = local.role_dba_k8s_group_name
+  attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+output "info_dba_administrator" {
+  description = "DBA Adminstrator IAM details"
+  value = {
+    role_name  = module.role_dba_administrator.role_name
+    role_arn   = module.role_dba_administrator.role_arn
+    group_name = module.group_dba_administrator.group_name
+    group_arn  = module.group_dba_administrator.group_arn
+  }
+}
diff --git a/deployer-clusterrole.tf b/deployer-clusterrole.tf
@@ -0,0 +1,67 @@
+resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
+  metadata {
+    name = var.deployer_istiosystem_role_name
+  }
+
+  rule {
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+  rule {
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+
+  rule {
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    api_groups = ["networking.istio.io"]
+    resources  = ["gateways"]
+  }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+  metadata {
+    name = var.deployer_application_istio_role_name
+  }
+  rule {
+    api_groups = ["security.istio.io"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    resources  = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+  }
+
+  rule {
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    api_groups = ["networking.istio.io"]
+    resources  = ["virtualservices", "destinationrules", "gateways"]
+  }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
+  metadata {
+    name = var.deployer_application_role_name
+  }
+  aggregation_rule {
+    cluster_role_selectors {
+      match_labels = {
+        "rbac.authorization.k8s.io/aggregate-to-edit" = "true"
+      }
+    }
+  }
+
+  rule {
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+  rule {
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+}