From 52080de763adc68b87e5f004360f40dbdf91dbdb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 13 Aug 2025 21:31:14 -0400 Subject: [PATCH 01/11] =?UTF-8?q?=E2=9C=A8=20feat(roles):=20add=20default?= =?UTF-8?q?=20roles=20cicd-deployer,=20cluster-admin,=20db-admin?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 52 +++++++++++++- aws_data.tf | 7 ++ dba-clusterrole.tf | 24 +++++++ dba-rolebinding.tf | 40 +++++++++++ dba.iam.tf | 109 ++++++++++++++++++++++++++++ deployer-clusterrole.tf | 67 +++++++++++++++++ deployer-rolebinding.tf | 91 ++++++++++++++++++++++++ deployer.iam.tf | 154 ++++++++++++++++++++++++++++++++++++++++ main.tf | 33 +++++++++ prefixes.tf | 34 +++++++++ variables.tf | 87 +++++++++++++++++++++++ 11 files changed, 695 insertions(+), 3 deletions(-) create mode 100644 dba-clusterrole.tf create mode 100644 dba-rolebinding.tf create mode 100644 dba.iam.tf create mode 100644 deployer-clusterrole.tf create mode 100644 deployer-rolebinding.tf create mode 100644 deployer.iam.tf create mode 100644 prefixes.tf diff --git a/README.md b/README.md index 791afd8..a4de242 100644 --- a/README.md +++ b/README.md 
@@ -41,37 +41,78 @@ sys 0m2.015s | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.0.0 | -| [helm](#provider\_helm) | 3.0.1 | -| [kubernetes](#provider\_kubernetes) | 2.37.1 | +| [aws](#provider\_aws) | 6.8.0 | +| [helm](#provider\_helm) | 3.0.2 | +| [kubernetes](#provider\_kubernetes) | 2.38.0 | | [null](#provider\_null) | 3.2.4 | ## Modules | Name | Source | Version | |------|--------|---------| +| [awsauth\_cluster-roles](#module\_awsauth\_cluster-roles) | git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth | tf-upgrade | | [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master | +| [group\_cicd\_deployer](#module\_group\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a | +| [group\_dba\_administrator](#module\_group\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a | +| [role\_cicd\_deployer](#module\_role\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade | +| [role\_dba\_administrator](#module\_role\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade | +| [service\_cicd\_deployer](#module\_service\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-user.git | tf-upgrade | ## Resources | Name | Type | |------|------| +| [aws_iam_policy.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_cluster_role.cicd_deployer_application_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | +| 
[kubernetes_cluster_role.cicd_deployer_istio_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | +| [kubernetes_cluster_role.cicd_deployer_istiosystem_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | +| [kubernetes_cluster_role.dba_administrator_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | +| [kubernetes_namespace.cicd_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.dba_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_role_binding.dba_admin_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.deployer_application_istio_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.deployer_application_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.deployer_istio_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | 
[kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | +| [aws_iam_policy.cicd_deployer_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cicd_deployer_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dba_administrator_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | 
|------|-------------|------|---------|:--------:| +| [cicd\_k8s\_group\_name](#input\_cicd\_k8s\_group\_name) | The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster) | `string` | `"cicd-deployer"` | no | +| [cicd\_k8s\_user\_name](#input\_cicd\_k8s\_user\_name) | The user name of CICD Deployer | `string` | `"cicd-deployer"` | no | +| [cicd\_managed\_namespaces](#input\_cicd\_managed\_namespaces) | Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix) | `list(any)` | `[]` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | +| [dba\_admin\_rolebinding\_name](#input\_dba\_admin\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"dba-admin-rolebinding"` | no | +| [dba\_administrator\_role\_name](#input\_dba\_administrator\_role\_name) | The kubernetes cluster role name of DBA Administrator | `string` | `"dba-admin-role"` | no | +| [dba\_k8s\_group\_name](#input\_dba\_k8s\_group\_name) | The Group name of dba-admin belongs to (excluding prefix for service account and cluster) | `string` | `"dba-admin"` | no | +| [dba\_k8s\_user\_name](#input\_dba\_k8s\_user\_name) | the user name of DBA Administrator | `string` | `"dba-admin"` | no | +| [dba\_managed\_namespaces](#input\_dba\_managed\_namespaces) | DBA admin managed namespaces (excluding cluster name prefix) | `list(any)` | `[]` | no | +| [deployer\_application\_istio\_role\_name](#input\_deployer\_application\_istio\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-istio-role"` | no | +| [deployer\_application\_istio\_rolebinding\_name](#input\_deployer\_application\_istio\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` 
| `"deployer-application-istio-rolebinding"` | no | +| [deployer\_application\_role\_name](#input\_deployer\_application\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-role"` | no | +| [deployer\_application\_rolebinding\_name](#input\_deployer\_application\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-rolebinding"` | no | +| [deployer\_istiosystem\_role\_name](#input\_deployer\_istiosystem\_role\_name) | The kubernetes cluster role name of CIDR Deployer | `string` | `"deployer-istiosystem-role"` | no | +| [istio\_installed\_namespace](#input\_istio\_installed\_namespace) | Namespace that Istio installed | `string` | `"istio-system"` | no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | +| [profile](#input\_profile) | AWS config profile | `string` | n/a | yes | | [region](#input\_region) | AWS region | `string` | n/a | yes | | [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes | | [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes | 
@@ -84,8 +125,13 @@ sys 0m2.015s | Name | Description | |------|-------------| +| [info\_cicd\_deployer](#output\_info\_cicd\_deployer) | CID Deployer IAM details | +| [info\_dba\_administrator](#output\_info\_dba\_administrator) | DBA Adminstrator IAM details | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | +| [role\_dba\_administrator\_arn](#output\_role\_dba\_administrator\_arn) | DBA Adminstrator role ARN | | [rwo\_storage\_class](#output\_rwo\_storage\_class) | Kubernetes storage class that supports read/write once. | | [rwx\_storage\_class](#output\_rwx\_storage\_class) | Kubernetes storage class that supports read/write many. | +| [service\_cicd\_deployer\_arn](#output\_service\_cicd\_deployer\_arn) | CICD Deployer user ARN | +| [service\_cicd\_deployer\_username](#output\_service\_cicd\_deployer\_username) | CICD Deployer username | diff --git a/aws_data.tf b/aws_data.tf index 96cd77c..eb70e88 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -3,3 +3,10 @@ data "aws_ebs_default_kms_key" "current" {} data "aws_kms_key" "ebs_key" { key_id = data.aws_ebs_default_kms_key.current.key_arn } +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} + +data "aws_arn" "current" { + arn = data.aws_caller_identity.current.arn +} diff --git a/dba-clusterrole.tf b/dba-clusterrole.tf new file mode 100644 index 0000000..e60e7b5 --- /dev/null +++ b/dba-clusterrole.tf 
@@ -0,0 +1,24 @@
+resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
+ metadata {
+ name = var.dba_administrator_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["cert-manager.io", "acme.cert-manager.io"]
+ resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ }
+
+ rule {
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["networking.istio.io", "security.istio.io"]
+ resources = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+ }
+}
diff --git a/dba-rolebinding.tf b/dba-rolebinding.tf
new file mode 100644
index 0000000..1a5fb54
--- /dev/null
+++ b/dba-rolebinding.tf
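Review bot: The explicit `rule` blocks in `dba_administrator_cluster_role` will never take effect: once `aggregation_rule` is set, the Kubernetes controller owns the `rules` field and overwrites anything written into it directly (the kubernetes provider's own documentation for `aggregation_rule` says the same), so the cert-manager and Istio grants are silently dropped and Terraform will report drift on every plan. The same pattern appears in `cicd_deployer_application_cluster_role` in deployer-clusterrole.tf. The usual fix is to keep the aggregated role rule-free, move the explicit rules into a second ClusterRole carrying a custom label, and add a selector for that label, as sketched below (the label key is a constructed example; choose a project-prefixed one). Separately, `aggregate-to-admin` pulls in the full built-in `admin` role, which covers Secrets and RoleBindings in every bound namespace, so it is worth confirming that scope is intended for the DBA group and writing that intent into a comment on the resource.
```hcl
resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
  metadata {
    name = var.dba_administrator_role_name
  }
  # rules is controller-managed: the union of every ClusterRole matched below.
  aggregation_rule {
    cluster_role_selectors {
      match_labels = { "rbac.authorization.k8s.io/aggregate-to-admin" = "true" }
    }
    cluster_role_selectors {
      match_labels = { "aggregate-to-dba-admin" = "true" }
    }
  }
}

# Holds the cert-manager / Istio rules; picked up by the second selector above.
resource "kubernetes_cluster_role" "dba_administrator_extra_rules" {
  metadata {
    name   = "${var.dba_administrator_role_name}-extra"
    labels = { "aggregate-to-dba-admin" = "true" }
  }
  # … unchanged: the two rule { } blocks from the original resource …
}
```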
@@ -0,0 +1,40 @@
+locals {
+ dba_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.dba_managed_namespaces)
+ dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "dba_managed_namespaces" {
+ for_each = toset(local.dba_managed_namespaces)
+ metadata {
+ name = each.key
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+resource "kubernetes_role_binding" "dba_admin_rolebinding" {
+ # for_each = toset(local.dba_managed_namespaces)
+ for_each = kubernetes_namespace.dba_managed_namespaces
+
+ metadata {
+ name = var.dba_admin_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.dba_administrator_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.dba_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.dba_k8s_group_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.dba_managed_namespaces]
+}
diff --git a/dba.iam.tf b/dba.iam.tf
new file mode 100644
index 0000000..740664e
--- /dev/null
+++ b/dba.iam.tf
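Review bot: `kubernetes_namespace.dba_managed_namespaces` is keyed on `var.dba_managed_namespaces`, so removing one entry from that variable makes Terraform delete the namespace and everything in it, including any databases the DBA group has deployed there; since the namespaces also drive the RoleBinding `for_each`, a `lifecycle { prevent_destroy = true }` on the namespace resource is a cheap guard (the same applies to `kubernetes_namespace.cicd_managed_namespaces` in deployer-rolebinding.tf). The `User` subject `var.dba_k8s_user_name` and the `Group` subject `local.dba_k8s_group_name` both name the identity that main.tf maps through aws-auth, so one of the two subjects appears redundant; if the User subject is kept deliberately, a comment saying why would help the next reviewer. The commented-out `for_each` and `depends_on` lines can go now that the resource reference expresses the dependency.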
@@ -0,0 +1,109 @@ +locals { + policy_dba_k8s_group_name = replace(local.dba_k8s_group_name, local.prefixes["eks-user"], local.prefixes["eks-policy"]) + role_dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.dba_k8s_group_name) +} + +module "role_dba_administrator" { + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade" + + role_name = local.role_dba_k8s_group_name + role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.dba_k8s_group_name}" + enable_ldap_creation = false + assume_policy_document = data.aws_iam_policy_document.dba_administrator_allow_sts.json + attached_policies = [aws_iam_policy.dba_administrator.arn] + +} + +resource "aws_iam_policy" "dba_administrator" { + name = local.policy_dba_k8s_group_name + path = "/" + description = "Policy for EKS ${var.cluster_name} IAM access ${var.dba_k8s_group_name}" + policy = data.aws_iam_policy_document.dba_administrator.json +} + +locals { + dba_administrator_policy_statements = { + ECRRead = { + actions = [ + "ecr:Describe*", + "ecr:Get*", + "ecr:ListImages", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + ] + resources = ["*"] + } + EKSRead = { + actions = [ + "eks:ListClusters", + ] + resources = ["*"] + } + EKSReadMyClusters = { + actions = [ + "eks:DescribeCluster", + "eks:AccessKubernetesApi", + ] + resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))] + } + STSAssumeRole = { + actions = ["sts:AssumeRole"] + resources = [module.role_dba_administrator.role_arn] + } + } +} + +data "aws_iam_policy_document" "dba_administrator" { + dynamic "statement" { + for_each = local.dba_administrator_policy_statements + iterator = s + content { + sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key) + effect = lookup(s.value, "effect", "Allow") + actions = lookup(s.value, "actions", []) + resources = lookup(s.value, "resources", 
[]) + not_resources = lookup(s.value, "not_resources", []) + } + } +} + +# allow anyone in this account to assume the role, if they have the permission to do so +data "aws_iam_policy_document" "dba_administrator_allow_sts" { + statement { + sid = "AllowSTSAssume" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = [ + format(local.iam_arn, "root"), + ] + } + } +} + +output "role_dba_administrator_arn" { + description = "DBA Adminstrator role ARN" + value = module.role_dba_administrator.role_arn +} + +module "group_dba_administrator" { + # tflint-ignore: terraform_module_version + # tflint-ignore: terraform_module_pinned_source + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git" + + group_name = local.role_dba_k8s_group_name + attached_policies = [aws_iam_policy.dba_administrator.arn] + +} + +output "info_dba_administrator" { + description = "DBA Adminstrator IAM details" + value = { + role_name = module.role_dba_administrator.role_name + role_arn = module.role_dba_administrator.role_arn + group_name = module.group_dba_administrator.group_name + group_arn = module.group_dba_administrator.group_arn + } +} diff --git a/deployer-clusterrole.tf b/deployer-clusterrole.tf new file mode 100644 index 0000000..7cede6e --- /dev/null +++ b/deployer-clusterrole.tf 
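Review bot: `module "group_dba_administrator"` pulls `aws-iam-group.git` with no `?ref=`, so every apply fetches whatever the default branch holds at that moment; the two `tflint-ignore` lines silence the warning rather than address it. The other modules in this commit pin `?ref=tf-upgrade`, which is a branch and therefore just as mutable. For modules that define IAM roles and groups a tag or commit SHA is the safer pin, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git?ref=<tag-or-sha>"`; the same applies to `module "group_cicd_deployer"` in deployer.iam.tf. Minor: "Adminstrator" in the two output descriptions and in the README rows generated from them.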
@@ -0,0 +1,67 @@
+resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
+ metadata {
+ name = var.deployer_istiosystem_role_name
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+ metadata {
+ name = var.deployer_application_istio_role_name
+ }
+ rule {
+ api_groups = ["security.istio.io"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+ }
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["virtualservices", "destinationrules", "gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
+ metadata {
+ name = var.deployer_application_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-edit" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+}
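Review bot: Every `verbs` list in this file lists `"patch"` twice; as far as I know the API server tolerates the duplicate, but it reads as if a different verb was meant and lost, so all seven rules should become `verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update"]`. The `verbs`/`api_groups`/`resources` attribute order also differs from rule to rule; keeping one order makes the role-by-role comparison of these grants much easier to audit. `deletecollection` on cert-manager resources and on Istio `gateways` in the Istio namespace is a broad grant for a CI/CD identity, and a comment on `cicd_deployer_istiosystem_cluster_role` stating why bulk deletion there is required would save the next reviewer the question.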
diff --git a/deployer-rolebinding.tf b/deployer-rolebinding.tf new file mode 100644 index 0000000..c4c0e14 --- /dev/null +++ b/deployer-rolebinding.tf 
@@ -0,0 +1,91 @@ +resource "kubernetes_role_binding" "deployer_istio_role_binding" { + metadata { + name = "deployer_istiosystem_role_binding" + namespace = var.istio_installed_namespace + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = var.deployer_istiosystem_role_name + } + subject { + kind = "User" + name = var.cicd_k8s_user_name + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + # name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name) + name = local.cicd_k8s_iam_username + api_group = "rbac.authorization.k8s.io" + } +} + +locals { + cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces) + cicd_k8s_iam_username = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name) + cicd_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name) +} + +resource "kubernetes_namespace" "cicd_managed_namespaces" { + for_each = toset(local.cicd_managed_namespaces) + metadata { + name = each.key + labels = { + istio-injection = "enabled" + } + } +} + + +resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" { + # for_each = toset(local.cicd_managed_namespaces) + for_each = kubernetes_namespace.cicd_managed_namespaces + + metadata { + name = var.deployer_application_istio_rolebinding_name + namespace = each.key + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = var.deployer_application_istio_role_name + } + subject { + kind = "User" + name = var.cicd_k8s_user_name + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + name = local.cicd_k8s_iam_username + api_group = "rbac.authorization.k8s.io" + } + # depends_on = [kubernetes_namespace.cicd_managed_namespaces] +} + +resource "kubernetes_role_binding" "deployer_application_rolebinding" { + # for_each = 
toset(local.cicd_managed_namespaces) + for_each = kubernetes_namespace.cicd_managed_namespaces + + metadata { + name = var.deployer_application_rolebinding_name + namespace = each.key + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = var.deployer_application_role_name + } + subject { + kind = "User" + name = var.cicd_k8s_user_name + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + name = local.cicd_k8s_iam_username + api_group = "rbac.authorization.k8s.io" + } + # depends_on = [kubernetes_namespace.cicd_managed_namespaces] +} diff --git a/deployer.iam.tf b/deployer.iam.tf new file mode 100644 index 0000000..962d525 --- /dev/null +++ b/deployer.iam.tf 
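Review bot: The `Group` subject in all three RoleBindings is `local.cicd_k8s_iam_username` (built with the `s-eks-` prefix), but main.tf maps the deployer user into `groups = [local.cicd_k8s_group_name]` (built with the `eks-` prefix), so the Group subjects can never match and access is granted only through the `User` subject `var.cicd_k8s_user_name`. Either the bindings should use `name = local.cicd_k8s_group_name` or the `groups` entry in main.tf's `aws_auth_users` should be `[local.cicd_k8s_iam_username]`; the commented-out line in `deployer_istio_role_binding` suggests the `s-eks-` form was intended, and the DBA binding in dba-rolebinding.tf is consistent on that form. The hard-coded `name = "deployer_istiosystem_role_binding"` is the only binding name not driven by a variable and uses underscores where the others use hyphens.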
@@ -0,0 +1,154 @@ +locals { + policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], local.prefixes["eks-policy"]) + role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], "") + iam_policies_cicd = ["p-inf-manage-access-keys"] +} + +data "aws_iam_policy" "cicd_deployer_policies" { + for_each = toset(local.iam_policies_cicd) + name = each.key +} + +module "service_cicd_deployer" { + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git?ref=tf-upgrade" + + iam_username = local.cicd_k8s_iam_username + username = "" + email_address = "" + groups = ["g-inf-ip-restriction"] + generate_password = false + service_account = true + enable_sending_mail = false + create_access_keys = false + profile = var.profile + pgp_key_file = "./init/tf-gpg-key.b64" + + attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn])) + +} +module "role_cicd_deployer" { + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade" + + role_name = local.role_cicd_k8s_group_name + role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}" + enable_ldap_creation = false + assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json + # attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn])) + attached_policies = [aws_iam_policy.cicd_deployer.arn] + +} + +resource "aws_iam_policy" "cicd_deployer" { + name = local.policy_cicd_k8s_group_name + path = "/" + description = "Policy for EKS ${var.cluster_name} IAM access ${var.cicd_k8s_group_name}" + policy = data.aws_iam_policy_document.cicd_deployer.json +} + +locals { + cicd_deployer_policy_statements = { + ECRRead = { + actions = [ + "ecr:Describe*", + "ecr:Get*", + "ecr:ListImages", + "ecr:BatchGetImage", + 
"ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + ] + resources = ["*"] + } + ECRWrite = { + # effect = "Deny" + actions = [ + "ecr:BatchDeleteImage", + "ecr:CompleteLayerUpload", + "ecr:CreateRepository", + "ecr:DeleteRepository", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart" + ] + # not_resources = [format(local.common_arn, "ecr", format("repository/eks/%v/*", var.cluster_name))] + not_resources = [format(local.common_arn, "ecr", "repository/eks/*")] + } + EKSRead = { + actions = [ + "eks:ListClusters", + ] + resources = ["*"] + } + EKSReadMyClusters = { + actions = [ + "eks:AccessKubernetesApi", + "eks:DescribeCluster", + ] + resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))] + } + # IAMRead = { + # actions = [ + # "iam:ListRoles", + # ] + # resources = ["*"] + # } + } +} + +data "aws_iam_policy_document" "cicd_deployer" { + dynamic "statement" { + for_each = local.cicd_deployer_policy_statements + iterator = s + content { + sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key) + effect = lookup(s.value, "effect", "Allow") + actions = lookup(s.value, "actions", []) + resources = lookup(s.value, "resources", []) + not_resources = lookup(s.value, "not_resources", []) + } + } +} + +# allow anyone in this account to assume the role, if they have the permission to do so +data "aws_iam_policy_document" "cicd_deployer_allow_sts" { + statement { + sid = "AllowSTSAssume" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = [ + format(local.iam_arn, "root"), + ] + } + } +} + +output "service_cicd_deployer_arn" { + description = "CICD Deployer user ARN" + value = module.service_cicd_deployer.user_arn +} + +output "service_cicd_deployer_username" { + description = "CICD Deployer username" + value = module.service_cicd_deployer.user_name +} + +module "group_cicd_deployer" { + # tflint-ignore: terraform_module_version + # 
tflint-ignore: terraform_module_pinned_source + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git" + + group_name = local.cicd_k8s_group_name + attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn])) + +} + +output "info_cicd_deployer" { + description = "CID Deployer IAM details" + value = { + user_name = module.service_cicd_deployer.user_name + user_arn = module.service_cicd_deployer.user_arn + group_name = module.group_cicd_deployer.group_name + group_arn = module.group_cicd_deployer.group_arn + } +} diff --git a/main.tf b/main.tf index 2dc98d4..0732776 100644 --- a/main.tf +++ b/main.tf @@ -1,4 +1,6 @@ locals { + iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) + common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id) base_tags = { "eks-cluster-name" = var.cluster_name "boc:tf_module_version" = local.module_version @@ -92,3 +94,34 @@ resource "kubernetes_namespace" "telemetry" { } } } + +locals { + aws_auth_users = [ + { + userarn = module.service_cicd_deployer.user_arn + aws_username = "" + username = var.cicd_k8s_user_name + groups = [local.cicd_k8s_group_name] + }, + ] + aws_auth_roles = [ + { + rolearn : module.role_dba_administrator.role_arn + aws_rolename : "" + username : var.dba_k8s_user_name + groups = [local.dba_k8s_group_name] + }, + ] +} + +module "awsauth_cluster-roles" { + source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=tf-upgrade" + + region = var.region + profile = var.profile + cluster_name = var.cluster_name + aws_auth_users = local.aws_auth_users + aws_auth_roles = local.aws_auth_roles + + keep_temporary_files = false +} diff --git a/prefixes.tf b/prefixes.tf new file mode 100644 index 0000000..4e2709e --- /dev/null +++ b/prefixes.tf 
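Review bot: `ECRWrite` is an Allow statement scoped with `not_resources`, so it grants `ecr:DeleteRepository`, `ecr:BatchDeleteImage`, `ecr:CreateRepository` and the push actions on every ECR repository in the region except those under `repository/eks/*`, which is the inverse of what a per-cluster deployer would normally be scoped to; the commented-out `# effect = "Deny"` suggests the statement changed meaning while being edited. If the intent is to let the deployer push to its own repositories, a positive `resources = [format(local.common_arn, "ecr", format("repository/eks/%v/*", var.cluster_name))]` is the safer shape, and if it really must write everywhere else a comment explaining why belongs on the statement. Separately, the `attached_policies = flatten(concat(...))` expression is repeated for the user and the group and could be a single local.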
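Review bot: `aws_auth_users` maps the long-lived IAM user `module.service_cicd_deployer.user_arn` into the cluster while `module.role_cicd_deployer`, created for this identity in deployer.iam.tf, is not mapped at all, so the pipeline can reach the Kubernetes API only with the user's static credentials. If the CI/CD system can assume roles, adding an `aws_auth_roles` entry with `rolearn = module.role_cicd_deployer.role_arn` and the same username and groups lets it use temporary credentials instead; if it cannot, a comment on the local saying so would explain why a user is mapped here. The two list entries also mix `key : value` and `key = value` syntax (`rolearn :`, `aws_rolename :`, `username :` beside `groups =`); both are valid HCL, but one form reads better.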
@@ -0,0 +1,34 @@ +locals { + prefixes = { + "efs" = "v-efs-" + "s3" = "v-s3-" + "ebs" = "v-ebs-" + "kms" = "k-kms-" + "role" = "r-" + "policy" = "p-" + "group" = "g-" + "security-group" = "" # "sg-" + # VPC + "vpc" = "" + "dhcp-options" = "" + "vpc-peer" = "vpcp-" + "route-table" = "route-" + "subnet" = "" + "vpc-endpoint" = "vpce-" + "elastic-ip" = "eip-" + "nat-gateway" = "nat-" + "internet-gateway" = "igw-" + "network-acl" = "nacl-" + "customer-gateway" = "cgw-" + "vpn-gateway" = "vpcg-" + "vpn-connection" = "vpn_" + "log-group" = "lg-" + "log-stream" = "lgs-" + # EKS + "eks" = "eks-" + "eks-user" = "s-eks-" + "eks-role" = "r-eks-" + "eks-policy" = "p-eks-" + "eks-security-group" = "eks-sg-" # "sg-eks-" + } +} diff --git a/variables.tf b/variables.tf index b755841..0d430bf 100644 --- a/variables.tf +++ b/variables.tf @@ -9,6 +9,11 @@ variable "region" { type = string } +variable "profile" { + description = "AWS config profile" + type = string +} + variable "vpc_id" { description = "Specify the VPC id that is used by this cluster" type = string 
@@ -47,3 +52,85 @@ variable "tags" { type = map(string) default = {} } + +variable "deployer_istiosystem_role_name" { + description = "The kubernetes cluster role name of CIDR Deployer" + type = string + default = "deployer-istiosystem-role" +} + +variable "deployer_application_role_name" { + description = "The kubernetes cluster role name of CICD Deployer" + type = string + default = "deployer-application-role" +} + +variable "deployer_application_istio_role_name" { + description = "The kubernetes cluster role name of CICD Deployer" + type = string + default = "deployer-application-istio-role" +} + +variable "dba_administrator_role_name" { + description = "The kubernetes cluster role name of DBA Administrator" + type = string + default = "dba-admin-role" +} + +variable "istio_installed_namespace" { + description = "Namespace that Istio installed" + type = string + default = "istio-system" +} + +variable "cicd_k8s_user_name" { + description = "The user name of CICD Deployer" + type = string + default = "cicd-deployer" +} +variable "cicd_k8s_group_name" { + description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)" + type = string + default = "cicd-deployer" +} + +variable "dba_k8s_user_name" { + description = "the user name of DBA Administrator" + type = string + default = "dba-admin" +} +variable "dba_k8s_group_name" { + description = "The Group name of dba-admin belongs to (excluding prefix for service account and cluster)" + type = string + default = "dba-admin" +} + +variable "deployer_application_rolebinding_name" { + description = "Role binding name of deployer that binding to role deployer_application_cluster_role" + type = string + default = "deployer-application-rolebinding" +} + +variable "deployer_application_istio_rolebinding_name" { + description = "Role binding name of deployer that binding to role deployer_application_cluster_role" + type = string + default = "deployer-application-istio-rolebinding" 
+} + +variable "dba_admin_rolebinding_name" { + description = "Role binding name of deployer that binding to role deployer_application_cluster_role" + type = string + default = "dba-admin-rolebinding" +} + +variable "cicd_managed_namespaces" { + description = "Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix)" + type = list(any) + default = [] +} + +variable "dba_managed_namespaces" { + description = "DBA admin managed namespaces (excluding cluster name prefix)" + type = list(any) + default = [] +} From eab9f0b459255f08561d9dc90a69270ffeefb574 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 27 Aug 2025 20:44:45 -0400 Subject: [PATCH 02/11] =?UTF-8?q?=F0=9F=90=9B=20fix([roles]):=20comment=20?= =?UTF-8?q?out=20cicd-deployer=20and=20dba=20roles?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 45 ----- aws_data.tf | 10 +- dba-clusterrole.tf => dba-clusterrole.tf.off | 0 dba-rolebinding.tf => dba-rolebinding.tf.off | 0 dba.iam.tf => dba.iam.tf.off | 0 ...sterrole.tf => deployer-clusterrole.tf.off | 0 ...ebinding.tf => deployer-rolebinding.tf.off | 0 deployer.iam.tf => deployer.iam.tf.off | 0 main.tf | 58 +++---- prefixes.tf => prefixes.tf.off | 0 variables.tf | 163 +++++++++--------- 11 files changed, 116 insertions(+), 160 deletions(-) rename dba-clusterrole.tf => dba-clusterrole.tf.off (100%) rename dba-rolebinding.tf => dba-rolebinding.tf.off (100%) rename dba.iam.tf => dba.iam.tf.off (100%) rename deployer-clusterrole.tf => deployer-clusterrole.tf.off (100%) rename deployer-rolebinding.tf => deployer-rolebinding.tf.off (100%) rename deployer.iam.tf => deployer.iam.tf.off (100%) rename prefixes.tf => prefixes.tf.off (100%) diff --git a/README.md b/README.md index a4de242..6941171 100644 --- a/README.md +++ b/README.md 
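Review bot: `cicd_managed_namespaces` and `dba_managed_namespaces` are typed `list(any)` although both are formatted straight into Kubernetes namespace names; `type = list(string)` lets Terraform reject a mistyped value before it reaches `formatlist`. Several descriptions are copy-pasted and wrong: `deployer_istiosystem_role_name` says "CIDR Deployer", `dba_admin_rolebinding_name` describes a deployer binding to `deployer_application_cluster_role`, and `deployer_application_istio_rolebinding_name` names that same role rather than the Istio one; these strings become the README inputs table in this commit, so they are worth correcting here.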
@@ -50,67 +50,27 @@ sys 0m2.015s | Name | Source | Version | |------|--------|---------| -| [awsauth\_cluster-roles](#module\_awsauth\_cluster-roles) | git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth | tf-upgrade | | [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master | -| [group\_cicd\_deployer](#module\_group\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a | -| [group\_dba\_administrator](#module\_group\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-group.git | n/a | -| [role\_cicd\_deployer](#module\_role\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade | -| [role\_dba\_administrator](#module\_role\_dba\_administrator) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade | -| [service\_cicd\_deployer](#module\_service\_cicd\_deployer) | git@github.e.it.census.gov:terraform-modules/aws-iam-user.git | tf-upgrade | ## Resources | Name | Type | |------|------| -| [aws_iam_policy.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_cluster_role.cicd_deployer_application_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role.cicd_deployer_istio_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| 
[kubernetes_cluster_role.cicd_deployer_istiosystem_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role.dba_administrator_cluster_role](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| [kubernetes_namespace.cicd_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.dba_managed_namespaces](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_role_binding.dba_admin_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | -| [kubernetes_role_binding.deployer_application_istio_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | -| [kubernetes_role_binding.deployer_application_rolebinding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | -| [kubernetes_role_binding.deployer_istio_role_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | 
[kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | -| [aws_iam_policy.cicd_deployer_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.cicd_deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cicd_deployer_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.dba_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.dba_administrator_allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cicd\_k8s\_group\_name](#input\_cicd\_k8s\_group\_name) | The Group name of CICD Deployer belongs to (excluding 
prefix for service account and cluster) | `string` | `"cicd-deployer"` | no | -| [cicd\_k8s\_user\_name](#input\_cicd\_k8s\_user\_name) | The user name of CICD Deployer | `string` | `"cicd-deployer"` | no | -| [cicd\_managed\_namespaces](#input\_cicd\_managed\_namespaces) | Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix) | `list(any)` | `[]` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | -| [dba\_admin\_rolebinding\_name](#input\_dba\_admin\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"dba-admin-rolebinding"` | no | -| [dba\_administrator\_role\_name](#input\_dba\_administrator\_role\_name) | The kubernetes cluster role name of DBA Administrator | `string` | `"dba-admin-role"` | no | -| [dba\_k8s\_group\_name](#input\_dba\_k8s\_group\_name) | The Group name of dba-admin belongs to (excluding prefix for service account and cluster) | `string` | `"dba-admin"` | no | -| [dba\_k8s\_user\_name](#input\_dba\_k8s\_user\_name) | the user name of DBA Administrator | `string` | `"dba-admin"` | no | -| [dba\_managed\_namespaces](#input\_dba\_managed\_namespaces) | DBA admin managed namespaces (excluding cluster name prefix) | `list(any)` | `[]` | no | -| [deployer\_application\_istio\_role\_name](#input\_deployer\_application\_istio\_role\_name) | The kubernetes cluster role name of CICD Deployer | `string` | `"deployer-application-istio-role"` | no | -| [deployer\_application\_istio\_rolebinding\_name](#input\_deployer\_application\_istio\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-istio-rolebinding"` | no | -| [deployer\_application\_role\_name](#input\_deployer\_application\_role\_name) | The kubernetes cluster role 
name of CICD Deployer | `string` | `"deployer-application-role"` | no | -| [deployer\_application\_rolebinding\_name](#input\_deployer\_application\_rolebinding\_name) | Role binding name of deployer that binding to role deployer\_application\_cluster\_role | `string` | `"deployer-application-rolebinding"` | no | -| [deployer\_istiosystem\_role\_name](#input\_deployer\_istiosystem\_role\_name) | The kubernetes cluster role name of CIDR Deployer | `string` | `"deployer-istiosystem-role"` | no | -| [istio\_installed\_namespace](#input\_istio\_installed\_namespace) | Namespace that Istio installed | `string` | `"istio-system"` | no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | | [profile](#input\_profile) | AWS config profile | `string` | n/a | yes | | [region](#input\_region) | AWS region | `string` | n/a | yes | @@ -125,13 +85,8 @@ sys 0m2.015s | Name | Description | |------|-------------| -| [info\_cicd\_deployer](#output\_info\_cicd\_deployer) | CID Deployer IAM details | -| [info\_dba\_administrator](#output\_info\_dba\_administrator) | DBA Adminstrator IAM details | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | -| [role\_dba\_administrator\_arn](#output\_role\_dba\_administrator\_arn) | DBA Adminstrator role ARN | | [rwo\_storage\_class](#output\_rwo\_storage\_class) | Kubernetes storage class that supports read/write once. | | [rwx\_storage\_class](#output\_rwx\_storage\_class) | Kubernetes storage class that supports read/write many. | -| [service\_cicd\_deployer\_arn](#output\_service\_cicd\_deployer\_arn) | CICD Deployer user ARN | -| [service\_cicd\_deployer\_username](#output\_service\_cicd\_deployer\_username) | CICD Deployer username | diff --git a/aws_data.tf b/aws_data.tf index eb70e88..bb1ee27 100644 --- a/aws_data.tf +++ b/aws_data.tf 
@@ -3,10 +3,10 @@ data "aws_ebs_default_kms_key" "current" {}
 data "aws_kms_key" "ebs_key" {
 key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
-data "aws_caller_identity" "current" {}
+# data "aws_caller_identity" "current" {}
 
-data "aws_region" "current" {}
+# data "aws_region" "current" {}
 
-data "aws_arn" "current" {
- arn = data.aws_caller_identity.current.arn
-}
+# data "aws_arn" "current" {
+# arn = data.aws_caller_identity.current.arn
+# }
diff --git a/dba-clusterrole.tf b/dba-clusterrole.tf.off
similarity index 100%
rename from dba-clusterrole.tf
rename to dba-clusterrole.tf.off
diff --git a/dba-rolebinding.tf b/dba-rolebinding.tf.off
similarity index 100%
rename from dba-rolebinding.tf
rename to dba-rolebinding.tf.off
diff --git a/dba.iam.tf b/dba.iam.tf.off
similarity index 100%
rename from dba.iam.tf
rename to dba.iam.tf.off
diff --git a/deployer-clusterrole.tf b/deployer-clusterrole.tf.off
similarity index 100%
rename from deployer-clusterrole.tf
rename to deployer-clusterrole.tf.off
diff --git a/deployer-rolebinding.tf b/deployer-rolebinding.tf.off
similarity index 100%
rename from deployer-rolebinding.tf
rename to deployer-rolebinding.tf.off
diff --git a/deployer.iam.tf b/deployer.iam.tf.off
similarity index 100%
rename from deployer.iam.tf
rename to deployer.iam.tf.off
diff --git a/main.tf b/main.tf
index 0732776..5bd657a 100644
--- a/main.tf
+++ b/main.tf
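Review bot: The three data sources are replaced by commented copies of themselves (`+# data "aws_caller_identity" "current" {}` and the two blocks below it) instead of being deleted, and the main.tf hunks and the variables.tf hunk in this same commit do the same, with seven more files parked as `.tf.off`. Git history already preserves the removed code, while commented blocks are invisible to `terraform validate`, `terraform fmt` and tflint and so drift silently from the resources they once described. If the roles are expected to come back, a single comment stating the condition for re-enabling them, e.g. `# aws-auth role plumbing disabled; re-enable together with *.tf.off (see <tracking-issue placeholder>)`, carries that intent better than the copies do.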
@@ -1,6 +1,6 @@
 locals {
- iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
- common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id)
+ # iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+ # common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id)
 base_tags = {
 "eks-cluster-name" = var.cluster_name
 "boc:tf_module_version" = local.module_version
@@ -95,33 +95,33 @@ resource "kubernetes_namespace" "telemetry" { } } -locals { - aws_auth_users = [ - { - userarn = module.service_cicd_deployer.user_arn - aws_username = "" - username = var.cicd_k8s_user_name - groups = [local.cicd_k8s_group_name] - }, - ] - aws_auth_roles = [ - { - rolearn : module.role_dba_administrator.role_arn - aws_rolename : "" - username : var.dba_k8s_user_name - groups = [local.dba_k8s_group_name] - }, - ] -} +# locals { +# aws_auth_users = [ +# { +# userarn = module.service_cicd_deployer.user_arn +# aws_username = "" +# username = var.cicd_k8s_user_name +# groups = [local.cicd_k8s_group_name] +# }, +# ] +# aws_auth_roles = [ +# { +# rolearn : module.role_dba_administrator.role_arn +# aws_rolename : "" +# username : var.dba_k8s_user_name +# groups = [local.dba_k8s_group_name] +# }, +# ] +# } -module "awsauth_cluster-roles" { - source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=tf-upgrade" +# module "awsauth_cluster-roles" { +# source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=tf-upgrade" - region = var.region - profile = var.profile - cluster_name = var.cluster_name - aws_auth_users = local.aws_auth_users - aws_auth_roles = local.aws_auth_roles +# region = var.region +# profile = var.profile +# cluster_name = var.cluster_name +# aws_auth_users = local.aws_auth_users +# aws_auth_roles = local.aws_auth_roles - keep_temporary_files = false -} +# keep_temporary_files = false +# } diff --git a/prefixes.tf b/prefixes.tf.off similarity index 100% rename from prefixes.tf rename to prefixes.tf.off diff --git a/variables.tf b/variables.tf index 0d430bf..3fb6c32 100644 --- a/variables.tf +++ b/variables.tf @@ -9,6 +9,7 @@ variable "region" { type = string } +# tflint-ignore: terraform_unused_declarations variable "profile" { description = "AWS config profile" type = string 
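Review bot: The added `# tflint-ignore: terraform_unused_declarations` above `variable "profile"` suppresses a warning that this same commit creates, since `module "awsauth_cluster-roles"`, the only consumer of `var.profile` visible in the diff, is commented out a few lines earlier. The README table still lists `profile` as a required input with no default, so every caller must keep supplying a value that nothing in the module reads. Unless a provider block outside this diff still uses it, either remove the variable or say in the suppression why it is kept, e.g. `# tflint-ignore: terraform_unused_declarations -- consumed by the aws-auth module, currently disabled`.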
@@ -53,84 +54,84 @@ variable "tags" { default = {} } -variable "deployer_istiosystem_role_name" { - description = "The kubernetes cluster role name of CIDR Deployer" - type = string - default = "deployer-istiosystem-role" -} - -variable "deployer_application_role_name" { - description = "The kubernetes cluster role name of CICD Deployer" - type = string - default = "deployer-application-role" -} - -variable "deployer_application_istio_role_name" { - description = "The kubernetes cluster role name of CICD Deployer" - type = string - default = "deployer-application-istio-role" -} - -variable "dba_administrator_role_name" { - description = "The kubernetes cluster role name of DBA Administrator" - type = string - default = "dba-admin-role" -} - -variable "istio_installed_namespace" { - description = "Namespace that Istio installed" - type = string - default = "istio-system" -} - -variable "cicd_k8s_user_name" { - description = "The user name of CICD Deployer" - type = string - default = "cicd-deployer" -} -variable "cicd_k8s_group_name" { - description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)" - type = string - default = "cicd-deployer" -} - -variable "dba_k8s_user_name" { - description = "the user name of DBA Administrator" - type = string - default = "dba-admin" -} -variable "dba_k8s_group_name" { - description = "The Group name of dba-admin belongs to (excluding prefix for service account and cluster)" - type = string - default = "dba-admin" -} - -variable "deployer_application_rolebinding_name" { - description = "Role binding name of deployer that binding to role deployer_application_cluster_role" - type = string - default = "deployer-application-rolebinding" -} - -variable "deployer_application_istio_rolebinding_name" { - description = "Role binding name of deployer that binding to role deployer_application_cluster_role" - type = string - default = "deployer-application-istio-rolebinding" -} - -variable 
"dba_admin_rolebinding_name" { - description = "Role binding name of deployer that binding to role deployer_application_cluster_role" - type = string - default = "dba-admin-rolebinding" -} - -variable "cicd_managed_namespaces" { - description = "Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix)" - type = list(any) - default = [] -} - -variable "dba_managed_namespaces" { - description = "DBA admin managed namespaces (excluding cluster name prefix)" - type = list(any) - default = [] -} +# variable "deployer_istiosystem_role_name" { +# description = "The kubernetes cluster role name of CIDR Deployer" +# type = string +# default = "deployer-istiosystem-role" +# } + +# variable "deployer_application_role_name" { +# description = "The kubernetes cluster role name of CICD Deployer" +# type = string +# default = "deployer-application-role" +# } + +# variable "deployer_application_istio_role_name" { +# description = "The kubernetes cluster role name of CICD Deployer" +# type = string +# default = "deployer-application-istio-role" +# } + +# variable "dba_administrator_role_name" { +# description = "The kubernetes cluster role name of DBA Administrator" +# type = string +# default = "dba-admin-role" +# } + +# variable "istio_installed_namespace" { +# description = "Namespace that Istio installed" +# type = string +# default = "istio-system" +# } + +# variable "cicd_k8s_user_name" { +# description = "The user name of CICD Deployer" +# type = string +# default = "cicd-deployer" +# } +# variable "cicd_k8s_group_name" { +# description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)" +# type = string +# default = "cicd-deployer" +# } + +# variable "dba_k8s_user_name" { +# description = "the user name of DBA Administrator" +# type = string +# default = "dba-admin" +# } +# variable "dba_k8s_group_name" { +# description = "The Group name of dba-admin belongs to (excluding prefix for service 
account and cluster)" +# type = string +# default = "dba-admin" +# } + +# variable "deployer_application_rolebinding_name" { +# description = "Role binding name of deployer that binding to role deployer_application_cluster_role" +# type = string +# default = "deployer-application-rolebinding" +# } + +# variable "deployer_application_istio_rolebinding_name" { +# description = "Role binding name of deployer that binding to role deployer_application_cluster_role" +# type = string +# default = "deployer-application-istio-rolebinding" +# } + +# variable "dba_admin_rolebinding_name" { +# description = "Role binding name of deployer that binding to role deployer_application_cluster_role" +# type = string +# default = "dba-admin-rolebinding" +# } + +# variable "cicd_managed_namespaces" { +# description = "Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix)" +# type = list(any) +# default = [] +# } + +# variable "dba_managed_namespaces" { +# description = "DBA admin managed namespaces (excluding cluster name prefix)" +# type = list(any) +# default = [] +# } From a85485626e38dbb835fdbfc22901857ec65b8a10 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 10 Oct 2025 18:56:10 -0400 Subject: [PATCH 03/11] enable injection in operators --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index 5bd657a..c1d68ae 100644 --- a/main.tf +++ b/main.tf @@ -83,6 +83,9 @@ resource "kubernetes_storage_class" "efs_sc" { resource "kubernetes_namespace" "operators" { metadata { name = var.operators_ns + labels = { + istio-injection = "enabled" + } } } From e5226be712f769511b76d0c6e9690f4a1a832b42 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Fri, 10 Oct 2025 19:01:56 -0400 Subject: [PATCH 04/11] add cluster issuer --- README.md | 5 ++++ cert-mgr-cluster-issuer.tf | 53 ++++++++++++++++++++++++++++++++++++++ variables.tf | 12 +++++++++ 3 files changed, 70 insertions(+) create mode 100644 cert-mgr-cluster-issuer.tf diff --git a/README.md b/README.md index 6941171..2a8d7dc 100644 --- a/README.md +++ b/README.md @@ -51,14 +51,17 @@ sys 0m2.015s | Name | Source | Version | |------|--------|---------| | [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master | +| [subordinate\_ca](#module\_subordinate\_ca) | git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager | n/a | ## Resources | Name | Type | |------|------| +| [helm_release.clusterissuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | 
@@ -70,7 +73,9 @@ sys 0m2.015s | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cluster\_mailing\_list](#input\_cluster\_mailing\_list) | The mailing list for cluster notifications | `string` | `"cluster@example.com"` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | +| [namespace](#input\_namespace) | The namespace to deploy cert-manager resources into | `string` | `"cert-manager"` | no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | | [profile](#input\_profile) | AWS config profile | `string` | n/a | yes | | [region](#input\_region) | AWS region | `string` | n/a | yes | diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf new file mode 100644 index 0000000..41d8dad --- /dev/null +++ b/cert-mgr-cluster-issuer.tf 
@@ -0,0 +1,53 @@
+locals {
+ common_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+# Create a subordinate cert for the cert-manager clusterissuer.
+module "subordinate_ca" {
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = var.cluster_name
+ contact_email = var.cluster_mailing_list
+ validity_days = 30
+
+ tags = merge(
+ local.common_tags,
+ )
+}
+
+resource "kubernetes_secret" "ca_key_pair" {
+ metadata {
+ name = "ca-key-pair"
+ # namespace = var.cluster_issuer_name
+ namespace = var.namespace
+ }
+
+ binary_data = {
+ "tls.key" = module.subordinate_ca.certificate_tls_key
+ "tls.crt" = module.subordinate_ca.certificate_tls_crt
+ }
+}
+
+resource "helm_release" "clusterissuer" {
+ name = "clusterissuer"
+ chart = "./clusterissuer"
+ namespace = var.namespace
+
+ set = [
+ {
+ name = "name"
+ value = "clusterissuer"
+ },
+ {
+ name = "apiVersion"
+ value = "cert-manager.io/v1"
+ },
+ {
+ name = "secretName"
+ value = kubernetes_secret.ca_key_pair.metadata[0].name
+ }
+ ]
+}
diff --git a/variables.tf b/variables.tf
index 3fb6c32..6872c2c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -135,3 +135,15 @@ variable "tags" {
 # type = list(any)
 # default = []
 # }
+
+variable "namespace" {
+ description = "The namespace to deploy cert-manager resources into"
+ type = string
+ default = "cert-manager"
+}
+
+variable "cluster_mailing_list" {
+ description = "The mailing list for cluster notifications"
+ type = string
+ default = "cluster@example.com"
+}
From 0926bce276cc7cc5ba2a87e7dc33fafd0ed7ddd2 Mon Sep 17 00:00:00 2001
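Review bot: The module that mints the subordinate CA is fetched from an unpinned git source, and the `terraform_module_pinned_source` warning that exists to catch exactly this is suppressed on the line above it, so whatever sits on that repository's default branch at apply time decides how the CA key pair is produced. Pin it, `source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<PINNED_TAG_OR_COMMIT>"`, and drop the ignore. `binary_data` copies `module.subordinate_ca.certificate_tls_key` into `kubernetes_secret.ca_key_pair`, which means the CA private key is also written to Terraform state and, unless the module marks that output sensitive, shown in plan output; a comment on the resource should say that the state backend's encryption and access control are the security boundary for this key. `contact_email` is fed from `var.cluster_mailing_list`, whose default `cluster@example.com` is a placeholder; the contact address for a CA should be a required input rather than defaulted.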
From: "Matthew C. Morgan" Date: Tue, 21 Oct 2025 16:48:51 -0400 Subject: [PATCH 05/11] =?UTF-8?q?=E2=9C=A8=20feat(clusterissuer):=20reloca?= =?UTF-8?q?te=20chart=20for=20cert-mgr?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusterissuer/Chart.yaml | 3 +++ clusterissuer/templates/clusterissuer.yaml | 7 +++++++ 2 files changed, 10 insertions(+) create mode 100644 clusterissuer/Chart.yaml create mode 100644 clusterissuer/templates/clusterissuer.yaml diff --git a/clusterissuer/Chart.yaml b/clusterissuer/Chart.yaml new file mode 100644 index 0000000..425addf --- /dev/null +++ b/clusterissuer/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: clusterissuer +version: 0.1.0 diff --git a/clusterissuer/templates/clusterissuer.yaml b/clusterissuer/templates/clusterissuer.yaml new file mode 100644 index 0000000..ed51be9 --- /dev/null +++ b/clusterissuer/templates/clusterissuer.yaml @@ -0,0 +1,7 @@ +apiVersion: {{ .Values.apiVersion }} +kind: ClusterIssuer +metadata: + name: {{ .Values.name }} +spec: + ca: + secretName: {{ .Values.secretName }} From adbd01e62f87d29c5ede7713a0f1317d9edb3874 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 23 Oct 2025 20:11:28 -0400 Subject: [PATCH 06/11] updated working --- README.md | 2 +- cert-mgr-cluster-issuer.tf | 6 +++--- clusterissuer/Chart.yaml | 3 --- clusterissuer/templates/clusterissuer.yaml | 7 ------- requirements.tf | 2 +- 5 files changed, 5 insertions(+), 15 deletions(-) delete mode 100644 clusterissuer/Chart.yaml delete mode 100644 clusterissuer/templates/clusterissuer.yaml diff --git a/README.md b/README.md index 2a8d7dc..a1120f2 100644 --- a/README.md +++ b/README.md 
@@ -32,7 +32,7 @@ sys 0m2.015s | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 5.14.0 | +| [aws](#requirement\_aws) | ~> 6.0 | | [helm](#requirement\_helm) | >= 2.11.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | | [null](#requirement\_null) | >= 3.2.1 | diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf index 41d8dad..ee8c466 100644 --- a/cert-mgr-cluster-issuer.tf +++ b/cert-mgr-cluster-issuer.tf @@ -11,7 +11,7 @@ module "subordinate_ca" { cluster_name = var.cluster_name contact_email = var.cluster_mailing_list - validity_days = 30 + validity_days = 365 tags = merge( local.common_tags, @@ -20,8 +20,7 @@ module "subordinate_ca" { resource "kubernetes_secret" "ca_key_pair" { metadata { - name = "ca-key-pair" - # namespace = var.cluster_issuer_name + name = "ca-key-pair" namespace = var.namespace } @@ -35,6 +34,7 @@ resource "helm_release" "clusterissuer" { name = "clusterissuer" chart = "./clusterissuer" namespace = var.namespace + atomic = true set = [ { diff --git a/clusterissuer/Chart.yaml b/clusterissuer/Chart.yaml deleted file mode 100644 index 425addf..0000000 --- a/clusterissuer/Chart.yaml +++ /dev/null @@ -1,3 +0,0 @@ -apiVersion: v2 -name: clusterissuer -version: 0.1.0 diff --git a/clusterissuer/templates/clusterissuer.yaml b/clusterissuer/templates/clusterissuer.yaml deleted file mode 100644 index ed51be9..0000000 --- a/clusterissuer/templates/clusterissuer.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: {{ .Values.apiVersion }} -kind: ClusterIssuer -metadata: - name: {{ .Values.name }} -spec: - ca: - secretName: {{ .Values.secretName }} diff --git a/requirements.tf b/requirements.tf index 32e5c6f..23f9f8e 100644 --- a/requirements.tf +++ b/requirements.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.14.0" + version = "~> 6.0" } helm = { source = "hashicorp/helm" 
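Review bot: `validity_days` jumps from 30 to 365 without a comment, and nothing in the diff shows how `kubernetes_secret.ca_key_pair` is refreshed when the subordinate CA is reissued, so this value is effectively the rotation interval of a CA key held in a cluster secret. Put the reasoning next to it, e.g. `validity_days = 365 # <why a year; how a reissued CA reaches ca_key_pair>`, filled in with the actual renewal path. The commit title "updated working" also does not mention the `~> 6.0` provider constraint or the `atomic = true` addition, both of which change behaviour for callers.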
From b302d4e20869ae0e0d5a66c8134a79ed39ddc20f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 23 Oct 2025 20:13:53 -0400 Subject: [PATCH 07/11] remove helm chart for manifest --- README.md | 2 +- cert-mgr-cluster-issuer.tf | 41 +++++++++++--------------------------- 2 files changed, 13 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index a1120f2..11c2a36 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,8 @@ sys 0m2.015s | Name | Type | |------|------| -| [helm_release.clusterissuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_manifest.cluster_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf index ee8c466..d33c51f 100644 --- a/cert-mgr-cluster-issuer.tf +++ b/cert-mgr-cluster-issuer.tf @@ -1,9 +1,3 @@ -locals { - common_tags = { - "boc:created_by" = "terraform" - } -} - # Create a subordinate cert for the cert-manager clusterissuer. module "subordinate_ca" { # tflint-ignore: terraform_module_pinned_source @@ -12,10 +6,6 @@ module "subordinate_ca" { cluster_name = var.cluster_name contact_email = var.cluster_mailing_list validity_days = 365 - - tags = merge( - local.common_tags, - ) } resource "kubernetes_secret" "ca_key_pair" { 
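Review bot: Removing `tags = merge(local.common_tags, )` from `module "subordinate_ca"` leaves the ACM PCA resources that module creates untagged by this module, while main.tf applies `local.tags` (which already carries `"boc:created_by" = "terraform"`) to everything else, so the duplicate `common_tags` local was the right thing to delete but the argument was not. If the module accepts `tags`, `tags = local.tags` keeps the CA resources under the same ownership tags as the rest of the cluster; if the argument was dropped because the module rejects it, a one-line comment saying so will stop the next reader from re-adding it.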
@@ -30,24 +20,17 @@ resource "kubernetes_secret" "ca_key_pair" { } } -resource "helm_release" "clusterissuer" { - name = "clusterissuer" - chart = "./clusterissuer" - namespace = var.namespace - atomic = true - - set = [ - { - name = "name" - value = "clusterissuer" - }, - { - name = "apiVersion" - value = "cert-manager.io/v1" - }, - { - name = "secretName" - value = kubernetes_secret.ca_key_pair.metadata[0].name +resource "kubernetes_manifest" "cluster_issuer" { + manifest = { + "apiVersion" = "cert-manager.io/v1" + "kind" = "ClusterIssuer" + "metadata" = { + "name" = "ca-cluster-issuer" + } + "spec" = { + "ca" = { + "secretName" = kubernetes_secret.ca_key_pair.metadata[0].name + } } - ] + } } From d971e70dabc6a3ca9d848ea8fbde3a8730b9109b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 23 Oct 2025 20:18:50 -0400 Subject: [PATCH 08/11] rename --- aws_data.tf => aws-data.tf | 0 eks_console_access.tf => eks-console-access.tf | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename aws_data.tf => aws-data.tf (100%) rename eks_console_access.tf => eks-console-access.tf (100%) diff --git a/aws_data.tf b/aws-data.tf similarity index 100% rename from aws_data.tf rename to aws-data.tf diff --git a/eks_console_access.tf b/eks-console-access.tf similarity index 100% rename from eks_console_access.tf rename to eks-console-access.tf From 4a8a812e8f91f90e9e87ebf006417e0a66b3df26 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 27 Oct 2025 20:10:53 -0400 Subject: [PATCH 09/11] update clusterissuer name for upstream requirements --- cert-mgr-cluster-issuer.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf index d33c51f..cc2729f 100644 --- a/cert-mgr-cluster-issuer.tf +++ b/cert-mgr-cluster-issuer.tf 
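Review bot: `kubernetes_manifest.cluster_issuer` is cluster-scoped, but the secret it names, `kubernetes_secret.ca_key_pair`, is created in `var.namespace`; cert-manager resolves a ClusterIssuer's `secretName` only in its cluster resource namespace (`cert-manager` by default), so `var.namespace` must equal that setting, which neither the variable description nor this resource states. A comment above `"spec"` such as `# secret must live in cert-manager's cluster resource namespace; a ClusterIssuer reads CA secrets only from there` would make the coupling explicit. Because the issuer is cluster-wide, any principal allowed to create cert-manager Certificate objects in any namespace can obtain leaf certificates chained to the subordinate CA for the names it requests, so the RBAC on Certificate and CertificateRequest is the control that deserves a note here. `kubernetes_manifest` also requires the cert-manager CRD to be present at plan time; if cert-manager is installed by a separate stage, that ordering requirement should be recorded.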
@@ -25,7 +25,7 @@ resource "kubernetes_manifest" "cluster_issuer" {
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = "ClusterIssuer"
     "metadata" = {
-      "name" = "ca-cluster-issuer"
+      "name" = "clusterissuer"
     }
     "spec" = {
       "ca" = {

From 3da16a025615dcaa38e99359e492cbefa4d749a0 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 12 Jan 2026 19:30:06 -0500
Subject: [PATCH 10/11] retest

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d15e3e4..9de84c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,3 +14,7 @@
 ### fix
 
 - **main.tf**: add operators ns here
+
+
+
+- change to trigger action

From 631ba6475ea3c6e8ea843d07fa460f64a6282179 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 15 Jan 2026 17:02:08 -0500
Subject: [PATCH 11/11] cleanup unusued code

---
 README.md       |  1 -
 aws-data.tf     |  7 -------
 main.tf         |  4 ----
 prefixes.tf.off | 34 ----------------------------------
 variables.tf    |  6 ------
 5 files changed, 52 deletions(-)
 delete mode 100644 prefixes.tf.off

diff --git a/README.md b/README.md
index 11c2a36..1997042 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,6 @@ sys 0m2.015s
 | [region](#input\_region) | AWS region | `string` | n/a | yes |
 | [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
 | [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
-| [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | [telemetry\_ns](#input\_telemetry\_ns) | Namespace to create where telemetry will be installed. | `string` | `"telemetry"` | no |
 | [vpc\_id](#input\_vpc\_id) | Specify the VPC id that is used by this cluster | `string` | n/a | yes |
diff --git a/aws-data.tf b/aws-data.tf
index bb1ee27..96cd77c 100644
--- a/aws-data.tf
+++ b/aws-data.tf
@@ -3,10 +3,3 @@ data "aws_ebs_default_kms_key" "current" {}
 data "aws_kms_key" "ebs_key" {
   key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
-# data "aws_caller_identity" "current" {}
-
-# data "aws_region" "current" {}
-
-# data "aws_arn" "current" {
-#   arn = data.aws_caller_identity.current.arn
-# }
diff --git a/main.tf b/main.tf
index c1d68ae..a56d603 100644
--- a/main.tf
+++ b/main.tf
@@ -1,11 +1,7 @@
 locals {
-  # iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
-  # common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id)
   base_tags = {
-    "eks-cluster-name" = var.cluster_name
     "boc:tf_module_version" = local.module_version
     "boc:created_by" = "terraform"
-    CostAllocation = var.tag_costallocation
   }
   tags = merge(local.base_tags, var.tags)
 
diff --git a/prefixes.tf.off b/prefixes.tf.off
deleted file mode 100644
index 4e2709e..0000000
--- a/prefixes.tf.off
+++ /dev/null
@@ -1,34 +0,0 @@
-locals {
-  prefixes = {
-    "efs" = "v-efs-"
-    "s3" = "v-s3-"
-    "ebs" = "v-ebs-"
-    "kms" = "k-kms-"
-    "role" = "r-"
-    "policy" = "p-"
-    "group" = "g-"
-    "security-group" = "" # "sg-"
-    # VPC
-    "vpc" = ""
-    "dhcp-options" = ""
-    "vpc-peer" = "vpcp-"
-    "route-table" = "route-"
-    "subnet" = ""
-    "vpc-endpoint" = "vpce-"
-    "elastic-ip" = "eip-"
-    "nat-gateway" = "nat-"
-    "internet-gateway" = "igw-"
-    "network-acl" = "nacl-"
-    "customer-gateway" = "cgw-"
-    "vpn-gateway" = "vpcg-"
-    "vpn-connection" = "vpn_"
-    "log-group" = "lg-"
-    "log-stream" = "lgs-"
-    # EKS
-    "eks" = "eks-"
-    "eks-user" = "s-eks-"
-    "eks-role" = "r-eks-"
-    "eks-policy" = "p-eks-"
-    "eks-security-group" = "eks-sg-" # "sg-eks-"
-  }
-}
diff --git a/variables.tf b/variables.tf
index 6872c2c..6b74bc4 100644
--- a/variables.tf
+++ b/variables.tf
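Review bot: The main.tf hunk deletes `"eks-cluster-name" = var.cluster_name` and `CostAllocation = var.tag_costallocation` from `base_tags`, which are live entries reaching every tagged resource through `local.tags`, not unused code as the commit title suggests; any cost report, inventory query or tag-based access rule keyed on those two tags silently loses coverage after this apply. If the goal is only to stop hard-coding a default cost-allocation value, it would be safer to keep the `eks-cluster-name` tag (it is what ties the tagged resources back to this cluster) and let callers supply CostAllocation through `var.tags`, recording that with a comment such as `# Cluster-identifying tags; cost-allocation tags are supplied by the caller via var.tags`. The variables.tf hunk and the README row remove the variable itself, so this note covers those too.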
@@ -42,12 +42,6 @@ variable "telemetry_ns" {
   default = "telemetry"
 }
 
-variable "tag_costallocation" {
-  description = "Tag CostAllocation (default)"
-  type        = string
-  default     = "csvd:infrastructure"
-}
-
 variable "tags" {
   description = "AWS Tags to apply to appropriate resources"
   type        = map(string)