Access entries (#19)

README.md

@@ -121,7 +121,8 @@ Change logs are auto-generated with commitizen.
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
-| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |

access_entries.tf

@@ -0,0 +1,56 @@
+################################################################################
+# Access Entries
+################################################################################
+data "aws_iam_session_context" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_iam_roles" "sso_admins" {
+  name_regex  = "AWSReservedSSO_inf-admin-t(2|3|4)"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_iam_roles" "roles" {
+  name_regex = "r-inf-terrafor(m|m-eks)"
+}
+
+data "aws_iam_roles" "sso_read" {
+  name_regex  = "AWSReservedSSO_inf-admin-t1"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+locals {
+  access_entries = merge(local.admins, local.viewers)
+  arns           = [for arn in merge(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns) : arn if arn != data.aws_iam_session_context.current.issuer_arn]
+  admins = {
+    for arn in local.arns :
+    arn => {
+      principal_arn     = arn
+      kubernetes_groups = ["eks-console-dashboard-full-access-group"]
+      policy_associations = {
+        admin = {
+          policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
+  viewers = {
+    for arn in tolist(data.aws_iam_roles.sso_read.arns) :
+    arn => {
+      principal_arn     = arn
+      kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
+      policy_associations = {
+        view = {
+          policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+}

main.tf

@@ -27,73 +27,22 @@ data "aws_kms_key" "ebs_key" {
   key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
 
-data "aws_iam_roles" "sso_admins" {
-  name_regex  = "AWSReservedSSO_inf-admin-t(2|3|4)"
-  path_prefix = "/aws-reserved/sso.amazonaws.com/"
-}
-
-data "aws_iam_roles" "roles" {
-  name_regex = "r-inf-terraform(-eks)"
-}
-
-data "aws_iam_roles" "view_arns" {
-  name_regex  = "AWSReservedSSO_inf-admin-t1"
-  path_prefix = "/aws-reserved/sso.amazonaws.com/"
-}
-
 locals {
-  vpc_id         = data.aws_vpc.eks_vpc.id
-  vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
-  subnets        = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
-
+  additional_policies = {}
   base_tags = {
-    "eks-cluster-name"      = var.cluster_name
+    "boc:eks-cluster-name"  = var.cluster_name
     "boc:tf_module_name"    = local.module_name
     "boc:tf_module_version" = local.module_version
     "boc:created_by"        = "terraform"
     CostAllocation          = var.tag_costallocation
   }
+  ng_name        = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
+  subnets        = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
+  tags           = merge(local.base_tags, var.tags)
+  vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
+  vpc_id         = data.aws_vpc.eks_vpc.id
 
-  additional_policies = {
-  }
-
-  ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
-
-  tags = merge(local.base_tags, var.tags)
-
-  admins = {
-    for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
-    arn => {
-      principal_arn     = arn
-      kubernetes_groups = ["eks-console-dashboard-full-access-group"]
-      policy_associations = {
-        admin = {
-          policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
-    }
-  }
-
-  viewers = {
-    for arn in tolist(data.aws_iam_roles.view_arns.arns) :
-    arn => {
-      principal_arn     = arn
-      kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
-      policy_associations = {
-        admin = {
-          policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
-    }
-  }
 
-  access_entries = merge(local.admins, local.viewers)
 }
 
 module "cluster" {

outputs.tf

@@ -129,6 +129,11 @@ output "cluster_status" {
   value       = module.cluster.cluster_status
 }
 
+output "access_entries" {
+  description = "The access_entries object added to cluster"
+  value       = local.access_entries
+}
+
 ################################################################################
 # KMS Key
 ################################################################################