diff --git a/cluster_admin_group.tf.disable b/cluster_admin_group.tf.disable
deleted file mode 100644
index 1312c25..0000000
--- a/cluster_admin_group.tf.disable
+++ /dev/null
@@ -1,11 +0,0 @@
-module "group_cluster-admin" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
-
- group_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name)
- attached_policies = [aws_iam_policy.cluster-admin-policy.arn, aws_iam_policy.cluster-admin_assume_policy.arn]
-
- tags = merge(
- local.base_tags,
- var.tags,
- )
-}
diff --git a/cluster_admin_policies.tf.disable b/cluster_admin_policies.tf.disable
deleted file mode 100644
index 9040354..0000000
--- a/cluster_admin_policies.tf.disable
+++ /dev/null
@@ -1,128 +0,0 @@
-#---
-# cluster admin policy
-#---
-locals {
- eks_resources = ["cluster", "addon", "nodegroup", "identityproviderconfig"]
-
- admin_policy_statements = {
- ECRRead = {
- actions = [
- "ecr:Describe*",
- "ecr:Get*",
- "ecr:ListImages",
- "ecr:BatchGetImage",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- ]
- resources = ["*"]
- }
- ECRWrite = {
- actions = [
- "ecr:BatchDeleteImage",
- "ecr:CompleteLayerUpload",
- "ecr:CreateRepository",
- "ecr:DeleteRepository",
- "ecr:InitiateLayerUpload",
- "ecr:PutImage",
- "ecr:UploadLayerPart"
- ]
- resources = [format(local.common_arn, "ecr", format("repository/eks/%v/* ", var.cluster_name))]
- }
- EKSRead = {
- actions = [
- "eks:ListClusters",
- "eks:ListAddons",
- "eks:ListNodegroups",
- "eks:DescribeCluster",
- "eks:DescribeAddon*",
- "eks:DescribeNodegroup",
- ]
- resources = [
- format(local.common_arn, "eks", "cluster/*"),
- format(local.common_arn, "eks", "addon/*"),
- format(local.common_arn, "eks", "addons/*"),
- format(local.common_arn, "eks", "/addons/*"),
- format(local.common_arn, "eks", "nodegroup/*"),
- ]
- }
- IAMRead = {
- actions = [
- "iam:ListRoles",
- ]
- resources = ["*"]
- }
- SSMGet = {
- actions = [
- "ssm:GetParameter",
- ]
- resources = [
- format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.name, "", "parameter/aws/service/eks/*")
- ]
- }
- EKSReadMyClusters = {
- actions = [
- "eks:List*",
- "eks:Read*",
- "eks:Describe*",
- "eks:AccessKubernetesApi",
- ]
- resources = flatten(concat(
- tolist([format(local.common_arn, "eks", format("/clusters/%v/addons", var.cluster_name))]),
- [for r in local.eks_resources : tolist([
- format(local.common_arn, "eks", format("%v/%v", r, var.cluster_name)),
- format(local.common_arn, "eks", format("%v/%v/*", r, var.cluster_name))
- ])]))
- }
- }
-}
-
-data "aws_iam_policy_document" "cluster-admin-policy" {
- dynamic "statement" {
- for_each = local.admin_policy_statements
- iterator = s
- content {
- sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
- effect = lookup(s.value, "effect", "Allow")
- actions = lookup(s.value, "actions", [])
- resources = lookup(s.value, "resources", [])
- }
- }
-}
-
-resource "aws_iam_policy" "cluster-admin-policy" {
- name = format("%v%v-cluster-admin", local._prefixes["eks-policy"], var.cluster_name)
- path = "/"
- description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources"
- policy = data.aws_iam_policy_document.cluster-admin-policy.json
-
- tags = merge(
- local.base_tags,
- var.tags,
- )
-}
-
-#---
-# cluster admin assume policy
-#---
-resource "aws_iam_policy" "cluster-admin_assume_policy" {
- name = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name)
- path = "/"
- description = "Allow for assume role to the cluster-admin role for ${var.cluster_name}"
- policy = data.aws_iam_policy_document.cluster-admin_assume_policy.json
-
- tags = merge(
- local.base_tags,
- var.tags,
- var.application_tags,
- tomap({ "Name" = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) }),
- )
-}
-
-data "aws_iam_policy_document" "cluster-admin_assume_policy" {
- statement {
- sid = "AllowSTSAssumeClusterAdminRole"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- resources = [module.role_cluster-admin.role_arn]
- }
-}
diff --git a/cluster_admin_roles.tf.disable b/cluster_admin_roles.tf.disable
deleted file mode 100644
index 4cdcf8e..0000000
--- a/cluster_admin_roles.tf.disable
+++ /dev/null
@@ -1,25 +0,0 @@
-#---
-# cluster-admin
-#---
-module "role_cluster-admin" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
-
- role_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name)
- role_description = "SAML EKS cluster admin Role for ${var.cluster_name}"
- enable_ldap_creation = false
- assume_policy_document = data.aws_iam_policy_document.allow_sts.json
- # assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json
- attached_policies = [aws_iam_policy.cluster-admin-policy.arn]
-
- tags = merge(
- local.base_tags,
- local.common_tags,
- var.tags,
- var.application_tags,
- )
-}
-
-output "role_cluster-admin-role_arn" {
- description = "Role ARN for EKS Cluster Admin Role"
- value = module.role_cluster-admin.role_arn
-}
diff --git a/istio_ports.tf.disable b/istio_ports.tf.disable
deleted file mode 100644
index 7351588..0000000
--- a/istio_ports.tf.disable
+++ /dev/null
@@ -1,84 +0,0 @@
-locals {
- istio_ports = [
- {
- description = "Envoy admin port / outbound"
- from_port = 15000
- to_port = 15001
- },
- {
- description = "Debug port"
- from_port = 15004
- to_port = 15004
- },
- {
- description = "Envoy inbound"
- from_port = 15006
- to_port = 15006
- },
- {
- description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)"
- from_port = 15008
- to_port = 15010
- },
- {
- description = "XDS and CA services (TLS and mTLS)"
- from_port = 15012
- to_port = 15012
- },
- {
- description = "Control plane monitoring"
- from_port = 15014
- to_port = 15014
- },
- {
- description = "Control plane monitoring"
- from_port = 15017
- to_port = 15017
- },
- {
- description = "Merged Prometheus telemetry data from Istio agent, Envoy, and application, Health checks"
- from_port = 15020
- to_port = 15021
- },
- {
- description = "DNS port"
- from_port = 15053
- to_port = 15053
- },
- {
- description = "Envoy Prometheus telemetry"
- from_port = 15090
- to_port = 15090
- },
- {
- description = "aws-load-balancer-controller"
- from_port = 9443
- to_port = 9443
- },
- ]
-
- ingress_rules = {
- for ikey, ivalue in local.istio_ports :
- "${ikey}_ingress" => {
- description = ivalue.description
- protocol = "tcp"
- from_port = ivalue.from_port
- to_port = ivalue.to_port
- type = "ingress"
- self = true
- }
- }
-
- egress_rules = {
- for ekey, evalue in local.istio_ports :
- "${ekey}_egress" => {
- description = evalue.description
- protocol = "tcp"
- from_port = evalue.from_port
- to_port = evalue.to_port
- type = "egress"
- self = true
- }
- }
-
-}
diff --git a/node_ports.tf.disable b/node_ports.tf.disable
deleted file mode 100644
index 1c2c550..0000000
--- a/node_ports.tf.disable
+++ /dev/null
@@ -1,45 +0,0 @@
-locals {
- ingress_rules {
- ingress_nodes_ephemeral = {
- "description" = "Node to node ingress on ephemeral ports"
- "protocol" = -1
- "from_port" = 0
- "to_port" = 0
- "type" = "ingress"
- "self" = true
- }
- }
-# ingress_nodes_ephemeral = {
-# "description": "Node to node ingress on ephemeral ports custom",
-# "protocol": -1,
-# "from_port": 0,
-# "to_port": 0,
-# "type": "ingress",
-# "self": true
-# }
-}
-
-
- # {
- # "cidr_blocks": [],
- # "description": "Envoy inbound",
- # "from_port": 15006,
- # "ipv6_cidr_blocks": [],
- # "prefix_list_ids": [],
- # "protocol": "tcp",
- # "security_groups": [],
- # "self": true,
- # "to_port": 15006
- # },
-
-# ingress_rules = {
-# for ikey, ivalue in local.istio_ports :
-# "${ikey}_ingress" => {
-# description = ivalue.description
-# protocol = "tcp"
-# from_port = ivalue.from_port
-# to_port = ivalue.to_port
-# type = "ingress"
-# self = true
-# }
-# }