🐛 fix([cluster-role.tf]): refactor roles.tf to separate out cluster-role

README.md

@@ -116,9 +116,6 @@ efs-csi-controller    0         5m
 | <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.37.2 |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
-| <a name="module_role_cluster-admin"></a> [role\_cluster-admin](#module\_role\_cluster-admin) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
-| <a name="module_role_eks-cluster"></a> [role\_eks-cluster](#module\_role\_eks-cluster) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
-| <a name="module_role_eks-nodegroup"></a> [role\_eks-nodegroup](#module\_role\_eks-nodegroup) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
 | <a name="module_vpc_cni_irsa_role"></a> [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 
 ## Resources
@@ -128,8 +125,13 @@ efs-csi-controller    0         5m
 | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_iam_policy.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.cluster-admin_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.cluster-admin-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.role_cluster-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.role_eks-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
@@ -143,12 +145,9 @@ efs-csi-controller    0         5m
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_policy.cluster_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
-| [aws_iam_policy.nodegroup_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cluster-admin_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
@@ -220,9 +219,6 @@ efs-csi-controller    0         5m
 | <a name="output_node_security_group_id"></a> [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
 | <a name="output_oidc_provider"></a> [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
 | <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
-| <a name="output_role_cluster-admin-role_arn"></a> [role\_cluster-admin-role\_arn](#output\_role\_cluster-admin-role\_arn) | Role ARN for EKS Cluster Admin Role |
-| <a name="output_role_eks-cluster_arn"></a> [role\_eks-cluster\_arn](#output\_role\_eks-cluster\_arn) | Role ARN for EKS Cluster Role |
-| <a name="output_role_eks-nodegroup-role_arn"></a> [role\_eks-nodegroup-role\_arn](#output\_role\_eks-nodegroup-role\_arn) | Role ARN for EKS Cluster Nodegroup Role |
 | <a name="output_security_group_all_worker_mgmt_id"></a> [security\_group\_all\_worker\_mgmt\_id](#output\_security\_group\_all\_worker\_mgmt\_id) | The security group to manage all of the worker nodes. |
 | <a name="output_self_managed_node_groups"></a> [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
 | <a name="output_self_managed_node_groups_autoscaling_group_names"></a> [self\_managed\_node\_groups\_autoscaling\_group\_names](#output\_self\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by self-managed node groups |

policy.tf → cluster-admin.tf

@@ -1,70 +1,6 @@
-resource "aws_iam_policy" "nlb-policy" {
-  name        = format("%v%v-nlb", local.prefixes["eks-policy"], var.cluster_name)
-  path        = "/"
-  description = "Allow configuration of the ELB"
-  policy      = data.aws_iam_policy_document.nlb-policy.json
-
-}
-
-# Q: why CreateSecurityGroup
-# TBD: refine resources to limit only to eks configurations
-data "aws_iam_policy_document" "nlb-policy" {
-  statement {
-    sid    = "EKSNLBConfiguration"
-    effect = "Allow"
-    actions = [
-      "elasticloadbalancing:*",
-      "ec2:CreateSecurityGroup",
-      "ec2:Describe*",
-    ]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "cloudwatch-policy" {
-  name        = format("%v%v-cloudwatch", local.prefixes["eks-policy"], var.cluster_name)
-  path        = "/"
-  description = "Allow sending metric data to cloudwatch"
-  policy      = data.aws_iam_policy_document.cloudwatch-policy.json
-
-}
-
-# TBD: refine resources to limit only to eks configurations
-data "aws_iam_policy_document" "cloudwatch-policy" {
-  statement {
-    sid    = "EKSCloudwatchMetrics"
-    effect = "Allow"
-    actions = [
-      "cloudwatch:PutMetricData",
-    ]
-    resources = ["*"]
-  }
-}
-
 #---
-# cluster admin policy
+# cluster-admin
 #---
-resource "aws_iam_policy" "cluster-admin-policy" {
-  name        = format("%v%v-cluster-admin", local.prefixes["eks-policy"], var.cluster_name)
-  path        = "/"
-  description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources"
-  policy      = data.aws_iam_policy_document.cluster-admin-policy.json
-
-}
-
-data "aws_iam_policy_document" "cluster-admin-policy" {
-  dynamic "statement" {
-    for_each = local.admin_policy_statements
-    iterator = s
-    content {
-      sid       = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
-      effect    = lookup(s.value, "effect", "Allow")
-      actions   = lookup(s.value, "actions", [])
-      resources = lookup(s.value, "resources", [])
-    }
-  }
-}
-
 locals {
   iam_arn       = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
   common_arn    = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
@@ -141,27 +77,62 @@ locals {
   }
 }
 
+resource "aws_iam_role" "role_cluster-admin" {
+  name        = format("%v%v-cluster-admin", local.prefixes["eks"], var.cluster_name)
+  description = "SAML EKS Cluster Admin Role for ${var.cluster_name}"
+
+  assume_role_policy    = data.aws_iam_policy_document.allow_sts.json
+  force_detach_policies = true
+  tags                  = var.tags
+}
+
+resource "aws_iam_policy_attachment" "cluster-admin-attach" {
+  name       = format("%v%v-cluster-admin-attach", local.prefixes["eks"], var.cluster_name)
+  policy_arn = aws_iam_policy.cluster-admin-policy.arn
+  roles      = [aws_iam_role.role_cluster-admin.name]
+}
 
 #---
-# cluster admin assume policy
+# cluster admin policy
 #---
-resource "aws_iam_policy" "cluster-admin_assume_policy" {
-  name        = format("%v%v-cluster-admin-assume", local.prefixes["eks-policy"], var.cluster_name)
+resource "aws_iam_policy" "cluster-admin-policy" {
+  name        = format("%v%v-cluster-admin", local.prefixes["eks-policy"], var.cluster_name)
   path        = "/"
-  description = "Allow for assume role to the cluster-admin role for ${var.cluster_name}"
-  policy      = data.aws_iam_policy_document.cluster-admin_assume_policy.json
+  description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources"
+  policy      = data.aws_iam_policy_document.cluster-admin-policy.json
 
   tags = merge(
     local.base_tags,
-    tomap({ "Name" = format("%v%v-cluster-admin-assume", local.prefixes["eks-policy"], var.cluster_name) }),
+    var.tags
   )
 }
 
-data "aws_iam_policy_document" "cluster-admin_assume_policy" {
+data "aws_iam_policy_document" "cluster-admin-policy" {
+  dynamic "statement" {
+    for_each = local.admin_policy_statements
+    iterator = s
+    content {
+      sid       = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+      effect    = lookup(s.value, "effect", "Allow")
+      actions   = lookup(s.value, "actions", [])
+      resources = lookup(s.value, "resources", [])
+    }
+  }
+}
+
+#---
+# cluster admin assume policy
+#---
+data "aws_iam_policy_document" "allow_sts" {
   statement {
-    sid       = "AllowSTSAssumeClusterAdminRole"
-    effect    = "Allow"
-    actions   = ["sts:AssumeRole"]
-    resources = [module.role_cluster-admin.role_arn]
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
   }
 }

cluster-role.tf

@@ -0,0 +1,92 @@
+#---
+# cluster
+#---
+locals {
+  cluster_managed_policy_list = [
+    "AmazonEKSClusterPolicy",
+    "AmazonEC2FullAccess",
+    "CloudWatchLogsFullAccess",
+  ]
+  cluster_managed_policies = [for p in data.aws_iam_policy.cluster_managed_policies : p.arn]
+}
+
+data "aws_iam_policy" "cluster_managed_policies" {
+  for_each = toset(local.cluster_managed_policy_list)
+  name     = each.key
+}
+
+resource "aws_iam_policy" "nlb-policy" {
+  name        = format("%v%v-nlb", local.prefixes["eks-policy"], var.cluster_name)
+  path        = "/"
+  description = "Allow configuration of the ELB"
+  policy      = data.aws_iam_policy_document.nlb-policy.json
+
+}
+
+# Q: why CreateSecurityGroup
+# TBD: refine resources to limit only to eks configurations
+data "aws_iam_policy_document" "nlb-policy" {
+  statement {
+    sid    = "EKSNLBConfiguration"
+    effect = "Allow"
+    actions = [
+      "elasticloadbalancing:*",
+      "ec2:CreateSecurityGroup",
+      "ec2:Describe*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch-policy" {
+  name        = format("%v%v-cloudwatch", local.prefixes["eks-policy"], var.cluster_name)
+  path        = "/"
+  description = "Allow sending metric data to cloudwatch"
+  policy      = data.aws_iam_policy_document.cloudwatch-policy.json
+
+}
+
+# TBD: refine resources to limit only to eks configurations
+data "aws_iam_policy_document" "cloudwatch-policy" {
+  statement {
+    sid    = "EKSCloudwatchMetrics"
+    effect = "Allow"
+    actions = [
+      "cloudwatch:PutMetricData",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "role_eks-cluster" {
+  name               = format("%v%v-cluster", local.prefixes["eks"], var.cluster_name)
+  description        = "EKS Cluster Role for ${var.cluster_name}"
+  assume_role_policy = data.aws_iam_policy_document.eks_assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-nlb" {
+  role       = aws_iam_role.role_eks-cluster.name
+  policy_arn = aws_iam_policy.nlb-policy.arn
+}
+resource "aws_iam_role_policy_attachment" "eks-cluster-cloudwatch" {
+  role       = aws_iam_role.role_eks-cluster.name
+  policy_arn = aws_iam_policy.cloudwatch-policy.arn
+}
+resource "aws_iam_role_policy_attachment" "eks-cluster-managed" {
+  for_each   = toset(local.cluster_managed_policies)
+  role       = aws_iam_role.role_eks-cluster.name
+  policy_arn = each.key
+}
+
+data "aws_iam_policy_document" "eks_assume" {
+  statement {
+    sid     = "EKSAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+  }
+}