diff --git a/README.md b/README.md
index 927b215..45d069c 100644
--- a/README.md
+++ b/README.md
@@ -116,9 +116,6 @@ efs-csi-controller 0 5m
| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.37.2 |
| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
| [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
-| [role\_cluster-admin](#module\_role\_cluster-admin) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
-| [role\_eks-cluster](#module\_role\_eks-cluster) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
-| [role\_eks-nodegroup](#module\_role\_eks-nodegroup) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
| [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
## Resources
@@ -128,8 +125,13 @@ efs-csi-controller 0 5m
| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
| [aws_iam_policy.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.cluster-admin_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.cluster-admin-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.role_cluster-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.role_eks-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks-cluster-nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
@@ -143,12 +145,9 @@ efs-csi-controller 0 5m
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
| [aws_iam_policy.cluster_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
-| [aws_iam_policy.nodegroup_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
| [aws_iam_policy_document.allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cluster-admin_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.eks_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
@@ -220,9 +219,6 @@ efs-csi-controller 0 5m
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
-| [role\_cluster-admin-role\_arn](#output\_role\_cluster-admin-role\_arn) | Role ARN for EKS Cluster Admin Role |
-| [role\_eks-cluster\_arn](#output\_role\_eks-cluster\_arn) | Role ARN for EKS Cluster Role |
-| [role\_eks-nodegroup-role\_arn](#output\_role\_eks-nodegroup-role\_arn) | Role ARN for EKS Cluster Nodegroup Role |
| [security\_group\_all\_worker\_mgmt\_id](#output\_security\_group\_all\_worker\_mgmt\_id) | The security group to manage all of the worker nodes. |
| [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
| [self\_managed\_node\_groups\_autoscaling\_group\_names](#output\_self\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by self-managed node groups |
diff --git a/policy.tf b/cluster-admin.tf
similarity index 63%
rename from policy.tf
rename to cluster-admin.tf
index bac89b8..3f0efa5 100644
--- a/policy.tf
+++ b/cluster-admin.tf
@@ -1,70 +1,6 @@
-resource "aws_iam_policy" "nlb-policy" {
- name = format("%v%v-nlb", local.prefixes["eks-policy"], var.cluster_name)
- path = "/"
- description = "Allow configuration of the ELB"
- policy = data.aws_iam_policy_document.nlb-policy.json
-
-}
-
-# Q: why CreateSecurityGroup
-# TBD: refine resources to limit only to eks configurations
-data "aws_iam_policy_document" "nlb-policy" {
- statement {
- sid = "EKSNLBConfiguration"
- effect = "Allow"
- actions = [
- "elasticloadbalancing:*",
- "ec2:CreateSecurityGroup",
- "ec2:Describe*",
- ]
- resources = ["*"]
- }
-}
-
-resource "aws_iam_policy" "cloudwatch-policy" {
- name = format("%v%v-cloudwatch", local.prefixes["eks-policy"], var.cluster_name)
- path = "/"
- description = "Allow sending metric data to cloudwatch"
- policy = data.aws_iam_policy_document.cloudwatch-policy.json
-
-}
-
-# TBD: refine resources to limit only to eks configurations
-data "aws_iam_policy_document" "cloudwatch-policy" {
- statement {
- sid = "EKSCloudwatchMetrics"
- effect = "Allow"
- actions = [
- "cloudwatch:PutMetricData",
- ]
- resources = ["*"]
- }
-}
-
#---
-# cluster admin policy
+# cluster-admin
#---
-resource "aws_iam_policy" "cluster-admin-policy" {
- name = format("%v%v-cluster-admin", local.prefixes["eks-policy"], var.cluster_name)
- path = "/"
- description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources"
- policy = data.aws_iam_policy_document.cluster-admin-policy.json
-
-}
-
-data "aws_iam_policy_document" "cluster-admin-policy" {
- dynamic "statement" {
- for_each = local.admin_policy_statements
- iterator = s
- content {
- sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
- effect = lookup(s.value, "effect", "Allow")
- actions = lookup(s.value, "actions", [])
- resources = lookup(s.value, "resources", [])
- }
- }
-}
-
locals {
iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
@@ -141,27 +77,62 @@ locals {
}
}
+resource "aws_iam_role" "role_cluster-admin" {
+ name = format("%v%v-cluster-admin", local.prefixes["eks"], var.cluster_name)
+ description = "SAML EKS Cluster Admin Role for ${var.cluster_name}"
+
+ assume_role_policy = data.aws_iam_policy_document.allow_sts.json
+ force_detach_policies = true
+ tags = var.tags
+}
+
+resource "aws_iam_policy_attachment" "cluster-admin-attach" {
+ name = format("%v%v-cluster-admin-attach", local.prefixes["eks"], var.cluster_name)
+ policy_arn = aws_iam_policy.cluster-admin-policy.arn
+ roles = [aws_iam_role.role_cluster-admin.name]
+}
#---
-# cluster admin assume policy
+# cluster admin policy
#---
-resource "aws_iam_policy" "cluster-admin_assume_policy" {
- name = format("%v%v-cluster-admin-assume", local.prefixes["eks-policy"], var.cluster_name)
+resource "aws_iam_policy" "cluster-admin-policy" {
+ name = format("%v%v-cluster-admin", local.prefixes["eks-policy"], var.cluster_name)
path = "/"
- description = "Allow for assume role to the cluster-admin role for ${var.cluster_name}"
- policy = data.aws_iam_policy_document.cluster-admin_assume_policy.json
+ description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources"
+ policy = data.aws_iam_policy_document.cluster-admin-policy.json
tags = merge(
local.base_tags,
- tomap({ "Name" = format("%v%v-cluster-admin-assume", local.prefixes["eks-policy"], var.cluster_name) }),
+ var.tags
)
}
-data "aws_iam_policy_document" "cluster-admin_assume_policy" {
+data "aws_iam_policy_document" "cluster-admin-policy" {
+ dynamic "statement" {
+ for_each = local.admin_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ }
+ }
+}
+
+#---
+# cluster admin assume policy
+#---
+data "aws_iam_policy_document" "allow_sts" {
statement {
- sid = "AllowSTSAssumeClusterAdminRole"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- resources = [module.role_cluster-admin.role_arn]
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
}
}
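Review bot: `aws_iam_policy_attachment.cluster-admin-attach`, added just above the `# cluster admin policy` banner, is the exclusive attachment resource: Terraform treats it as the sole owner of every attachment of `aws_iam_policy.cluster-admin-policy`, so any user, group or role not in its `roles` list is detached on apply, including attachments made outside this stack. The sibling file cluster-role.tf in this same commit attaches per role with `aws_iam_role_policy_attachment`; the same form here, replacing `name`/`roles` with `role       = aws_iam_role.role_cluster-admin.name` and `policy_arn = aws_iam_policy.cluster-admin-policy.arn`, avoids that side effect and keeps the two files consistent. `aws_iam_role.role_cluster-admin` sets `tags = var.tags` while the policy below it uses `merge(local.base_tags, var.tags)`, so the role silently loses the base tags; `tags = merge(local.base_tags, var.tags)` on the role would align them. The role's description says "SAML" but `allow_sts` (carried over from role.tf) trusts the account root, which delegates the assume decision to identity policies in the account, and this commit deletes `cluster-admin_assume_policy`, the only identity-side `sts:AssumeRole` grant visible here; presumably another policy or the SAML provider grants it now, but that is worth confirming before merge.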
diff --git a/cluster-role.tf b/cluster-role.tf
new file mode 100644
index 0000000..7347e64
--- /dev/null
+++ b/cluster-role.tf
@@ -0,0 +1,92 @@
+#---
+# cluster
+#---
+locals {
+ cluster_managed_policy_list = [
+ "AmazonEKSClusterPolicy",
+ "AmazonEC2FullAccess",
+ "CloudWatchLogsFullAccess",
+ ]
+ cluster_managed_policies = [for p in data.aws_iam_policy.cluster_managed_policies : p.arn]
+}
+
+data "aws_iam_policy" "cluster_managed_policies" {
+ for_each = toset(local.cluster_managed_policy_list)
+ name = each.key
+}
+
+resource "aws_iam_policy" "nlb-policy" {
+ name = format("%v%v-nlb", local.prefixes["eks-policy"], var.cluster_name)
+ path = "/"
+ description = "Allow configuration of the ELB"
+ policy = data.aws_iam_policy_document.nlb-policy.json
+
+}
+
+# Q: why CreateSecurityGroup
+# TBD: refine resources to limit only to eks configurations
+data "aws_iam_policy_document" "nlb-policy" {
+ statement {
+ sid = "EKSNLBConfiguration"
+ effect = "Allow"
+ actions = [
+ "elasticloadbalancing:*",
+ "ec2:CreateSecurityGroup",
+ "ec2:Describe*",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "cloudwatch-policy" {
+ name = format("%v%v-cloudwatch", local.prefixes["eks-policy"], var.cluster_name)
+ path = "/"
+ description = "Allow sending metric data to cloudwatch"
+ policy = data.aws_iam_policy_document.cloudwatch-policy.json
+
+}
+
+# TBD: refine resources to limit only to eks configurations
+data "aws_iam_policy_document" "cloudwatch-policy" {
+ statement {
+ sid = "EKSCloudwatchMetrics"
+ effect = "Allow"
+ actions = [
+ "cloudwatch:PutMetricData",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_role" "role_eks-cluster" {
+ name = format("%v%v-cluster", local.prefixes["eks"], var.cluster_name)
+ description = "EKS Cluster Role for ${var.cluster_name}"
+ assume_role_policy = data.aws_iam_policy_document.eks_assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-nlb" {
+ role = aws_iam_role.role_eks-cluster.name
+ policy_arn = aws_iam_policy.nlb-policy.arn
+}
+resource "aws_iam_role_policy_attachment" "eks-cluster-cloudwatch" {
+ role = aws_iam_role.role_eks-cluster.name
+ policy_arn = aws_iam_policy.cloudwatch-policy.arn
+}
+resource "aws_iam_role_policy_attachment" "eks-cluster-managed" {
+ for_each = toset(local.cluster_managed_policies)
+ role = aws_iam_role.role_eks-cluster.name
+ policy_arn = each.key
+}
+
+data "aws_iam_policy_document" "eks_assume" {
+ statement {
+ sid = "EKSAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks.amazonaws.com"]
+ }
+ }
+}
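Review bot: `aws_iam_role.role_eks-cluster` is created without `tags` or `force_detach_policies`, while the `role_cluster-admin` role added in cluster-admin.tf in this same commit sets both; adding `tags = var.tags` and `force_detach_policies = true` here keeps the two roles consistent and lets the role be replaced cleanly when its attachments change. `cluster_managed_policy_list` attaches `AmazonEC2FullAccess` and `CloudWatchLogsFullAccess` to the control-plane role; this is carried over from role.tf, but the EKS service role normally needs only `AmazonEKSClusterPolicy`, so the two broader policies are worth confirming against what the cluster actually uses (the existing `TBD` comments on `nlb-policy` and `cloudwatch-policy` already flag the `resources = ["*"]` scoping). The nodegroup role, the `ec2_assume` document and the `role_eks-nodegroup-role_arn` output from role.tf have no replacement in this diff; if node groups now get their role from the `cluster` module that is fine, otherwise callers that read that output will break, and the commit message should say which.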
diff --git a/role.tf b/role.tf
deleted file mode 100644
index 060a45a..0000000
--- a/role.tf
+++ /dev/null
@@ -1,155 +0,0 @@
-#---
-# cluster
-#---
-locals {
- cluster_managed_policy_list = [
- "AmazonEKSClusterPolicy",
- "AmazonEC2FullAccess",
- "CloudWatchLogsFullAccess",
- ]
- cluster_managed_policies = [for p in data.aws_iam_policy.cluster_managed_policies : p.arn]
-}
-
-data "aws_iam_policy" "cluster_managed_policies" {
- for_each = toset(local.cluster_managed_policy_list)
- name = each.key
-}
-
-# this needs the two policies nlb-policy and cloudwatch-policy, created first
-
-module "role_eks-cluster" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
- # providers = {
- # ldap = ldap.bocas
- # }
-
- role_name = format("%v%v-cluster", local.prefixes["eks"], var.cluster_name)
- role_description = "EKS Cluster Role for ${var.cluster_name}"
- enable_ldap_creation = false
- assume_policy_document = data.aws_iam_policy_document.eks_assume.json
- attached_policies = concat([aws_iam_policy.nlb-policy.arn, aws_iam_policy.cloudwatch-policy.arn], local.cluster_managed_policies)
-
-
-}
-
-data "aws_iam_policy_document" "eks_assume" {
- statement {
- sid = "EKSAssumeRole"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["eks.amazonaws.com"]
- }
- }
-}
-
-output "role_eks-cluster_arn" {
- description = "Role ARN for EKS Cluster Role"
- value = module.role_eks-cluster.role_arn
-}
-
-#---
-# nodegroup
-#---
-locals {
- nodegroup_managed_policy_list = [
- "AmazonEKSWorkerNodePolicy",
- "AmazonEKS_CNI_Policy",
- "AmazonEC2ContainerRegistryPowerUser",
- "AmazonEC2ContainerRegistryReadOnly",
- "CloudWatchLogsFullAccess",
- "AmazonS3FullAccess",
- "AmazonSSMManagedInstanceCore",
- "AmazonEC2RoleforSSM",
- ]
- nodegroup_managed_policies = [for p in data.aws_iam_policy.nodegroup_managed_policies : p.arn]
-}
-
-data "aws_iam_policy" "nodegroup_managed_policies" {
- for_each = toset(local.nodegroup_managed_policy_list)
- name = each.key
-}
-
-module "role_eks-nodegroup" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
- # providers = {
- # ldap = ldap.bocas
- # }
-
- role_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
- role_description = "EKS Nodegroup Role for ${var.cluster_name}"
- enable_ldap_creation = false
- assume_policy_document = data.aws_iam_policy_document.ec2_assume.json
- attached_policies = concat(local.nodegroup_managed_policies)
-
-
-}
-
-#----
-# STS: ec2 assume
-#---
-data "aws_iam_policy_document" "ec2_assume" {
- statement {
- sid = "EKSAssumeRole"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-output "role_eks-nodegroup-role_arn" {
- description = "Role ARN for EKS Cluster Nodegroup Role"
- value = module.role_eks-nodegroup.role_arn
-}
-
-#---
-# cluster-admin
-#---
-module "role_cluster-admin" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
- # providers = {
- # ldap = ldap.bocas
- # }
-
- role_name = format("%v%v-cluster-admin", local.prefixes["eks"], var.cluster_name)
- role_description = "SAML EKS cluster admin Role for ${var.cluster_name}"
- enable_ldap_creation = false
- assume_policy_document = data.aws_iam_policy_document.allow_sts.json
- # assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json
- attached_policies = [aws_iam_policy.cluster-admin-policy.arn]
-
-
-}
-
-output "role_cluster-admin-role_arn" {
- description = "Role ARN for EKS Cluster Admin Role"
- value = module.role_cluster-admin.role_arn
-}
-
-data "aws_iam_policy_document" "allow_sts" {
- statement {
- sid = "AllowSTSAssume"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- type = "AWS"
- identifiers = [
- format(local.iam_arn, "root"),
- ]
- }
- }
-}
-
-# data "aws_iam_policy_document" "cluster-admin_combined"
-# source_policy_documents = [
-# data.aws_iam_policy_document.allow_sts.json
-# data.aws_iam_policy_document.saml_assume.json,
-# ]
-# }
-#
diff --git a/variables.tf b/variables.tf
index 8a9fb29..6f6b292 100644
--- a/variables.tf
+++ b/variables.tf
@@ -11,8 +11,8 @@ variable "cluster_version" {
description = "Kubernetes version to use for the EKS cluster"
type = string
validation {
- condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.27", "1.28", "1.29", "1.30", "1.31", "1.32"], var.cluster_version)
- error_message = "Cluster version must be in the format 'x.y' (e.g., '1.27') and must be one of: 1.27, 1.28, 1.29, 1.30, 1.31, 1.32"
+ condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.31", "1.32", "1.33"], var.cluster_version)
+ error_message = "Cluster version must be in the format 'x.y' (e.g., '1.33') and must be one of: 1.31, 1.32, 1.33"
}
}
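Review bot: Narrowing the `contains` allowlist to 1.31–1.33 makes any existing workspace whose `cluster_version` is still 1.27–1.30 fail validation at plan time, before Terraform can propose an upgrade; since EKS control-plane upgrades step one minor version at a time, such clusters need to be walked through the removed versions before adopting this module revision, which is worth stating wherever the module's upgrade notes live. The `can(regex("^[0-9]+\\.[0-9]+$", ...))` clause is now redundant, because `contains` matches exact strings that already satisfy the pattern; dropping it to `condition = contains(["1.31", "1.32", "1.33"], var.cluster_version)` accepts exactly the same values with less to keep in sync with `error_message`. The `variable "cluster_version"` block starts outside the hunk.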