From e0ad8053992f13c675fef15292a4d924b1b6d43a Mon Sep 17 00:00:00 2001
From: Matthew Creal Morgan
Date: Wed, 11 Sep 2024 08:18:28 -0700
Subject: [PATCH] Access Entries (#18)
---
 README.md | 10 +++++----
 main.tf | 63 +++++++++++++++++++++++++++++--------------------------
 2 files changed, 39 insertions(+), 34 deletions(-)
diff --git a/README.md b/README.md
index 22a3077..5b25973 100644
--- a/README.md
+++ b/README.md
@@ -85,10 +85,10 @@ Change logs are auto-generated with commitizen.
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.64.0 |
-| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.64.0 |
-| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.64.0 |
-| [aws.self](#provider\_aws.self) | 5.64.0 |
+| [aws](#provider\_aws) | 5.66.0 |
+| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.66.0 |
+| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.66.0 |
+| [aws.self](#provider\_aws.self) | 5.66.0 |
 | [null](#provider\_null) | 3.2.2 |
 
 ## Modules 
@@ -120,6 +120,8 @@ Change logs are auto-generated with commitizen.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
diff --git a/main.tf b/main.tf
index 68e7374..31a6df7 100644
--- a/main.tf
+++ b/main.tf
@@ -27,8 +27,17 @@ data "aws_kms_key" "ebs_key" {
 key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
 
+data "aws_iam_roles" "sso_admins" {
+ name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_iam_roles" "roles" {
- name_regex = "AWSReservedSSO_inf-admin.*"
+ name_regex = "r-inf-terraform(-eks)"
+}
+
+data "aws_iam_roles" "view_arns" {
+ name_regex = "AWSReservedSSO_inf-admin-t1"
 path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
 
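Review bot: The new `roles` data source feeds the admins local, so every role it returns is granted AmazonEKSClusterAdminPolicy at cluster scope, yet its pattern `r-inf-terraform(-eks)` is loose in two ways: the group is not optional, so a role named plainly `r-inf-terraform` no longer matches (if that role was meant to stay an admin, a `?` is missing), and the provider documents name_regex as a regex applied to the listed role names rather than an exact-name match, so it is presumably unanchored and any role in any path whose name merely contains `r-inf-terraform-eks` would be admitted — the `path_prefix` filter the old block carried is also gone from this data source. Consider `name_regex = "^r-inf-terraform(-eks)?$"`, and a trailing boundary on `sso_admins` as well (`AWSReservedSSO_inf-admin-t(2|3|4)_` matches the `_<hash>` suffix the example ARN removed later in this patch shows, and stops `t2` from also matching a hypothetical `t20`). A one-line comment above each of the three data sources saying what access tier a matched role receives would make the blast radius of a regex change obvious to the next reviewer.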
@@ -52,11 +61,11 @@ locals {
 tags = merge(local.base_tags, var.tags)
 
- access_entries = {
- for index, arn in tolist(data.aws_iam_roles.roles.arns) :
- format("inf-terraform-t%d", index + 1) => {
+ admins = {
+ for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
+ arn => {
 principal_arn = arn
- kubernetes_groups = []
+ kubernetes_groups = ["eks-console-dashboard-full-access-group"]
 policy_associations = {
 admin = {
 policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" 
@@ -68,27 +77,23 @@ locals {
 }
 }
 
- # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
- # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
- # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
- # RBAC constructs in Roles and ClusterRoles and bindings.
- # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
- # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
- # out to these clusters.
- # access_entries = {
- # inf-admin-t2 = {
- # principal_arn = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
- # kubernetes_groups = []
- # policy_associations = {
- # admin = {
- # policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
- # access_scope = {
- # type = "cluster"
- # }
- # }
- # }
- # }
- # }
+ viewers = {
+ for arn in tolist(data.aws_iam_roles.view_arns.arns) :
+ arn => {
+ principal_arn = arn
+ kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
+ policy_associations = {
+ admin = {
+ policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+ }
+ }
+ }
+
+ access_entries = merge(local.admins, local.viewers)
 }
 
 module "cluster" {
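Review bot: The `viewers` entries pair AmazonEKSViewPolicy with the Kubernetes group `eks-console-dashboard-restricted-access-group`, and for an access entry the effective rights are the union of the associated policy and whatever RBAC is bound to that group; nothing in this patch defines a ClusterRoleBinding for the group, so a permissive binding created elsewhere would silently widen the t1 tier well beyond "view". Either drop `kubernetes_groups` for viewers, since the policy association already grants read access on its own, or keep it and add `# group must only be bound to read-only (Cluster)Roles; the View policy alone already covers console access` beside it and verify the binding in the cluster. The policy-association key is also named `admin` for a view policy; renaming it `view = {` makes the tier readable at a glance. The `locals` block this hunk edits begins above the hunk.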
@@ -168,10 +173,8 @@ module "cluster" {
 xvda = {
 device_name = "/dev/xvda"
 ebs = {
- volume_size = var.eks_instance_disk_size
- volume_type = "gp3"
- # iops = 3000
- # throughput = 125
+ volume_size = var.eks_instance_disk_size
+ volume_type = "gp3"
 encrypted = true
 delete_on_termination = true
 kms_key_id = data.aws_kms_key.ebs_key.arn