diff --git a/.gitignore b/.gitignore
index 7103c45..98d790c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,38 @@
-.terraform/
-.terraform.lock.hcl
-.terragrunt-cache/
+# Local .terraform directories
+**/.terraform/*
+**/.terragrunt-cache/*
+
+# terraform lock file.
+**/.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data,
+# such as password, private keys, and other secrets. These should not be
+# part of version control as they are data points which are potentially
+# sensitive and subject to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources
+# locally and so are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/README.md b/README.md
index f023066..2f52761 100644
--- a/README.md
+++ b/README.md
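Review bot: `**/.terraform.lock.hcl` keeps the provider lock file out of version control (the old `.terraform.lock.hcl` entry is carried over in broader form), so the provider versions and checksums that Terraform records are never committed and each fresh `terraform init` may resolve a different provider build than the one that was reviewed and applied. HashiCorp's guidance is to commit the lock file precisely so that provider selection is pinned and verifiable across machines and CI. Consider removing the `**/.terraform.lock.hcl` line together with its `# terraform lock file.` comment; if ignoring it is deliberate (for example a multi-platform workflow), replace the comment with one that records the reason, e.g. `# lock file intentionally untracked: <REASON>`.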
@@ -18,22 +18,55 @@ Addons installed: ### Apply Successful completion should show: ```terraform -Apply complete! Resources: 74 added, 0 changed, 0 destroyed. - -And should take around: -real 11m32.883s -user 0m18.010s -sys 0m2.131s +Apply complete! Resources: 80 added, 0 changed, 0 destroyed. +real 12m24.922s +user 0m17.709s +sys 0m2.079s ``` ### Destroy Successful destroy should show: ```terraform -Destroy complete! Resources: 74 destroyed. -real 11m22.795s -user 0m18.300s -sys 0m2.160s +Destroy complete! Resources: 80 destroyed. +real 10m48.444s +user 0m17.624s +sys 0m2.040s +``` + +### Verification + +To verify the nodes were created, use kubectl like +`kubectl get nodes` which should ouput: + +```bash +[morga471@iebcloud terraform]$ k get nodes +NAME STATUS ROLES AGE VERSION +ip-10-129-62-142.us-gov-east-1.compute.internal Ready 4m7s v1.30.1-eks-e564799 +``` + +To verify the pods for the base cluster were created, use kubectl like +`k get pods -A` + +```bash +[morga471@iebcloud terraform]$ k get pods -A +NAMESPACE NAME READY STATUS RESTARTS AGE +amazon-cloudwatch amazon-cloudwatch-observability-controller-manager-5c9d9677h2xf 1/1 Running 0 2m58s +amazon-cloudwatch cloudwatch-agent-95g5j 1/1 Running 0 2m52s +amazon-cloudwatch fluent-bit-cnp45 1/1 Running 0 2m58s +kube-system aws-node-dsdqg 2/2 Running 0 3m8s +kube-system coredns-5479bb6d65-c6x79 1/1 Running 0 3m11s +kube-system coredns-5479bb6d65-j74cm 1/1 Running 0 3m11s +kube-system ebs-csi-controller-7cd8c597d7-96j7p 6/6 Running 0 3m10s +kube-system ebs-csi-controller-7cd8c597d7-m48j8 6/6 Running 0 3m9s +kube-system ebs-csi-node-x555s 3/3 Running 0 3m10s +kube-system efs-csi-controller-85c5486b89-rdjk8 3/3 Running 0 3m9s +kube-system efs-csi-controller-85c5486b89-v6fx2 3/3 Running 0 3m9s +kube-system efs-csi-node-tz47s 3/3 Running 0 3m9s +kube-system kube-proxy-qbgbk 1/1 Running 0 4m12s +kube-system snapshot-controller-7f8d9b84dd-7w7qz 1/1 Running 0 3m10s +kube-system snapshot-controller-7f8d9b84dd-nqqsb 1/1 
Running 0 3m10s ``` + #### Changelog Change logs are auto-generated with commitizen. @@ -87,6 +120,7 @@ Change logs are auto-generated with commitizen. | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | +| [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | @@ -129,6 +163,7 @@ Change logs are auto-generated with commitizen. | Name | Description | |------|-------------| +| [access\_entries](#output\_access\_entries) | the access entries created in the cluster | | [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created | | [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created | | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | diff --git a/main.tf b/main.tf index f444ab0..f885509 100644 --- a/main.tf +++ b/main.tf 
@@ -27,6 +27,11 @@ data "aws_kms_key" "ebs_key" {
 key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
+data "aws_iam_roles" "roles" {
+ name_regex = "AWSReservedSSO_inf-admin.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 locals {
 vpc_id = data.aws_vpc.eks_vpc.id
 vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
@@ -47,16 +52,10 @@ locals {
 tags = merge(local.base_tags, var.tags)
- # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
- # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
- # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
- # RBAC constructs in Roles and ClusterRoles and bindings.
- # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
- # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
- # out to these clusters.
 access_entries = {
- inf-admin-t2 = {
- principal_arn = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+ for index, arn in tolist(data.aws_iam_roles.roles.arns) :
+ format("inf-terraform-t%d", index + 1) => {
+ principal_arn = arn
 kubernetes_groups = []
 policy_associations = {
 admin = {
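Review bot: `name_regex = "AWSReservedSSO_inf-admin.*"` is, as far as the AWS provider's regex matching goes, a search rather than an anchored full match, so any SSO permission-set role whose name contains that prefix (a future `inf-admin-readonly` set, for instance) lands in `data.aws_iam_roles.roles.arns` and, through the `for` expression in the following hunk, receives `AmazonEKSClusterAdminPolicy` at cluster scope with no change to this repository. Pin it to the intended permission set, e.g. `name_regex = "^AWSReservedSSO_inf-admin-t2_[0-9a-f]+$"`, so a role has to be named into the grant rather than matched by accident. In the same hunk, keying the map by position with `format("inf-terraform-t%d", index + 1)` over `tolist(...)` ties the keys to set ordering: adding or removing one matching role renumbers the rest and forces those access entries to be destroyed and recreated. A key derived from the ARN itself, `for arn in data.aws_iam_roles.roles.arns : basename(arn) => { ... }`, stays stable as the set changes. The `access_entries` block continues beyond the end of the hunk.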
@@ -68,6 +67,28 @@ locals {
 }
 }
 }
+
+ # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+ # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
+ # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
+ # RBAC constructs in Roles and ClusterRoles and bindings.
+ # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
+ # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
+ # out to these clusters.
+ # access_entries = {
+ # inf-admin-t2 = {
+ # principal_arn = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+ # kubernetes_groups = []
+ # policy_associations = {
+ # admin = {
+ # policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ # access_scope = {
+ # type = "cluster"
+ # }
+ # }
+ # }
+ # }
+ # }
 }
 module "cluster" {
diff --git a/outputs.tf b/outputs.tf
index 15bc115..c55fe96 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -284,3 +284,8 @@ output "node_group_name" {
 description = "name of the node group created for use by karpenter"
 value = local.ng_name
 }
+
+output "access_entries" {
+ description = "the access entries created in the cluster"
+ value = local.access_entries
+}
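Review bot: The re-added span from `+ # access_entries = {` down to the last `+ # }` is commented-out code that duplicates the lines this same commit deletes a few lines earlier, and it leaves a literal account ID and role ARN sitting in a comment that nothing validates; git history already preserves the example. Keep the prose comment, drop the commented HCL, and fix the spelling while you are there: `depricating` → `deprecating`, `course grained` → `coarse-grained`. If the example has to stay, substitute a labelled placeholder for the real ARN, e.g. `arn:aws-us-gov:iam::<ACCOUNT_ID>:role/<SSO_ROLE_PATH>`.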
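Review bot: The description `the access entries created in the cluster` overstates what `value = local.access_entries` exposes: it is the map handed to the cluster module, i.e. desired configuration, not what EKS reports as created. Either reword it, `description = "access entries map passed to the cluster module"`, or point the value at the module's own output if `module.cluster` exposes one (not visible in this diff). Be aware the output also echoes every principal ARN, account ID included, into state and `terraform output`; not a secret, but worth knowing before it is wired into other outputs or CI logs.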