SCT-Engineering · morga471 · Aug 23, 2024 · Aug 6, 2024 · Aug 7, 2024 · Aug 21, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,38 @@
-.terraform/
-.terraform.lock.hcl
-.terragrunt-cache/
+# Local .terraform directories
+**/.terraform/*
+**/.terragrunt-cache/*
+
+# terraform lock file.
+**/.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data,
+# such as password, private keys, and other secrets. These should not be
+# part of version control as they are data points which are potentially
+# sensitive and subject to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources
+# locally and so are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/README.md b/README.md
@@ -18,22 +18,55 @@ Addons installed:
 ### Apply
 Successful completion should show:
 ```terraform
-Apply complete! Resources: 74 added, 0 changed, 0 destroyed.
-
-And should take around:
-real    11m32.883s
-user    0m18.010s
-sys     0m2.131s
+Apply complete! Resources: 80 added, 0 changed, 0 destroyed.
+real    12m24.922s
+user    0m17.709s
+sys     0m2.079s
 ```
 
 ### Destroy
 Successful destroy should show:
 ```terraform
-Destroy complete! Resources: 74 destroyed.
-real    11m22.795s
-user    0m18.300s
-sys     0m2.160s
+Destroy complete! Resources: 80 destroyed.
+real    10m48.444s
+user    0m17.624s
+sys     0m2.040s
+```
+
+### Verification
+
+To verify the nodes were created, use kubectl like
+`kubectl get nodes` which should ouput:
+
+```bash
+[morga471@iebcloud terraform]$ k get nodes
+NAME                                              STATUS   ROLES    AGE    VERSION
+ip-10-129-62-142.us-gov-east-1.compute.internal   Ready    <none>   4m7s   v1.30.1-eks-e564799
+```
+
+To verify the pods for the base cluster were created, use kubectl like
+`k get pods -A`
+
+```bash
+[morga471@iebcloud terraform]$ k get pods -A
+NAMESPACE           NAME                                                              READY   STATUS    RESTARTS   AGE
+amazon-cloudwatch   amazon-cloudwatch-observability-controller-manager-5c9d9677h2xf   1/1     Running   0          2m58s
+amazon-cloudwatch   cloudwatch-agent-95g5j                                            1/1     Running   0          2m52s
+amazon-cloudwatch   fluent-bit-cnp45                                                  1/1     Running   0          2m58s
+kube-system         aws-node-dsdqg                                                    2/2     Running   0          3m8s
+kube-system         coredns-5479bb6d65-c6x79                                          1/1     Running   0          3m11s
+kube-system         coredns-5479bb6d65-j74cm                                          1/1     Running   0          3m11s
+kube-system         ebs-csi-controller-7cd8c597d7-96j7p                               6/6     Running   0          3m10s
+kube-system         ebs-csi-controller-7cd8c597d7-m48j8                               6/6     Running   0          3m9s
+kube-system         ebs-csi-node-x555s                                                3/3     Running   0          3m10s
+kube-system         efs-csi-controller-85c5486b89-rdjk8                               3/3     Running   0          3m9s
+kube-system         efs-csi-controller-85c5486b89-v6fx2                               3/3     Running   0          3m9s
+kube-system         efs-csi-node-tz47s                                                3/3     Running   0          3m9s
+kube-system         kube-proxy-qbgbk                                                  1/1     Running   0          4m12s
+kube-system         snapshot-controller-7f8d9b84dd-7w7qz                              1/1     Running   0          3m10s
+kube-system         snapshot-controller-7f8d9b84dd-nqqsb                              1/1     Running   0          3m10s
 ```
+
 #### Changelog
 Change logs are auto-generated with commitizen.
 
@@ -87,6 +120,7 @@ Change logs are auto-generated with commitizen.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
@@ -129,6 +163,7 @@ Change logs are auto-generated with commitizen.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_access_entries"></a> [access\_entries](#output\_access\_entries) | the access entries created in the cluster |
 | <a name="output_cloudwatch_log_group_arn"></a> [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created |
 | <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created |
 | <a name="output_cluster_addons"></a> [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled |

diff --git a/main.tf b/main.tf
@@ -27,6 +27,11 @@ data "aws_kms_key" "ebs_key" {
   key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
 
+data "aws_iam_roles" "roles" {
+  name_regex  = "AWSReservedSSO_inf-admin.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 locals {
   vpc_id         = data.aws_vpc.eks_vpc.id
   vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
@@ -47,16 +52,10 @@ locals {
 
   tags = merge(local.base_tags, var.tags)
 
-  # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
-  # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
-  # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
-  # RBAC constructs in Roles and ClusterRoles and bindings.
-  # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
-  # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
-  # out to these clusters.
   access_entries = {
-    inf-admin-t2 = {
-      principal_arn     = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+    for index, arn in tolist(data.aws_iam_roles.roles.arns) :
+    format("inf-terraform-t%d", index + 1) => {
+      principal_arn     = arn
       kubernetes_groups = []
       policy_associations = {
         admin = {
@@ -68,6 +67,28 @@ locals {
       }
     }
   }
+
+  # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+  # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
+  # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
+  # RBAC constructs in Roles and ClusterRoles and bindings.
+  # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
+  # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
+  # out to these clusters.
+  # access_entries = {
+  #   inf-admin-t2 = {
+  #     principal_arn     = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+  #     kubernetes_groups = []
+  #     policy_associations = {
+  #       admin = {
+  #         policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  #         access_scope = {
+  #           type = "cluster"
+  #         }
+  #       }
+  #     }
+  #   }
+  # }
 }
 
 module "cluster" {

diff --git a/outputs.tf b/outputs.tf
@@ -284,3 +284,8 @@ output "node_group_name" {
   description = "name of the node group created for use by karpenter"
   value       = local.ng_name
 }
+
+output "access_entries" {
+  description = "the access entries created in the cluster"
+  value       = local.access_entries
+}