From 3b4cb2f6d512f3348c7a79c0d78d1c9eb88eee9d Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 12:49:12 -0400
Subject: [PATCH 1/8] =?UTF-8?q?=F0=9F=90=9B=20fix(cluster=5Faccess):=20upd?=
 =?UTF-8?q?ate=20access=20entries=20for=20sso=20and=20non-sso=20roles?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 9 +++++----
 main.tf | 41 ++++++++++++-----------------------
 2 files changed, 17 insertions(+), 33 deletions(-)

diff --git a/README.md b/README.md
index 22a3077..c8ab9d5 100644
--- a/README.md
+++ b/README.md
@@ -85,10 +85,10 @@ Change logs are auto-generated with commitizen.
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.64.0 |
-| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.64.0 |
-| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.64.0 |
-| [aws.self](#provider\_aws.self) | 5.64.0 |
+| [aws](#provider\_aws) | 5.66.0 |
+| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.66.0 |
+| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.66.0 |
+| [aws.self](#provider\_aws.self) | 5.66.0 |
 | [null](#provider\_null) | 3.2.2 |
 ## Modules
@@ -120,6 +120,7 @@ Change logs are auto-generated with commitizen.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
diff --git a/main.tf b/main.tf
index 68e7374..8a9bb30 100644
--- a/main.tf
+++ b/main.tf
@@ -27,11 +27,15 @@ data "aws_kms_key" "ebs_key" {
 key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
-data "aws_iam_roles" "roles" {
- name_regex = "AWSReservedSSO_inf-admin.*"
+data "aws_iam_roles" "sso_admins" {
+ name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)"
 path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
+data "aws_iam_roles" "roles" {
+ name_regex = "r-inf-terrafor(m|m-eks)"
+}
+
 locals {
 vpc_id = data.aws_vpc.eks_vpc.id
 vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
@@ -53,7 +57,7 @@ locals {
 tags = merge(local.base_tags, var.tags)
 access_entries = {
- for index, arn in tolist(data.aws_iam_roles.roles.arns) :
+ for index, arn in tolist(concat(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns)) :
 format("inf-terraform-t%d", index + 1) => {
 principal_arn = arn
 kubernetes_groups = []
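Review bot: `name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)"` in the new `sso_admins` data source is an unanchored substring match, so it would also select a future `AWSReservedSSO_inf-admin-t20_…` or `…-t3x…` permission-set role, and every ARN it returns is handed AmazonEKSClusterAdminPolicy by the `access_entries` local further down in this file. SSO role names end in a `_<hash>` suffix (the example removed elsewhere in this patch reads `AWSReservedSSO_inf-admin-t2_f3912d726991bbfa`), so the tier can be delimited explicitly: `name_regex = "^AWSReservedSSO_inf-admin-t(2|3|4)_"`. The `roles` data source added in the same hunk has the same shape of problem and no `path_prefix` at all: under substring matching `(m|m-eks)` reduces to `m`, so any role in the account whose name contains `r-inf-terraform` becomes cluster admin; anchor it as well (`^…$`) rather than relying on the regex happening not to collide.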
@@ -67,28 +71,6 @@ locals {
 }
 }
 }
-
- # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
- # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
- # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
- # RBAC constructs in Roles and ClusterRoles and bindings.
- # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
- # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
- # out to these clusters.
- # access_entries = {
- # inf-admin-t2 = {
- # principal_arn = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
- # kubernetes_groups = []
- # policy_associations = {
- # admin = {
- # policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
- # access_scope = {
- # type = "cluster"
- # }
- # }
- # }
- # }
- # }
 }
 module "cluster" {
@@ -112,6 +94,9 @@ module "cluster" {
 subnet_ids = local.subnets
 cluster_addons = {
+ adot = {
+ most_recent = true
+ }
 amazon-cloudwatch-observability = {
 most_recent = true
 service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn
@@ -168,10 +153,8 @@ module "cluster" {
 xvda = {
 device_name = "/dev/xvda"
 ebs = {
- volume_size = var.eks_instance_disk_size
- volume_type = "gp3"
- # iops = 3000
- # throughput = 125
+ volume_size = var.eks_instance_disk_size
+ volume_type = "gp3"
 encrypted = true
 delete_on_termination = true
 kms_key_id = data.aws_kms_key.ebs_key.arn
From d36b829952b8d8f711360d7c9d97c2d7ffcb31b2 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 13:31:16 -0400
Subject: [PATCH 2/8] =?UTF-8?q?=F0=9F=90=9B=20fix(adot):=20removed=20adot?=
 =?UTF-8?q?=20addon=20as=20it=20requires=20pre-existing=20cluster=20cert-m?=
 =?UTF-8?q?anager?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/main.tf b/main.tf
index 8a9bb30..d8a5b10 100644
--- a/main.tf
+++ b/main.tf
@@ -94,9 +94,6 @@ module "cluster" {
 subnet_ids = local.subnets
 cluster_addons = {
- adot = {
- most_recent = true
- }
 amazon-cloudwatch-observability = {
 most_recent = true
 service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn
From 95cc8cb573dcf20a29102fd1e3da13f0ccda45c3 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 14:25:03 -0400
Subject: [PATCH 3/8] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20rev?=
 =?UTF-8?q?erse=20tolist=20concat=20into=20concat=20tolist?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index d8a5b10..501240b 100644
--- a/main.tf
+++ b/main.tf
@@ -57,10 +57,10 @@ locals {
 tags = merge(local.base_tags, var.tags)
 access_entries = {
- for index, arn in tolist(concat(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns)) :
- format("inf-terraform-t%d", index + 1) => {
+ for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
+ arn => {
 principal_arn = arn
- kubernetes_groups = []
+ kubernetes_groups = ["system:masters", "eks-console-dashboard-full-access-group"]
 policy_associations = {
 admin = {
 policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
From 5619faa1382696558c95e1a1e3fcb327d655789f Mon Sep 17 00:00:00 2001
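Review bot: `kubernetes_groups = ["system:masters", "eks-console-dashboard-full-access-group"]` adds nothing that the cluster-scoped AmazonEKSClusterAdminPolicy association two lines below does not already grant, and `eks-console-dashboard-full-access-group` only takes effect if a ClusterRoleBinding for that group exists in the cluster, which nothing in this series creates. Since the policy association is the real grant, either leave the admin entries at `kubernetes_groups = []` or add a comment naming the binding the group is expected to hit, so the next reader does not assume the group is what confers access. Keying the map by `arn` is a good change, but note that it now puts the Terraform roles from `data.aws_iam_roles.roles` in the same cluster-admin bucket as the human SSO tiers; if those are pipeline roles, a narrower policy (AmazonEKSAdminPolicy, or namespace-scoped access) is worth weighing. The `locals` block that holds this expression begins and ends outside the hunk.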
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 14:29:02 -0400
Subject: [PATCH 4/8] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20reg?=
 =?UTF-8?q?ex=20changed=20to=20exclude=20route53?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 501240b..d1562d5 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ data "aws_iam_roles" "sso_admins" {
 }
 data "aws_iam_roles" "roles" {
- name_regex = "r-inf-terrafor(m|m-eks)"
+ name_regex = "r-inf-terraform(-eks)"
 }
 locals {
From 365b4448f4aa3d654994a4d471e3273eaad60611 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 14:37:09 -0400
Subject: [PATCH 5/8] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20rem?=
 =?UTF-8?q?oved=20system:masters=20as=20system=20is=20invalid?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index d1562d5..94a620b 100644
--- a/main.tf
+++ b/main.tf
@@ -60,7 +60,7 @@ locals {
 for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
 arn => {
 principal_arn = arn
- kubernetes_groups = ["system:masters", "eks-console-dashboard-full-access-group"]
+ kubernetes_groups = ["eks-console-dashboard-full-access-group"]
 policy_associations = {
 admin = {
 policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
From 5a69d468004c2da9e4ee86caca5b5ed1c8e87652 Mon Sep 17 00:00:00 2001
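Review bot: The replacement `name_regex = "r-inf-terraform(-eks)"` is still an unanchored substring match on the whole account's role list with no `path_prefix`, and the parentheses form a plain group rather than an optional one, so it selects every role whose name contains `r-inf-terraform-eks` — including any later `r-inf-terraform-eks-<suffix>` role — and each match is granted AmazonEKSClusterAdminPolicy through `access_entries`. The route53 exclusion the commit message describes therefore comes from the `-eks` substring happening not to occur in that role's name, not from the pattern's structure. Anchoring makes the grant explicit and closes the door on accidental matches: `name_regex = "^r-inf-terraform-eks$"`, or `"^r-inf-terraform(-eks)?$"` if the bare `r-inf-terraform` role is also meant to qualify as the previous pattern allowed.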
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 18:03:50 -0400
Subject: [PATCH 6/8] =?UTF-8?q?=E2=9C=A8=20feat(access=5Fentries):=20added?=
 =?UTF-8?q?=20inf-admin-t1=20to=20view=20access?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 1 +
 main.tf | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c8ab9d5..5b25973 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,7 @@ Change logs are auto-generated with commitizen.
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
diff --git a/main.tf b/main.tf
index 94a620b..8749b5f 100644
--- a/main.tf
+++ b/main.tf
@@ -36,6 +36,11 @@ data "aws_iam_roles" "roles" {
 name_regex = "r-inf-terraform(-eks)"
 }
+data "aws_iam_roles" "view_arns" {
+ name_regex = "AWSReservedSSO_inf-admin-t1"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 locals {
 vpc_id = data.aws_vpc.eks_vpc.id
 vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
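Review bot: `name_regex = "AWSReservedSSO_inf-admin-t1"` in the new `view_arns` data source is unanchored, so besides the intended `…-t1_<hash>` role it would also match `inf-admin-t10` through `inf-admin-t19` permission sets if any are ever created, and those would silently gain view access to the cluster. Terminate the pattern on the `_` that precedes the SSO role hash, `name_regex = "^AWSReservedSSO_inf-admin-t1_"`, so the tier is matched exactly.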
@@ -56,7 +61,7 @@ locals {
 tags = merge(local.base_tags, var.tags)
- access_entries = {
+ sso_entries = {
 for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
 arn => {
 principal_arn = arn
@@ -71,6 +76,24 @@ locals {
 }
 }
 }
+
+ view_entries = {
+ for arn in tolist(data.aws_iam_roles.view_arns.arns) :
+ arn => {
+ principal_arn = arn
+ kubernetes_groups = ["eks-console-dashboard-read-only-group"]
+ policy_associations = {
+ admin = {
+ policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+ }
+ }
+ }
+
+ access_entries = merge(local.sso_entries, local.view_entries)
 }
 module "cluster" {
From dbae07f60ad387e1c98198d2413a17916d76828d Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 19:16:21 -0400
Subject: [PATCH 7/8] =?UTF-8?q?=F0=9F=90=9B=20fix(view-access):=20fix=20ku?=
 =?UTF-8?q?bernetes=20groups=20to=20reference=20restrictedaccess=20group?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 8749b5f..0d96dcd 100644
--- a/main.tf
+++ b/main.tf
@@ -81,7 +81,7 @@ locals {
 for arn in tolist(data.aws_iam_roles.view_arns.arns) :
 arn => {
 principal_arn = arn
- kubernetes_groups = ["eks-console-dashboard-read-only-group"]
+ kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
 policy_associations = {
 admin = {
 policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
From 667c118a82664eeb86c8652905f7f2dba72b3f1a Mon Sep 17 00:00:00 2001
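Review bot: `access_entries = merge(local.sso_entries, local.view_entries)` is keyed by principal ARN and `merge` lets the later map win, so a role that matched both the admin and the view regexes would quietly be demoted to a viewer, while the opposite argument order would quietly escalate a viewer to cluster admin; the current `t(2|3|4)` and `t1` patterns do not overlap, but nothing in the code enforces that. State the invariant next to the merge, `# sso_entries and view_entries must be disjoint: on a key collision the view entry wins`, or fail the plan when they intersect so the precedence is deliberate rather than incidental. Separately, the policy association under `view_entries` is keyed `admin` while it attaches AmazonEKSViewPolicy; naming it `view = {` avoids a reader mistaking it for an admin grant. The `locals` block containing these expressions begins outside the hunk.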
From: "Matthew C. Morgan"
Date: Tue, 10 Sep 2024 19:19:05 -0400
Subject: [PATCH 8/8] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20upd?=
 =?UTF-8?q?ate=20var=20names=20to=20better?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 0d96dcd..31a6df7 100644
--- a/main.tf
+++ b/main.tf
@@ -61,7 +61,7 @@ locals {
 tags = merge(local.base_tags, var.tags)
- sso_entries = {
+ admins = {
 for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
 arn => {
 principal_arn = arn
@@ -77,7 +77,7 @@ locals {
 }
 }
- view_entries = {
+ viewers = {
 for arn in tolist(data.aws_iam_roles.view_arns.arns) :
 arn => {
 principal_arn = arn
@@ -93,7 +93,7 @@ locals {
 }
 }
- access_entries = merge(local.sso_entries, local.view_entries)
+ access_entries = merge(local.admins, local.viewers)
 }
 module "cluster" {