Access Entries

README.md

@@ -85,10 +85,10 @@ Change logs are auto-generated with commitizen.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.64.0 |
-| <a name="provider_aws.route53_main_east"></a> [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.64.0 |
-| <a name="provider_aws.route53_main_west"></a> [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.64.0 |
-| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | 5.64.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
+| <a name="provider_aws.route53_main_east"></a> [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.66.0 |
+| <a name="provider_aws.route53_main_west"></a> [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.66.0 |
+| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | 5.66.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
 
 ## Modules
@@ -120,6 +120,8 @@ Change logs are auto-generated with commitizen.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |

main.tf

@@ -27,8 +27,17 @@ data "aws_kms_key" "ebs_key" {
   key_id = data.aws_ebs_default_kms_key.current.key_arn
 }
 
+data "aws_iam_roles" "sso_admins" {
+  name_regex  = "AWSReservedSSO_inf-admin-t(2|3|4)"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_iam_roles" "roles" {
-  name_regex  = "AWSReservedSSO_inf-admin.*"
+  name_regex = "r-inf-terraform(-eks)"
+}
+
+data "aws_iam_roles" "view_arns" {
+  name_regex  = "AWSReservedSSO_inf-admin-t1"
   path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
 
@@ -52,11 +61,11 @@ locals {
 
   tags = merge(local.base_tags, var.tags)
 
-  access_entries = {
-    for index, arn in tolist(data.aws_iam_roles.roles.arns) :
-    format("inf-terraform-t%d", index + 1) => {
+  admins = {
+    for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) :
+    arn => {
       principal_arn     = arn
-      kubernetes_groups = []
+      kubernetes_groups = ["eks-console-dashboard-full-access-group"]
       policy_associations = {
         admin = {
           policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
@@ -68,27 +77,23 @@ locals {
     }
   }
 
-  # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
-  # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
-  # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
-  # RBAC constructs in Roles and ClusterRoles and bindings.
-  # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
-  # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand
-  # out to these clusters.
-  # access_entries = {
-  #   inf-admin-t2 = {
-  #     principal_arn     = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
-  #     kubernetes_groups = []
-  #     policy_associations = {
-  #       admin = {
-  #         policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-  #         access_scope = {
-  #           type = "cluster"
-  #         }
-  #       }
-  #     }
-  #   }
-  # }
+  viewers = {
+    for arn in tolist(data.aws_iam_roles.view_arns.arns) :
+    arn => {
+      principal_arn     = arn
+      kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
+      policy_associations = {
+        admin = {
+          policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
+  access_entries = merge(local.admins, local.viewers)
 }
 
 module "cluster" {
@@ -168,10 +173,8 @@ module "cluster" {
         xvda = {
           device_name = "/dev/xvda"
           ebs = {
-            volume_size = var.eks_instance_disk_size
-            volume_type = "gp3"
-            # iops                  = 3000
-            # throughput            = 125
+            volume_size           = var.eks_instance_disk_size
+            volume_type           = "gp3"
             encrypted             = true
             delete_on_termination = true
             kms_key_id            = data.aws_kms_key.ebs_key.arn