diff --git a/README.md b/README.md
index 5b25973..a27a618 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,8 @@ Change logs are auto-generated with commitizen.
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
-| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
diff --git a/access_entries.tf b/access_entries.tf
new file mode 100644
index 0000000..477eca7
--- /dev/null
+++ b/access_entries.tf
@@ -0,0 +1,56 @@
+################################################################################
+# Access Entries
+################################################################################
+data "aws_iam_session_context" "current" {
+ arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_iam_roles" "sso_admins" {
+ name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_iam_roles" "roles" {
+ name_regex = "r-inf-terrafor(m|m-eks)"
+}
+
+data "aws_iam_roles" "sso_read" {
+ name_regex = "AWSReservedSSO_inf-admin-t1"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+locals {
+ access_entries = merge(local.admins, local.viewers)
+ arns = [for arn in merge(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns) : arn if arn != data.aws_iam_session_context.current.issuer_arn]
+ admins = {
+ for arn in local.arns :
+ arn => {
+ principal_arn = arn
+ kubernetes_groups = ["eks-console-dashboard-full-access-group"]
+ policy_associations = {
+ admin = {
+ policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+ }
+ }
+ }
+
+ viewers = {
+ for arn in tolist(data.aws_iam_roles.sso_read.arns) :
+ arn => {
+ principal_arn = arn
+ kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
+ policy_associations = {
+ view = {
+ policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+ access_scope = {
+ type = "cluster"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 31a6df7..1ca8953 100644
--- a/main.tf
+++ b/main.tf
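Review bot: The `arns` local in the `locals` block calls `merge()` on `data.aws_iam_roles.roles.arns` and `data.aws_iam_roles.sso_admins.arns`, which the provider exposes as sets of strings (the removed main.tf code wrapped them in `tolist()` for that reason); `merge()` accepts only maps and objects, so unless the provider's type differs from what I expect this fails at plan time before any access entry is created. The equivalent of the old `concat(tolist(...), tolist(...))` is `arns = [for arn in setunion(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns) : arn if arn != data.aws_iam_session_context.current.issuer_arn]`. Separately, `name_regex` is a substring match unless anchored, so `"r-inf-terrafor(m|m-eks)"` (which also has no `path_prefix`) grants AmazonEKSClusterAdminPolicy to every role whose name merely contains `r-inf-terraform`, making the `(m|m-eks)` alternation redundant, and `"AWSReservedSSO_inf-admin-t1"` would also match a later `t10` permission set; anchoring with `^` (for example `"^r-inf-terraform(-eks)?$"` if those role names carry no suffix, and `"^AWSReservedSSO_inf-admin-t1_"` for the SSO-generated names) keeps the admin and viewer sets closed. A one-line comment above `arns` saying why the caller's own `issuer_arn` is excluded (presumably because the cluster module manages the creator's entry) would help the next reader.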
@@ -27,73 +27,22 @@ data "aws_kms_key" "ebs_key" { key_id = data.aws_ebs_default_kms_key.current.key_arn } -data "aws_iam_roles" "sso_admins" { - name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)" - path_prefix = "/aws-reserved/sso.amazonaws.com/" -} - -data "aws_iam_roles" "roles" { - name_regex = "r-inf-terraform(-eks)" -} - -data "aws_iam_roles" "view_arns" { - name_regex = "AWSReservedSSO_inf-admin-t1" - path_prefix = "/aws-reserved/sso.amazonaws.com/" -} - locals { - vpc_id = data.aws_vpc.eks_vpc.id - vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block - subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] - + additional_policies = {} base_tags = { - "eks-cluster-name" = var.cluster_name + "boc:eks-cluster-name" = var.cluster_name "boc:tf_module_name" = local.module_name "boc:tf_module_version" = local.module_version "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) + subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] + tags = merge(local.base_tags, var.tags) + vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block + vpc_id = data.aws_vpc.eks_vpc.id - additional_policies = { - } - - ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) - - tags = merge(local.base_tags, var.tags) - - admins = { - for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : - arn => { - principal_arn = arn - kubernetes_groups = ["eks-console-dashboard-full-access-group"] - policy_associations = { - admin = { - policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" - access_scope = { - type = "cluster" - } - } - } - } - } - - viewers = { - for arn in tolist(data.aws_iam_roles.view_arns.arns) : - arn => { - principal_arn = arn - kubernetes_groups = 
["eks-console-dashboard-restricted-access-group"]
- policy_associations = {
- admin = {
- policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
- access_scope = {
- type = "cluster"
- }
- }
- }
- }
- }
- access_entries = merge(local.admins, local.viewers)
 } module "cluster" {
diff --git a/outputs.tf b/outputs.tf
index c55fe96..b857692 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -129,6 +129,11 @@ output "cluster_status" { value = module.cluster.cluster_status } +output "access_entries" { + description = "The access_entries object added to cluster" + value = local.access_entries +} + ################################################################################ # KMS Key ################################################################################
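Review bot: The `base_tags` key rename from `eks-cluster-name` to `boc:eks-cluster-name` changes the tags that reach every resource through `local.tags`, and nothing in the hunk updates whatever selects resources by the old key, so any lookup, autoscaler discovery or reporting keyed on `eks-cluster-name` silently stops matching; if that is intended it belongs in the commit description, otherwise keep both keys during the transition. The re-added `subnets` line still filters out `us-east-1e`, yet the policy ARNs in access_entries.tf use the `aws-us-gov` partition, whose regions have no `us-east-1e` zone, so the filter is either a no-op here or the file is meant for the commercial partition; a comment such as `# us-east-1e does not support EKS control-plane subnets; skip it` (or a filter derived from `data.aws_region.current`) would make the intent explicit. `module "cluster"` begins on the hunk's last line and continues outside it.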
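Review bot: The new `access_entries` output describes its value as the object "added to cluster", but it exposes `local.access_entries`, the map this module computes as input, which (per access_entries.tf) omits the caller's own issuer ARN and is never read back from `module.cluster`; a consumer treating it as the cluster's effective principal list will be misled. Suggest `description = "Access entries computed by this module for the cluster (excludes the current caller's issuer ARN)"`, or point the value at a module output if the cluster module exposes the applied entries. `output "cluster_status"` at the top of the hunk is complete within it.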