From 254944764ec1797a13cb2734a3b5245ccce3ee02 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 12:49:12 -0400 Subject: [PATCH 1/9] =?UTF-8?q?=F0=9F=90=9B=20fix(cluster=5Faccess):=20upd?= =?UTF-8?q?ate=20access=20entries=20for=20sso=20and=20non-sso=20roles?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 - main.tf | 34 +++++++--------------------------- 2 files changed, 7 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 5b25973..c8ab9d5 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,6 @@ Change logs are auto-generated with commitizen. | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | -| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | diff --git a/main.tf b/main.tf index 31a6df7..f5d5f03 100644 --- a/main.tf +++ b/main.tf @@ -33,12 +33,7 @@ data "aws_iam_roles" "sso_admins" { } data "aws_iam_roles" "roles" { - name_regex = "r-inf-terraform(-eks)" -} - -data "aws_iam_roles" "view_arns" { - name_regex = "AWSReservedSSO_inf-admin-t1" - path_prefix = "/aws-reserved/sso.amazonaws.com/" + name_regex = "r-inf-terrafor(m|m-eks)" } locals { 
@@ -61,9 +56,9 @@ locals { tags = merge(local.base_tags, var.tags) - admins = { - for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : - arn => { + access_entries = { + for index, arn in tolist(concat(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns)) : + format("inf-terraform-t%d", index + 1) => { principal_arn = arn kubernetes_groups = ["eks-console-dashboard-full-access-group"] policy_associations = { @@ -76,24 +71,6 @@ locals { } } } - - viewers = { - for arn in tolist(data.aws_iam_roles.view_arns.arns) : - arn => { - principal_arn = arn - kubernetes_groups = ["eks-console-dashboard-restricted-access-group"] - policy_associations = { - admin = { - policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" - access_scope = { - type = "cluster" - } - } - } - } - } - - access_entries = merge(local.admins, local.viewers) } module "cluster" { @@ -117,6 +94,9 @@ module "cluster" { subnet_ids = local.subnets cluster_addons = { + adot = { + most_recent = true + } amazon-cloudwatch-observability = { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn From 7f12350f6cd492a5b5bf08e3fd5bdd139b583d93 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 13:31:16 -0400 Subject: [PATCH 2/9] =?UTF-8?q?=F0=9F=90=9B=20fix(adot):=20removed=20adot?= =?UTF-8?q?=20addon=20as=20it=20requires=20pre-existing=20cluster=20cert-m?= =?UTF-8?q?anager?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index f5d5f03..8842e58 100644 --- a/main.tf +++ b/main.tf @@ -94,9 +94,6 @@ module "cluster" { subnet_ids = local.subnets cluster_addons = { - adot = { - most_recent = true - } amazon-cloudwatch-observability = { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn 
From 89d9d47b71571bcbf1919c8a25407ea42993b1a7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 14:25:03 -0400 Subject: [PATCH 3/9] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20rev?= =?UTF-8?q?erse=20tolist=20concat=20into=20concat=20tolist?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 8842e58..501240b 100644 --- a/main.tf +++ b/main.tf @@ -57,10 +57,10 @@ locals { tags = merge(local.base_tags, var.tags) access_entries = { - for index, arn in tolist(concat(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns)) : - format("inf-terraform-t%d", index + 1) => { + for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : + arn => { principal_arn = arn - kubernetes_groups = ["eks-console-dashboard-full-access-group"] + kubernetes_groups = ["system:masters", "eks-console-dashboard-full-access-group"] policy_associations = { admin = { policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" From 9b81254648c6a35548df06fbe44c62ea3bd71408 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 14:29:02 -0400 Subject: [PATCH 4/9] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20reg?= =?UTF-8?q?ex=20changed=20to=20exclude=20route53?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 501240b..d1562d5 100644 --- a/main.tf +++ b/main.tf @@ -33,7 +33,7 @@ data "aws_iam_roles" "sso_admins" { } data "aws_iam_roles" "roles" { - name_regex = "r-inf-terrafor(m|m-eks)" + name_regex = "r-inf-terraform(-eks)" } locals { From db5055a2ef6151ef42f00dbf5355626646b2d6f5 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 14:37:09 -0400 Subject: [PATCH 5/9] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20rem?= =?UTF-8?q?oved=20system:masters=20as=20system=20is=20invalid?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d1562d5..94a620b 100644 --- a/main.tf +++ b/main.tf @@ -60,7 +60,7 @@ locals { for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : arn => { principal_arn = arn - kubernetes_groups = ["system:masters", "eks-console-dashboard-full-access-group"] + kubernetes_groups = ["eks-console-dashboard-full-access-group"] policy_associations = { admin = { policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" From c926e42da566f66b3ab3a054c9352dae8cb95548 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 18:03:50 -0400 Subject: [PATCH 6/9] =?UTF-8?q?=E2=9C=A8=20feat(access=5Fentries):=20added?= =?UTF-8?q?=20inf-admin-t1=20to=20view=20access?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + main.tf | 25 ++++++++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c8ab9d5..5b25973 100644 --- a/README.md +++ b/README.md 
@@ -121,6 +121,7 @@ Change logs are auto-generated with commitizen. | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | diff --git a/main.tf b/main.tf index 94a620b..8749b5f 100644 --- a/main.tf +++ b/main.tf @@ -36,6 +36,11 @@ data "aws_iam_roles" "roles" { name_regex = "r-inf-terraform(-eks)" } +data "aws_iam_roles" "view_arns" { + name_regex = "AWSReservedSSO_inf-admin-t1" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + locals { vpc_id = data.aws_vpc.eks_vpc.id vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block @@ -56,7 +61,7 @@ locals { tags = merge(local.base_tags, var.tags) - access_entries = { + sso_entries = { for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : arn => { principal_arn = arn 
@@ -71,6 +76,24 @@ locals { } } } + + view_entries = { + for arn in tolist(data.aws_iam_roles.view_arns.arns) : + arn => { + principal_arn = arn + kubernetes_groups = ["eks-console-dashboard-read-only-group"] + policy_associations = { + admin = { + policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + type = "cluster" + } + } + } + } + } + + access_entries = merge(local.sso_entries, local.view_entries) } module "cluster" { From 872c088c5b24b51950ab98a3995ae75c999eff88 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 19:16:21 -0400 Subject: [PATCH 7/9] =?UTF-8?q?=F0=9F=90=9B=20fix(view-access):=20fix=20ku?= =?UTF-8?q?bernetes=20groups=20to=20reference=20restrictedaccess=20group?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8749b5f..0d96dcd 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,7 @@ locals { for arn in tolist(data.aws_iam_roles.view_arns.arns) : arn => { principal_arn = arn - kubernetes_groups = ["eks-console-dashboard-read-only-group"] + kubernetes_groups = ["eks-console-dashboard-restricted-access-group"] policy_associations = { admin = { policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" From 32e1768f8bc4b2d26177e720950e358c05dca351 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 10 Sep 2024 19:19:05 -0400 Subject: [PATCH 8/9] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20upd?= =?UTF-8?q?ate=20var=20names=20to=20better?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 0d96dcd..31a6df7 100644 --- a/main.tf +++ b/main.tf 
@@ -61,7 +61,7 @@ locals { tags = merge(local.base_tags, var.tags) - sso_entries = { + admins = { for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : arn => { principal_arn = arn @@ -77,7 +77,7 @@ locals { } } - view_entries = { + viewers = { for arn in tolist(data.aws_iam_roles.view_arns.arns) : arn => { principal_arn = arn @@ -93,7 +93,7 @@ locals { } } - access_entries = merge(local.sso_entries, local.view_entries) + access_entries = merge(local.admins, local.viewers) } module "cluster" { From 9db2a21d79bfeb6ab80c633d7cff364882193991 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 11 Sep 2024 22:19:12 -0400 Subject: [PATCH 9/9] =?UTF-8?q?=F0=9F=90=9B=20fix(access=5Fentries):=20fil?= =?UTF-8?q?ter=20current=20arn=20from=20access=5Fentries=20as=20cluster=5F?= =?UTF-8?q?creator=20is=20enabled?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 3 ++- access_entries.tf | 56 ++++++++++++++++++++++++++++++++++++++++ main.tf | 65 +++++------------------------------------------ outputs.tf | 5 ++++ 4 files changed, 70 insertions(+), 59 deletions(-) create mode 100644 access_entries.tf diff --git a/README.md b/README.md index 5b25973..a27a618 100644 --- a/README.md +++ b/README.md 
@@ -121,7 +121,8 @@ Change logs are auto-generated with commitizen. | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | -| [aws_iam_roles.view_arns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | diff --git a/access_entries.tf b/access_entries.tf new file mode 100644 index 0000000..477eca7 --- /dev/null +++ b/access_entries.tf 
@@ -0,0 +1,56 @@ +################################################################################ +# Access Entries +################################################################################ +data "aws_iam_session_context" "current" { + arn = data.aws_caller_identity.current.arn +} + +data "aws_iam_roles" "sso_admins" { + name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + +data "aws_iam_roles" "roles" { + name_regex = "r-inf-terrafor(m|m-eks)" +} + +data "aws_iam_roles" "sso_read" { + name_regex = "AWSReservedSSO_inf-admin-t1" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + +locals { + access_entries = merge(local.admins, local.viewers) + arns = [for arn in merge(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns) : arn if arn != data.aws_iam_session_context.current.issuer_arn] + admins = { + for arn in local.arns : + arn => { + principal_arn = arn + kubernetes_groups = ["eks-console-dashboard-full-access-group"] + policy_associations = { + admin = { + policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + } + } + + viewers = { + for arn in tolist(data.aws_iam_roles.sso_read.arns) : + arn => { + principal_arn = arn + kubernetes_groups = ["eks-console-dashboard-restricted-access-group"] + policy_associations = { + view = { + policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + type = "cluster" + } + } + } + } + } +} diff --git a/main.tf b/main.tf index 31a6df7..1ca8953 100644 --- a/main.tf +++ b/main.tf 
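Review bot: The `roles` data source in this new file goes back to `name_regex = "r-inf-terrafor(m|m-eks)"`, which patch 4 of this same series had already replaced because it also matched a route53 role; `aws_iam_roles.name_regex` is applied as an unanchored regexp against the role name, so any role whose name merely contains `r-inf-terraform` is handed `AmazonEKSClusterAdminPolicy` at cluster scope. If the two intended roles are `r-inf-terraform` and `r-inf-terraform-eks`, anchor the pattern: `name_regex = "^r-inf-terraform(-eks)?$"`. Separately, `local.arns` passes the two `arns` attributes to `merge()`, which takes maps, while the data source exposes `arns` as a set of strings, so this expression looks like it would fail at plan time; `setunion(data.aws_iam_roles.roles.arns, data.aws_iam_roles.sso_admins.arns)` yields the combined, de-duplicated set the earlier `concat(tolist(...))` form produced. `data.aws_caller_identity.current` is referenced here but declared outside this hunk, presumably in main.tf.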
@@ -27,73 +27,22 @@ data "aws_kms_key" "ebs_key" { key_id = data.aws_ebs_default_kms_key.current.key_arn } -data "aws_iam_roles" "sso_admins" { - name_regex = "AWSReservedSSO_inf-admin-t(2|3|4)" - path_prefix = "/aws-reserved/sso.amazonaws.com/" -} - -data "aws_iam_roles" "roles" { - name_regex = "r-inf-terraform(-eks)" -} - -data "aws_iam_roles" "view_arns" { - name_regex = "AWSReservedSSO_inf-admin-t1" - path_prefix = "/aws-reserved/sso.amazonaws.com/" -} - locals { - vpc_id = data.aws_vpc.eks_vpc.id - vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block - subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] - + additional_policies = {} base_tags = { - "eks-cluster-name" = var.cluster_name + "boc:eks-cluster-name" = var.cluster_name "boc:tf_module_name" = local.module_name "boc:tf_module_version" = local.module_version "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) + subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] + tags = merge(local.base_tags, var.tags) + vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block + vpc_id = data.aws_vpc.eks_vpc.id - additional_policies = { - } - - ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) - - tags = merge(local.base_tags, var.tags) - - admins = { - for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : - arn => { - principal_arn = arn - kubernetes_groups = ["eks-console-dashboard-full-access-group"] - policy_associations = { - admin = { - policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" - access_scope = { - type = "cluster" - } - } - } - } - } - - viewers = { - for arn in tolist(data.aws_iam_roles.view_arns.arns) : - arn => { - principal_arn = arn - kubernetes_groups = 
["eks-console-dashboard-restricted-access-group"] - policy_associations = { - admin = { - policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" - access_scope = { - type = "cluster" - } - } - } - } - } - access_entries = merge(local.admins, local.viewers) } module "cluster" { diff --git a/outputs.tf b/outputs.tf index c55fe96..b857692 100644 --- a/outputs.tf +++ b/outputs.tf @@ -129,6 +129,11 @@ output "cluster_status" { value = module.cluster.cluster_status } +output "access_entries" { + description = "The access_entries object added to cluster" + value = local.access_entries +} + ################################################################################ # KMS Key ################################################################################
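Review bot: The tag key rename from `"eks-cluster-name"` to `"boc:eks-cluster-name"` in `base_tags` is an unrelated change in a commit whose subject is about filtering the caller's ARN, and anything that matches on the old key (IAM `aws:ResourceTag` conditions, cost reports, tag-based discovery) will silently stop matching after apply. Either split it into its own commit with that impact in the message, or keep the old key alongside during a transition: `"eks-cluster-name" = var.cluster_name` next to the new line. The moved `subnets` filter on `us-east-1e` sits beside policy ARNs in the `aws-us-gov` partition, so that exclusion may never match in a GovCloud region; worth a comment on why it is there. The `module "cluster"` block begins on the last line of this hunk and continues outside it.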
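Review bot: The new `access_entries` output's description does not say that the entry for the principal running the apply is deliberately left out, which is the whole point of this commit, so someone auditing the output would conclude that role has no access. Suggest `description = "Access entries managed by this module; the applying principal is omitted because cluster-creator admin permissions already cover it"`. The value is a map of principal ARNs and policy ARNs, not credentials, so it does not need `sensitive = true`, but note it does expose which SSO roles hold cluster admin to anyone who can read state or outputs.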