From 34bf362b96f7c65eba6115cc64c28ee35a451223 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:01:16 -0400 Subject: [PATCH 01/14] initial --- patch-aws-auth/data.eks.tf | 7 + patch-aws-auth/data.tf | 1 + patch-aws-auth/defaults.tf | 1 + patch-aws-auth/examples/settings.aws-auth.tf | 12 ++ patch-aws-auth/examples/variables.aws-auth.tf | 23 +++ patch-aws-auth/kubeconfig.tf | 32 ++++ patch-aws-auth/locals.tf | 6 + patch-aws-auth/main.tf | 165 ++++++++++++++++++ patch-aws-auth/prefixes.tf | 1 + patch-aws-auth/providers.tf | 19 ++ .../templates/config_map.aws-auth.yaml.tpl | 17 ++ patch-aws-auth/variables.aws-auth.tf | 23 +++ patch-aws-auth/variables.eks.tf | 1 + 13 files changed, 308 insertions(+) create mode 100644 patch-aws-auth/data.eks.tf create mode 120000 patch-aws-auth/data.tf create mode 120000 patch-aws-auth/defaults.tf create mode 100644 patch-aws-auth/examples/settings.aws-auth.tf create mode 100644 patch-aws-auth/examples/variables.aws-auth.tf create mode 100644 patch-aws-auth/kubeconfig.tf create mode 100644 patch-aws-auth/locals.tf create mode 100644 patch-aws-auth/main.tf create mode 120000 patch-aws-auth/prefixes.tf create mode 100644 patch-aws-auth/providers.tf create mode 100644 patch-aws-auth/templates/config_map.aws-auth.yaml.tpl create mode 100644 patch-aws-auth/variables.aws-auth.tf create mode 120000 patch-aws-auth/variables.eks.tf diff --git a/patch-aws-auth/data.eks.tf b/patch-aws-auth/data.eks.tf new file mode 100644 index 0000000..aa36539 --- /dev/null +++ b/patch-aws-auth/data.eks.tf @@ -0,0 +1,7 @@ +eata "aws_eks_cluster" "cluster" { + name = var.cluster_name +} + +data "aws_eks_cluster_auth" "cluster" { + name = var.cluster_name +} diff --git a/patch-aws-auth/data.tf b/patch-aws-auth/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/patch-aws-auth/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/patch-aws-auth/defaults.tf b/patch-aws-auth/defaults.tf new file mode 120000 index 0000000..a5556ac --- /dev/null +++ b/patch-aws-auth/defaults.tf @@ -0,0 +1 @@ +../common/defaults.tf \ No newline at end of file diff --git a/patch-aws-auth/examples/settings.aws-auth.tf b/patch-aws-auth/examples/settings.aws-auth.tf new file mode 100644 index 0000000..02cc2f2 --- /dev/null +++ b/patch-aws-auth/examples/settings.aws-auth.tf @@ -0,0 +1,12 @@ +locals { + aws_auth_users = [] + aws_auth_roles = [ + { + # rolearn: data.terraform_remote_state.applications_apps-adsd-eks_vpc_east_vpc2_apps_eks-adsd-cumulus-dev.outputs.role_cluster-admin-role_arn + rolearn : "" + aws_rolename : format("%v%v-cluster-admin", local._prefixes["eks-role"], var.cluster_name) + username : "admin" + groups = ["system:masters", "eks-console-dashboard-full-access-group"] + }, + ] +} diff --git a/patch-aws-auth/examples/variables.aws-auth.tf b/patch-aws-auth/examples/variables.aws-auth.tf new file mode 100644 index 0000000..d43c508 --- /dev/null +++ b/patch-aws-auth/examples/variables.aws-auth.tf @@ -0,0 +1,23 @@ +# maybe just ignore the ARN entirely and force a read + +variable "aws_auth_users" { + description = "A list of objects where each object has userarn, aws_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS." + type = list(object({ + userarn = string + aws_username = string + username = string + groups = list(string) + })) + default = [] +} + +variable "aws_auth_roles" { + description = "A list of objects where each object has rolearn, aws_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS." + type = list(object({ + rolearn = string + aws_rolename = string + username = string + groups = list(string) + })) + default = [] +} diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf new file mode 100644 index 0000000..f1adf79 --- /dev/null +++ b/patch-aws-auth/kubeconfig.tf @@ -0,0 +1,32 @@ +# establish kubeconfig file needed for kubectl patch command +# requires kubectl command in the path + +resource "null_resource" "kubeconfig" { +# triggers = { +# always_run = timestamp() +# } + provisioner "local-exec" { + command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi" + } + provisioner "local-exec" { + command = "test -d '${path.root}/setup' || mkdir '${path.root}/setup'" + } + provisioner "local-exec" { + environment = { + AWS_PROFILE = var.profile + AWS_REGION = var.region + } + command = "aws eks update-kubeconfig --name ${var.cluster_name} --kubeconfig ${path.root}/setup/aws-auth.kube.config" + } + depends_on = [data.aws_eks_cluster.cluster] +} + +#--- +# call it like +#--- +## provisioner "local-exec" { +## environment = { +## KUBECONFIG = "${path.root}/setup/kube.config" +## } +## command = "kubectli set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true" +## } diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf new file mode 100644 index 0000000..521b7f3 --- /dev/null +++ b/patch-aws-auth/locals.tf @@ -0,0 +1,6 @@ +locals { + region = data.aws_region.current.name + aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster + aws_eks_cluster = data.aws_eks_cluster.cluster +} + diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf new file mode 100644 index 0000000..c6c2fd7 --- /dev/null +++ b/patch-aws-auth/main.tf @@ -0,0 +1,165 @@ +/* +* # About patch-aws-auth +* +* # Example variable usage +* +* ```hcl +* # settings.auto.tfvars +* aws_auth_users = [ +* { +* userarn = "" +* aws_username = "a-ashle001" +* username = "admin" +* groups = ["system:masters", "eks-console-dashboard-full-access-group"] +* }, +* ] +* aws_auth_roles = [ +* { +* rolearn : "" +* aws_rolename : "r-inf-cloud-admin" +* username : "admin" +* groups = ["eks-console-dashboard-full-access-group"] +* }, +* ] +* ``` +* +* ```hcl +* # patch-aws-auth.tf +* module "awsauth_base_users" { +* source = THIS +* +* cluster_name = "adsd-cumulus-dev" +* aws_auth_users = var.aws_auth_users +* aws_auth_roles = var.aws_auth_roles +* } +* ``` +*/ + + +# pull in current configmap aws-auth +data "kubernetes_config_map" "aws-auth" { + metadata { + name = "aws-auth" + namespace = "kube-system" + } +} + +# map users without ARNs to arns +data "aws_iam_user" "auth_users" { + for_each = toset([for u in local.joined_auth_users : u.aws_username]) + user_name = each.key +} + +# map roles without ARNs to arns +data "aws_iam_role" "auth_roles" { + for_each = toset([for r in local.joined_auth_roles : r.aws_rolename]) + name = each.key +} + +locals { + existing_roles_string = lookup(data.kubernetes_config_map.aws-auth.data, "mapRoles", "") + existing_users_string = lookup(data.kubernetes_config_map.aws-auth.data, "mapUsers", "") + + existing_roles = local.existing_roles_string != "" ? yamldecode(local.existing_roles_string) : [] + existing_users = local.existing_users_string != "" ? yamldecode(local.existing_users_string) : [] + + joined_auth_users = concat(local.aws_auth_users, var.aws_auth_users) + joined_auth_roles = concat(local.aws_auth_roles, var.aws_auth_roles) + + mapped_auth_users = [for u in local.joined_auth_users : { + userarn = data.aws_iam_user.auth_users[u.aws_username].arn + aws_username = u.aws_username + username = u.username + groups = u.groups + }] + mapped_auth_roles = [for u in local.joined_auth_roles : { + rolearn = data.aws_iam_role.auth_roles[u.aws_rolename].arn + aws_rolename = u.aws_rolename + username = u.username + groups = u.groups + }] + + merged_users = merge( + { for user in local.existing_users : user.userarn => user }, + # { for user in local.aws_auth_users : user.userarn => user }, + # { for user in var.aws_auth_users : user.userarn => user } + { for user in local.mapped_auth_users : user.userarn => user }, + ) + + merged_roles = merge( + { for role in local.existing_roles : role.rolearn => role }, + # { for role in local.aws_auth_roles : role.rolearn => role }, + # { for role in var.aws_auth_roles : role.rolearn => role } + { for role in local.mapped_auth_roles : role.rolearn => role }, + ) + + # patch = yamlencode({ + # "data" = { + # "mapUsers" = values(local.merged_users) + # "mapRoles" = values(local.merged_roles) + # } + # }) + patch = < 0~} + mapRoles: | +%{for k, v in local.merged_roles~} + - rolearn: ${v.rolearn} + username: ${v.username} + groups: +%{for g in v.groups~} + - ${g} +%{endfor~} +%{endfor~} +%{endif~} +%{if length(local.merged_users) > 0~} + mapUsers: | +%{for k, v in local.merged_users~} + - userarn: ${v.userarn} + username: ${v.username} + groups: +%{for g in v.groups~} + - ${g} +%{endfor~} +%{endfor~} +%{endif~} +EOM + + # patch_t = templatefile("${path.root}/config_map.aws-auth.yaml.tpl",{ + # users = values(local.merged_users) + # roles = values(local.merged_roles) + # }) +} + +resource "null_resource" "patch-aws-auth" { + triggers = { + users = join(",", sort(keys(local.merged_users))) + roles = join(",", sort(keys(local.merged_roles))) + } + depends_on = [null_resource.kubeconfig] + + provisioner "local-exec" { + command = "test -d ${path.root}/setup || mkdir ${path.root}/setup" + } + provisioner "local-exec" { + working_dir = "${path.root}/setup" + command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml" + } + provisioner "local-exec" { + working_dir = "${path.root}/setup" + command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml" + } +} + +# output "map" { +# value = data.kubernetes_config_map.aws-auth +# } +# output "map_output" { +# value = { +# "object" = data.kubernetes_config_map.aws-auth +# "existing_users" = local.existing_users +# "existing_roles" = local.existing_roles +# "patch" = local.patch +# "patch_text" = local.patch_t +# } +# } diff --git a/patch-aws-auth/prefixes.tf b/patch-aws-auth/prefixes.tf new file mode 120000 index 0000000..7e265d5 --- /dev/null +++ b/patch-aws-auth/prefixes.tf @@ -0,0 +1 @@ +../common/prefixes.tf \ No newline at end of file diff --git a/patch-aws-auth/providers.tf b/patch-aws-auth/providers.tf new file mode 100644 index 0000000..e881b38 --- /dev/null +++ b/patch-aws-auth/providers.tf @@ -0,0 +1,19 @@ +terraform { + required_version = ">= 0.12.31" +} + +provider "kubernetes" { + host = local.aws_eks_cluster.endpoint + + cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data) + token = local.aws_eks_cluster_auth.token +} + +# provider "helm" { +# kubernetes { +# host = local.aws_eks_cluster.endpoint +# +# cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data) +# token = local.aws_eks_cluster_auth.token +# } +# } diff --git a/patch-aws-auth/templates/config_map.aws-auth.yaml.tpl b/patch-aws-auth/templates/config_map.aws-auth.yaml.tpl new file mode 100644 index 0000000..7c58ada --- /dev/null +++ b/patch-aws-auth/templates/config_map.aws-auth.yaml.tpl @@ -0,0 +1,17 @@ +data: +%{ if length(roles) > 0 } + mapRoles: | + %{ for k, v in roles ~} + - rolearn: ${v.rolearn} + username: ${v.username} + groups: ${v.groups} + %{ endfor ~} +%{ endif } +%{ if length(users) > 0 } + mapUsers: | + %{ for k, v in users ~} + - userarn: ${v.userarn} + username: ${v.username} + groups: ${v.groups} + %{ endfor ~} +%{ endif } diff --git a/patch-aws-auth/variables.aws-auth.tf b/patch-aws-auth/variables.aws-auth.tf new file mode 100644 index 0000000..d43c508 --- /dev/null +++ b/patch-aws-auth/variables.aws-auth.tf @@ -0,0 +1,23 @@ +# maybe just ignore the ARN entirely and force a read + +variable "aws_auth_users" { + description = "A list of objects where each object has userarn, aws_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS." + type = list(object({ + userarn = string + aws_username = string + username = string + groups = list(string) + })) + default = [] +} + +variable "aws_auth_roles" { + description = "A list of objects where each object has rolearn, aws_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS." + type = list(object({ + rolearn = string + aws_rolename = string + username = string + groups = list(string) + })) + default = [] +} diff --git a/patch-aws-auth/variables.eks.tf b/patch-aws-auth/variables.eks.tf new file mode 120000 index 0000000..e7dc7b7 --- /dev/null +++ b/patch-aws-auth/variables.eks.tf @@ -0,0 +1 @@ +../common/variables.eks.tf \ No newline at end of file From 08db80d61490f1411d502f682512f08374622f8b Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:06:22 -0400 Subject: [PATCH 02/14] add files --- common/prefixes.tf | 6 +++++ common/variables.eks.tf | 60 +++++++++++++++++++++++++++++++++++++++++ common/version.tf | 2 +- 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 common/variables.eks.tf diff --git a/common/prefixes.tf b/common/prefixes.tf index d2ee1fe..5b4d144 100644 --- a/common/prefixes.tf +++ b/common/prefixes.tf @@ -24,5 +24,11 @@ locals { "vpn-connection" = "vpn_" "log-group" = "lg-" "log-stream" = "lgs-" + # EKS + "eks" = "eks-" + "eks-user" = "s-eks-" + "eks-role" = "r-eks-" + "eks-policy" = "p-eks-" + "eks-security-group" = "eks-" } } diff --git a/common/variables.eks.tf b/common/variables.eks.tf new file mode 100644 index 0000000..fd44b5f --- /dev/null +++ b/common/variables.eks.tf @@ -0,0 +1,60 @@ +## variable "vpc_name" { +## description = "Define the VPC name that will be used by this cluster to find the VPC ID" +## type = string +## # default = "" +## } +## +## variable "subnets_name" { +## description = "Define the name of the subnets to be used by this cluster" +## type = string +## # default = "" +## } + +variable "cluster_name" { + description = "EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev)" + type = string + default = null +} + +variable "cluster_version" { + description = "The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html" + type = string + default = "1.21" +} + +variable "instance_type" { + description = "EKS worker node instance type (default: t3.xlarge)" + type = string + default = "t3.xlarge" +} + +variable "nodegroup_desired_size" { + description = "EKS Nodegroup desire size (default: 1)" + type = number + default = 1 +} + +variable "nodegroup_minumum_size" { + description = "EKS Nodegroup minimum size (default: 1)" + type = number + default = 1 +} + +variable "nodegroup_maximum_size" { + description = "EKs Nodegroup maximum size (default: 16)" + type = number + default = 16 +} + +variable "nodegroup_instance_disk_size" { + description = "The size of EKS nodegroup EBS disk in gigabytes (default: 40)" + type = number + default = 40 +} + +variable "domain" { + description = "The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway." + type = string + default = "" +} + diff --git a/common/version.tf b/common/version.tf index a0cd862..fa2705b 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "0.0.0" + _module_version = "1.0.0" } From 83118fdf49be17f73c80fcb05d03c85e866fc18c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:07:21 -0400 Subject: [PATCH 03/14] add README --- patch-aws-auth/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 patch-aws-auth/README.md diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md new file mode 100644 index 0000000..e69de29 From 8558c8fe6e281786ea09ed84fc9343c7f7dcd6c7 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:11:01 -0400 Subject: [PATCH 04/14] add info --- patch-aws-auth/README.md | 88 ++++++++++++++++++++++++++++++++++++ patch-aws-auth/data.eks.tf | 2 +- patch-aws-auth/kubeconfig.tf | 6 +-- patch-aws-auth/locals.tf | 4 +- patch-aws-auth/main.tf | 8 ++-- 5 files changed, 99 insertions(+), 9 deletions(-) diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index e69de29..f854412 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -0,0 +1,88 @@ +# About patch-aws-auth +This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into +Kubernetes (k8s) users and group permissions. + +# Example variable usage + +```hcl +# settings.auto.tfvars +aws_auth_users = [ + { + userarn = "" + aws_username = "a-ashle001" + username = "admin" + groups = ["system:masters", "eks-console-dashboard-full-access-group"] + }, +] +aws_auth_roles = [ + { + rolearn : "" + aws_rolename : "r-inf-cloud-admin" + username : "admin" + groups = ["eks-console-dashboard-full-access-group"] + }, +] +``` + +```hcl +# patch-aws-auth.tf +module "awsauth_base_users" { + source = THIS + + cluster_name = "adsd-cumulus-dev" + aws_auth_users = var.aws_auth_users + aws_auth_roles = var.aws_auth_roles +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12.31 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.patch-aws-auth](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_role.auth_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_user.auth_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_user) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [kubernetes_config_map.aws-auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/config_map) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_auth\_roles](#input\_aws\_auth\_roles) | A list of objects where each object has rolearn, aws\_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS. | 
list(object({
    rolearn      = string
    aws_rolename = string
    username     = string
    groups       = list(string)
  }))
| `[]` | no | +| [aws\_auth\_users](#input\_aws\_auth\_users) | A list of objects where each object has userarn, aws\_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS. | 
list(object({
    userarn      = string
    aws_username = string
    username     = string
    groups       = list(string)
  }))
| `[]` | no | +| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | `null` | no | +| [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no | +| [domain](#input\_domain) | The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no | +| [instance\_type](#input\_instance\_type) | EKS worker node instance type (default: t3.xlarge) | `string` | `"t3.xlarge"` | no | +| [nodegroup\_desired\_size](#input\_nodegroup\_desired\_size) | EKS Nodegroup desire size (default: 1) | `number` | `1` | no | +| [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no | +| [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no | +| [nodegroup\_minumum\_size](#input\_nodegroup\_minumum\_size) | EKS Nodegroup minimum size (default: 1) | `number` | `1` | no | + +## Outputs + +No outputs. diff --git a/patch-aws-auth/data.eks.tf b/patch-aws-auth/data.eks.tf index aa36539..408d60b 100644 --- a/patch-aws-auth/data.eks.tf +++ b/patch-aws-auth/data.eks.tf @@ -1,4 +1,4 @@ -eata "aws_eks_cluster" "cluster" { +data "aws_eks_cluster" "cluster" { name = var.cluster_name } diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf index f1adf79..6adbdd7 100644 --- a/patch-aws-auth/kubeconfig.tf +++ b/patch-aws-auth/kubeconfig.tf @@ -2,9 +2,9 @@ # requires kubectl command in the path resource "null_resource" "kubeconfig" { -# triggers = { -# always_run = timestamp() -# } + # triggers = { + # always_run = timestamp() + # } provisioner "local-exec" { command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi" } diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf index 521b7f3..a6f1b34 100644 --- a/patch-aws-auth/locals.tf +++ b/patch-aws-auth/locals.tf @@ -1,6 +1,6 @@ locals { - region = data.aws_region.current.name + region = data.aws_region.current.name aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster - aws_eks_cluster = data.aws_eks_cluster.cluster + aws_eks_cluster = data.aws_eks_cluster.cluster } diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index c6c2fd7..ba5d909 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -1,5 +1,7 @@ /* * # About patch-aws-auth +* This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into +* Kubernetes (k8s) users and group permissions. * * # Example variable usage * @@ -33,7 +35,7 @@ * aws_auth_roles = var.aws_auth_roles * } * ``` -*/ +*/ # pull in current configmap aws-auth @@ -143,11 +145,11 @@ resource "null_resource" "patch-aws-auth" { } provisioner "local-exec" { working_dir = "${path.root}/setup" - command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml" + command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml" } provisioner "local-exec" { working_dir = "${path.root}/setup" - command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml" + command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml" } } From d250dce5398c0dfafece7324fd147af9b00e56c1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:14:13 -0400 Subject: [PATCH 05/14] update --- patch-aws-auth/README.md | 2 +- patch-aws-auth/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index f854412..56af97f 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -27,7 +27,7 @@ aws_auth_roles = [ ```hcl # patch-aws-auth.tf module "awsauth_base_users" { - source = THIS + source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?feature-patch-aws-auth" cluster_name = "adsd-cumulus-dev" aws_auth_users = var.aws_auth_users diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index ba5d909..15ca266 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -28,7 +28,7 @@ * ```hcl * # patch-aws-auth.tf * module "awsauth_base_users" { -* source = THIS +* source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?feature-patch-aws-auth" * * cluster_name = "adsd-cumulus-dev" * aws_auth_users = var.aws_auth_users From f8c47b84dedd81340562c5c109c7b85a5387e608 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:48:33 -0400 Subject: [PATCH 06/14] fix --- patch-aws-auth/README.md | 2 +- patch-aws-auth/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index 56af97f..5e3f42e 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -27,7 +27,7 @@ aws_auth_roles = [ ```hcl # patch-aws-auth.tf module "awsauth_base_users" { - source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?feature-patch-aws-auth" + source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=feature-patch-aws-auth" cluster_name = "adsd-cumulus-dev" aws_auth_users = var.aws_auth_users diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index 15ca266..16db92e 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -28,7 +28,7 @@ * ```hcl * # patch-aws-auth.tf * module "awsauth_base_users" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?feature-patch-aws-auth" +* source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=feature-patch-aws-auth" * * cluster_name = "adsd-cumulus-dev" * aws_auth_users = var.aws_auth_users From ff380e195d05a9c281d9922e6bab443523ae8a4c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 11:56:14 -0400 Subject: [PATCH 07/14] add awscli variables --- common/variables.awscli.tf | 10 ++++++++++ patch-aws-auth/README.md | 2 ++ patch-aws-auth/kubeconfig.tf | 5 ++++- patch-aws-auth/locals.tf | 2 +- patch-aws-auth/variables.awscli.tf | 1 + 5 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 common/variables.awscli.tf create mode 120000 patch-aws-auth/variables.awscli.tf diff --git a/common/variables.awscli.tf b/common/variables.awscli.tf new file mode 100644 index 0000000..69ec329 --- /dev/null +++ b/common/variables.awscli.tf @@ -0,0 +1,10 @@ +variable "region" { + description = "AWS region (default: pull from current running provider)" + type = string + default = "" +} + +variable "profile" { + description = "AWS config profile. This is needed because we call the AWSCLI." + type = string +} diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index 5e3f42e..0636c42 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -82,6 +82,8 @@ No modules. | [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no | | [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no | | [nodegroup\_minumum\_size](#input\_nodegroup\_minumum\_size) | EKS Nodegroup minimum size (default: 1) | `number` | `1` | no | +| [profile](#input\_profile) | AWS config profile. This is needed because we call the AWSCLI. | `string` | n/a | yes | +| [region](#input\_region) | AWS region (default: pull from current running provider) | `string` | `""` | no | ## Outputs diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf index 6adbdd7..2f298bd 100644 --- a/patch-aws-auth/kubeconfig.tf +++ b/patch-aws-auth/kubeconfig.tf @@ -8,13 +8,16 @@ resource "null_resource" "kubeconfig" { provisioner "local-exec" { command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi" } + provisioner "local-exec" { + command = "which aws > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing aws-cli (v2)'; exit 1; else exit 0; fi" + } provisioner "local-exec" { command = "test -d '${path.root}/setup' || mkdir '${path.root}/setup'" } provisioner "local-exec" { environment = { AWS_PROFILE = var.profile - AWS_REGION = var.region + AWS_REGION = local.region } command = "aws eks update-kubeconfig --name ${var.cluster_name} --kubeconfig ${path.root}/setup/aws-auth.kube.config" } diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf index a6f1b34..37bfcf0 100644 --- a/patch-aws-auth/locals.tf +++ b/patch-aws-auth/locals.tf @@ -1,5 +1,5 @@ locals { - region = data.aws_region.current.name + region = var.region == "" ? data.aws_region.current.name : var.region aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster aws_eks_cluster = data.aws_eks_cluster.cluster } diff --git a/patch-aws-auth/variables.awscli.tf b/patch-aws-auth/variables.awscli.tf new file mode 120000 index 0000000..2b4bec3 --- /dev/null +++ b/patch-aws-auth/variables.awscli.tf @@ -0,0 +1 @@ +../common/variables.awscli.tf \ No newline at end of file From 7948c95ab1f21c11a73a2dbd0f3d230b475744d3 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:07:45 -0400 Subject: [PATCH 08/14] fix --- patch-aws-auth/main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index 16db92e..5ad0331 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -65,8 +65,10 @@ locals { existing_roles = local.existing_roles_string != "" ? yamldecode(local.existing_roles_string) : [] existing_users = local.existing_users_string != "" ? yamldecode(local.existing_users_string) : [] - joined_auth_users = concat(local.aws_auth_users, var.aws_auth_users) - joined_auth_roles = concat(local.aws_auth_roles, var.aws_auth_roles) + # joined_auth_users = concat(local.aws_auth_users, var.aws_auth_users) + # joined_auth_roles = concat(local.aws_auth_roles, var.aws_auth_roles) + joined_auth_users = var.aws_auth_users + joined_auth_roles = var.aws_auth_roles mapped_auth_users = [for u in local.joined_auth_users : { userarn = data.aws_iam_user.auth_users[u.aws_username].arn From 85565651c11dca57b911864952e3ab86f8c632fd Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:10:11 -0400 Subject: [PATCH 09/14] fix --- patch-aws-auth/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index 5ad0331..c5e23b7 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -48,13 +48,13 @@ data "kubernetes_config_map" "aws-auth" { # map users without ARNs to arns data "aws_iam_user" "auth_users" { - for_each = toset([for u in local.joined_auth_users : u.aws_username]) + for_each = toset([for u in local.joined_auth_users : u.aws_username if u.aws_username != ""]) user_name = each.key } # map roles without ARNs to arns data "aws_iam_role" "auth_roles" { - for_each = toset([for r in local.joined_auth_roles : r.aws_rolename]) + for_each = toset([for r in local.joined_auth_roles : r.aws_rolename if r.aws_rolename != ""]) name = each.key } From 539e62a6ca701adab04335263e75fab308cff2d1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:15:25 -0400 Subject: [PATCH 10/14] fix --- patch-aws-auth/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index c5e23b7..2411820 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -71,13 +71,13 @@ locals { joined_auth_roles = var.aws_auth_roles mapped_auth_users = [for u in local.joined_auth_users : { - userarn = data.aws_iam_user.auth_users[u.aws_username].arn + userarn = u.aws_username != "" ? data.aws_iam_user.auth_users[u.aws_username].arn : userarn aws_username = u.aws_username username = u.username groups = u.groups }] mapped_auth_roles = [for u in local.joined_auth_roles : { - rolearn = data.aws_iam_role.auth_roles[u.aws_rolename].arn + rolearn = u.aws_rolename != "" ? data.aws_iam_role.auth_roles[u.aws_rolename].arn : rolearn aws_rolename = u.aws_rolename username = u.username groups = u.groups From 12da3bf8873c718fc7ef87faa4dd3642338d40d9 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:18:39 -0400 Subject: [PATCH 11/14] fix --- patch-aws-auth/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index 2411820..b78480d 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -71,13 +71,13 @@ locals { joined_auth_roles = var.aws_auth_roles mapped_auth_users = [for u in local.joined_auth_users : { - userarn = u.aws_username != "" ? data.aws_iam_user.auth_users[u.aws_username].arn : userarn + userarn = u.aws_username != "" ? data.aws_iam_user.auth_users[u.aws_username].arn : u.userarn aws_username = u.aws_username username = u.username groups = u.groups }] mapped_auth_roles = [for u in local.joined_auth_roles : { - rolearn = u.aws_rolename != "" ? data.aws_iam_role.auth_roles[u.aws_rolename].arn : rolearn + rolearn = u.aws_rolename != "" ? data.aws_iam_role.auth_roles[u.aws_rolename].arn : u.rolearn aws_rolename = u.aws_rolename username = u.username groups = u.groups From 32f7a18260ae8a41b5495b3c18af36fbdff5dccb Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:33:27 -0400 Subject: [PATCH 12/14] update docs, remove files --- patch-aws-auth/README.md | 12 +++++++++--- patch-aws-auth/kubeconfig.tf | 8 ++++---- patch-aws-auth/locals.tf | 2 ++ patch-aws-auth/main.tf | 23 ++++++++++++++++++----- 4 files changed, 33 insertions(+), 12 deletions(-) diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index 0636c42..469d317 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -29,9 +29,13 @@ aws_auth_roles = [ module "awsauth_base_users" { source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=feature-patch-aws-auth" - cluster_name = "adsd-cumulus-dev" - aws_auth_users = var.aws_auth_users - aws_auth_roles = var.aws_auth_roles + profile = "123456789012-ma6-gov" + region = "us-gov-east-1" + cluster_name = "adsd-cumulus-dev" + aws_auth_users = var.aws_auth_users + aws_auth_roles = var.aws_auth_roles + # optional + keep_temporary_files = false } ``` @@ -59,6 +63,7 @@ No modules. |------|------| | [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.patch-aws-auth](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.remove_temporary_files](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | @@ -78,6 +83,7 @@ No modules. | [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no | | [domain](#input\_domain) | The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no | | [instance\_type](#input\_instance\_type) | EKS worker node instance type (default: t3.xlarge) | `string` | `"t3.xlarge"` | no | +| [keep\_temporary\_files](#input\_keep\_temporary\_files) | This module creates temporary files in setup/patch-aws-auth.TIMESTAMP.*. This flag determines whether to keep or remove them (default: false) | `bool` | `false` | no | | [nodegroup\_desired\_size](#input\_nodegroup\_desired\_size) | EKS Nodegroup desire size (default: 1) | `number` | `1` | no | | [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no | | [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no | diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf index 2f298bd..df93dc3 100644 --- a/patch-aws-auth/kubeconfig.tf +++ b/patch-aws-auth/kubeconfig.tf @@ -2,9 +2,9 @@ # requires kubectl command in the path resource "null_resource" "kubeconfig" { - # triggers = { - # always_run = timestamp() - # } + triggers = { + always_run = timestamp() + } provisioner "local-exec" { command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi" } @@ -19,7 +19,7 @@ resource "null_resource" "kubeconfig" { AWS_PROFILE = var.profile AWS_REGION = local.region } - command = "aws eks update-kubeconfig --name ${var.cluster_name} --kubeconfig ${path.root}/setup/aws-auth.kube.config" + command = "aws eks update-kubeconfig --name ${var.cluster_name} --kubeconfig ${path.root}/setup/${local.tmp_filename_prefix}.kube.config" } depends_on = [data.aws_eks_cluster.cluster] } diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf index 37bfcf0..b55ae7b 100644 --- a/patch-aws-auth/locals.tf +++ b/patch-aws-auth/locals.tf @@ -2,5 +2,7 @@ locals { region = var.region == "" ? data.aws_region.current.name : var.region aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster aws_eks_cluster = data.aws_eks_cluster.cluster + + tmp_filename_prefix = format("patch-aws-auth.%v", timestamp()) } diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf index b78480d..cc31aab 100644 --- a/patch-aws-auth/main.tf +++ b/patch-aws-auth/main.tf @@ -30,9 +30,13 @@ * module "awsauth_base_users" { * source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=feature-patch-aws-auth" * -* cluster_name = "adsd-cumulus-dev" -* aws_auth_users = var.aws_auth_users -* aws_auth_roles = var.aws_auth_roles +* profile = "123456789012-ma6-gov" +* region = "us-gov-east-1" +* cluster_name = "adsd-cumulus-dev" +* aws_auth_users = var.aws_auth_users +* aws_auth_roles = var.aws_auth_roles +* # optional +* keep_temporary_files = false * } * ``` */ @@ -147,11 +151,20 @@ resource "null_resource" "patch-aws-auth" { } provisioner "local-exec" { working_dir = "${path.root}/setup" - command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml" + command = "echo '${local.patch}' > ${local.tmp_filename_prefix}.config_map.patch.yaml" } provisioner "local-exec" { working_dir = "${path.root}/setup" - command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml" + command = "kubectl --kubeconfig ${local.tmp_filename_prefix}.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file ${local.tmp_filename_prefix}.config_map.patch.yaml" + } +} + +resource "null_resource" "remove_temporary_files" { + count = var.keep_temporary_files ? 0 : 1 + + provisioner "local-exec" { + working_dir = "${path.root}/setup" + command = "rm ${local.tmp_filename_prefix}.*" } } From a0062914b6c6356beae8fc81dfd26ba1137beb7d Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:34:09 -0400 Subject: [PATCH 13/14] add changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ce3418..48c832e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ # Versions -* v1.0.0 -- {{ yyyy-mm-dd }} - - initial creation +* v1.0.0 -- 2021-10-14 + - patch-aws-auth module creation From 957154b0b3ca218d3f648acba7d2532a48ade8c7 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 14 Oct 2021 12:34:28 -0400 Subject: [PATCH 14/14] add variables.tf --- patch-aws-auth/variables.tf | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 patch-aws-auth/variables.tf diff --git a/patch-aws-auth/variables.tf b/patch-aws-auth/variables.tf new file mode 100644 index 0000000..60e0f94 --- /dev/null +++ b/patch-aws-auth/variables.tf @@ -0,0 +1,5 @@ +variable "keep_temporary_files" { + description = "This module creates temporary files in setup/patch-aws-auth.TIMESTAMP.*. This flag determines whether to keep or remove them (default: false)" + type = bool + default = false +}