From 38b7af848776457808bd4e05b885548c8019348d Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 30 Dec 2022 07:15:27 -0500
Subject: [PATCH] add beginning of example for cluster admin
---
 examples/cluster-assume-role/group.tf | 2 ++
 examples/cluster-assume-role/policies.tf | 33 +++++++++++++++++++++++
 examples/cluster-assume-role/variables.tf | 5 ++++
 3 files changed, 40 insertions(+)
 create mode 100644 examples/cluster-assume-role/group.tf
 create mode 100644 examples/cluster-assume-role/policies.tf
 create mode 100644 examples/cluster-assume-role/variables.tf
diff --git a/examples/cluster-assume-role/group.tf b/examples/cluster-assume-role/group.tf
new file mode 100644
index 0000000..c62ab90
--- /dev/null
+++ b/examples/cluster-assume-role/group.tf
@@ -0,0 +1,2 @@
+# add to user group
+# aws_iam_policy.list_assume_policy.arn
diff --git a/examples/cluster-assume-role/policies.tf b/examples/cluster-assume-role/policies.tf
new file mode 100644
index 0000000..bca8567
--- /dev/null
+++ b/examples/cluster-assume-role/policies.tf
@@ -0,0 +1,33 @@
+# we want the per-cluster assume policies, but adding them all to the role may exceed the limit. Here, we'll create a policy that
+# includes all the clusters that this group woudl manage
+
+data "aws_iam_role" "list" {
+ for_each = toset([for c in var.admin_cluster_list : format("r-eks-%v-cluster-admin", c)])
+ name = each.key
+}
+
+#---
+# cluster admin assume policy
+#---
+resource "aws_iam_policy" "list_assume_policy" {
+ name = format("p-%v-cluster-admin-role-assume", local.app_name)
+ path = "/"
+ description = "Allow SAML role to assume cluster-admin roles"
+ policy = data.aws_iam_policy_document.cluster-admin_assume_policy.json
+
+ tags = merge(
+ local.base_tags,
+ # var.tags,
+ var.application_tags,
+ tomap({ "Name" = format("p-%v-cluster-admin-role-assume", local.app_name) }),
+ )
+}
+
+data "aws_iam_policy_document" "cluster-admin_assume_policy" {
+ statement {
+ sid = "AllowSTSAssumeClusterAdminRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = [for k, v in data.aws_iam_role.list : v.arn]
+ }
+}
diff --git a/examples/cluster-assume-role/variables.tf b/examples/cluster-assume-role/variables.tf
new file mode 100644
index 0000000..9b488e7
--- /dev/null
+++ b/examples/cluster-assume-role/variables.tf
@@ -0,0 +1,5 @@
+variable "admin_cluster_list" {
+ description = "List of cluster names for which {cluster-name}-cluster-admin roles should be granted"
+ type = list(string)
+ default = []
+}
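Review bot: With the `default = []` declared in the variables.tf hunk, `data.aws_iam_role.list` has no instances and the `resources` expression in `cluster-admin_assume_policy` evaluates to `[]`, so the example's default configuration renders a statement with no usable Resource element, which I believe IAM rejects for an identity-based policy; either drop `default = []` so the variable must be supplied, or add a `validation` block requiring `length(var.admin_cluster_list) > 0`. The opening comment should name the limit being worked around (presumably the cap on managed policies attached to a role), because folding every role ARN into one document only moves the problem — a single managed policy document is itself bounded by the IAM policy size limit, so a long cluster list will fail there instead; a one-line `# NOTE: one policy document is still bounded by the IAM managed-policy size limit` would make that trade-off explicit. Resolving each target role through a `data "aws_iam_role"` lookup is a good fail-closed choice, since a misspelled cluster name fails at plan time rather than silently producing an ARN that matches nothing, and that rationale is worth a short comment on the `for_each` line. Minor: `woudl` → `would` on the second comment line.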