diff --git a/examples/full-cluster/cluster-roles/dba-rolebinding.tf b/examples/full-cluster/cluster-roles/dba-rolebinding.tf
index 64fdb3d..e7d48aa 100644
--- a/examples/full-cluster/cluster-roles/dba-rolebinding.tf
+++ b/examples/full-cluster/cluster-roles/dba-rolebinding.tf
@@ -14,7 +14,7 @@ resource "kubernetes_namespace" "dba_managed_namespaces" {
 }
 resource "kubernetes_role_binding" "dba_admin_rolebinding" {
-# for_each = toset(local.dba_managed_namespaces)
+ # for_each = toset(local.dba_managed_namespaces)
 for_each = kubernetes_namespace.dba_managed_namespaces
 metadata {
@@ -32,9 +32,9 @@ resource "kubernetes_role_binding" "dba_admin_rolebinding" {
 api_group = "rbac.authorization.k8s.io"
 }
 subject {
- kind = "Group"
+ kind = "Group"
 name = local.dba_k8s_group_name
 api_group = "rbac.authorization.k8s.io"
 }
-# depends_on = [kubernetes_namespace.dba_managed_namespaces]
+ # depends_on = [kubernetes_namespace.dba_managed_namespaces]
 }
diff --git a/examples/full-cluster/cluster-roles/dba.iam.tf b/examples/full-cluster/cluster-roles/dba.iam.tf
index 22e6780..eaea25d 100644
--- a/examples/full-cluster/cluster-roles/dba.iam.tf
+++ b/examples/full-cluster/cluster-roles/dba.iam.tf
@@ -52,6 +52,10 @@ locals {
 ]
 resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
 }
+ STSAssumeRole = {
+ actions = ["sts:AssumeRole"]
+ resources = [module.role_dba_administrator.role_arn]
+ }
 }
 }
diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
index 2fa46af..88361ab 100644
--- a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
+++ b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
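Review bot: The new STSAssumeRole statement references `module.role_dba_administrator.role_arn`, but no `role_dba_administrator` module is declared anywhere in this diff (the CI/CD side gets its `role_cicd_deployer` module in deployer.iam.tf); unless it lives in a file not shown here, `terraform validate` will fail on the unknown module reference. The statement also lacks the kind of one-line comment the deployer trust policy received, so a reader cannot tell why a user policy grants `sts:AssumeRole` on this role; `# lets holders of the DBA policy assume the DBA administrator role` above `STSAssumeRole = {` would close that gap. The enclosing `locals` block starts and ends outside the hunk.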
@@ -4,12 +4,20 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
 }
 rule {
- api_groups = ["cert-manager.io", "acme.cert-manager.io"]
- resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
 }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
+ }
+
+ rule {
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
 api_groups = ["networking.istio.io"]
 resources = ["gateways"]
 }
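Review bot: Every new `verbs` list in this hunk, and the same lists in the application cluster role hunk below, contains `"patch"` twice (`..."patch","update","patch"`) and drops the `"watch"` verb the old lists had, which `kubectl get -w` and informer-based tooling rely on; the lists should read `verbs = ["create","delete","deletecollection","get","list","patch","update","watch"]`. Beyond the typo, `"delete"` and `"deletecollection"` move the CI/CD deployer from an update-only identity to one that can bulk-remove cert-manager and Istio Gateway objects in istio-system, so if the pipeline does not need bulk deletion, `deletecollection` is the verb to leave out. The `+ rule {` line before the gateways `verbs` has no old-side counterpart in this hunk, which suggests the pre-image or the hunk is missing a line; the resulting block nesting is worth confirming with `terraform validate`. The enclosing resource starts outside the hunk.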
@@ -28,14 +36,26 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
 }
 rule {
- api_groups = ["cert-manager.io", "acme.cert-manager.io"]
- resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
+ }
+
+ rule {
+ api_groups = ["security.istio.io"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
+ resources = ["requestauthentications","authorizationpolicies","peerauthentications"]
 }
 rule {
- verbs = ["get", "list", "watch", "create", "update", "patch"]
- api_groups = ["networking.istio.io", "security.istio.io"]
- resources = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+ verbs = ["create","delete","deletecollection","get","list","patch","update","patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["virtualservices", "destinationrules", "gateways"]
 }
 }
diff --git a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
index 0d6e7f3..a763fd7 100644
--- a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
+++ b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
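Review bot: The application cluster role now grants `gateways` under networking.istio.io, a resource that the old resources list did not include and that so far belonged only to the istio-system role, and the new security.istio.io rule gives `delete` and `deletecollection` on authorizationpolicies, peerauthentications and requestauthentications — the objects that enforce a namespace's mTLS and authorization posture. Because this role is bound per managed namespace by `deployer_application_rolebinding`, the effect is that the pipeline identity can bulk-remove security policy in every one of those namespaces, which is a larger blast radius than the update-only old rule had. If both widenings are intended, a short comment above each new `rule {` stating why application deployers need Gateway rights and bulk deletion of auth policy would let the next reader tell intent from accident; otherwise `deletecollection` should be dropped from the security.istio.io rule. The enclosing resource starts outside the hunk.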
@@ -15,7 +15,7 @@ resource "kubernetes_role_binding" "deployer_istio_role_binding" {
 }
 subject {
 kind = "Group"
-# name = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ # name = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
 name = local.cicd_k8s_iam_username
 api_group = "rbac.authorization.k8s.io"
 }
@@ -23,7 +23,7 @@ resource "kubernetes_role_binding" "deployer_istio_role_binding" {
 locals {
 cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces)
- cicd_k8s_iam_username = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ cicd_k8s_iam_username = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
 cicd_k8s_group_name = format("%v%v-%v", local._prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name)
 }
@@ -38,7 +38,7 @@ resource "kubernetes_namespace" "cicd_managed_namespaces" {
 }
 resource "kubernetes_role_binding" "deployer_application_rolebinding" {
-# for_each = toset(local.cicd_managed_namespaces)
+ # for_each = toset(local.cicd_managed_namespaces)
 for_each = kubernetes_namespace.cicd_managed_namespaces
 metadata {
@@ -56,9 +56,9 @@ resource "kubernetes_role_binding" "deployer_application_rolebinding" {
 api_group = "rbac.authorization.k8s.io"
 }
 subject {
- kind = "Group"
+ kind = "Group"
 name = local.cicd_k8s_iam_username
 api_group = "rbac.authorization.k8s.io"
 }
-# depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
 }
diff --git a/examples/full-cluster/cluster-roles/deployer.iam.tf b/examples/full-cluster/cluster-roles/deployer.iam.tf
index dfe46f4..1b22261 100644
--- a/examples/full-cluster/cluster-roles/deployer.iam.tf
+++ b/examples/full-cluster/cluster-roles/deployer.iam.tf
@@ -1,5 +1,6 @@
 locals {
 policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], local._prefixes["eks-policy"])
+ role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"],"")
 iam_policies_cicd = ["p-inf-manage-access-keys"]
 }
@@ -27,6 +28,22 @@ module "service_cicd_deployer" {
 var.application_tags,
 )
 }
+module "role_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = local.role_cicd_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+ # attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+ attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
 resource "aws_iam_policy" "cicd_deployer" {
 name = local.policy_cicd_k8s_group_name
@@ -49,7 +66,7 @@ locals {
 resources = ["*"]
 }
 ECRWrite = {
- effect = "Deny"
+# effect = "Deny"
 actions = [
 "ecr:BatchDeleteImage",
 "ecr:CompleteLayerUpload",
@@ -98,6 +115,21 @@ data "aws_iam_policy_document" "cicd_deployer" {
 }
 }
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
 # output "service_cicd_deployer_arn" {
 # description = "CICD Deployer user ARN"
 # value = module.service_cicd_deployer.user_arn
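Review bot: The new `role_cicd_deployer` module is sourced from `git@github.e.it.census.gov:terraform-modules/aws-iam-role.git` with no `?ref=` pin, so every `terraform init` fetches whatever the default branch currently holds and the trust policy and attachments of this role are only as stable as that branch; pin it to a tag or commit, `source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=<tag-or-commit>"` (placeholder, pick the reviewed revision). The commented-out `attached_policies = flatten(concat(...))` line alongside the live `attached_policies = [aws_iam_policy.cicd_deployer.arn]` leaves two competing definitions with no note on which is intended; either delete it or prefix it with a one-line reason it is kept. `enable_ldap_creation = false` is a module-specific flag whose effect I cannot verify from this diff.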
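Review bot: Commenting out `effect = "Deny"` on the ECRWrite statement does not disable the statement: a `statement` in `aws_iam_policy_document` defaults to `Allow`, so `ecr:BatchDeleteImage`, `ecr:CompleteLayerUpload` and the actions that follow flip from an explicit deny to a grant for the CI/CD deployer in one character. That is the largest privilege change in this commit and it is invisible in the policy output, which will simply show an Allow statement still named ECRWrite. If the grant is intended, write `effect = "Allow"` explicitly and add a comment saying why the deployer now needs ECR write/delete; if it is not, restore the Deny. The `#` at column 0 also breaks the block's indentation, and the statement's `resources` are outside the hunk so I cannot tell how wide the new grant is.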
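Review bot: The trust policy in `cicd_deployer_allow_sts` lists only the account root (`format(local.iam_arn, "root")`) as principal, which, as the comment above it says, delegates the question of who may assume the role entirely to identity policies across the account; any principal that later gains `sts:AssumeRole` on this ARN inherits the deployer's ECR and EKS rights. Since the role exists for one identity, narrowing the principal to that user keeps the blast radius to the pipeline: `identifiers = [module.service_cicd_deployer.user_arn]` (the commented output at the end of this hunk shows `user_arn` is an output of that module). If the account-root form is deliberate because the assuming principal is created elsewhere, say so in the comment and consider a `condition` on the statement instead.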