add info

terraform-modules · Oct 14, 2021 · 8558c8f · 8558c8f
1 parent 83118fd
commit 8558c8f
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 9 deletions.
diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md
@@ -0,0 +1,88 @@
+# About patch-aws-auth
+This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into
+Kubernetes (k8s) users and group permissions.
+
+# Example variable usage
+
+```hcl
+# settings.auto.tfvars
+aws_auth_users = [
+  {
+    userarn      = ""
+    aws_username = "a-ashle001"
+    username     = "admin"
+    groups       = ["system:masters", "eks-console-dashboard-full-access-group"]
+  },
+]
+aws_auth_roles = [
+  {
+    rolearn : ""
+    aws_rolename : "r-inf-cloud-admin"
+    username : "admin"
+    groups = ["eks-console-dashboard-full-access-group"]
+  },
+]
+```
+
+```hcl
+# patch-aws-auth.tf
+module "awsauth_base_users" {
+  source = THIS
+
+  cluster_name = "adsd-cumulus-dev"
+  aws_auth_users = var.aws_auth_users
+  aws_auth_roles = var.aws_auth_roles
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.31 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.patch-aws-auth](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [aws_iam_role.auth_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_iam_user.auth_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_user) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [kubernetes_config_map.aws-auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/config_map) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_auth_roles"></a> [aws\_auth\_roles](#input\_aws\_auth\_roles) | A list of objects where each object has rolearn, aws\_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role.  Leaving rolearn as an empty string will pull the role ARN from AWS. | <pre>list(object({<br>    rolearn      = string<br>    aws_rolename = string<br>    username     = string<br>    groups       = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_aws_auth_users"></a> [aws\_auth\_users](#input\_aws\_auth\_users) | A list of objects where each object has userarn, aws\_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user.  Leaving userarn as an empty string will pull the user ARN from AWS. | <pre>list(object({<br>    userarn      = string<br>    aws_username = string<br>    username     = string<br>    groups       = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no |
+| <a name="input_domain"></a> [domain](#input\_domain) | The DNS domain name of the cluster.  Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no |
+| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EKS worker node instance type (default: t3.xlarge) | `string` | `"t3.xlarge"` | no |
+| <a name="input_nodegroup_desired_size"></a> [nodegroup\_desired\_size](#input\_nodegroup\_desired\_size) | EKS Nodegroup desire size (default: 1) | `number` | `1` | no |
+| <a name="input_nodegroup_instance_disk_size"></a> [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no |
+| <a name="input_nodegroup_maximum_size"></a> [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no |
+| <a name="input_nodegroup_minumum_size"></a> [nodegroup\_minumum\_size](#input\_nodegroup\_minumum\_size) | EKS Nodegroup minimum size (default: 1) | `number` | `1` | no |
+
+## Outputs
+
+No outputs.
diff --git a/patch-aws-auth/data.eks.tf b/patch-aws-auth/data.eks.tf
@@ -1,4 +1,4 @@
-eata "aws_eks_cluster" "cluster" {
+data "aws_eks_cluster" "cluster" {
   name = var.cluster_name
 }
 

diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf
@@ -2,9 +2,9 @@
 # requires kubectl command in the path
 
 resource "null_resource" "kubeconfig" {
-#  triggers = { 
-#    always_run = timestamp()
-#  }
+  #  triggers = { 
+  #    always_run = timestamp()
+  #  }
   provisioner "local-exec" {
     command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi"
   }

diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf
@@ -1,6 +1,6 @@
 locals {
-  region = data.aws_region.current.name
+  region               = data.aws_region.current.name
   aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster
-  aws_eks_cluster = data.aws_eks_cluster.cluster
+  aws_eks_cluster      = data.aws_eks_cluster.cluster
 }
 
diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf
@@ -1,5 +1,7 @@
 /* 
 * # About patch-aws-auth
+* This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into
+* Kubernetes (k8s) users and group permissions.
 *
 * # Example variable usage
 * 
@@ -33,7 +35,7 @@
 *   aws_auth_roles = var.aws_auth_roles
 * }
 * ```
-*/ 
+*/
 
 
 # pull in current configmap aws-auth
@@ -143,11 +145,11 @@ resource "null_resource" "patch-aws-auth" {
   }
   provisioner "local-exec" {
     working_dir = "${path.root}/setup"
-    command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml"
+    command     = "echo '${local.patch}' > config_map.aws-auth.patch.yaml"
   }
   provisioner "local-exec" {
     working_dir = "${path.root}/setup"
-    command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml"
+    command     = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml"
   }
 }