From 8558c8fe6e281786ea09ed84fc9343c7f7dcd6c7 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 14 Oct 2021 11:11:01 -0400
Subject: [PATCH] add info
---
 patch-aws-auth/README.md | 88 ++++++++++++++++++++++++++++++++++++
 patch-aws-auth/data.eks.tf | 2 +-
 patch-aws-auth/kubeconfig.tf | 6 +--
 patch-aws-auth/locals.tf | 4 +-
 patch-aws-auth/main.tf | 8 ++--
 5 files changed, 99 insertions(+), 9 deletions(-)
diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md
index e69de29..f854412 100644
--- a/patch-aws-auth/README.md
+++ b/patch-aws-auth/README.md
@@ -0,0 +1,88 @@
+# About patch-aws-auth
+This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into
+Kubernetes (k8s) users and group permissions.
+
+# Example variable usage
+
+```hcl
+# settings.auto.tfvars
+aws_auth_users = [
+ {
+ userarn = ""
+ aws_username = "a-ashle001"
+ username = "admin"
+ groups = ["system:masters", "eks-console-dashboard-full-access-group"]
+ },
+]
+aws_auth_roles = [
+ {
+ rolearn : ""
+ aws_rolename : "r-inf-cloud-admin"
+ username : "admin"
+ groups = ["eks-console-dashboard-full-access-group"]
+ },
+]
+```
+
+```hcl
+# patch-aws-auth.tf
+module "awsauth_base_users" {
+ source = THIS
+
+ cluster_name = "adsd-cumulus-dev"
+ aws_auth_users = var.aws_auth_users
+ aws_auth_roles = var.aws_auth_roles
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12.31 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [kubernetes](#provider\_kubernetes) | n/a |
+| [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.patch-aws-auth](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [aws_iam_role.auth_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_iam_user.auth_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_user) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [kubernetes_config_map.aws-auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/config_map) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_auth\_roles](#input\_aws\_auth\_roles) | A list of objects where each object has rolearn, aws\_rolename, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the role. Leaving rolearn as an empty string will pull the role ARN from AWS. |
list(object({
rolearn = string
aws_rolename = string
username = string
groups = list(string)
}))
| `[]` | no |
+| [aws\_auth\_users](#input\_aws\_auth\_users) | A list of objects where each object has userarn, aws\_username, (k8s) username, and (k8s) groups, where groups is a list of groups to associate with the user. Leaving userarn as an empty string will pull the user ARN from AWS. |
list(object({
userarn = string
aws_username = string
username = string
groups = list(string)
}))
| `[]` | no |
+| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [cluster\_version](#input\_cluster\_version) | The EKS Kubernetes version number, see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.21"` | no |
+| [domain](#input\_domain) | The DNS domain name of the cluster. Defaults to empty which causes the sample application to use the domain assigned to the load balancer of the istio ingress gateway. | `string` | `""` | no |
+| [instance\_type](#input\_instance\_type) | EKS worker node instance type (default: t3.xlarge) | `string` | `"t3.xlarge"` | no |
+| [nodegroup\_desired\_size](#input\_nodegroup\_desired\_size) | EKS Nodegroup desire size (default: 1) | `number` | `1` | no |
+| [nodegroup\_instance\_disk\_size](#input\_nodegroup\_instance\_disk\_size) | The size of EKS nodegroup EBS disk in gigabytes (default: 40) | `number` | `40` | no |
+| [nodegroup\_maximum\_size](#input\_nodegroup\_maximum\_size) | EKs Nodegroup maximum size (default: 16) | `number` | `16` | no |
+| [nodegroup\_minumum\_size](#input\_nodegroup\_minumum\_size) | EKS Nodegroup minimum size (default: 1) | `number` | `1` | no |
+
+## Outputs
+
+No outputs.
diff --git a/patch-aws-auth/data.eks.tf b/patch-aws-auth/data.eks.tf
index aa36539..408d60b 100644
--- a/patch-aws-auth/data.eks.tf
+++ b/patch-aws-auth/data.eks.tf
@@ -1,4 +1,4 @@
-eata "aws_eks_cluster" "cluster" {
+data "aws_eks_cluster" "cluster" {
 name = var.cluster_name
 }
diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf
index f1adf79..6adbdd7 100644
--- a/patch-aws-auth/kubeconfig.tf
+++ b/patch-aws-auth/kubeconfig.tf
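Review bot: The corrected `data "aws_eks_cluster" "cluster"` block reads `name = var.cluster_name`, but the README added in this same commit documents `cluster_name` as type `string` with default `null` and not required, so a caller that omits it reaches the data source with a null name and fails inside the AWS provider instead of at input validation. Because locals.tf in this patch also derives `aws_eks_cluster` and `aws_eks_cluster_auth` from this lookup, nothing in the module works without a real cluster name, and the variable should be declared with no default so Terraform requires it, or carry a `validation` block that rejects null and empty values (custom validation needs Terraform 0.13+, while the README pins `>= 0.12.31`). The variable declaration itself is outside this patch, so I cannot confirm whether the README default matches it.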
@@ -2,9 +2,9 @@
 # requires kubectl command in the path
 resource "null_resource" "kubeconfig" {
-# triggers = {
-# always_run = timestamp()
-# }
+ # triggers = {
+ # always_run = timestamp()
+ # }
 provisioner "local-exec" {
 command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi"
 }
diff --git a/patch-aws-auth/locals.tf b/patch-aws-auth/locals.tf
index 521b7f3..a6f1b34 100644
--- a/patch-aws-auth/locals.tf
+++ b/patch-aws-auth/locals.tf
@@ -1,6 +1,6 @@
 locals {
- region = data.aws_region.current.name
+ region = data.aws_region.current.name
 aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster
- aws_eks_cluster = data.aws_eks_cluster.cluster
+ aws_eks_cluster = data.aws_eks_cluster.cluster
 }
diff --git a/patch-aws-auth/main.tf b/patch-aws-auth/main.tf
index c6c2fd7..ba5d909 100644
--- a/patch-aws-auth/main.tf
+++ b/patch-aws-auth/main.tf
@@ -1,5 +1,7 @@
 /*
 * # About patch-aws-auth
+* This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into
+* Kubernetes (k8s) users and group permissions.
 *
 * # Example variable usage
 *
@@ -33,7 +35,7 @@
 * aws_auth_roles = var.aws_auth_roles
 * }
 * ```
-*/
+*/
 # pull in current configmap aws-auth
@@ -143,11 +145,11 @@ resource "null_resource" "patch-aws-auth" {
 }
 provisioner "local-exec" {
 working_dir = "${path.root}/setup"
- command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml"
+ command = "echo '${local.patch}' > config_map.aws-auth.patch.yaml"
 }
 provisioner "local-exec" {
 working_dir = "${path.root}/setup"
- command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml"
+ command = "kubectl --kubeconfig aws-auth.kube.config patch --type merge -n kube-system configmap/aws-auth --patch-file config_map.aws-auth.patch.yaml"
 }
 }