From 923f3ddb9c6151d46029cc4627f6be6c19bbb9cb Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 13 Sep 2023 14:36:44 -0400
Subject: [PATCH] add irsa example
---
 examples/irsa/.tf-control | 20 +++++++++++
 examples/irsa/.tf-control.tfrc | 24 ++++++++++++++
 examples/irsa/irsa-role.tf | 51 +++++++++++++++++++++++++++++
 examples/irsa/locals.tf | 17 ++++++++++
 examples/irsa/region.tf | 3 ++
 examples/irsa/tf-run.data | 31 ++++++++++++++++++
 examples/irsa/tf-run.destroy.data | 6 ++++
 examples/irsa/variables.auto.tfvars | 4 +++
 examples/irsa/variables.tf | 22 +++++++++++++
 9 files changed, 178 insertions(+)
 create mode 100644 examples/irsa/.tf-control
 create mode 100644 examples/irsa/.tf-control.tfrc
 create mode 100644 examples/irsa/irsa-role.tf
 create mode 100644 examples/irsa/locals.tf
 create mode 100644 examples/irsa/region.tf
 create mode 100644 examples/irsa/tf-run.data
 create mode 100644 examples/irsa/tf-run.destroy.data
 create mode 100644 examples/irsa/variables.auto.tfvars
 create mode 100644 examples/irsa/variables.tf
diff --git a/examples/irsa/.tf-control b/examples/irsa/.tf-control
new file mode 100644
index 0000000..280f449
--- /dev/null
+++ b/examples/irsa/.tf-control
@@ -0,0 +1,20 @@
+# .tf-control
+# allows for setting a specific command to be used for tf-* commands under this git repo
+# see tf-control.sh help for more info
+
+TFCONTROL_VERSION="1.0.5"
+
+TFCOMMAND="terraform_latest"
+# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
+# TFARGS=""
+# TFNOLOG=""
+# TFNOCOLOR=""
+
+# use the following to force a specific version. An upgrade of an existing 0.12.31 to 1.x
+# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other
+# steps in between. See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
+#
+#TFCOMMAND="terraform_0.12.31"
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.15.5"
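Review bot: The upgrade comment says to cycle through `0.13.17`, but the commented command a few lines below is `#TFCOMMAND="terraform_0.13.7"`; one of the two is a typo, and an operator following the comment may look for a build that the toolchain does not provide, so align them. `# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc` is left commented, so nothing in this commit visibly wires up the `.tf-control.tfrc` added beside it; if tf-control.sh locates that file by convention, a comment such as `# .tf-control.tfrc in this directory is picked up automatically by tf-control.sh` would say so, and if it does not, the line should be enabled. `TFCOMMAND="terraform_latest"` leaves the Terraform release floating in an example that is otherwise explicit about tool versions (`TFCONTROL_VERSION`); consider pinning it to the release the example was tested with.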
diff --git a/examples/irsa/.tf-control.tfrc b/examples/irsa/.tf-control.tfrc
new file mode 100644
index 0000000..7425488
--- /dev/null
+++ b/examples/irsa/.tf-control.tfrc
@@ -0,0 +1,24 @@
+TFCONTROL_VERSION="1.0.5"
+
+# https://www.terraform.io/docs/cli/config/config-file.html
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/irsa/irsa-role.tf b/examples/irsa/irsa-role.tf
new file mode 100644
index 0000000..86c573e
--- /dev/null
+++ b/examples/irsa/irsa-role.tf
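Review bot: `direct { include = [ "*/*/*" ] }` following the `filesystem_mirror` block means any provider the mirror at `/data/terraform/terraform.d/providers` does not carry is fetched from the public registry, so the mirror acts as a convenience rather than a supply-chain boundary; if mirror-only is intended, remove the `direct` block or narrow its `include` to the sources meant to be fetched directly, and in either case commit `.terraform.lock.hcl` so provider hashes are pinned regardless of which method supplied them. Terraform executes whatever binaries sit in the mirror and in `plugin_cache_dir`, so a comment should state who may write to `/data/terraform/terraform.d`; a shared path that other users of the host can write to lets them replace the provider binaries every Terraform run on that host executes. `TFCONTROL_VERSION="1.0.5"` on the first line is not a Terraform CLI setting and is presumably consumed by tf-control.sh before Terraform reads the file; a comment saying so would stop readers from treating the file as plain CLI-config HCL. The three commented-out `filesystem_mirror` blocks pointing at `/apps/terraform` are dead configuration in an example, so either document why they are retained or remove them.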
@@ -0,0 +1,51 @@
+data "aws_iam_policy" "policies" {
+ for_each = toset(var.iam_managed_policies)
+ name = each.key
+}
+
+module "role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.namespace}:${var.name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.name)
+
+ # also may create additional policies and include here
+ role_policy_arns = { for k, v in data.aws_iam_policy.policies : k => v.arn }
+ # policy1 = data.aws_iam_policy.policy.arn
+ # policy2 = aws_iam_policy.policy2.arn
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.namespace, var.name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.namespace
+ "eks:user" = var.name
+ }
+ )
+}
+
+resource "kubernetes_namespace" "namespace" {
+ count = var.create_namespace ? 1 : 0
+ metadata {
+ name = var.namespace
+ }
+}
+
+resource "kubernetes_service_account" "sa" {
+ count = var.create_service_account ? 1 : 0
+ metadata {
+ namespace = var.namespace
+ name = var.name
+ annotations = {
+ "eks.amazonaws.com/role-arn" = module.role.role_arn
+ }
+ }
+}
diff --git a/examples/irsa/locals.tf b/examples/irsa/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/irsa/locals.tf
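Review bot: `module "role"` sources `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` from the public registry with no `version` argument, so a fresh `terraform init` resolves to whatever release is current and the trust policy this example creates is generated by module code that was not reviewed at commit time; pin it with `version = "<TESTED-MODULE-VERSION>"` (placeholder for the release the example was validated against) and commit `.terraform.lock.hcl`. `var.iam_managed_policies`, `var.cluster_name`, `var.application_tags`, `local._prefixes` and `local.common_tags` are not declared anywhere in this commit; they presumably arrive through the files `tf-run.data` links in, but none of those names obviously covers `iam_managed_policies`, so a comment on the `data "aws_iam_policy"` block naming where it is defined (or a `variable` block in this directory) is needed for the example to run as written. Every entry in that list is attached to the role verbatim through `role_policy_arns`, so a `validation` block or allow-list on the variable would keep a typo or an over-broad AWS-managed policy from being attached without notice. When `create_service_account` is false the `eks.amazonaws.com/role-arn` annotation is never applied to the pre-existing service account; the `kubernetes_service_account` block should carry a comment such as `# when create_service_account = false the caller must add the eks.amazonaws.com/role-arn annotation to the existing service account`.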
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/irsa/region.tf b/examples/irsa/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/irsa/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/irsa/tf-run.data b/examples/irsa/tf-run.data
new file mode 100644
index 0000000..0db70b8
--- /dev/null
+++ b/examples/irsa/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL
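Review bot: `vpc_id`, `subnet_ids`, `cluster_worker_sg_id` and `oidc_provider_url` in the second `locals` block are not referenced by any file in this commit (`irsa-role.tf` reads only `local.oidc_provider_arn` and `local.base_tags`), so they look carried over from a template; drop them or mark them with `# kept for parity with sibling examples; unused here` so a reader does not search for a consumer. `local.parent_rs` and `local._module_version` are undefined in this directory and presumably come from `includes.d/parent_rs.tf` and `version.tf`, which `tf-run.data` links in; the comment above the second block should name that dependency explicitly, e.g. `# local.parent_rs is defined in includes.d/parent_rs.tf (linked by tf-run.data)`, since a missing link fails only at plan time with an unhelpful "unsupported attribute" error.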
diff --git a/examples/irsa/tf-run.destroy.data b/examples/irsa/tf-run.destroy.data
new file mode 100644
index 0000000..7a82c9f
--- /dev/null
+++ b/examples/irsa/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/irsa/variables.auto.tfvars b/examples/irsa/variables.auto.tfvars
new file mode 100644
index 0000000..82ec7a2
--- /dev/null
+++ b/examples/irsa/variables.auto.tfvars
@@ -0,0 +1,4 @@
+namespace = "default"
+name = ""
+create_namespace = false
+create_service_account = true
diff --git a/examples/irsa/variables.tf b/examples/irsa/variables.tf
new file mode 100644
index 0000000..4c5416f
--- /dev/null
+++ b/examples/irsa/variables.tf
@@ -0,0 +1,22 @@
+variable "namespace" {
+ description = "Service namespace"
+ type = string
+ default = "default"
+}
+
+variable "name" {
+ description = "Service account name"
+ type = string
+}
+
+variable "create_namespace" {
+ description = "Create kubernetes namespace"
+ type = bool
+ default = false
+}
+
+variable "create_service_account" {
+ description = "Create kubernetes service account"
+ type = bool
+ default = true
+}
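Review bot: `variable "name"` has no `default` and is therefore required, but `variables.auto.tfvars` in the same commit sets `name = ""`, which satisfies the requirement with an empty string; that value flows into `role_name` (ending in `-irsa__`), into the OIDC `namespace_service_accounts` entry (`default:`), and into `kubernetes_service_account` metadata, where it is rejected only at apply time. Add a `validation` block to `name` that rejects the empty string and enforces the DNS-1123 subdomain form Kubernetes requires for service-account names, and apply an equivalent label check to `namespace`; with the validation in place the tfvars line should either be removed or carry a real example value. The other three variables are declared with defaults that match the tfvars and need no change.

```hcl
variable "name" {
  description = "Service account name"
  type        = string

  validation {
    # Kubernetes rejects an empty or non-DNS-1123 service-account name, so catch it at plan time.
    condition     = length(var.name) > 0 && length(var.name) <= 253 && can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", var.name))
    error_message = "name must be a non-empty DNS-1123 subdomain (lowercase alphanumerics, '-' and '.')."
  }
}
# … unchanged: namespace, create_namespace, create_service_account …
```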