update example

terraform-modules · Nov 21, 2021 · ab46a6c · ab46a6c
1 parent 5279dcd
commit ab46a6c
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 19 deletions.
diff --git a/examples/full-cluster/cluster-roles/dba-rolebinding.tf b/examples/full-cluster/cluster-roles/dba-rolebinding.tf
@@ -14,7 +14,7 @@ resource "kubernetes_namespace" "dba_managed_namespaces" {
 }
 
 resource "kubernetes_role_binding" "dba_admin_rolebinding" {
-#  for_each = toset(local.dba_managed_namespaces)
+  #  for_each = toset(local.dba_managed_namespaces)
   for_each = kubernetes_namespace.dba_managed_namespaces
 
   metadata {
@@ -32,9 +32,9 @@ resource "kubernetes_role_binding" "dba_admin_rolebinding" {
     api_group = "rbac.authorization.k8s.io"
   }
   subject {
-    kind = "Group"
+    kind      = "Group"
     name      = local.dba_k8s_group_name
     api_group = "rbac.authorization.k8s.io"
   }
-#  depends_on = [kubernetes_namespace.dba_managed_namespaces]
+  #  depends_on = [kubernetes_namespace.dba_managed_namespaces]
 }
diff --git a/examples/full-cluster/cluster-roles/dba.iam.tf b/examples/full-cluster/cluster-roles/dba.iam.tf
@@ -52,6 +52,10 @@ locals {
       ]
       resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
     }
+    STSAssumeRole = {
+      actions   = ["sts:AssumeRole"]
+      resources = [module.role_dba_administrator.role_arn]
+    }
   }
 }
 

diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
@@ -4,17 +4,42 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
   }
 
   rule {
-    api_groups = ["cert-manager.io", "acme.cert-manager.io"]
-    resources  = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
-    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
   }
+
+  rule {
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+  }
+
+
   rule {
-    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
     api_groups = ["networking.istio.io"]
     resources  = ["gateways"]
   }
 }
 
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+  metadata {
+    name = var.deployer_application_istio_role_name
+  }
+  rule {
+    api_groups = ["security.istio.io"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    resources  = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+  }
+
+  rule {
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+    api_groups = ["networking.istio.io"]
+    resources  = ["virtualservices", "destinationrules", "gateways"]
+  }
+}
+
 resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
   metadata {
     name = var.deployer_application_role_name
@@ -28,14 +53,15 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
   }
 
   rule {
-    api_groups = ["cert-manager.io", "acme.cert-manager.io"]
-    resources  = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
-    verbs      = ["get", "list", "watch", "create", "update", "patch"]
+    api_groups = ["acme.cert-manager.io"]
+    resources  = ["challenges", "orders", "certificaterequests"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
   }
 
   rule {
-    verbs      = ["get", "list", "watch", "create", "update", "patch"]
-    api_groups = ["networking.istio.io", "security.istio.io"]
-    resources  = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+    api_groups = ["cert-manager.io"]
+    resources  = ["certificates"]
+    verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
   }
+
 }
diff --git a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
@@ -15,15 +15,15 @@ resource "kubernetes_role_binding" "deployer_istio_role_binding" {
   }
   subject {
     kind = "Group"
-#    name      = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+    #    name      = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
     name      = local.cicd_k8s_iam_username
     api_group = "rbac.authorization.k8s.io"
   }
 }
 
 locals {
   cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces)
-  cicd_k8s_iam_username     = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+  cicd_k8s_iam_username   = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
   cicd_k8s_group_name     = format("%v%v-%v", local._prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name)
 }
 
@@ -37,8 +37,35 @@ resource "kubernetes_namespace" "cicd_managed_namespaces" {
   }
 }
 
+
+resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" {
+  #  for_each = toset(local.cicd_managed_namespaces)
+  for_each = kubernetes_namespace.cicd_managed_namespaces
+
+  metadata {
+    name      = var.deployer_application_istio_rolebinding_name
+    namespace = each.key
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.deployer_application_istio_role_name
+  }
+  subject {
+    kind      = "User"
+    name      = var.cicd_k8s_user_name
+    api_group = "rbac.authorization.k8s.io"
+  }
+  subject {
+    kind      = "Group"
+    name      = local.cicd_k8s_iam_username
+    api_group = "rbac.authorization.k8s.io"
+  }
+  #  depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
+
 resource "kubernetes_role_binding" "deployer_application_rolebinding" {
-#  for_each = toset(local.cicd_managed_namespaces)
+  #  for_each = toset(local.cicd_managed_namespaces)
   for_each = kubernetes_namespace.cicd_managed_namespaces
 
   metadata {
@@ -56,9 +83,9 @@ resource "kubernetes_role_binding" "deployer_application_rolebinding" {
     api_group = "rbac.authorization.k8s.io"
   }
   subject {
-    kind = "Group"
+    kind      = "Group"
     name      = local.cicd_k8s_iam_username
     api_group = "rbac.authorization.k8s.io"
   }
-#  depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+  #  depends_on = [kubernetes_namespace.cicd_managed_namespaces]
 }
diff --git a/examples/full-cluster/cluster-roles/deployer.iam.tf b/examples/full-cluster/cluster-roles/deployer.iam.tf
@@ -1,5 +1,6 @@
 locals {
   policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], local._prefixes["eks-policy"])
+  role_cicd_k8s_group_name   = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], "")
   iam_policies_cicd          = ["p-inf-manage-access-keys"]
 }
 
@@ -27,6 +28,22 @@ module "service_cicd_deployer" {
     var.application_tags,
   )
 }
+module "role_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name              = local.role_cicd_k8s_group_name
+  role_description       = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+  #  attached_policies   =   flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+  attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
 
 resource "aws_iam_policy" "cicd_deployer" {
   name        = local.policy_cicd_k8s_group_name
@@ -49,7 +66,7 @@ locals {
       resources = ["*"]
     }
     ECRWrite = {
-      effect = "Deny"
+      #      effect = "Deny"
       actions = [
         "ecr:BatchDeleteImage",
         "ecr:CompleteLayerUpload",
@@ -98,6 +115,21 @@ data "aws_iam_policy_document" "cicd_deployer" {
   }
 }
 
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+  statement {
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
+  }
+}
+
 # output "service_cicd_deployer_arn" {
 #   description = "CICD Deployer user ARN"
 #   value       = module.service_cicd_deployer.user_arn