From ab46a6c95d4546734e06b649cf51c1cf17c37b08 Mon Sep 17 00:00:00 2001
From: badra001
Date: Sun, 21 Nov 2021 12:44:59 -0500
Subject: [PATCH 1/2] update example
---
 .../cluster-roles/dba-rolebinding.tf | 6 +--
 .../full-cluster/cluster-roles/dba.iam.tf | 4 ++
 .../cluster-roles/deployer-clusterrole.tf | 46 +++++++++++++++----
 .../cluster-roles/deployer-rolebinding.tf | 37 +++++++++++++--
 .../cluster-roles/deployer.iam.tf | 34 +++++++++++++-
 5 files changed, 108 insertions(+), 19 deletions(-)
diff --git a/examples/full-cluster/cluster-roles/dba-rolebinding.tf b/examples/full-cluster/cluster-roles/dba-rolebinding.tf
index 64fdb3d..e7d48aa 100644
--- a/examples/full-cluster/cluster-roles/dba-rolebinding.tf
+++ b/examples/full-cluster/cluster-roles/dba-rolebinding.tf
@@ -14,7 +14,7 @@ resource "kubernetes_namespace" "dba_managed_namespaces" {
 }
 resource "kubernetes_role_binding" "dba_admin_rolebinding" {
-# for_each = toset(local.dba_managed_namespaces)
+ # for_each = toset(local.dba_managed_namespaces)
 for_each = kubernetes_namespace.dba_managed_namespaces
 metadata {
@@ -32,9 +32,9 @@ resource "kubernetes_role_binding" "dba_admin_rolebinding" {
 api_group = "rbac.authorization.k8s.io"
 }
 subject {
- kind = "Group"
+ kind = "Group"
 name = local.dba_k8s_group_name
 api_group = "rbac.authorization.k8s.io"
 }
-# depends_on = [kubernetes_namespace.dba_managed_namespaces]
+ # depends_on = [kubernetes_namespace.dba_managed_namespaces]
 }
diff --git a/examples/full-cluster/cluster-roles/dba.iam.tf b/examples/full-cluster/cluster-roles/dba.iam.tf
index 22e6780..eaea25d 100644
--- a/examples/full-cluster/cluster-roles/dba.iam.tf
+++ b/examples/full-cluster/cluster-roles/dba.iam.tf
@@ -52,6 +52,10 @@ locals {
 ]
 resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
 }
+ STSAssumeRole = {
+ actions = ["sts:AssumeRole"]
+ resources = [module.role_dba_administrator.role_arn]
+ }
 }
 }
diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
index 2fa46af..7cede6e 100644
--- a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
+++ b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
@@ -4,17 +4,42 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
 }
 rule {
- api_groups = ["cert-manager.io", "acme.cert-manager.io"]
- resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
 }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+
 rule {
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
 api_groups = ["networking.istio.io"]
 resources = ["gateways"]
 }
 }
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+ metadata {
+ name = var.deployer_application_istio_role_name
+ }
+ rule {
+ api_groups = ["security.istio.io"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+ }
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["virtualservices", "destinationrules", "gateways"]
+ }
+}
+
 resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
 metadata {
 name = var.deployer_application_role_name
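Review bot: Every new `verbs` list in this hunk lists `"patch"` twice (`..., "list", "patch", "update", "patch"`); the second entry is redundant and should be removed, e.g. `verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update"]`. The same duplicated list is repeated in the `cicd_deployer_application_cluster_role` hunk that follows. The rewrite also drops `"watch"` from every rule while adding `"delete"` and `"deletecollection"`; if the deployer pipeline waits on resource status the missing verb will surface as forbidden watch requests, and the delete grant widens what the bound principals can do, so both changes deserve a comment on the resource stating the intent. The enclosing `cicd_deployer_istiosystem_cluster_role` resource starts before this hunk.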
@@ -28,14 +53,15 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
 }
 rule {
- api_groups = ["cert-manager.io", "acme.cert-manager.io"]
- resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
- verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
 }
 rule {
- verbs = ["get", "list", "watch", "create", "update", "patch"]
- api_groups = ["networking.istio.io", "security.istio.io"]
- resources = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
 }
+
 }
diff --git a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
index 0d6e7f3..3b90b7b 100644
--- a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
+++ b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf
@@ -15,7 +15,7 @@ resource "kubernetes_role_binding" "deployer_istio_role_binding" {
 }
 subject {
 kind = "Group"
-# name = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ # name = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
 name = local.cicd_k8s_iam_username
 api_group = "rbac.authorization.k8s.io"
 }
@@ -23,7 +23,7 @@ resource "kubernetes_role_binding" "deployer_istio_role_binding" {
 locals {
 cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces)
- cicd_k8s_iam_username = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ cicd_k8s_iam_username = format("%v%v-%v", local._prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
 cicd_k8s_group_name = format("%v%v-%v", local._prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name)
 }
@@ -37,8 +37,35 @@ resource "kubernetes_namespace" "cicd_managed_namespaces" {
 }
 }
+
+resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" {
+ # for_each = toset(local.cicd_managed_namespaces)
+ for_each = kubernetes_namespace.cicd_managed_namespaces
+
+ metadata {
+ name = var.deployer_application_istio_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_application_istio_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
+
 resource "kubernetes_role_binding" "deployer_application_rolebinding" {
-# for_each = toset(local.cicd_managed_namespaces)
+ # for_each = toset(local.cicd_managed_namespaces)
 for_each = kubernetes_namespace.cicd_managed_namespaces
 metadata {
@@ -56,9 +83,9 @@ resource "kubernetes_role_binding" "deployer_application_rolebinding" {
 api_group = "rbac.authorization.k8s.io"
 }
 subject {
- kind = "Group"
+ kind = "Group"
 name = local.cicd_k8s_iam_username
 api_group = "rbac.authorization.k8s.io"
 }
-# depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
 }
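Review bot: The new `deployer_application_istio_rolebinding` names its `Group` subject `local.cicd_k8s_iam_username`, while the `locals` block touched earlier in this file also defines `cicd_k8s_group_name`, which nothing in the hunk uses; the existing `deployer_application_rolebinding` does the same, so it may be deliberate, but a comment on the subject should record why, e.g. `# group name intentionally tracks the IAM user name, not local.cicd_k8s_group_name — confirm against the cluster's IAM-to-RBAC mapping`. The two `subject` blocks and the commented-out `for_each`/`depends_on` lines are copied verbatim from `deployer_application_rolebinding`; moving the subjects into one shared local would keep the two bindings from drifting apart. Binding a `ClusterRole` through a per-namespace `kubernetes_role_binding` keeps the grant namespace-scoped, which is worth stating in a comment since the role name alone suggests cluster-wide access.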
diff --git a/examples/full-cluster/cluster-roles/deployer.iam.tf b/examples/full-cluster/cluster-roles/deployer.iam.tf
index dfe46f4..13f4192 100644
--- a/examples/full-cluster/cluster-roles/deployer.iam.tf
+++ b/examples/full-cluster/cluster-roles/deployer.iam.tf
@@ -1,5 +1,6 @@
 locals {
 policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], local._prefixes["eks-policy"])
+ role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], "")
 iam_policies_cicd = ["p-inf-manage-access-keys"]
 }
@@ -27,6 +28,22 @@ module "service_cicd_deployer" {
 var.application_tags,
 )
 }
+module "role_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = local.role_cicd_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+ # attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+ attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
 resource "aws_iam_policy" "cicd_deployer" {
 name = local.policy_cicd_k8s_group_name
@@ -49,7 +66,7 @@ locals {
 resources = ["*"]
 }
 ECRWrite = {
- effect = "Deny"
+ # effect = "Deny"
 actions = [
 "ecr:BatchDeleteImage",
 "ecr:CompleteLayerUpload",
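Review bot: Commenting out `effect = "Deny"` in the `ECRWrite` statement flips it to the default `Allow`, so the listed write actions (`ecr:BatchDeleteImage`, `ecr:CompleteLayerUpload`, …) are now granted to the deployer policy instead of forbidden. If that is the intent, state it explicitly as `effect = "Allow"` with a comment such as `# deployer needs to push images; the Deny was lifted in <change-ref>` rather than leaving a commented-out `Deny` that reads as still in force; the statement's `resources` are outside the hunk, so confirm they are scoped to the deployer's repositories rather than `"*"`. The new `role_cicd_deployer` module in the hunk above attaches this same `aws_iam_policy.cicd_deployer`, so the widened grant also applies to every principal that assumes the role. The enclosing `locals` block continues past the end of the hunk.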
@@ -98,6 +115,21 @@ data "aws_iam_policy_document" "cicd_deployer" {
 }
 }
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
 # output "service_cicd_deployer_arn" {
 # description = "CICD Deployer user ARN"
 # value = module.service_cicd_deployer.user_arn
From d677d55a71c797240ee7ef79e679592ac79e8550 Mon Sep 17 00:00:00 2001
From: badra001
Date: Sun, 21 Nov 2021 12:45:03 -0500
Subject: [PATCH 2/2] update example
---
 examples/full-cluster/providers.tf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/examples/full-cluster/providers.tf b/examples/full-cluster/providers.tf
index 815e4c1..03c6b10 100644
--- a/examples/full-cluster/providers.tf
+++ b/examples/full-cluster/providers.tf
@@ -2,11 +2,17 @@ terraform {
 required_version = ">= 0.12.31"
 }
-provider "kubernetes" {
- host = local.aws_eks_cluster.endpoint
+# to import, you cannot have provider fields which count on data elements (as these locals show). You need to use the config_path.
+# see these for more info:
+# https://github.com/hashicorp/terraform-provider-kubernetes/issues/793
+# https://www.terraform.io/docs/cli/commands/import.html#provider-configuration
+# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs
+provider "kubernetes" {
+ host = local.aws_eks_cluster.endpoint
 cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data)
 token = local.aws_eks_cluster_auth.token
+# config_path = "${path.root}/setup/kube.config"
 }
 provider "helm" {
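Review bot: The `cicd_deployer_allow_sts` trust policy names only the account root in `identifiers`, so who may assume `role_cicd_deployer` is decided entirely by each caller's identity policy, as the comment above the data source says. The `dba.iam.tf` hunk in this patch grants `sts:AssumeRole` on the DBA role explicitly, but no matching statement for `module.role_cicd_deployer.role_arn` is visible here, so either it lives outside the diff or the role is currently assumable only by principals that already hold a broad `sts:AssumeRole`. Adding a `condition` block on `aws:PrincipalArn`, or listing the intended deployer principal in `identifiers`, would make the expected assumer explicit in the trust policy itself; either way the comment should name which principal is expected to assume the role.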