From bd2ae69d135c025ef9bb3ee029fb092ba4e3a274 Mon Sep 17 00:00:00 2001
From: lpm0073
Date: Tue, 6 Feb 2024 09:00:23 -0600
Subject: [PATCH] refactor: new cluster access auth method w terraform-aws-modules/eks/aws v20.0

---
 .../stacks/modules/kubernetes/main.tf | 53 +++++++------------
 .../stacks/modules/kubernetes/providers.tf | 3 --
 .../kubernetes/terragrunt.hcl | 25 +--------
 3 files changed, 22 insertions(+), 59 deletions(-)

diff --git a/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/main.tf b/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/main.tf
index 5741e30c..133d0d9c 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/main.tf
+++ b/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/main.tf
@@ -12,6 +12,7 @@
 # - https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/
 #
 #------------------------------------------------------------------------------
+data "aws_partition" "current" {}
 locals {
   # Used by Karpenter config to determine correct partition (i.e. - `aws`, `aws-gov`, `aws-cn`, etc.)
@@ -26,38 +27,6 @@ locals {
 }
-resource "kubernetes_config_map_v1_data" "aws_auth_new" {
-  metadata {
-    name = "aws-auth"
-    namespace = "kube-system"
-  }
-
-  data = {
-    "mapAccounts" = jsonencode([])
-    "mapRoles" = <<-EOT
-      - "groups":
-        - "system:bootstrappers"
-        - "system:nodes"
-        "rolearn": "arn:aws:iam::${var.account_id}:role/service-eks-node-group-20230225001424228200000001"
-        {% raw %}"username": "system:node:{{EC2PrivateDNSName}}"{% endraw %}
-      - "groups":
-        - "system:bootstrappers"
-        - "system:nodes"
-        "rolearn": "arn:aws:iam::${var.account_id}:role/wordpress-eks-node-group-20230821193015357700000001"
-        {% raw %}"username": "system:node:{{EC2PrivateDNSName}}"{% endraw %}
-      EOT
-    "mapUsers" = <<-EOT
-      - "groups":
-        - "system:masters"
-        "userarn": "arn:aws:iam::${var.account_id}:user/system/bastion-user/apps-hosting-service-bastion"
-        "username": "apps-hosting-service-bastion"
-      EOT
-  }
-
-  field_manager = "Terraform"
-  force = true
-}
-
 module "eks" {
   source = "terraform-aws-modules/eks/aws"
   version = "~> {{ cookiecutter.terraform_aws_modules_eks }}"
@@ -89,6 +58,24 @@ module "eks" {
   # kubectl and k9s work from inside the bastion server by default.
   create_iam_role = true
+  # Cluster access entry
+  enable_cluster_creator_admin_permissions = true
+  access_entries = {
+    bastion = {
+      kubernetes_groups = []
+      principal_arn = var.bastion_iam_arn
+
+      policy_associations = {
+        admin = {
+          policy_arn = "arn:${local.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
   tags = merge(
     local.tags,
     module.cookiecutter_meta.tags,
@@ -353,7 +340,7 @@ resource "aws_security_group" "worker_group_mgmt" {
     { Name = "eks-${var.shared_resource_identifier}-worker_group_mgmt" },
     {
       "cookiecutter/resource/source" = "hashicorp/aws/aws_security_group"
-      "cookiecutter/resource/version" = "{{ cookiecutter.terraform_provider_hashicorp_aws_version }}"
+      "cookiecutter/resource/version" = "5.35"
     }
   )
 }
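Review bot: Nothing in the new `access_entries` block of `module "eks"` sets the module's `authentication_mode`, whose v20 default is `API_AND_CONFIG_MAP`, so after this commit the in-cluster `aws-auth` ConfigMap is still honoured alongside the new access entries while no Terraform resource manages it any more. Whatever the ConfigMap currently maps — the node-group roles and bastion user deleted from this file, and the `mcdaniel` `system:masters` entry deleted from terragrunt.hcl — may therefore keep granting access until it is cleaned up; set `authentication_mode = "API"` next to `enable_cluster_creator_admin_permissions = true` once the access entries are verified, and check the ConfigMap on the existing cluster after apply. Note also that `enable_cluster_creator_admin_permissions = true` makes whichever identity runs `terraform apply` a cluster admin without it appearing in `access_entries`; a comment such as `# The identity running apply also gets cluster admin via enable_cluster_creator_admin_permissions` would make that standing grant visible. If the two node groups whose roles were mapped to `system:nodes` in the removed ConfigMap are not EKS-managed node groups, they also need access entries of type `EC2_LINUX` to keep joining the cluster. The `module "eks"` block begins and ends outside this hunk.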
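Review bot: The `"cookiecutter/resource/version"` tag on `aws_security_group.worker_group_mgmt` is changed from the `{{ cookiecutter.terraform_provider_hashicorp_aws_version }}` template variable to the literal `"5.35"`, so this one tag no longer follows the provider version the rest of the template is rendered with and will silently go stale on the next bump. Unless a pinned value is intended here, restore `"cookiecutter/resource/version" = "{{ cookiecutter.terraform_provider_hashicorp_aws_version }}"`. The resource block begins outside this hunk.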
diff --git a/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/providers.tf b/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/providers.tf
index e17c27af..82d6c49e 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/providers.tf
+++ b/{{cookiecutter.github_repo_name}}/terraform/stacks/modules/kubernetes/providers.tf
@@ -12,9 +12,6 @@
 # the local kubeconfig file.
 #------------------------------------------------------------------------------
-# Required by Karpenter
-data "aws_partition" "current" {}
-
 provider "kubernetes" {
   host = module.eks.cluster_endpoint
   cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
diff --git a/{{cookiecutter.github_repo_name}}/terraform/stacks/{{cookiecutter.global_platform_shared_resource_identifier}}/kubernetes/terragrunt.hcl b/{{cookiecutter.github_repo_name}}/terraform/stacks/{{cookiecutter.global_platform_shared_resource_identifier}}/kubernetes/terragrunt.hcl
index fca1f5f5..bcfbbe5c 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/stacks/{{cookiecutter.global_platform_shared_resource_identifier}}/kubernetes/terragrunt.hcl
+++ b/{{cookiecutter.github_repo_name}}/terraform/stacks/{{cookiecutter.global_platform_shared_resource_identifier}}/kubernetes/terragrunt.hcl
@@ -93,34 +93,13 @@ inputs = {
   hosting_group_min_size = local.hosting_group_min_size
   hosting_group_max_size = local.hosting_group_max_size
-  map_roles = []
   kms_key_owners = [
-    "${local.bastion_iam_arn}",
+    "${local.bastion_iam_arn}"
     # -------------------------------------------------------------------------
     # ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS TO THE AWS KMS KEY OWNER LIST:
     # -------------------------------------------------------------------------
-    "arn:aws:iam::${local.account_id}:user/mcdaniel",
+    #"arn:aws:iam::${local.account_id}:user/mcdaniel",
     #"arn:aws:iam::${local.account_id}:user/bob_marley",
   ]
-  map_users = [
-    {
-      userarn = local.bastion_iam_arn
-      username = local.bastion_iam_username
-      groups = ["system:masters"]
-    },
-    # -------------------------------------------------------------------------
-    # ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS HERE:
-    # -------------------------------------------------------------------------
-    {
-      userarn = "arn:aws:iam::${local.account_id}:user/mcdaniel"
-      username = "mcdaniel"
-      groups = ["system:masters"]
-    },
-    #{
-    #  userarn = "arn:aws:iam::${local.account_id}:user/bob_marley"
-    #  username = "bob_marley"
-    #  groups = ["system:masters"]
-    #},
-  ]
 }
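Review bot: With `map_users` and its "ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS HERE" section removed, the only extension point left in this `inputs` block is the `kms_key_owners` list, whose surviving comment still reads as the place to add cluster admins, yet adding an ARN there grants KMS key ownership only — cluster access is now decided by the `access_entries` map in the module's main.tf, where just the bastion principal is hard-coded. Consider exposing a list input (for example `cluster_admin_arns`, a name proposed here) that the module turns into access entries, or at minimum rewording the comment to `# ADD MORE KMS KEY OWNER IAM ACCOUNTS HERE (cluster access is granted via access_entries in modules/kubernetes/main.tf)` so operators do not assume the old behaviour. The `mcdaniel` user loses its `system:masters` mapping here with no equivalent access entry; if that removal is deliberate, it is worth stating in the commit message. The `inputs = {` block begins outside this hunk.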