From 42d0c1005e14f807de12a2baf9961ab272d78264 Mon Sep 17 00:00:00 2001 
From: Rodrigo Bersa Date: Thu, 21 Sep 2023 15:21:56 -0400 Subject: [PATCH] Slicing patterns --- README.md | 23 +-- patterns/development-team/README.md | 69 +++++++ .../{no-admin => development-team}/main.tf | 55 +----- patterns/development-team/outputs.tf | 35 ++++ .../variables.tf | 0 .../versions.tf | 0 patterns/multiple-app-teams/README.md | 69 +++++++ patterns/multiple-app-teams/main.tf | 133 ++++++++++++++ patterns/multiple-app-teams/outputs.tf | 35 ++++ .../variables.tf | 0 .../versions.tf | 0 patterns/namespaced-admin/README.md | 32 +--- patterns/namespaced-admin/main.tf | 170 +----------------- patterns/namespaced-admin/outputs.tf | 102 ++--------- patterns/no-admin/README.md | 77 -------- patterns/no-admin/outputs.tf | 71 -------- {patterns => tests}/complete/README.md | 7 + {patterns => tests}/complete/main.tf | 34 +++- {patterns => tests}/complete/outputs.tf | 33 +++- tests/complete/variables.tf | 0 tests/complete/versions.tf | 14 ++ 21 files changed, 469 insertions(+), 490 deletions(-) create mode 100644 patterns/development-team/README.md rename patterns/{no-admin => development-team}/main.tf (81%) create mode 100644 patterns/development-team/outputs.tf rename patterns/{complete => development-team}/variables.tf (100%) rename patterns/{complete => development-team}/versions.tf (100%) create mode 100644 patterns/multiple-app-teams/README.md create mode 100644 patterns/multiple-app-teams/main.tf create mode 100644 patterns/multiple-app-teams/outputs.tf rename patterns/{no-admin => multiple-app-teams}/variables.tf (100%) rename patterns/{no-admin => multiple-app-teams}/versions.tf (100%) delete mode 100644 patterns/no-admin/README.md delete mode 100644 patterns/no-admin/outputs.tf rename {patterns => tests}/complete/README.md (81%) rename {patterns => tests}/complete/main.tf (90%) rename {patterns => tests}/complete/outputs.tf (74%) create mode 100644 tests/complete/variables.tf create mode 100644 tests/complete/versions.tf 
diff --git a/README.md b/README.md index 3339382..eb0292f 100644 --- a/README.md +++ b/README.md @@ -4,29 +4,18 @@ Terraform module which creates multi-tenancy resources on Amazon EKS. ## Usage -See [`tests`](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/test) directory for working tests to reference: +See [`patterns`](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns) directory for working tests to reference: -### Standalone - Admin Team +### Cluster Admin -```hcl -module "admin_team" { - source = "aws-ia/eks-blueprints-teams/aws" +https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/3011726aa7609fa201be8021ecfc2202bda47c8d/patterns/cluster-admin/main.tf#L38-L49 - name = "admin-team" +### Namespaced Admin - # Enables elevated, admin privileges for this team - enable_admin = true - users = ["arn:aws:iam::111122223333:role/my-admin-role"] - cluster_arn = "arn:aws:eks:us-west-2:111122223333:cluster/my-cluster" - - tags = { - Environment = "dev" - } -} -``` +https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/3011726aa7609fa201be8021ecfc2202bda47c8d/patterns/cluster-admin/main.tf#L38-L49 -### Standalone - Developer Team +### Developer Team ```hcl module "development_team" { diff --git a/patterns/development-team/README.md b/patterns/development-team/README.md new file mode 100644 index 0000000..523f7cd --- /dev/null +++ b/patterns/development-team/README.md 
@@ -0,0 +1,69 @@ +# Amazon EKS Blueprints Teams - Complete + +Configuration in this directory creates: + +- An EKS cluster (required to support module/tests) +- An administrative team +- A red team which demonstrates creating one team per module definition +- Blue teams which demonstrates creating multiple teams per module definition + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.47 | +| [kubernetes](#requirement\_kubernetes) | >= 2.17 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.47 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [development\_team](#module\_development\_team) | ../.. | n/a | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +No inputs. 
+ +## Outputs + +| Name | Description | +|------|-------------| +| [development\_team\_aws\_auth\_configmap\_role](#output\_development\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | +| [development\_team\_iam\_role\_arn](#output\_development\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | +| [development\_team\_iam\_role\_name](#output\_development\_team\_iam\_role\_name) | The name of the IAM role | +| [development\_team\_iam\_role\_unique\_id](#output\_development\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | +| [development\_team\_kubeconfig](#output\_development\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | +| [development\_team\_namespaces](#output\_development\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes | +| [development\_team\_rbac\_group](#output\_development\_team\_rbac\_group) | The name of the Kubernetes RBAC group | + + +Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE) diff --git a/patterns/no-admin/main.tf b/patterns/development-team/main.tf similarity index 81% rename from patterns/no-admin/main.tf rename to patterns/development-team/main.tf index 940f85c..284c5a5 100644 --- a/patterns/no-admin/main.tf +++ b/patterns/development-team/main.tf 
@@ -32,24 +32,24 @@ locals { } ################################################################################ -# EKS Multi-Tenancy Module +# EKS Development Teams Module ################################################################################ -module "red_team" { +module "development_team" { source = "../.." - name = "red-team" + name = "development-team" users = [data.aws_caller_identity.current.arn] cluster_arn = module.eks.cluster_arn oidc_provider_arn = module.eks.oidc_provider_arn labels = { - team = "red" + team = "dev" } annotations = { - team = "red" + team = "dev" } namespaces = { @@ -57,9 +57,10 @@ module "red_team" { # Provides access to an existing namespace create = false } - red = { + app = { + labels = { - projectName = "project-red", + projectName = "project-app", } resource_quota = { @@ -154,43 +155,6 @@ module "red_team" { tags = local.tags } -module "blue_teams" { - source = "../.." - - for_each = { - one = {} - two = {} - } - name = "blue-team-${each.key}" - - users = [data.aws_caller_identity.current.arn] - cluster_arn = module.eks.cluster_arn - oidc_provider_arn = module.eks.oidc_provider_arn - - namespaces = { - "blue-${each.key}" = { - labels = { - appName = "blue-team-app", - projectName = "project-blue", - } - - resource_quota = { - hard = { - "requests.cpu" = "2000m", - "requests.memory" = "4Gi", - "limits.cpu" = "4000m", - "limits.memory" = "16Gi", - "pods" = "20", - "secrets" = "20", - "services" = "20" - } - } - } - } - - tags = local.tags -} - ################################################################################ # Supporting Resources ################################################################################ @@ -219,8 +183,7 @@ module "eks" { manage_aws_auth_configmap = true aws_auth_roles = flatten( [ - module.red_team.aws_auth_configmap_role, - [for team in module.blue_teams : team.aws_auth_configmap_role], + module.development_team.aws_auth_configmap_role, ] ) 
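Review bot: The @@ -57 hunk's only net addition is an empty `+` line directly after `app = {`, which leaves a blank line at the top of the namespace block before `labels = {`; the sibling `default = {` block and the rest of the file open blocks without one, so drop it and keep `app = {` followed immediately by `labels = {`. The enclosing `module "development_team"` block starts and ends outside the hunk.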
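Review bot: `aws_auth_roles = flatten([ module.development_team.aws_auth_configmap_role, ])` in the @@ -219 hunk keeps a `flatten` wrapper that was only needed while `blue_teams` contributed a nested list; now that a single team is passed it can read `aws_auth_roles = [module.development_team.aws_auth_configmap_role]`, assuming that output is the single object its description calls a dictionary. The same leftover wrapper remains in the @@ -246 hunk of patterns/namespaced-admin/main.tf. The enclosing `module "eks"` block continues outside the hunk.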
diff --git a/patterns/development-team/outputs.tf b/patterns/development-team/outputs.tf
new file mode 100644
index 0000000..50a21e7
--- /dev/null
+++ b/patterns/development-team/outputs.tf
@@ -0,0 +1,35 @@
+# Red Team
+output "development_team_namespaces" {
+ description = "Mapf of Kubernetes namespaces created and their attributes"
+ value = module.development_team.namespaces
+}
+
+output "development_team_rbac_group" {
+ description = "The name of the Kubernetes RBAC group"
+ value = module.development_team.rbac_group
+}
+
+output "development_team_aws_auth_configmap_role" {
+ description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+ value = module.development_team.aws_auth_configmap_role
+}
+
+output "development_team_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.development_team.iam_role_name
+}
+
+output "development_team_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.development_team.iam_role_arn
+}
+
+output "development_team_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.development_team.iam_role_unique_id
+}
+
+output "development_team_kubeconfig" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.development_team.iam_role_arn}"
+}
diff --git a/patterns/complete/variables.tf b/patterns/development-team/variables.tf
similarity index 100%
rename from patterns/complete/variables.tf
rename to patterns/development-team/variables.tf
diff --git a/patterns/complete/versions.tf b/patterns/development-team/versions.tf
similarity index 100%
rename from patterns/complete/versions.tf
rename to patterns/development-team/versions.tf
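Review bot: The header comment `# Red Team` on the first added line no longer matches the outputs beneath it, which all read `module.development_team`; change it to `# Development Team`. The description of `development_team_namespaces` carries the typo `Mapf of Kubernetes namespaces created and their attributes`, which should read `Map of Kubernetes namespaces created and their attributes`; the identical typo is added in patterns/multiple-app-teams/outputs.tf and is reproduced in both new READMEs' Outputs tables. The same copy-paste residue shows in those READMEs' title and bullet list, which still describe the Complete example's admin, red and blue teams rather than the pattern they sit in.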
diff --git a/patterns/multiple-app-teams/README.md b/patterns/multiple-app-teams/README.md new file mode 100644 index 0000000..24bc584 --- /dev/null +++ b/patterns/multiple-app-teams/README.md 
@@ -0,0 +1,69 @@ +# Amazon EKS Blueprints Teams - Complete + +Configuration in this directory creates: + +- An EKS cluster (required to support module/tests) +- An administrative team +- A red team which demonstrates creating one team per module definition +- Blue teams which demonstrates creating multiple teams per module definition + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.47 | +| [kubernetes](#requirement\_kubernetes) | >= 2.17 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.47 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [application\_teams](#module\_application\_teams) | ../.. | n/a | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +No inputs. 
+ +## Outputs + +| Name | Description | +|------|-------------| +| [application\_teams\_aws\_auth\_configmap\_role](#output\_application\_teams\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | +| [application\_teams\_iam\_role\_arn](#output\_application\_teams\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | +| [application\_teams\_iam\_role\_name](#output\_application\_teams\_iam\_role\_name) | The name of the IAM role | +| [application\_teams\_iam\_role\_unique\_id](#output\_application\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | +| [application\_teams\_kubeconfig](#output\_application\_teams\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | +| [application\_teams\_namespaces](#output\_application\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes | +| [application\_teams\_rbac\_group](#output\_application\_teams\_rbac\_group) | The name of the Kubernetes RBAC group | + + +Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE) diff --git a/patterns/multiple-app-teams/main.tf b/patterns/multiple-app-teams/main.tf new file mode 100644 index 0000000..4b49af0 --- /dev/null +++ b/patterns/multiple-app-teams/main.tf 
@@ -0,0 +1,133 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+}
+
+data "aws_availability_zones" "available" {}
+data "aws_caller_identity" "current" {}
+
+locals {
+ region = "us-west-2"
+ name = "ex-teams-${basename(path.cwd)}"
+
+ vpc_cidr = "10.0.0.0/16"
+ azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+ tags = {
+ Name = local.name
+ Example = local.name
+ Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
+ }
+}
+
+################################################################################
+# EKS Multi-Tenancy Module
+################################################################################
+
+module "application_teams" {
+ source = "../.."
+
+ for_each = {
+ one = {}
+ two = {}
+ }
+ name = "app-team-${each.key}"
+
+ users = [data.aws_caller_identity.current.arn]
+ cluster_arn = module.eks.cluster_arn
+ oidc_provider_arn = module.eks.oidc_provider_arn
+
+ namespaces = {
+ "app-${each.key}" = {
+ labels = {
+ teamName = "${each.key}-team",
+ projectName = "${each.key}-project",
+ }
+
+ resource_quota = {
+ hard = {
+ "requests.cpu" = "2000m",
+ "requests.memory" = "4Gi",
+ "limits.cpu" = "4000m",
+ "limits.memory" = "16Gi",
+ "pods" = "20",
+ "secrets" = "20",
+ "services" = "20"
+ }
+ }
+ }
+ }
+
+ tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 19.13"
+
+ cluster_name = local.name
+ cluster_version = "1.27"
+ cluster_endpoint_public_access = true
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.private_subnets
+
+ eks_managed_node_groups = {
+ initial = {
+ instance_types = ["m5.large"]
+
+ min_size = 1
+ max_size = 5
+ desired_size = 2
+ }
+ }
+
+ manage_aws_auth_configmap = true
+ aws_auth_roles = flatten(
+ [
+ [for team in module.application_teams : team.aws_auth_configmap_role],
+ ]
+ )
+
+ tags = local.tags
+}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
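Review bot: `cluster_endpoint_public_access = true` in the `module "eks"` block is set without `cluster_endpoint_public_access_cidrs`, so with the EKS module's default allowlist the pattern stands up a cluster whose API endpoint is reachable from any address, and readers copying it inherit that exposure. Since the pattern is a reference for teams, either restrict the endpoint or mark the choice, e.g. `cluster_endpoint_public_access = true # example only - restrict with cluster_endpoint_public_access_cidrs outside of demos`. Separately, the `# EKS Multi-Tenancy Module` section heading above `module "application_teams"` was renamed to describe the team in the development-team pattern but not here; `# EKS Application Teams Module` would match. The empty `one = {}` / `two = {}` for_each values also deserve a one-line comment saying that only the keys are used, to derive the team and namespace names.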
diff --git a/patterns/multiple-app-teams/outputs.tf b/patterns/multiple-app-teams/outputs.tf
new file mode 100644
index 0000000..7003bc9
--- /dev/null
+++ b/patterns/multiple-app-teams/outputs.tf
@@ -0,0 +1,35 @@
+# Application Teams (creates multiple teams)
+output "application_teams_namespaces" {
+ description = "Mapf of Kubernetes namespaces created and their attributes"
+ value = [for team in module.application_teams : team.namespaces]
+}
+
+output "application_teams_rbac_group" {
+ description = "The name of the Kubernetes RBAC group"
+ value = [for team in module.application_teams : team.rbac_group]
+}
+
+output "application_teams_aws_auth_configmap_role" {
+ description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+ value = [for team in module.application_teams : team.aws_auth_configmap_role]
+}
+
+output "application_teams_iam_role_name" {
+ description = "The name of the IAM role"
+ value = [for team in module.application_teams : team.iam_role_name]
+}
+
+output "application_teams_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = [for team in module.application_teams : team.iam_role_arn]
+}
+
+output "application_teams_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = [for team in module.application_teams : team.iam_role_unique_id]
+}
+
+output "application_teams_kubeconfig" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = [for team in module.application_teams : "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${team.iam_role_arn}"]
+}
diff --git a/patterns/no-admin/variables.tf b/patterns/multiple-app-teams/variables.tf
similarity index 100%
rename from patterns/no-admin/variables.tf
rename to patterns/multiple-app-teams/variables.tf
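Review bot: Every output in this file collapses the `for_each` results into a list (`value = [for team in module.application_teams : team.iam_role_arn]`), which drops the team key, so a consumer of `application_teams_iam_role_arn` or `application_teams_aws_auth_configmap_role` cannot tell which entry belongs to `one` or `two` and has to rely on map key ordering. Keying the outputs by team, `value = { for k, team in module.application_teams : k => team.iam_role_arn }`, preserves the association; the same change applies to the other six outputs here. The descriptions are also written in the singular ("The name of the IAM role") although each output now returns one value per team.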
diff --git a/patterns/no-admin/versions.tf b/patterns/multiple-app-teams/versions.tf similarity index 100% rename from patterns/no-admin/versions.tf rename to patterns/multiple-app-teams/versions.tf diff --git a/patterns/namespaced-admin/README.md b/patterns/namespaced-admin/README.md index 927c6ce..fb6da36 100644 --- a/patterns/namespaced-admin/README.md +++ b/patterns/namespaced-admin/README.md @@ -38,10 +38,8 @@ Note that this example may create resources which will incur monetary charges on | Name | Source | Version | |------|--------|---------| -| [blue\_teams](#module\_blue\_teams) | ../.. | n/a | | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 | -| [platform\_team](#module\_platform\_team) | ../.. | n/a | -| [red\_team](#module\_red\_team) | ../.. | n/a | +| [operations\_team](#module\_operations\_team) | ../.. | n/a | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -59,27 +57,13 @@ No inputs. | Name | Description | |------|-------------| -| [blue\_teams\_aws\_auth\_configmap\_role](#output\_blue\_teams\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | -| [blue\_teams\_iam\_role\_arn](#output\_blue\_teams\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | -| [blue\_teams\_iam\_role\_name](#output\_blue\_teams\_iam\_role\_name) | The name of the IAM role | -| [blue\_teams\_iam\_role\_unique\_id](#output\_blue\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | -| [blue\_teams\_kubeconfig](#output\_blue\_teams\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | -| [blue\_teams\_namespaces](#output\_blue\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes | -| [blue\_teams\_rbac\_group](#output\_blue\_teams\_rbac\_group) | The name of the Kubernetes RBAC group | -| [platform\_team\_aws\_auth\_configmap\_role](#output\_platform\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | -| [platform\_team\_iam\_role\_arn](#output\_platform\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | -| [platform\_team\_iam\_role\_name](#output\_platform\_team\_iam\_role\_name) | The name of the IAM role | -| [platform\_team\_iam\_role\_unique\_id](#output\_platform\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | -| [platform\_team\_kubeconfig](#output\_platform\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | -| [platform\_team\_namespaces](#output\_platform\_team\_namespaces) | Map of Kubernetes namespaces created and their 
attributes | -| [platform\_team\_rbac\_group](#output\_platform\_team\_rbac\_group) | The name of the Kubernetes RBAC group | -| [red\_team\_aws\_auth\_configmap\_role](#output\_red\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | -| [red\_team\_iam\_role\_arn](#output\_red\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | -| [red\_team\_iam\_role\_name](#output\_red\_team\_iam\_role\_name) | The name of the IAM role | -| [red\_team\_iam\_role\_unique\_id](#output\_red\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | -| [red\_team\_kubeconfig](#output\_red\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | -| [red\_team\_namespaces](#output\_red\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes | -| [red\_team\_rbac\_group](#output\_red\_team\_rbac\_group) | The name of the Kubernetes RBAC group | +| [operations\_team\_aws\_auth\_configmap\_role](#output\_operations\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap | +| [operations\_team\_iam\_role\_arn](#output\_operations\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role | +| [operations\_team\_iam\_role\_name](#output\_operations\_team\_iam\_role\_name) | The name of the IAM role | +| [operations\_team\_iam\_role\_unique\_id](#output\_operations\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | +| [operations\_team\_kubeconfig](#output\_operations\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | +| [operations\_team\_namespaces](#output\_operations\_team\_namespaces) | Map of 
Kubernetes namespaces created and their attributes | +| [operations\_team\_rbac\_group](#output\_operations\_team\_rbac\_group) | The name of the Kubernetes RBAC group | Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE) diff --git a/patterns/namespaced-admin/main.tf b/patterns/namespaced-admin/main.tf index 50058e3..eb46b06 100644 --- a/patterns/namespaced-admin/main.tf +++ b/patterns/namespaced-admin/main.tf @@ -35,24 +35,24 @@ locals { # EKS Multi-Tenancy Module ################################################################################ -module "platform_team" { +module "operations_team" { source = "../.." - name = "platform-team" + name = "operations-team" users = [data.aws_caller_identity.current.arn] cluster_arn = module.eks.cluster_arn oidc_provider_arn = module.eks.oidc_provider_arn labels = { - team = "platform" + team = "ops" } annotations = { - team = "platform" + team = "ops" } - cluster_role_name = "platform-team" + cluster_role_name = "ops-team" cluster_role_ref_name = "admin" role_ref = { kind = "ClusterRole" 
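Review bot: The rename in this hunk leaves three spellings of the team in one block: the module is `operations_team` with `name = "operations-team"`, the labels and annotations use `team = "ops"`, and the cluster role becomes `cluster_role_name = "ops-team"`, so the resources the module derives from `name`, the namespace labels and the RBAC ClusterRole carry different identifiers. `cluster_role_name = "operations-team"` keeps the ClusterRole aligned with `name`, or use `ops` throughout. The unchanged `# EKS Multi-Tenancy Module` heading above the module was rewritten to name the team in patterns/development-team/main.tf but not here. The `module "operations_team"` block continues past the end of the hunk.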
@@ -62,162 +62,6 @@ module "platform_team" { tags = local.tags } -module "red_team" { - source = "../.." - - name = "red-team" - - users = [data.aws_caller_identity.current.arn] - cluster_arn = module.eks.cluster_arn - oidc_provider_arn = module.eks.oidc_provider_arn - - labels = { - team = "red" - } - - annotations = { - team = "red" - } - - namespaces = { - default = { - # Provides access to an existing namespace - create = false - } - red = { - labels = { - projectName = "project-red", - } - - resource_quota = { - hard = { - "requests.cpu" = "1000m", - "requests.memory" = "4Gi", - "limits.cpu" = "2000m", - "limits.memory" = "8Gi", - "pods" = "10", - "secrets" = "10", - "services" = "10" - } - } - - limit_range = { - limit = [ - { - type = "Pod" - max = { - cpu = "200m" - memory = "1Gi" - } - }, - { - type = "PersistentVolumeClaim" - min = { - storage = "24M" - } - }, - { - type = "Container" - default = { - cpu = "50m" - memory = "24Mi" - } - } - ] - } - - network_policy = { - pod_selector = { - match_expressions = [{ - key = "name" - operator = "In" - values = ["webfront", "api"] - }] - } - - ingress = [{ - ports = [ - { - port = "http" - protocol = "TCP" - }, - { - port = "53" - protocol = "TCP" - }, - { - port = "53" - protocol = "UDP" - } - ] - - from = [ - { - namespace_selector = { - match_labels = { - name = "default" - } - } - }, - { - ip_block = { - cidr = "10.0.0.0/8" - except = [ - "10.0.0.0/24", - "10.0.1.0/24", - ] - } - } - ] - }] - - egress = [] # single empty rule to allow all egress traffic - - policy_types = ["Ingress", "Egress"] - } - } - } - - tags = local.tags -} - -module "blue_teams" { - source = "../.." 
- - for_each = { - one = {} - two = {} - } - name = "blue-team-${each.key}" - - users = [data.aws_caller_identity.current.arn] - cluster_arn = module.eks.cluster_arn - oidc_provider_arn = module.eks.oidc_provider_arn - - namespaces = { - "blue-${each.key}" = { - labels = { - appName = "blue-team-app", - projectName = "project-blue", - } - - resource_quota = { - hard = { - "requests.cpu" = "2000m", - "requests.memory" = "4Gi", - "limits.cpu" = "4000m", - "limits.memory" = "16Gi", - "pods" = "20", - "secrets" = "20", - "services" = "20" - } - } - } - } - - tags = local.tags -} - ################################################################################ # Supporting Resources ################################################################################ @@ -246,9 +90,7 @@ module "eks" { manage_aws_auth_configmap = true aws_auth_roles = flatten( [ - module.platform_team.aws_auth_configmap_role, - module.red_team.aws_auth_configmap_role, - [for team in module.blue_teams : team.aws_auth_configmap_role], + module.operations_team.aws_auth_configmap_role, ] ) diff --git a/patterns/namespaced-admin/outputs.tf b/patterns/namespaced-admin/outputs.tf index 3d1646e..0050010 100644 --- a/patterns/namespaced-admin/outputs.tf +++ b/patterns/namespaced-admin/outputs.tf 
@@ -1,107 +1,35 @@ -# Platform Team -output "platform_team_namespaces" { +# Operations Team +output "operations_team_namespaces" { description = "Map of Kubernetes namespaces created and their attributes" - value = module.platform_team.namespaces + value = module.operations_team.namespaces } -output "platform_team_rbac_group" { +output "operations_team_rbac_group" { description = "The name of the Kubernetes RBAC group" - value = module.platform_team.rbac_group + value = module.operations_team.rbac_group } -output "platform_team_aws_auth_configmap_role" { +output "operations_team_aws_auth_configmap_role" { description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap" - value = module.platform_team.aws_auth_configmap_role + value = module.operations_team.aws_auth_configmap_role } -output "platform_team_iam_role_name" { +output "operations_team_iam_role_name" { description = "The name of the IAM role" - value = module.platform_team.iam_role_name + value = module.operations_team.iam_role_name } -output "platform_team_iam_role_arn" { +output "operations_team_iam_role_arn" { description = "The Amazon Resource Name (ARN) specifying the IAM role" - value = module.platform_team.iam_role_arn + value = module.operations_team.iam_role_arn } -output "platform_team_iam_role_unique_id" { +output "operations_team_iam_role_unique_id" { description = "Stable and unique string identifying the IAM role" - value = module.platform_team.iam_role_unique_id + value = module.operations_team.iam_role_unique_id } -output "platform_team_kubeconfig" { +output "operations_team_kubeconfig" { description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" - value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.platform_team.iam_role_arn}" -} - -# Red Team -output "red_team_namespaces" { - 
description = "Mapf of Kubernetes namespaces created and their attributes" - value = module.red_team.namespaces -} - -output "red_team_rbac_group" { - description = "The name of the Kubernetes RBAC group" - value = module.red_team.rbac_group -} - -output "red_team_aws_auth_configmap_role" { - description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap" - value = module.red_team.aws_auth_configmap_role -} - -output "red_team_iam_role_name" { - description = "The name of the IAM role" - value = module.red_team.iam_role_name -} - -output "red_team_iam_role_arn" { - description = "The Amazon Resource Name (ARN) specifying the IAM role" - value = module.red_team.iam_role_arn -} - -output "red_team_iam_role_unique_id" { - description = "Stable and unique string identifying the IAM role" - value = module.red_team.iam_role_unique_id -} - -output "red_team_kubeconfig" { - description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" - value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.red_team.iam_role_arn}" -} - -# Blue Teams (creates multiple teams) -output "blue_teams_namespaces" { - description = "Mapf of Kubernetes namespaces created and their attributes" - value = [for team in module.blue_teams : team.namespaces] -} - -output "blue_teams_rbac_group" { - description = "The name of the Kubernetes RBAC group" - value = [for team in module.blue_teams : team.rbac_group] -} - -output "blue_teams_aws_auth_configmap_role" { - description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap" - value = [for team in module.blue_teams : team.aws_auth_configmap_role] -} - -output "blue_teams_iam_role_name" { - description = "The name of the IAM role" - value = [for team in module.blue_teams : team.iam_role_name] -} - 
-output "blue_teams_iam_role_arn" { - description = "The Amazon Resource Name (ARN) specifying the IAM role" - value = [for team in module.blue_teams : team.iam_role_arn] -} - -output "blue_teams_iam_role_unique_id" { - description = "Stable and unique string identifying the IAM role" - value = [for team in module.blue_teams : team.iam_role_unique_id] -} - -output "blue_teams_kubeconfig" { - description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" - value = [for team in module.blue_teams : "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${team.iam_role_arn}"] + value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.operations_team.iam_role_arn}" } diff --git a/patterns/no-admin/README.md b/patterns/no-admin/README.md deleted file mode 100644 index b5b46d9..0000000 --- a/patterns/no-admin/README.md +++ /dev/null 
@@ -1,77 +0,0 @@
-# Amazon EKS Blueprints Teams - Complete
-
-Configuration in this directory creates:
-
-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
-
-## Usage
-
-To run this example you need to execute:
-
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-
-Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.47 |
-| [kubernetes](#requirement\_kubernetes) | >= 2.17 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 4.47 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [blue\_teams](#module\_blue\_teams) | ../.. | n/a |
-| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
-| [red\_team](#module\_red\_team) | ../.. | n/a |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [blue\_teams\_aws\_auth\_configmap\_role](#output\_blue\_teams\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
-| [blue\_teams\_iam\_role\_arn](#output\_blue\_teams\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| [blue\_teams\_iam\_role\_name](#output\_blue\_teams\_iam\_role\_name) | The name of the IAM role |
-| [blue\_teams\_iam\_role\_unique\_id](#output\_blue\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
-| [blue\_teams\_kubeconfig](#output\_blue\_teams\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
-| [blue\_teams\_namespaces](#output\_blue\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
-| [blue\_teams\_rbac\_group](#output\_blue\_teams\_rbac\_group) | The name of the Kubernetes RBAC group |
-| [red\_team\_aws\_auth\_configmap\_role](#output\_red\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
-| [red\_team\_iam\_role\_arn](#output\_red\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| [red\_team\_iam\_role\_name](#output\_red\_team\_iam\_role\_name) | The name of the IAM role |
-| [red\_team\_iam\_role\_unique\_id](#output\_red\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
-| [red\_team\_kubeconfig](#output\_red\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
-| [red\_team\_namespaces](#output\_red\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
-| [red\_team\_rbac\_group](#output\_red\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
-
-
-Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE)
diff --git a/patterns/no-admin/outputs.tf b/patterns/no-admin/outputs.tf
deleted file mode 100644
index 8dd6977..0000000
--- a/patterns/no-admin/outputs.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-# Red Team
-output "red_team_namespaces" {
- description = "Mapf of Kubernetes namespaces created and their attributes"
- value = module.red_team.namespaces
-}
-
-output "red_team_rbac_group" {
- description = "The name of the Kubernetes RBAC group"
- value = module.red_team.rbac_group
-}
-
-output "red_team_aws_auth_configmap_role" {
- description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
- value = module.red_team.aws_auth_configmap_role
-}
-
-output "red_team_iam_role_name" {
- description = "The name of the IAM role"
- value = module.red_team.iam_role_name
-}
-
-output "red_team_iam_role_arn" {
- description = "The Amazon Resource Name (ARN) specifying the IAM role"
- value = module.red_team.iam_role_arn
-}
-
-output "red_team_iam_role_unique_id" {
- description = "Stable and unique string identifying the IAM role"
- value = module.red_team.iam_role_unique_id
-}
-
-output "red_team_kubeconfig" {
- description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
- value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${module.red_team.iam_role_arn}"
-}
-
-# Blue Teams (creates multiple teams)
-output "blue_teams_namespaces" {
- description = "Mapf of Kubernetes namespaces created and their attributes"
- value = [for team in module.blue_teams : team.namespaces]
-}
-
-output "blue_teams_rbac_group" {
- description = "The name of the Kubernetes RBAC group"
- value = [for team in module.blue_teams : team.rbac_group]
-}
-
-output "blue_teams_aws_auth_configmap_role" {
- description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
- value = [for team in module.blue_teams : team.aws_auth_configmap_role]
-}
-
-output "blue_teams_iam_role_name" {
- description = "The name of the IAM role"
- value = [for team in module.blue_teams : team.iam_role_name]
-}
-
-output "blue_teams_iam_role_arn" {
- description = "The Amazon Resource Name (ARN) specifying the IAM role"
- value = [for team in module.blue_teams : team.iam_role_arn]
-}
-
-output "blue_teams_iam_role_unique_id" {
- description = "Stable and unique string identifying the IAM role"
- value = [for team in module.blue_teams : team.iam_role_unique_id]
-}
-
-output "blue_teams_kubeconfig" {
- description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
- value = [for team in module.blue_teams : "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --role-arn ${team.iam_role_arn}"]
-}
diff --git a/patterns/complete/README.md b/tests/complete/README.md
similarity index 81%
rename from patterns/complete/README.md
rename to tests/complete/README.md
index a5b57dd..0ed819f 100644
--- a/patterns/complete/README.md
+++ b/tests/complete/README.md
@@ -41,6 +41,7 @@ Note that this example may create resources which will incur monetary charges on
 | [admin\_team](#module\_admin\_team) | ../.. | n/a |
 | [blue\_teams](#module\_blue\_teams) | ../.. | n/a |
 | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
+| [platform\_team](#module\_platform\_team) | ../.. | n/a |
 | [red\_team](#module\_red\_team) | ../.. | n/a |
 | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
@@ -71,6 +72,12 @@ No inputs.
 | [blue\_teams\_iam\_role\_unique\_id](#output\_blue\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | [blue\_teams\_namespaces](#output\_blue\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
 | [blue\_teams\_rbac\_group](#output\_blue\_teams\_rbac\_group) | The name of the Kubernetes RBAC group |
+| [platform\_team\_aws\_auth\_configmap\_role](#output\_platform\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
+| [platform\_team\_iam\_role\_arn](#output\_platform\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [platform\_team\_iam\_role\_name](#output\_platform\_team\_iam\_role\_name) | The name of the IAM role |
+| [platform\_team\_iam\_role\_unique\_id](#output\_platform\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [platform\_team\_namespaces](#output\_platform\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
+| [platform\_team\_rbac\_group](#output\_platform\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
 | [red\_team\_aws\_auth\_configmap\_role](#output\_red\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
 | [red\_team\_iam\_role\_arn](#output\_red\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
 | [red\_team\_iam\_role\_name](#output\_red\_team\_iam\_role\_name) | The name of the IAM role |
diff --git a/patterns/complete/main.tf b/tests/complete/main.tf
similarity index 90%
rename from patterns/complete/main.tf
rename to tests/complete/main.tf
index 24562f5..560f57c 100644
--- a/patterns/complete/main.tf
+++ b/tests/complete/main.tf
@@ -47,6 +47,33 @@ module "admin_team" {
 tags = local.tags
 }
+module "platform_team" {
+ source = "../.."
+
+ name = "platform-team"
+
+ users = [data.aws_caller_identity.current.arn]
+ cluster_arn = module.eks.cluster_arn
+ oidc_provider_arn = module.eks.oidc_provider_arn
+
+ labels = {
+ team = "platform"
+ }
+
+ annotations = {
+ team = "platform"
+ }
+
+ cluster_role_name = "platform-team"
+ cluster_role_ref_name = "admin"
+ role_ref = {
+ kind = "ClusterRole"
+ name = "admin"
+ }
+
+ tags = local.tags
+}
+
 module "red_team" {
 source = "../.."
@@ -57,11 +84,11 @@ module "red_team" {
 oidc_provider_arn = module.eks.oidc_provider_arn
 labels = {
- team = "red"
+ team = "red-team"
 }
 annotations = {
- team = "red"
+ team = "red-team"
 }
 namespaces = {
@@ -71,7 +98,7 @@ module "red_team" {
 }
 red = {
 labels = {
- projectName = "project-red",
+ projectName = "red-app",
 }
 resource_quota = {
@@ -232,6 +259,7 @@ module "eks" {
 aws_auth_roles = flatten(
 [
 module.admin_team.aws_auth_configmap_role,
+ module.platform_team.aws_auth_configmap_role,
 module.red_team.aws_auth_configmap_role,
 [for team in module.blue_teams : team.aws_auth_configmap_role],
 ]
diff --git a/patterns/complete/outputs.tf b/tests/complete/outputs.tf
similarity index 74%
rename from patterns/complete/outputs.tf
rename to tests/complete/outputs.tf
index 8ef2e0e..a56978b 100644
--- a/patterns/complete/outputs.tf
+++ b/tests/complete/outputs.tf
@@ -1,4 +1,4 @@
-# Admin
+# Admin Team
 output "admin_team_namespaces" {
 description = "Mapf of Kubernetes namespaces created and their attributes"
 value = module.admin_team.namespaces
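Review bot: The new `platform_team` block at the top of the first hunk points the team at the built-in `admin` ClusterRole twice — `cluster_role_ref_name = "admin"` and `role_ref = { kind = "ClusterRole", name = "admin" }` — with no comment on the intended scope, and unlike `red_team` it declares no `namespaces`. If `cluster_role_ref_name` is consumed by a ClusterRoleBinding (the name suggests so; confirm against the module's variables), the group gets `admin`-level rights in every namespace of the test cluster, a very different trust level from the namespaced teams in this file, so a one-line comment above the block such as `# Platform team: cluster-wide binding to the built-in "admin" ClusterRole (all namespaces), no namespaces of its own` would document that choice. If the per-namespace `role_ref` is unused when no `namespaces` are given, consider dropping it so the example does not suggest it is what grants access. The `red_team` and `eks` blocks touched by the later hunks start and end outside their hunks.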
@@ -29,6 +29,37 @@ output "admin_team_iam_role_unique_id" {
 value = module.admin_team.iam_role_unique_id
 }
+# Platform Team
+output "platform_team_namespaces" {
+ description = "Mapf of Kubernetes namespaces created and their attributes"
+ value = module.platform_team.namespaces
+}
+
+output "platform_team_rbac_group" {
+ description = "The name of the Kubernetes RBAC group"
+ value = module.platform_team.rbac_group
+}
+
+output "platform_team_aws_auth_configmap_role" {
+ description = "Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap"
+ value = module.platform_team.aws_auth_configmap_role
+}
+
+output "platform_team_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.platform_team.iam_role_name
+}
+
+output "platform_team_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.platform_team.iam_role_arn
+}
+
+output "platform_team_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.platform_team.iam_role_unique_id
+}
+
 # Red Team
 output "red_team_namespaces" {
 description = "Mapf of Kubernetes namespaces created and their attributes"
diff --git a/tests/complete/variables.tf b/tests/complete/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/tests/complete/versions.tf b/tests/complete/versions.tf
new file mode 100644
index 0000000..91b9931
--- /dev/null
+++ b/tests/complete/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.47"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.17"
+ }
+ }
+}
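Review bot: The new `platform_team_namespaces` output copies the existing typo `Mapf` into one more description string, and because these descriptions are rendered into the README tables the same misspelling is added to `tests/complete/README.md` in this patch; since the line is new, write `description = "Map of Kubernetes namespaces created and their attributes"` here and regenerate the docs. The added `platform_team_*` outputs mirror the `admin_team_*` set, but the team outputs removed from `patterns/no-admin/outputs.tf` in this same patch also exposed a `*_kubeconfig` convenience output; if the platform team deliberately has none, a short comment under `# Platform Team` saying so would save the next reader from assuming it was forgotten.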