refactor patterns/cluster-admin

patterns/README.md

@@ -1,3 +1,6 @@
 # Amazon EKS Blueprints Teams
 
-- [Complete](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/tests/complete)
+- [Cluster Admin](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns/cluster-admin)
+- [Namespaced Admin](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns/namespaced-admin)
+- [Development Team](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns/development-team)
+- [Multiple Application Teams](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/multiple-app-teams)

patterns/cluster-admin/README.md

@@ -1,17 +1,31 @@
-# Amazon EKS Blueprints Teams - Complete
+# Amazon EKS Blueprints Teams - Cluster Admin
 
-Configuration in this directory creates:
+This example shows how to create a team with Cluster Admin privileges for the specified identities (`users/role`). For this to work, the created team will be tied to the `system:masters` Kubernetes RBAC group, that will give them the *super-user* permissions, as defined in the `cluster-admin` Kubernetes clusterRole.
+
+- [RBAC Authorization for User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+
+## Areas of Interest
+
+- `teams.tf` contains a sample configuration of the `teams` module, in this case with a `cluster-admin` or *super-user* privileges for the provided identities.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/cluster-admin/teams.tf#L5-L15
 
-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
+- `eks.tf` holds the EKS Cluster configuration and the setup of the `aws-auth` configMap, providing the EKS authentication model for the identities and RBAC authorization created by the `teams` module.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/cluster-admin/eks.tf#L28-L33
+
+## Deploy
+
+Configuration in this directory creates:
 
-## Usage
+- A VPC (required to support module/eks)
+- An EKS cluster (required to support module/teams)
+- A team with `cluster-admin` privileges
 
-To run this example you need to execute:
+To run this pattern you need to execute:
 
 ```bash
+$ cd patterns/cluster-admin
 $ terraform init
 $ terraform plan
 $ terraform apply
@@ -39,9 +53,7 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_admin_team"></a> [admin\_team](#module\_admin\_team) | ../.. | n/a |
-| <a name="module_blue_teams"></a> [blue\_teams](#module\_blue\_teams) | ../.. | n/a |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
-| <a name="module_red_team"></a> [red\_team](#module\_red\_team) | ../.. | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
 
 ## Resources
@@ -66,20 +78,6 @@ No inputs.
 | <a name="output_admin_team_kubeconfig"></a> [admin\_team\_kubeconfig](#output\_admin\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
 | <a name="output_admin_team_namespaces"></a> [admin\_team\_namespaces](#output\_admin\_team\_namespaces) | Map of Kubernetes namespaces created and their attributes |
 | <a name="output_admin_team_rbac_group"></a> [admin\_team\_rbac\_group](#output\_admin\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
-| <a name="output_blue_teams_aws_auth_configmap_role"></a> [blue\_teams\_aws\_auth\_configmap\_role](#output\_blue\_teams\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
-| <a name="output_blue_teams_iam_role_arn"></a> [blue\_teams\_iam\_role\_arn](#output\_blue\_teams\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| <a name="output_blue_teams_iam_role_name"></a> [blue\_teams\_iam\_role\_name](#output\_blue\_teams\_iam\_role\_name) | The name of the IAM role |
-| <a name="output_blue_teams_iam_role_unique_id"></a> [blue\_teams\_iam\_role\_unique\_id](#output\_blue\_teams\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
-| <a name="output_blue_teams_kubeconfig"></a> [blue\_teams\_kubeconfig](#output\_blue\_teams\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
-| <a name="output_blue_teams_namespaces"></a> [blue\_teams\_namespaces](#output\_blue\_teams\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
-| <a name="output_blue_teams_rbac_group"></a> [blue\_teams\_rbac\_group](#output\_blue\_teams\_rbac\_group) | The name of the Kubernetes RBAC group |
-| <a name="output_red_team_aws_auth_configmap_role"></a> [red\_team\_aws\_auth\_configmap\_role](#output\_red\_team\_aws\_auth\_configmap\_role) | Dictionary containing the necessary details for adding the role created to the `aws-auth` configmap |
-| <a name="output_red_team_iam_role_arn"></a> [red\_team\_iam\_role\_arn](#output\_red\_team\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| <a name="output_red_team_iam_role_name"></a> [red\_team\_iam\_role\_name](#output\_red\_team\_iam\_role\_name) | The name of the IAM role |
-| <a name="output_red_team_iam_role_unique_id"></a> [red\_team\_iam\_role\_unique\_id](#output\_red\_team\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
-| <a name="output_red_team_kubeconfig"></a> [red\_team\_kubeconfig](#output\_red\_team\_kubeconfig) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig |
-| <a name="output_red_team_namespaces"></a> [red\_team\_namespaces](#output\_red\_team\_namespaces) | Mapf of Kubernetes namespaces created and their attributes |
-| <a name="output_red_team_rbac_group"></a> [red\_team\_rbac\_group](#output\_red\_team\_rbac\_group) | The name of the Kubernetes RBAC group |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/LICENSE)

patterns/cluster-admin/eks.tf

@@ -0,0 +1,64 @@
+################################################################################
+# Supporting Resources
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.13"
+
+  cluster_name                   = local.name
+  cluster_version                = "1.27"
+  cluster_endpoint_public_access = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    initial = {
+      instance_types = ["m5.large"]
+
+      min_size     = 1
+      max_size     = 5
+      desired_size = 2
+    }
+  }
+
+  manage_aws_auth_configmap = true
+  aws_auth_roles = flatten(
+    [
+      module.admin_team.aws_auth_configmap_role,
+    ]
+  )
+
+  tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}

patterns/cluster-admin/main.tf

@@ -30,237 +30,3 @@ locals {
     Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
   }
 }
-
-################################################################################
-# EKS Multi-Tenancy Module
-################################################################################
-
-module "admin_team" {
-  source = "../.."
-
-  name = "admin-team"
-
-  enable_admin = true
-  users        = [data.aws_caller_identity.current.arn]
-  cluster_arn  = module.eks.cluster_arn
-
-  tags = local.tags
-}
-
-module "red_team" {
-  source = "../.."
-
-  name = "red-team"
-
-  users             = [data.aws_caller_identity.current.arn]
-  cluster_arn       = module.eks.cluster_arn
-  oidc_provider_arn = module.eks.oidc_provider_arn
-
-  labels = {
-    team = "red"
-  }
-
-  annotations = {
-    team = "red"
-  }
-
-  namespaces = {
-    default = {
-      # Provides access to an existing namespace
-      create = false
-    }
-    red = {
-      labels = {
-        projectName = "project-red",
-      }
-
-      resource_quota = {
-        hard = {
-          "requests.cpu"    = "1000m",
-          "requests.memory" = "4Gi",
-          "limits.cpu"      = "2000m",
-          "limits.memory"   = "8Gi",
-          "pods"            = "10",
-          "secrets"         = "10",
-          "services"        = "10"
-        }
-      }
-
-      limit_range = {
-        limit = [
-          {
-            type = "Pod"
-            max = {
-              cpu    = "200m"
-              memory = "1Gi"
-            }
-          },
-          {
-            type = "PersistentVolumeClaim"
-            min = {
-              storage = "24M"
-            }
-          },
-          {
-            type = "Container"
-            default = {
-              cpu    = "50m"
-              memory = "24Mi"
-            }
-          }
-        ]
-      }
-
-      network_policy = {
-        pod_selector = {
-          match_expressions = [{
-            key      = "name"
-            operator = "In"
-            values   = ["webfront", "api"]
-          }]
-        }
-
-        ingress = [{
-          ports = [
-            {
-              port     = "http"
-              protocol = "TCP"
-            },
-            {
-              port     = "53"
-              protocol = "TCP"
-            },
-            {
-              port     = "53"
-              protocol = "UDP"
-            }
-          ]
-
-          from = [
-            {
-              namespace_selector = {
-                match_labels = {
-                  name = "default"
-                }
-              }
-            },
-            {
-              ip_block = {
-                cidr = "10.0.0.0/8"
-                except = [
-                  "10.0.0.0/24",
-                  "10.0.1.0/24",
-                ]
-              }
-            }
-          ]
-        }]
-
-        egress = [] # single empty rule to allow all egress traffic
-
-        policy_types = ["Ingress", "Egress"]
-      }
-    }
-  }
-
-  tags = local.tags
-}
-
-module "blue_teams" {
-  source = "../.."
-
-  for_each = {
-    one = {}
-    two = {}
-  }
-  name = "blue-team-${each.key}"
-
-  users             = [data.aws_caller_identity.current.arn]
-  cluster_arn       = module.eks.cluster_arn
-  oidc_provider_arn = module.eks.oidc_provider_arn
-
-  namespaces = {
-    "blue-${each.key}" = {
-      labels = {
-        appName     = "blue-team-app",
-        projectName = "project-blue",
-      }
-
-      resource_quota = {
-        hard = {
-          "requests.cpu"    = "2000m",
-          "requests.memory" = "4Gi",
-          "limits.cpu"      = "4000m",
-          "limits.memory"   = "16Gi",
-          "pods"            = "20",
-          "secrets"         = "20",
-          "services"        = "20"
-        }
-      }
-    }
-  }
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "eks" {
-  source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.13"
-
-  cluster_name                   = local.name
-  cluster_version                = "1.27"
-  cluster_endpoint_public_access = true
-
-  vpc_id     = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnets
-
-  eks_managed_node_groups = {
-    initial = {
-      instance_types = ["m5.large"]
-
-      min_size     = 1
-      max_size     = 5
-      desired_size = 2
-    }
-  }
-
-  manage_aws_auth_configmap = true
-  aws_auth_roles = flatten(
-    [
-      module.admin_team.aws_auth_configmap_role,
-      module.red_team.aws_auth_configmap_role,
-      [for team in module.blue_teams : team.aws_auth_configmap_role],
-    ]
-  )
-
-  tags = local.tags
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
-
-  name = local.name
-  cidr = local.vpc_cidr
-
-  azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
-
-  enable_nat_gateway = true
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    "kubernetes.io/role/elb" = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/role/internal-elb" = 1
-  }
-
-  tags = local.tags
-}