Merge pull request #3 from aws-ia/03-07-2023-pre-publish-adjustments

refactor: Updating module version.
aws-ia · Mar 7, 2023 · b8e1439 · b8e1439
2 parents 12a1438 + b8a0f5c
commit b8e1439
Show file tree

Hide file tree

Showing 25 changed files with 1,704 additions and 318 deletions.
diff --git a/data.tf → .old/data.tf b/data.tf → .old/data.tf
diff --git a/examples/basic/.header.md → .old/examples/basic/.header.md b/examples/basic/.header.md → .old/examples/basic/.header.md
diff --git a/examples/basic/README.md → .old/examples/basic/README.md b/examples/basic/README.md → .old/examples/basic/README.md
diff --git a/examples/basic/main.tf → .old/examples/basic/main.tf b/examples/basic/main.tf → .old/examples/basic/main.tf
diff --git a/examples/basic/outputs.tf → .old/examples/basic/outputs.tf b/examples/basic/outputs.tf → .old/examples/basic/outputs.tf
diff --git a/examples/basic/providers.tf → .old/examples/basic/providers.tf b/examples/basic/providers.tf → .old/examples/basic/providers.tf
diff --git a/examples/basic/variables.tf → .old/examples/basic/variables.tf b/examples/basic/variables.tf → .old/examples/basic/variables.tf
diff --git a/locals.tf → .old/locals.tf b/locals.tf → .old/locals.tf
diff --git a/.old/main.tf b/.old/main.tf
@@ -0,0 +1,213 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# Namespace
+# ---------------------------------------------------------------------------------------------------------------------
+resource "kubernetes_namespace" "team" {
+  for_each = var.application_teams
+  metadata {
+    name   = each.key
+    labels = try(each.value["labels"], {})
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Quotas
+# ---------------------------------------------------------------------------------------------------------------------
+resource "kubernetes_resource_quota" "this" {
+  for_each = { for team_name, team_data in var.application_teams : team_name => team_data if lookup(team_data, "quota", "") != "" }
+
+  metadata {
+    name      = "quotas"
+    namespace = kubernetes_namespace.team[each.key].metadata[0].name
+  }
+
+  spec {
+    hard = try(each.value.quota, {})
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# IAM / RBAC
+# ---------------------------------------------------------------------------------------------------------------------
+resource "aws_iam_role" "team_access" {
+  for_each = { for team_name, team_data in var.application_teams : team_name => team_data if lookup(team_data, "users", "") != "" }
+
+  name                 = "${var.eks_cluster_id}-${each.key}-access"
+  permissions_boundary = var.iam_role_permissions_boundary
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : each.value.users
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "kubernetes_cluster_role" "team" {
+  for_each = var.application_teams
+  metadata {
+    name = "${each.key}-team-cluster-role"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces", "nodes"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "team" {
+  for_each = var.application_teams
+  metadata {
+    name = "${each.key}-team-cluster-role-binding"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "${each.key}-team-cluster-role"
+  }
+  subject {
+    kind      = "Group"
+    name      = "${each.key}-group"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+resource "kubernetes_role" "team" {
+  for_each = var.application_teams
+  #checkov:skip=CKV_K8S_49:API Groups access required for first deployment.
+  metadata {
+    name      = "${each.key}-role"
+    namespace = kubernetes_namespace.team[each.key].metadata[0].name
+  }
+  rule {
+    api_groups = ["*"]
+    resources  = ["configmaps", "pods", "podtemplates", "secrets", "serviceaccounts", "services", "deployments", "horizontalpodautoscalers", "networkpolicies", "statefulsets", "replicasets"]
+    verbs      = ["get", "list", "watch"]
+  }
+  rule {
+    api_groups = ["*"]
+    resources  = ["resourcequotas"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_role_binding" "team" {
+  for_each = var.application_teams
+  metadata {
+    name      = "${each.key}-role-binding"
+    namespace = kubernetes_namespace.team[each.key].metadata[0].name
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = "${each.key}-role"
+  }
+  subject {
+    kind      = "Group"
+    name      = "${each.key}-group"
+    api_group = "rbac.authorization.k8s.io"
+    namespace = kubernetes_namespace.team[each.key].metadata[0].name
+  }
+}
+
+resource "aws_iam_role" "team_sa_irsa" {
+  for_each = var.application_teams
+
+  name                 = "${var.eks_cluster_id}-${each.key}-sa-role"
+  permissions_boundary = var.iam_role_permissions_boundary
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : local.eks_oidc_provider_arn
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringEquals" : {
+            "${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${each.key}:${format("%s-sa", each.key)}",
+            "${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Kubernetes Team Service Account
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "kubernetes_service_account" "team" {
+  for_each = var.application_teams
+  metadata {
+    name        = format("%s-sa", each.key)
+    namespace   = kubernetes_namespace.team[each.key].metadata[0].name
+    annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.team_sa_irsa[each.key].arn }
+  }
+  automount_service_account_token = true
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Kubernetes Manifests
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "kubectl_manifest" "team" {
+  for_each  = { for manifest in local.team_manifests : manifest => file(manifest) }
+  yaml_body = each.value
+  depends_on = [
+    kubernetes_namespace.team
+  ]
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Platform Team
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "platform_team" {
+  for_each = var.platform_teams
+
+  name                 = "${var.eks_cluster_id}-${each.key}-access"
+  permissions_boundary = var.iam_role_permissions_boundary
+  managed_policy_arns  = [aws_iam_policy.platform_team_eks_access[0].arn]
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : each.value.users
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Platform Team EKS access IAM policy
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_iam_policy" "platform_team_eks_access" {
+  count       = length(var.platform_teams) > 0 ? 1 : 0
+  name        = "${var.eks_cluster_id}-PlatformTeamEKSAccess"
+  path        = "/"
+  description = "Platform Team EKS Console Access"
+  policy      = data.aws_iam_policy_document.platform_team_eks_access[0].json
+  tags        = var.tags
+}
diff --git a/.old/outputs.tf b/.old/outputs.tf
@@ -0,0 +1,41 @@
+output "platform_teams_iam_role_arn" {
+  description = "IAM role ARN for Platform Teams"
+  value = tomap({
+    for k, v in aws_iam_role.platform_team : k => v.arn
+  })
+}
+
+output "application_teams_iam_role_arn" {
+  description = "IAM role ARN for Teams"
+  value = tomap({
+    for k, v in aws_iam_role.team_access : k => v.arn
+  })
+}
+
+output "team_sa_irsa_iam_role" {
+  description = "IAM role name for Teams EKS Service Account (IRSA)"
+  value = tomap({
+    for k, v in aws_iam_role.team_sa_irsa : k => v.name
+  })
+}
+
+output "team_sa_irsa_iam_role_arn" {
+  description = "IAM role ARN for Teams EKS Service Account (IRSA)"
+  value = tomap({
+    for k, v in aws_iam_role.team_sa_irsa : k => v.arn
+  })
+}
+
+output "platform_teams_configure_kubectl" {
+  description = "Configure kubectl for each Platform Team: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value = tomap({
+    for k, v in aws_iam_role.platform_team : k => "aws eks --region ${data.aws_region.current.id} update-kubeconfig --name ${data.aws_eks_cluster.eks_cluster.name}  --role-arn ${v.arn}"
+  })
+}
+
+output "application_teams_configure_kubectl" {
+  description = "Configure kubectl for each Application Teams: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value = tomap({
+    for k, v in aws_iam_role.team_access : k => "aws eks --region ${data.aws_region.current.id} update-kubeconfig --name ${data.aws_eks_cluster.eks_cluster.name}  --role-arn ${v.arn}"
+  })
+}
diff --git a/.old/variables.tf b/.old/variables.tf
@@ -0,0 +1,28 @@
+variable "application_teams" {
+  description = "Map of maps of teams to create"
+  type        = any
+  default     = {}
+}
+
+variable "platform_teams" {
+  description = "Map of maps of teams to create"
+  type        = any
+  default     = {}
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "eks_cluster_id" {
+  description = "EKS Cluster name"
+  type        = string
+}
+
+variable "iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+  type        = string
+  default     = null
+}
diff --git a/.old/versions.tf b/.old/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.72"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14"
+    }
+    awscc = {
+      source  = "hashicorp/awscc"
+      version = ">= 0.24.0"
+    }
+  }
+}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -25,7 +25,7 @@ repos:
           - '--args=--only=terraform_documented_outputs'
           - '--args=--only=terraform_documented_variables'
           - '--args=--only=terraform_typed_variables'
-          - '--args=--only=terraform_module_pinned_source'
+#          - '--args=--only=terraform_module_pinned_source'
           - '--args=--only=terraform_naming_convention'
           - '--args=--only=terraform_required_version'
           - '--args=--only=terraform_required_providers'
@@ -36,3 +36,4 @@ repos:
       - id: terraform_tfsec
         args:
           - --args=--concise-output
+          - --args=--exclude-path=examples/