refactor patterns/multiple-app-teams

patterns/development-team/README.md

@@ -1,4 +1,4 @@
-# Amazon EKS Blueprints Teams - Namespaced Admin
+# Amazon EKS Blueprints Teams - Development Team
 
 This example shows how to create a team with privileges restricted to the Namespaces it owns, allowing to specify fine grained permissions and resource access through the definition of Role's Resources, Verbs and API Groups using Kubernetes constructs, and also define LimitRanges, ResourceQuotas, amd NetworkPolicies. In this example, teams will have *read-only* access to list Namespaces and Nodes.
 
@@ -24,7 +24,7 @@ Configuration in this directory creates:
 
 - A VPC (required to support module/eks)
 - An EKS cluster (required to support module/teams)
-- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
+- A team with restricted privileges inside Namespaces, and with read-only access to list Namespaces and Nodes
 
 To run this pattern you need to execute:
 

patterns/multiple-app-teams/README.md

@@ -1,17 +1,35 @@
-# Amazon EKS Blueprints Teams - Complete
+# Amazon EKS Blueprints Teams - Multiple Application Teams
 
-Configuration in this directory creates:
+This example shows how to create a multiple teams using the same approach of the [`patterns/development-team`](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns/development-team) pattern. Each team will be restricted to the Namespaces they own, together with fine grained permissions and resource access through the definition of Role's Resources, Verbs and API Groups using Kubernetes constructs, and also define LimitRanges, ResourceQuotas, amd NetworkPolicies for each one. In this example, teams will have *read-only* access to list Namespaces and Nodes.
+
+- RBAC Authorization [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- Namespaced vs. non-Namespaced objects [documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#not-all-objects-are-in-a-namespace)
+- Resource Quotas [documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/)
+- Limit Ranges [documentation](https://kubernetes.io/docs/concepts/policy/limit-range/)
+- Network Policy [documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+
+## Areas of Interest
+
+- `teams.tf` contains a sample configuration of the `teams` module, using the `for_each` Terraform Meta-Argument at the Module level creating multiple teams with the same configuration, in this case providing restricted access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/multiple-app-teams/teams.tf#L5-L123
 
-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
+- `eks.tf` holds the EKS Cluster configuration and the setup of the `aws-auth` configMap, providing the EKS authentication model for the identities and RBAC authorization created by the `teams` module.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/multiple-app-teams/eks.tf#L28-L33
+
+## Deploy
+
+Configuration in this directory creates:
 
-## Usage
+- A VPC (required to support module/eks)
+- An EKS cluster (required to support module/teams)
+- Creation of two teams with restricted privileges inside their specific Namespaces, and no access to each other Namespaces. Read-only access to list Namespaces and Nodes
 
-To run this example you need to execute:
+To run this pattern you need to execute:
 
 ```bash
+$ cd patterns/cluster-admin
 $ terraform init
 $ terraform plan
 $ terraform apply

patterns/multiple-app-teams/eks.tf

@@ -0,0 +1,64 @@
+################################################################################
+# Supporting Resources
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.13"
+
+  cluster_name                   = local.name
+  cluster_version                = "1.27"
+  cluster_endpoint_public_access = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    initial = {
+      instance_types = ["m5.large"]
+
+      min_size     = 1
+      max_size     = 5
+      desired_size = 2
+    }
+  }
+
+  manage_aws_auth_configmap = true
+  aws_auth_roles = flatten(
+    [
+      [for team in module.application_teams : team.aws_auth_configmap_role],
+    ]
+  )
+
+  tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}

patterns/multiple-app-teams/main.tf

@@ -19,7 +19,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   region = "us-west-2"
-  name   = "ex-teams-${basename(path.cwd)}"
+  name   = basename(path.cwd)
 
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)
@@ -30,104 +30,3 @@ locals {
     Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
   }
 }
-
-################################################################################
-# EKS Multi-Tenancy Module
-################################################################################
-
-module "application_teams" {
-  source = "../.."
-
-  for_each = {
-    one = {}
-    two = {}
-  }
-  name = "app-team-${each.key}"
-
-  users             = [data.aws_caller_identity.current.arn]
-  cluster_arn       = module.eks.cluster_arn
-  oidc_provider_arn = module.eks.oidc_provider_arn
-
-  namespaces = {
-    "app-${each.key}" = {
-      labels = {
-        teamName    = "${each.key}-team",
-        projectName = "${each.key}-project",
-      }
-
-      resource_quota = {
-        hard = {
-          "requests.cpu"    = "2000m",
-          "requests.memory" = "4Gi",
-          "limits.cpu"      = "4000m",
-          "limits.memory"   = "16Gi",
-          "pods"            = "20",
-          "secrets"         = "20",
-          "services"        = "20"
-        }
-      }
-    }
-  }
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "eks" {
-  source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.13"
-
-  cluster_name                   = local.name
-  cluster_version                = "1.27"
-  cluster_endpoint_public_access = true
-
-  vpc_id     = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnets
-
-  eks_managed_node_groups = {
-    initial = {
-      instance_types = ["m5.large"]
-
-      min_size     = 1
-      max_size     = 5
-      desired_size = 2
-    }
-  }
-
-  manage_aws_auth_configmap = true
-  aws_auth_roles = flatten(
-    [
-      [for team in module.application_teams : team.aws_auth_configmap_role],
-    ]
-  )
-
-  tags = local.tags
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
-
-  name = local.name
-  cidr = local.vpc_cidr
-
-  azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
-
-  enable_nat_gateway = true
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    "kubernetes.io/role/elb" = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/role/internal-elb" = 1
-  }
-
-  tags = local.tags
-}

patterns/multiple-app-teams/teams.tf

@@ -0,0 +1,40 @@
+################################################################################
+# EKS Blueprints Teams Module - Multiple Application Teams
+################################################################################
+
+module "application_teams" {
+  source = "../.."
+
+  for_each = {
+    one = {}
+    two = {}
+  }
+  name = "app-team-${each.key}"
+
+  users             = [data.aws_caller_identity.current.arn]
+  cluster_arn       = module.eks.cluster_arn
+  oidc_provider_arn = module.eks.oidc_provider_arn
+
+  namespaces = {
+    "app-${each.key}" = {
+      labels = {
+        teamName    = "${each.key}-team",
+        projectName = "${each.key}-project",
+      }
+
+      resource_quota = {
+        hard = {
+          "requests.cpu"    = "2000m",
+          "requests.memory" = "4Gi",
+          "limits.cpu"      = "4000m",
+          "limits.memory"   = "16Gi",
+          "pods"            = "20",
+          "secrets"         = "20",
+          "services"        = "20"
+        }
+      }
+    }
+  }
+
+  tags = local.tags
+}

patterns/namespaced-admin/README.md

@@ -21,7 +21,7 @@ Configuration in this directory creates:
 
 - A VPC (required to support module/eks)
 - An EKS cluster (required to support module/teams)
-- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
+- A team with `admin` privileges inside Namespaces, but with read-only access to list Namespaces and Nodes
 
 To run this pattern you need to execute: