From c4d8f26c0346fcc81820d5dbc53edc99aa1a98fc Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa
Date: Thu, 21 Sep 2023 19:29:32 -0400
Subject: [PATCH] refactor `patterns/multiple-app-teams`

---
 patterns/development-team/README.md | 4 +-
 patterns/multiple-app-teams/README.md | 34 +++++++--
 patterns/multiple-app-teams/eks.tf | 64 ++++++++++++++++
 patterns/multiple-app-teams/main.tf | 103 +-------------------------
 patterns/multiple-app-teams/teams.tf | 40 ++++++++++
 patterns/namespaced-admin/README.md | 2 +-
 6 files changed, 134 insertions(+), 113 deletions(-)
 create mode 100644 patterns/multiple-app-teams/eks.tf
 create mode 100644 patterns/multiple-app-teams/teams.tf

diff --git a/patterns/development-team/README.md b/patterns/development-team/README.md
index e3bf9dc..fea8315 100644
--- a/patterns/development-team/README.md
+++ b/patterns/development-team/README.md
@@ -1,4 +1,4 @@
-# Amazon EKS Blueprints Teams - Namespaced Admin
+# Amazon EKS Blueprints Teams - Development Team

 This example shows how to create a team with privileges restricted to the Namespaces it owns, allowing to specify fine grained permissions and resource access through the definition of Role's Resources, Verbs and API Groups using Kubernetes constructs, and also define LimitRanges, ResourceQuotas, amd NetworkPolicies. In this example, teams will have *read-only* access to list Namespaces and Nodes.
@@ -24,7 +24,7 @@ Configuration in this directory creates:

 - A VPC (required to support module/eks)
 - An EKS cluster (required to support module/teams)
-- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
+- A team with restricted privileges inside Namespaces, and with read-only access to list Namespaces and Nodes

 To run this pattern you need to execute:
diff --git a/patterns/multiple-app-teams/README.md b/patterns/multiple-app-teams/README.md
index 24bc584..d5acf59 100644
--- a/patterns/multiple-app-teams/README.md
+++ b/patterns/multiple-app-teams/README.md 
@@ -1,17 +1,35 @@
-# Amazon EKS Blueprints Teams - Complete
+# Amazon EKS Blueprints Teams - Multiple Application Teams

-Configuration in this directory creates:
+This example shows how to create a multiple teams using the same approach of the [`patterns/development-team`](https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/tree/main/patterns/development-team) pattern. Each team will be restricted to the Namespaces they own, together with fine grained permissions and resource access through the definition of Role's Resources, Verbs and API Groups using Kubernetes constructs, and also define LimitRanges, ResourceQuotas, amd NetworkPolicies for each one. In this example, teams will have *read-only* access to list Namespaces and Nodes.
+
+- RBAC Authorization [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- Namespaced vs. non-Namespaced objects [documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#not-all-objects-are-in-a-namespace)
+- Resource Quotas [documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/)
+- Limit Ranges [documentation](https://kubernetes.io/docs/concepts/policy/limit-range/)
+- Network Policy [documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+
+## Areas of Interest
+
+- `teams.tf` contains a sample configuration of the `teams` module, using the `for_each` Terraform Meta-Argument at the Module level creating multiple teams with the same configuration, in this case providing restricted access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/multiple-app-teams/teams.tf#L5-L123

-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
+- `eks.tf` holds the EKS Cluster configuration and the setup of the `aws-auth` configMap, providing the EKS authentication model for the identities and RBAC authorization created by the `teams` module.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/multiple-app-teams/eks.tf#L28-L33
+
+## Deploy
+
+Configuration in this directory creates:

-## Usage
+- A VPC (required to support module/eks)
+- An EKS cluster (required to support module/teams)
+- Creation of two teams with restricted privileges inside their specific Namespaces, and no access to each other Namespaces. Read-only access to list Namespaces and Nodes

-To run this example you need to execute:
+To run this pattern you need to execute:

 ```bash
+$ cd patterns/cluster-admin
 $ terraform init
 $ terraform plan
 $ terraform apply
diff --git a/patterns/multiple-app-teams/eks.tf b/patterns/multiple-app-teams/eks.tf
new file mode 100644
index 0000000..0dc440d
--- /dev/null
+++ b/patterns/multiple-app-teams/eks.tf
@@ -0,0 +1,64 @@
+################################################################################
+# Supporting Resources
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 19.13"
+
+ cluster_name = local.name
+ cluster_version = "1.27"
+ cluster_endpoint_public_access = true
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.private_subnets
+
+ eks_managed_node_groups = {
+ initial = {
+ instance_types = ["m5.large"]
+
+ min_size = 1
+ max_size = 5
+ desired_size = 2
+ }
+ }
+
+ manage_aws_auth_configmap = true
+ aws_auth_roles = flatten(
+ [
+ [for team in module.application_teams : team.aws_auth_configmap_role],
+ ]
+ )
+
+ tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
diff --git a/patterns/multiple-app-teams/main.tf b/patterns/multiple-app-teams/main.tf
index 4b49af0..72990d2 100644
--- a/patterns/multiple-app-teams/main.tf
+++ b/patterns/multiple-app-teams/main.tf
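Review bot: In the `module "eks"` block, `cluster_endpoint_public_access = true` is not paired with `cluster_endpoint_public_access_cidrs` (or `cluster_endpoint_private_access = true`), so the control-plane endpoint is reachable from any address — the module's default allowlist is `0.0.0.0/0`, as far as I recall — with only IAM and the `aws-auth` mappings in front of it; since the README now points readers at this file as the reference, a restricted allowlist is the safer default to copy, e.g. `cluster_endpoint_public_access_cidrs = ["<OPERATOR-CIDR>/32"] # demo: replace with the range you operate from`. The `aws_auth_roles = flatten([[for team in ...]])` expression wraps a single list, so `flatten` is a no-op here and `aws_auth_roles = [for team in module.application_teams : team.aws_auth_configmap_role]` reads the same. The file header stacks two banners (`# Supporting Resources` directly followed by `# EKS Cluster`); one heading per section, as the `# VPC` block below does, would be consistent.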
@@ -19,7 +19,7 @@ data "aws_caller_identity" "current" {}

 locals {
 region = "us-west-2"
- name = "ex-teams-${basename(path.cwd)}"
+ name = basename(path.cwd)

 vpc_cidr = "10.0.0.0/16"
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
@@ -30,104 +30,3 @@ locals {
 Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
 }
 }
-
-################################################################################
-# EKS Multi-Tenancy Module
-################################################################################
-
-module "application_teams" {
- source = "../.."
-
- for_each = {
- one = {}
- two = {}
- }
- name = "app-team-${each.key}"
-
- users = [data.aws_caller_identity.current.arn]
- cluster_arn = module.eks.cluster_arn
- oidc_provider_arn = module.eks.oidc_provider_arn
-
- namespaces = {
- "app-${each.key}" = {
- labels = {
- teamName = "${each.key}-team",
- projectName = "${each.key}-project",
- }
-
- resource_quota = {
- hard = {
- "requests.cpu" = "2000m",
- "requests.memory" = "4Gi",
- "limits.cpu" = "4000m",
- "limits.memory" = "16Gi",
- "pods" = "20",
- "secrets" = "20",
- "services" = "20"
- }
- }
- }
- }
-
- tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "~> 19.13"
-
- cluster_name = local.name
- cluster_version = "1.27"
- cluster_endpoint_public_access = true
-
- vpc_id = module.vpc.vpc_id
- subnet_ids = module.vpc.private_subnets
-
- eks_managed_node_groups = {
- initial = {
- instance_types = ["m5.large"]
-
- min_size = 1
- max_size = 5
- desired_size = 2
- }
- }
-
- manage_aws_auth_configmap = true
- aws_auth_roles = flatten(
- [
- [for team in module.application_teams : team.aws_auth_configmap_role],
- ]
- )
-
- tags = local.tags
-}
-
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "~> 5.0"
-
- name = local.name
- cidr = local.vpc_cidr
-
- azs = local.azs
- private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
- public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 
8, k + 48)]
-
- enable_nat_gateway = true
- single_nat_gateway = true
-
- public_subnet_tags = {
- "kubernetes.io/role/elb" = 1
- }
-
- private_subnet_tags = {
- "kubernetes.io/role/internal-elb" = 1
- }
-
- tags = local.tags
-}
diff --git a/patterns/multiple-app-teams/teams.tf b/patterns/multiple-app-teams/teams.tf
new file mode 100644
index 0000000..9925d75
--- /dev/null
+++ b/patterns/multiple-app-teams/teams.tf
@@ -0,0 +1,40 @@
+################################################################################
+# EKS Blueprints Teams Module - Multiple Application Teams
+################################################################################
+
+module "application_teams" {
+ source = "../.."
+
+ for_each = {
+ one = {}
+ two = {}
+ }
+ name = "app-team-${each.key}"
+
+ users = [data.aws_caller_identity.current.arn]
+ cluster_arn = module.eks.cluster_arn
+ oidc_provider_arn = module.eks.oidc_provider_arn
+
+ namespaces = {
+ "app-${each.key}" = {
+ labels = {
+ teamName = "${each.key}-team",
+ projectName = "${each.key}-project",
+ }
+
+ resource_quota = {
+ hard = {
+ "requests.cpu" = "2000m",
+ "requests.memory" = "4Gi",
+ "limits.cpu" = "4000m",
+ "limits.memory" = "16Gi",
+ "pods" = "20",
+ "secrets" = "20",
+ "services" = "20"
+ }
+ }
+ }
+ }
+
+ tags = local.tags
+}
diff --git a/patterns/namespaced-admin/README.md b/patterns/namespaced-admin/README.md
index 0445194..5f29c65 100644
--- a/patterns/namespaced-admin/README.md
+++ b/patterns/namespaced-admin/README.md
@@ -21,7 +21,7 @@ Configuration in this directory creates:

 - A VPC (required to support module/eks)
 - An EKS cluster (required to support module/teams)
-- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
+- A team with `admin` privileges inside Namespaces, but with read-only access to list Namespaces and Nodes

 To run this pattern you need to execute:
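Review bot: Both teams in `module "application_teams"` are created with `users = [data.aws_caller_identity.current.arn]`, so the identity that runs `apply` is trusted by every team role and can reach both `app-one` and `app-two`; the README in this commit describes the teams as having "no access to each other Namespaces", which holds for the per-team role and RBAC but not for this shared principal. A comment on that line would keep the pattern from being copied as-is: `users = [data.aws_caller_identity.current.arn] # demo only: one shared principal; bind a distinct principal per team in real use`. The README also says each team gets LimitRanges, ResourceQuotas and NetworkPolicies, but the `namespaces` map here defines only `resource_quota`, so either the module's limit-range and network-policy inputs should be added for each namespace or the README wording trimmed to what this file does. Its permalink `teams.tf#L5-L123` also overshoots this 40-line file, and the Deploy section's `$ cd patterns/cluster-admin` names a different pattern than `patterns/multiple-app-teams`.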