feat: Initial implementation of pulling policies from external sources

clowdhaus · Jan 25, 2024 · 5132d70 · 5132d70
1 parent adac7ae
commit 5132d70
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -28,26 +28,40 @@ Examples codified under the [`examples`](https://github.com/clowdhaus/terraform-
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.4 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.2 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_http"></a> [http](#provider\_http) | >= 3.4 |
+| <a name="provider_template"></a> [template](#provider\_template) | >= 2.2 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [http_http.this](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+| [template_file.this](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
+| <a name="input_karpenter_version"></a> [karpenter\_version](#input\_karpenter\_version) | The version of Karpenter to deploy | `string` | `"v0.28.0"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -20,7 +20,7 @@ locals {
 module "external_policies" {
   source = "../.."
 
-  create = false
+  # karpenter_version = "v0.33.1"
 
   tags = local.tags
 }

diff --git a/main.tf b/main.tf
@@ -1,4 +1,44 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
 locals {
-  create = var.create
-  tags   = var.tags
+  account_id = data.aws_caller_identity.current.account_id
+  partition  = data.aws_partition.current.partition
+  region     = data.aws_region.current.name
+}
+
+data "http" "this" {
+  count = var.create ? 1 : 0
+
+  url = "https://raw.githubusercontent.com/clowdhaus/example-external-policies/${var.karpenter_version}/policy/policy.json"
+}
+
+data "template_file" "this" {
+  count = var.create ? 1 : 0
+
+  template = data.http.this[0].response_body
+  vars = {
+    "AWS::Partition"              = local.partition
+    "AWS::Region"                 = local.region
+    ClusterName                   = "Example"
+    ClusterArn                    = "arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/Example"
+    KarpenterNodeRoleArn          = "arn:${local.partition}:iam::${local.account_id}:role/KarpenterNodeRole-Example"
+    KarpenterInterruptionQueueArn = "arn:${local.partition}:sqs:${local.region}:${local.account_id}:Example"
+  }
+}
+
+################################################################################
+# Policy
+################################################################################
+
+resource "aws_iam_policy" "this" {
+  count = var.create ? 1 : 0
+
+  name_prefix = "KarpenterNode-"
+  description = "Karpenter controller node IAM role"
+
+  policy = data.template_file.this[0].rendered
+
+  tags = var.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -9,3 +9,13 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+################################################################################
+# Policy
+################################################################################
+
+variable "karpenter_version" {
+  description = "The version of Karpenter to deploy"
+  type        = string
+  default     = "v0.28.0"
+}
diff --git a/versions.tf b/versions.tf
@@ -1,10 +1,18 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">= 5.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 3.4"
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.2"
     }
   }
 }