revert cross account changes
jamesgreen-moj committed Nov 14, 2023
1 parent f92b675 commit 2a0a588
Showing 4 changed files with 157 additions and 147 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/deployment.yml
Expand Up @@ -6,7 +6,7 @@ on:
- "main"
push:
branches:
- "montoring-impovements"
- "main"

permissions:
id-token: write
268 changes: 134 additions & 134 deletions modules/eks/iam.tf
Expand Up @@ -433,140 +433,140 @@ data "aws_iam_policy_document" "cloudwatch_exporter_assume_role_policy_other_aws

# IAM role for Cloudwatch Exporter in development aws account

#resource "aws_iam_role" "cloudwatch_exporter_development" {
# count = terraform.workspace == "development" ? 0 : 1
# assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
# name = "${var.prefix}-CloudwatchExporter"
#
# tags = var.tags
#
# provider = aws.development
#}

#resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
# count = terraform.workspace == "development" ? 0 : 1
# name = "${var.prefix}-CloudwatchExporterIAMPolicy"
# path = "/"
# description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
#
# policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
#
# tags = var.tags
#
# provider = aws.development
#}

#resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
# count = terraform.workspace == "development" ? 0 : 1
# policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
# role = aws_iam_role.cloudwatch_exporter_development[0].name
#
# provider = aws.development
#}

#resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
# count = terraform.workspace == "development" ? 0 : 1
# name = "development_cloudwatch_exporter_role_allow_assume_policy"
# path = "/"
# description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"
#
# policy = <<POLICY
#{
# "Version": "2012-10-17",
# "Statement": [
# {
# "Sid": "Statement",
# "Effect": "Allow",
# "Action": "sts:AssumeRole",
# "Resource": [
# "${aws_iam_role.cloudwatch_exporter_development[0].arn}"
# ]
# }
# ]
#}
#POLICY
#
# depends_on = [
# aws_iam_role.cloudwatch_exporter_development
# ]
#}

#resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
# count = terraform.workspace == "development" ? 0 : 1
# policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
# role = aws_iam_role.cloudwatch_exporter.name
#
# depends_on = [
# aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy
# ]
#}
resource "aws_iam_role" "cloudwatch_exporter_development" {
count = terraform.workspace == "development" ? 0 : 1
assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
name = "${var.prefix}-CloudwatchExporter"

tags = var.tags

provider = aws.development
}

resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
count = terraform.workspace == "development" ? 0 : 1
name = "${var.prefix}-CloudwatchExporterIAMPolicy"
path = "/"
description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"

policy = data.template_file.cloudwatch_exporter_iam_policy.rendered

tags = var.tags

provider = aws.development
}

resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
count = terraform.workspace == "development" ? 0 : 1
policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
role = aws_iam_role.cloudwatch_exporter_development[0].name

provider = aws.development
}

resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
count = terraform.workspace == "development" ? 0 : 1
name = "development_cloudwatch_exporter_role_allow_assume_policy"
path = "/"
description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"${aws_iam_role.cloudwatch_exporter_development[0].arn}"
]
}
]
}
POLICY

depends_on = [
aws_iam_role.cloudwatch_exporter_development
]
}

resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
count = terraform.workspace == "development" ? 0 : 1
policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
role = aws_iam_role.cloudwatch_exporter.name

depends_on = [
aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy
]
}

# IAM role for Cloudwatch Exporter in pre-production AWS account

#resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
# count = terraform.workspace == "pre-production" ? 0 : 1
# assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
# name = "${var.prefix}-CloudwatchExporter"
#
# tags = var.tags
#
# provider = aws.pre_production
#}

#resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
# count = terraform.workspace == "pre-production" ? 0 : 1
# name = "${var.prefix}-CloudwatchExporterIAMPolicy"
# path = "/"
# description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
#
# policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
#
# tags = var.tags
#
# provider = aws.pre_production
#}

#resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
# count = terraform.workspace == "pre-production" ? 0 : 1
# policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
# role = aws_iam_role.cloudwatch_exporter_pre_production[0].name
#
# provider = aws.pre_production
#}

#resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
# count = terraform.workspace == "pre-production" ? 0 : 1
# name = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
# path = "/"
# description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"
#
# policy = <<POLICY
#{
# "Version": "2012-10-17",
# "Statement": [
# {
# "Sid": "Statement",
# "Effect": "Allow",
# "Action": "sts:AssumeRole",
# "Resource": [
# "${aws_iam_role.cloudwatch_exporter_pre_production[0].arn}"
# ]
# }
# ]
#}
#POLICY
#
# depends_on = [
# aws_iam_role.cloudwatch_exporter_pre_production
# ]
#}

#resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
# count = terraform.workspace == "pre-production" ? 0 : 1
# policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
# role = aws_iam_role.cloudwatch_exporter.name
#
# depends_on = [
# aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy
# ]
#}
resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
count = terraform.workspace == "pre-production" ? 0 : 1
assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
name = "${var.prefix}-CloudwatchExporter"

tags = var.tags

provider = aws.pre_production
}

resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
count = terraform.workspace == "pre-production" ? 0 : 1
name = "${var.prefix}-CloudwatchExporterIAMPolicy"
path = "/"
description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"

policy = data.template_file.cloudwatch_exporter_iam_policy.rendered

tags = var.tags

provider = aws.pre_production
}

resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
count = terraform.workspace == "pre-production" ? 0 : 1
policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
role = aws_iam_role.cloudwatch_exporter_pre_production[0].name

provider = aws.pre_production
}

resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
count = terraform.workspace == "pre-production" ? 0 : 1
name = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
path = "/"
description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"${aws_iam_role.cloudwatch_exporter_pre_production[0].arn}"
]
}
]
}
POLICY

depends_on = [
aws_iam_role.cloudwatch_exporter_pre_production
]
}

resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
count = terraform.workspace == "pre-production" ? 0 : 1
policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
role = aws_iam_role.cloudwatch_exporter.name

depends_on = [
aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy
]
}
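Review bot: Both cross-account roles use `name = "${var.prefix}-CloudwatchExporter"` and a fixed provider alias (`aws.development`, `aws.pre_production`), and their `count` is 1 in every workspace except the matching one, so the `pre-production` and `production` workspaces would each try to create a role of that name in the development account; unless `var.prefix` (defined outside this hunk) is unique per workspace, the second apply fails on a duplicate role name. The trust policy comes from `data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts`, which sits above the hunk; the safety of this pattern rests on that document naming the cluster's exporter role ARN as the principal rather than the cluster account root, which cannot be confirmed here. For consistency with that data source, the heredoc in `development_cloudwatch_exporter_role_allow_assume_policy` and its pre-production twin could become a `data "aws_iam_policy_document"` block with `actions = ["sts:AssumeRole"]` and `resources = [aws_iam_role.cloudwatch_exporter_development[0].arn]`; the explicit `depends_on` is already redundant because the policy interpolates the role's ARN. `data.template_file.cloudwatch_exporter_iam_policy.rendered` hands the cross-account roles the same permissions as the in-account exporter role, and `template_file` is deprecated in favour of `templatefile()`, though that data source lives outside the hunk. The rendered page dropped the +/- markers; this reading assumes the uncommented blocks are the new side, which is the only one under which the outputs added in modules/eks/outputs.tf resolve.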
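--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
@@ -46,6 +46,14 @@ output "cloudwatch_exporter_iam_role_arn" {
 value = aws_iam_role.cloudwatch_exporter.arn
 }
 
+output "cloudwatch_exporter_development_iam_role_arn" {
+value = aws_iam_role.cloudwatch_exporter_development != [] ? aws_iam_role.cloudwatch_exporter_development[0].arn : ""
+}
+
+output "cloudwatch_exporter_pre_production_iam_role_arn" {
+value = aws_iam_role.cloudwatch_exporter_pre_production != [] ? aws_iam_role.cloudwatch_exporter_pre_production[0].arn : ""
+}
+
 output "db_endpoint" {
 value = aws_db_instance.this.endpoint
 }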
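Review bot: `aws_iam_role.cloudwatch_exporter_development != [] ? ... : ""` relies on how Terraform unifies a count-indexed resource list with the empty tuple literal `[]` before comparing; the customary guard is `length(aws_iam_role.cloudwatch_exporter_development) > 0 ? aws_iam_role.cloudwatch_exporter_development[0].arn : ""`, which has no such dependency, and the same applies to `cloudwatch_exporter_pre_production_iam_role_arn` in this hunk. In the workspace where the role is not created (`count` is 0 for the matching workspace in modules/eks/iam.tf) the output is the empty string, and the root outputs.tf hunk forwards that unchanged through `module.eks[0].cloudwatch_exporter_development_iam_role_arn`, so any consumer that writes the value into a service-account annotation must treat "" as absent. A `description` on each output saying that it is "" when the cluster runs in that account would make the contract visible to callers.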
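--- a/outputs.tf
+++ b/outputs.tf
@@ -36,18 +36,20 @@ output "certificate" {
 
 output "eks_cluster" {
 value = var.enabled ? {
-issuer = module.eks[0].issuer
-name = module.eks[0].cluster_name
-endpoint = module.eks[0].endpoint
-aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn
-external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn
-aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn
-aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn
-efs_file_system_id = module.eks[0].efs_file_system_id
-thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn
-thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name
-cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn
-db_endpoint = module.eks[0].db_endpoint
+issuer = module.eks[0].issuer
+name = module.eks[0].cluster_name
+endpoint = module.eks[0].endpoint
+aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn
+external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn
+aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn
+aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn
+efs_file_system_id = module.eks[0].efs_file_system_id
+thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn
+thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name
+cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn
+cloudwatch_exporter_development_iam_role_arn = module.eks[0].cloudwatch_exporter_development_iam_role_arn
+cloudwatch_exporter_pre_production_iam_role_arn = module.eks[0].cloudwatch_exporter_pre_production_iam_role_arn
+db_endpoint = module.eks[0].db_endpoint
 } : null
 sensitive = true
 }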
