From fc61c610da1809ebde0898e65e82071b255c1c34 Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Tue, 4 Mar 2025 13:02:05 -0700
Subject: [PATCH 1/5] fix: add access entry for cluster creator.

This commit removes entires for atlantis and argocd.
---
 aws-github/terraform/aws/eks/main.tf | 32 ++++++----------------------
 1 file changed, 7 insertions(+), 25 deletions(-)

diff --git a/aws-github/terraform/aws/eks/main.tf b/aws-github/terraform/aws/eks/main.tf
index 68deb2395..4db050f67 100644
--- a/aws-github/terraform/aws/eks/main.tf
+++ b/aws-github/terraform/aws/eks/main.tf
@@ -106,35 +106,17 @@ module "eks" {
 }
 # Enable admin permissions for the cluster creator
- enable_cluster_creator_admin_permissions = true
+ enable_cluster_creator_admin_permissions = false
 access_entries = {
- "argocd_" = {
- cluster_name = ""
- principal_arn = "arn:aws:iam:::role/argocd-"
- username = "arn:aws:iam:::role/argocd-"
+ "cluster_creator" = {
+ principal_arn = ""
 policy_associations = {
- view_deployments = {
- policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+ admin_permission = {
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
 access_scope = {
- namespaces = ["default"]
- type = "namespace"
- }
- }
- }
-
- "atlantis_" = {
- cluster_name = ""
- principal_arn = "arn:aws:iam:::role/atlantis-"
- username = "arn:aws:iam:::role/atlantis-"
- policy_associations = {
- view_deployments = {
- policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
- access_scope = {
- namespaces = ["default"]
- type = "namespace"
+ type = "cluster"
 }
 }
 }
@@ -616,7 +598,7 @@ EOT
 }
 resource "aws_iam_policy" "ssm_access_policy" {
- name = "kubefirst-pro-api-ssm-access-${local.name}"
+ name = "kubefirst-pro-api-ssm-access-${local.name}"
 description = "Policy to allow SSM actions for kubefirst-pro-api"
 policy = jsonencode({
 Version = "2012-10-17",
From bc7ad02bcf77160ab38d567f5a764ca7bc8cec67 Mon Sep 17 00:00:00 2001
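Review bot: The context line `# Enable admin permissions for the cluster creator` now sits directly above `enable_cluster_creator_admin_permissions = false`, so after this hunk the comment states the opposite of what the setting does; rewording it, e.g. `# Creator admin is disabled; cluster admin is granted through an explicit access entry instead`, keeps it accurate. This matters beyond this commit because patch 5/5 deletes the inline `cluster_creator` entry again but keeps both the `false` value and the stale comment. The replacement entry's `principal_arn = ""` is empty as shown here; if that is a template token rather than a literal, it should be confirmed, since with creator admin disabled an unresolved principal would leave the cluster with no admin access entry from this block. The `module "eks"` block begins before and ends after this hunk.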
From: Muse Mulatu
Date: Tue, 4 Mar 2025 15:02:29 -0700
Subject: [PATCH 2/5] chore: remove whitespace
---
 aws-github/terraform/aws/eks/main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/aws-github/terraform/aws/eks/main.tf b/aws-github/terraform/aws/eks/main.tf
index 4db050f67..8ceec8d72 100644
--- a/aws-github/terraform/aws/eks/main.tf
+++ b/aws-github/terraform/aws/eks/main.tf
@@ -109,7 +109,6 @@ module "eks" {
 enable_cluster_creator_admin_permissions = false
 access_entries = {
-
 "cluster_creator" = {
 principal_arn = ""
 policy_associations = {
From 682abea93baccbd8a964ffe9b4afc076a93b67f7 Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Wed, 5 Mar 2025 19:17:49 -0700
Subject: [PATCH 3/5] feat: add access entry for cluster owner
---
 .../terraform/aws/eks/cluster_permission.tf | 57 +++++++++++++++++++
 .../modules/workload-cluster/cluster_owner.tf | 25 ++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 aws-github/terraform/aws/eks/cluster_permission.tf
 create mode 100644 aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf

diff --git a/aws-github/terraform/aws/eks/cluster_permission.tf b/aws-github/terraform/aws/eks/cluster_permission.tf
new file mode 100644
index 000000000..69dd7b967
--- /dev/null
+++ b/aws-github/terraform/aws/eks/cluster_permission.tf
@@ -0,0 +1,57 @@
+data "aws_iam_session_context" "current" {
+ # This data source provides information on the IAM source role of an STS assumed role
+ # For non-role ARNs, this data source simply passes the ARN through issuer ARN
+ # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
+ # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381
+ arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_iam_policy_document" "assume_kubernetes_admin" {
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_iam_session_context.current.issuer_arn]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "describe_cluster" {
+ statement {
+ actions = [
+ "eks:DescribeCluster"
+ ]
+ resources = ["arn:aws:eks:*:*:cluster/*"]
+ }
+}
+
+resource "aws_iam_role" "kubernetes_admin" {
+ name = "-KubernetesAdmin"
+ assume_role_policy = data.aws_iam_policy_document.assume_kubernetes_admin.json
+}
+
+resource "aws_iam_role_policy" "dynamodb_access" {
+ name = "DescribeCluster"
+ role = aws_iam_role.kubernetes_admin.id
+ policy = data.aws_iam_policy_document.describe_cluster.json
+}
+
+resource "aws_eks_access_entry" "cluster_owner" {
+ cluster_name = module.eks.cluster_name
+ principal_arn = aws_iam_role.kubernetes_admin.arn
+ type = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "cluster_owner" {
+ cluster_name = module.eks.cluster_name
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ principal_arn = aws_iam_role.kubernetes_admin.arn
+
+ access_scope {
+ type = "cluster"
+ }
+
+ depends_on = [
+ aws_eks_access_entry.cluster_owner
+ ]
+}
diff --git a/aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf b/aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf
new file mode 100644
index 000000000..eef5fe4cd
--- /dev/null
+++ b/aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf
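Review bot: The `describe_cluster` policy document grants `eks:DescribeCluster` on `arn:aws:eks:*:*:cluster/*`, i.e. every cluster in every account and region, while the role it is attached to only needs to reach the cluster named by `module.eks.cluster_name`; scoping it with `resources = [module.eks.cluster_arn]` keeps the inline policy to the one cluster the access entry targets. The resource label `aws_iam_role_policy "dynamodb_access"` does not match what it attaches (`name = "DescribeCluster"`) and reads as a copy-paste leftover; renaming the label to `describe_cluster` keeps the state address meaningful. The role name `"-KubernetesAdmin"` begins with a bare hyphen, which looks like a stripped template prefix and should be confirmed to render, since the workload-cluster module in the next file builds a principal ARN from the same `-KubernetesAdmin` literal and the two must agree. `data.aws_caller_identity.current` is referenced but not declared in this file; presumably it is defined elsewhere in the eks directory.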
@@ -0,0 +1,25 @@
+data "aws_caller_identity" "this" {}
+
+locals {
+ role_name = data.aws_caller_identity.this.account_id == "" ? "-KubernetesAdmin" : "kubefirst-pro-api-"
+}
+
+resource "aws_eks_access_entry" "cluster_owner" {
+ cluster_name = module.eks.cluster_name
+ principal_arn = "arn:aws:iam::${data.aws_caller_identity.this.account_id}:role/${local.role_name}"
+ type = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "cluster_owner" {
+ cluster_name = module.eks.cluster_name
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ principal_arn = "arn:aws:iam::${data.aws_caller_identity.this.account_id}:role/${local.role_name}"
+
+ access_scope {
+ type = "cluster"
+ }
+
+ depends_on = [
+ aws_eks_access_entry.cluster_owner
+ ]
+}
From 43e1e70e159d1e833dd2d169e936c9516a7e56c5 Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Wed, 5 Mar 2025 19:18:18 -0700
Subject: [PATCH 4/5] rename file to cluster_permission
---
 .../workload-cluster/{cluster_owner.tf => cluster_permission.tf} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename aws-github/terraform/aws/modules/workload-cluster/{cluster_owner.tf => cluster_permission.tf} (100%)

diff --git a/aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf b/aws-github/terraform/aws/modules/workload-cluster/cluster_permission.tf
similarity index 100%
rename from aws-github/terraform/aws/modules/workload-cluster/cluster_owner.tf
rename to aws-github/terraform/aws/modules/workload-cluster/cluster_permission.tf
From 93dd8572e5e69a2d250198d13e80de8139bd71be Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Wed, 5 Mar 2025 19:19:16 -0700
Subject: [PATCH 5/5] remove access entry for owner
---
 aws-github/terraform/aws/eks/main.tf | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/aws-github/terraform/aws/eks/main.tf b/aws-github/terraform/aws/eks/main.tf
index 8ceec8d72..fbc9f662f 100644
--- a/aws-github/terraform/aws/eks/main.tf
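Review bot: The `role_name` conditional compares `data.aws_caller_identity.this.account_id` with the empty string `""`, which a real 12-digit account id can never equal, so as written the `"-KubernetesAdmin"` branch is dead and `role_name` always resolves to `"kubefirst-pro-api-"`; if `""` and the trailing hyphens are placeholders filled in by a template, that rendering should be verified, otherwise the `kubernetes_admin` role created in the eks directory is never the principal this access entry admits. Both resources build the same principal ARN by hand; computing it once in `locals` as `principal_arn = "arn:aws:iam::${data.aws_caller_identity.this.account_id}:role/${local.role_name}"` and referencing `local.principal_arn` in both keeps them from drifting apart. Since the association grants cluster-scoped `AmazonEKSClusterAdminPolicy` to a role this module does not itself create, a comment above `locals` naming where each candidate role is provisioned (the `-KubernetesAdmin` role comes from the eks directory's `cluster_permission.tf` in this series; the origin of the `kubefirst-pro-api-` role is not visible here) would make the trust relationship auditable.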
+++ b/aws-github/terraform/aws/eks/main.tf
@@ -108,20 +108,6 @@ module "eks" {
 # Enable admin permissions for the cluster creator
 enable_cluster_creator_admin_permissions = false
- access_entries = {
- "cluster_creator" = {
- principal_arn = ""
- policy_associations = {
- admin_permission = {
- policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
- access_scope = {
- type = "cluster"
- }
- }
- }
- }
- }
-
 tags = local.tags
 }