getting close to a final version for terraform infrastructure in AWS

marcuss · Oct 21, 2024 · d3828c0 · d3828c0
1 parent 2dcbe1a
commit d3828c0
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 27 deletions.
diff --git a/infrastructure/providers/aws/federated_deployer_role.tf b/infrastructure/providers/aws/federated_deployer_role.tf
@@ -1,6 +1,11 @@
-
+# Data source to get caller identity
 data "aws_caller_identity" "current" {}
 
+# Define a local value for the AWS user ARN
+locals {
+  local_aws_user_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.local_machine_aws_user}"
+}
+
 # IAM Role for GitHub Actions
 resource "aws_iam_role" "eks_federated_deployer" {
   name = "eks-federated-deployer" # Role name
@@ -26,7 +31,7 @@ resource "aws_iam_role" "eks_federated_deployer" {
         "Sid": "Statement1",
         "Effect": "Allow",
         "Principal": {
-          "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.local_machine_aws_user}"
+          "AWS": local.local_aws_user_arn
         },
         "Action": [
           "sts:AssumeRole"
@@ -70,10 +75,22 @@ resource "aws_eks_access_entry" "eks_federated_deployer_access_entry" {
   ]
 }
 
-# Associate AmazonEKSAdminPolicy TODO: remove if a deployment succeed with out this
-# resource "aws_eks_access_policy_association" "eks_admin_policy" {
+resource "aws_eks_access_policy_association" "federated_deployer_eks_admin_policy" {
+  cluster_name  = module.eks.cluster_name
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+  principal_arn = aws_iam_role.eks_federated_deployer.arn
+
+  access_scope {
+    type = "cluster"
+  }
+
+  depends_on = [aws_eks_access_entry.eks_federated_deployer_access_entry]
+}
+
+# # Associate AmazonEKSAdminViewPolicy  TODO: remove if deployment succeeds without this
+# resource "aws_eks_access_policy_association" "cluster_admin_policy" {
 #   cluster_name  = module.eks.cluster_name
-#   policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+#   policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
 #   principal_arn = aws_iam_role.eks_federated_deployer.arn
 #
 #   access_scope {
@@ -82,11 +99,11 @@ resource "aws_eks_access_entry" "eks_federated_deployer_access_entry" {
 #
 #   depends_on = [aws_eks_access_entry.eks_federated_deployer_access_entry]
 # }
-#
-# # Associate AmazonEKSAdminViewPolicy
-# resource "aws_eks_access_policy_association" "cluster_admin_policy" {
+
+# Associate AmazonEKSClusterPolicy
+# resource "aws_eks_access_policy_association" "cluster_policy" {
 #   cluster_name  = module.eks.cluster_name
-#   policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+#   policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
 #   principal_arn = aws_iam_role.eks_federated_deployer.arn
 #
 #   access_scope {
@@ -96,11 +113,22 @@ resource "aws_eks_access_entry" "eks_federated_deployer_access_entry" {
 #   depends_on = [aws_eks_access_entry.eks_federated_deployer_access_entry]
 # }
 
-# Associate AmazonEKSClusterPolicy
-resource "aws_eks_access_policy_association" "cluster_policy" {
+resource "aws_eks_access_entry" "local_user_access_entry" {
+  cluster_name      = module.eks.cluster_name
+  principal_arn     = local.local_aws_user_arn
+  kubernetes_groups = [] # No Kubernetes groups used
+  type              = "STANDARD"
+
+  depends_on = [
+    module.eks,
+    aws_iam_role_policy.eks_federated_deployer_policy
+  ]
+}
+
+resource "aws_eks_access_policy_association" "local_aws_user_eks_admin_policy" {
   cluster_name  = module.eks.cluster_name
-  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
-  principal_arn = aws_iam_role.eks_federated_deployer.arn
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+  principal_arn = local.local_aws_user_arn
 
   access_scope {
     type = "cluster"

diff --git a/infrastructure/providers/aws/oidc.tf b/infrastructure/providers/aws/oidc.tf
@@ -0,0 +1,8 @@
+# Create an IAM OIDC provider for GitHub
+resource "aws_iam_openid_connect_provider" "github_oidc" {
+  url = "https://token.actions.githubusercontent.com" # OIDC provider URL for GitHub
+
+  client_id_list = ["sts.amazonaws.com"] # Audience for the OIDC tokens
+
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] # This is actually not currently used by AWS, specially Github OIDC does validate without a thumbprint
+}
diff --git a/infrastructure/providers/aws/vpc.tf b/infrastructure/providers/aws/vpc.tf
@@ -32,12 +32,3 @@ module "vpc" {
     environment = var.environment
   }
 }
-
-# Create an IAM OIDC provider for GitHub
-resource "aws_iam_openid_connect_provider" "github_oidc" {
-  url = "https://token.actions.githubusercontent.com" # OIDC provider URL for GitHub
-
-  client_id_list = ["sts.amazonaws.com"] # Audience for the OIDC tokens
-
-  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] # This is actually not currently used by AWS, specially Github OIDC does validate without a thumbprint
-}
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
@@ -1,3 +1,10 @@
+# Define a variable for the local AWS user
+variable "local_machine_aws_user" {
+  description = "The name of the local machine's AWS user"
+  type        = string
+}
+
+
 variable "environment" {
   description = "The environment name (e.g., dev, staging, prod)"
   type        = string
@@ -51,9 +58,4 @@ variable "gcp_region" {
 variable "business_unit" {
   description = "Prefix or value to tag resources"
   type        = string
-}
-
-variable "local_machine_aws_user" {
-  description = "Local machine AWS Cli user, to allow to assume the federated deployer role"
-  type        = string
 }