feat: additional worker iam instance profile policy and support map iam user directly with aws-auth configmap (#17)

* update support additional instance profile policy
* update support directly map user to aws-auth
bemillenium authored Apr 9, 2023
1 parent 789b76d commit d7662bd
Showing 17 changed files with 100 additions and 32 deletions.
20 changes: 20 additions & 0 deletions CHANGELOG.md
@@ -2,6 +2,26 @@

All notable changes to this module will be documented in this file.

## [1.0.16] - 2022-04-10

Here we would have the update steps for 1.0.16 for people to follow.

### Added

- Support map iam user directly with aws-auth configmap

### Changed

- Update to support additional worker iam instance profile policy

## [1.0.15] - 2023-03-23

Here we would have the update steps for 1.0.15 for people to follow.

### Fixed

- worker node group name is too long

## [1.0.14] - 2022-09-29

Here we would have the update steps for 1.0.14 for people to follow.
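Review bot: the new entry's date `2022-04-10` is a year off: it sits above `[1.0.15] - 2023-03-23` and the commit was authored Apr 9, 2023, so it should be a 2023 date. "Here we would have the update steps for 1.0.16 for people to follow." is template text; replace it with the real upgrade note (both new inputs default to `[]`, but a new `aws_iam_policy` is created and attached to the node group role on upgrade) or drop the line. The `oozou/launch-template/aws` bump from 1.0.0 to 1.0.3 in modules/nodegroup/launch_template.tf also belongs under Changed.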
20 changes: 13 additions & 7 deletions README.md
@@ -105,14 +105,14 @@ additional_addons = {

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.62.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_bootstrap"></a> [bootstrap](#module\_bootstrap) | ./modules/bootstrap | n/a |
| <a name="module_eks_kms"></a> [eks\_kms](#module\_eks\_kms) | git@github.com:oozou/terraform-aws-kms-key.git | v1.0.0 |
| <a name="module_eks_kms"></a> [eks\_kms](#module\_eks\_kms) | oozou/kms-key/aws | 1.0.0 |
| <a name="module_nodegroup"></a> [nodegroup](#module\_nodegroup) | ./modules/nodegroup | n/a |
| <a name="module_openid_connect"></a> [openid\_connect](#module\_openid\_connect) | ./modules/openid_connect_provider | n/a |
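Review bot: the `eks_kms` row moving from the SSH git URL to the registry source `oozou/kms-key/aws` at `1.0.0` matches kms.tf, where `source = "oozou/kms-key/aws"` already appears as unchanged context, so this is documentation catching up with the code rather than a code change; still, the registry switch and the aws provider moving to 4.62.0 deserve a Changed line in CHANGELOG.md so consumers know the module no longer needs SSH access to GitHub.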

@@ -123,27 +123,38 @@ additional_addons = {
| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
| [aws_iam_policy.combined_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.cluster_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.node_group_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.amazon_ec2_container_registry_readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_ec2_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_eks_cluster_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_eks_cni_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_eks_vpc_resource_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_eks_worker_node_combine_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_eks_worker_node_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_security_group.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.eks_egress_allow_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.eks_ingress_allow_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_iam_policy_document.cluster_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.combined_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.node_group_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_environment"></a> [environment](#input\_environment) | To manage a resources with tags | `string` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | The Name of the EKS cluster | `string` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes |
| <a name="input_subnets_ids"></a> [subnets\_ids](#input\_subnets\_ids) | List of IDs of subnets for create EKS | `list(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC for create security group | `string` | n/a | yes |
| <a name="input_additional_addons"></a> [additional\_addons](#input\_additional\_addons) | additional addons for eks cluster | `map(any)` | <pre>{<br> "vpc-cni": {<br> "name": "vpc-cni"<br> }<br>}</pre> | no |
| <a name="input_additional_allow_cidr"></a> [additional\_allow\_cidr](#input\_additional\_allow\_cidr) | cidr for allow connection to eks cluster | `list(string)` | `[]` | no |
| <a name="input_additional_service_accounts"></a> [additional\_service\_accounts](#input\_additional\_service\_accounts) | additional service account to access eks | <pre>list(object({<br> name = string<br> namespace = string<br> existing_policy_arns = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_additional_worker_polices"></a> [additional\_worker\_polices](#input\_additional\_worker\_polices) | Additional IAM policies block, input as data source or json. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document. Bucket Policy Statements can be overriden by the statement with the same sid from the latest policy. | `list(string)` | `[]` | no |
| <a name="input_admin_iam_arns"></a> [admin\_iam\_arns](#input\_admin\_iam\_arns) | admin iam arns for grant permission to aws-auth | `list(string)` | `[]` | no |
| <a name="input_admin_role_arns"></a> [admin\_role\_arns](#input\_admin\_role\_arns) | admin role arns for grant permission to aws-auth | `list(string)` | `[]` | no |
| <a name="input_aws_account"></a> [aws\_account](#input\_aws\_account) | AWS Credentials to access AWS by bootstrap module require if is\_config\_aws\_auth = trues | <pre>object({<br> region = string,<br> access_key = string,<br> secret_key = string<br> })</pre> | <pre>{<br> "access_key": "",<br> "region": "",<br> "secret_key": ""<br>}</pre> | no |
| <a name="input_bootstrap_ami"></a> [bootstrap\_ami](#input\_bootstrap\_ami) | AMI for ec2 bootstrap module | `string` | `""` | no |
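Review bot: the description of `additional_worker_polices` reads "Bucket Policy Statements can be overriden by the statement with the same sid", which is copied from an S3 module; these documents feed the node group role's instance profile policy, so it should say IAM policy statements (and "overridden"). The table is generated from variables.tf, so fix the wording and the misspelled name (`polices`) there and regenerate. The `admin_iam_arns` row should also say what is granted: the entries are rendered into `mapUsers` with `system:masters`, which is cluster-admin.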
@@ -153,7 +164,6 @@ additional_addons = {
| <a name="input_dev_role_arns"></a> [dev\_role\_arns](#input\_dev\_role\_arns) | dev role arns for grant permission to aws-auth | `list(string)` | `[]` | no |
| <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | Desired Kubernetes version. Downgrades are not supported by EKS. | `string` | `null` | no |
| <a name="input_enabled_cluster_log_types"></a> [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | List of the desired control plane logging to enable | `list(string)` | `[]` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | To manage a resources with tags | `string` | n/a | yes |
| <a name="input_is_config_aws_auth"></a> [is\_config\_aws\_auth](#input\_is\_config\_aws\_auth) | require if create lb controler | `bool` | `true` | no |
| <a name="input_is_create_argo_image_updater_sa"></a> [is\_create\_argo\_image\_updater\_sa](#input\_is\_create\_argo\_image\_updater\_sa) | is create default role with permission for argo-cd image updater (name : argo-cd-image-updater) | `bool` | `true` | no |
| <a name="input_is_create_bootstrap"></a> [is\_create\_bootstrap](#input\_is\_create\_bootstrap) | if true will create bootstrap for config aws-auth | `bool` | `true` | no |
@@ -163,13 +173,9 @@ additional_addons = {
| <a name="input_is_enabled_cluster_encryption"></a> [is\_enabled\_cluster\_encryption](#input\_is\_enabled\_cluster\_encryption) | if enable will create kms and config eks with kms key to encrpt secret | `bool` | `true` | no |
| <a name="input_is_endpoint_private_access"></a> [is\_endpoint\_private\_access](#input\_is\_endpoint\_private\_access) | Whether the Amazon EKS private API server endpoint is enabled | `bool` | `true` | no |
| <a name="input_is_endpoint_public_access"></a> [is\_endpoint\_public\_access](#input\_is\_endpoint\_public\_access) | Whether the Amazon EKS public API server endpoint is enabled | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | The Name of the EKS cluster | `string` | n/a | yes |
| <a name="input_node_groups"></a> [node\_groups](#input\_node\_groups) | EKS Node Group for create EC2 as worker node | `map(any)` | <pre>{<br> "default": {<br> "ami_type": "AL2_x86_64",<br> "desired_size": 1,<br> "disk_size": 20,<br> "instance_types": [<br> "t3.medium"<br> ],<br> "is_spot_instances": false,<br> "labels": {<br> "default_nodegroup_labels": "default-nodegroup"<br> },<br> "max_size": 1,<br> "max_unavailable": 1,<br> "min_size": 1,<br> "taint": {}<br> }<br>}</pre> | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix name of customer to be displayed in AWS console and resource | `string` | n/a | yes |
| <a name="input_readonly_role_arns"></a> [readonly\_role\_arns](#input\_readonly\_role\_arns) | readonly role group arns for grant permission to aws-auth | `list(string)` | `[]` | no |
| <a name="input_subnets_ids"></a> [subnets\_ids](#input\_subnets\_ids) | List of IDs of subnets for create EKS | `list(string)` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tag for a resource that create by this component | `map(string)` | `{}` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC for create security group | `string` | n/a | yes |

## Outputs

2 changes: 1 addition & 1 deletion SECURITY.md
@@ -20,4 +20,4 @@ Your can also report the vulnerabilities by emailing to Oozou DevOps team at:
devops@oozou.com
```

We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
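Review bot: the only change in this hunk is the trailing newline; since the line is being touched anyway, fix "snd" (and), "a more details response" (a more detailed response) and "within 72 hours on workday" (on workdays), and the context line "Your can also report" (You can).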
1 change: 1 addition & 0 deletions bootstrap.tf
@@ -6,6 +6,7 @@ module "bootstrap" {
ami = var.bootstrap_ami
aws_account = var.aws_account
admin_role_arns = var.admin_role_arns
admin_iam_arns = var.admin_iam_arns
dev_role_arns = var.dev_role_arns
readonly_role_arns = var.readonly_role_arns
node_group_role_arn = aws_iam_role.node_group_role.arn
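Review bot: the new `admin_iam_arns` argument is a plain pass-through, but its neighbours `admin_role_arns`, `dev_role_arns` and `readonly_role_arns` all carry role ARNs while this one must carry user ARNs (it renders into `mapUsers` as `userarn:`); a name such as `admin_user_arns` would make that difference visible at the call site, since roles are IAM principals too.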
14 changes: 7 additions & 7 deletions examples/complete/main.tf
@@ -10,19 +10,19 @@ module "eks" {
is_enabled_cluster_encryption = true
node_groups = {
default = {
desired_size = 1,
max_size = 1,
min_size = 1,
is_spot_instances = true
disk_size = null
taint = [{
desired_size = 1,
max_size = 1,
min_size = 1,
is_spot_instances = true
disk_size = null
taint = [{
key = "dedicated"
value = "gpuGroup"
effect = "NO_SCHEDULE"
}]
is_create_launch_template = true
instance_types = ["t3a.small"]
pre_bootstrap_user_data = "sysctl -w net.core.somaxconn='32767' net.ipv4.tcp_max_syn_backlog='32767' && contents=\"$(jq '.allowedUnsafeSysctls=[\"net.*\"]' /etc/kubernetes/kubelet/kubelet-config.json)\" && echo -E \"$${contents}\" > /etc/kubernetes/kubelet/kubelet-config.json"
pre_bootstrap_user_data = "sysctl -w net.core.somaxconn='32767' net.ipv4.tcp_max_syn_backlog='32767' && contents=\"$(jq '.allowedUnsafeSysctls=[\"net.*\"]' /etc/kubernetes/kubelet/kubelet-config.json)\" && echo -E \"$${contents}\" > /etc/kubernetes/kubelet/kubelet-config.json"
labels = {
test = true
}
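Review bot: this hunk is indentation-only (the `desired_size` through `taint` lines are re-indented and `pre_bootstrap_user_data` is unchanged), so a `terraform fmt -check` step in CI would keep this churn out of feature commits. While the example is open: `pre_bootstrap_user_data` sets kubelet's `allowedUnsafeSysctls` to `["net.*"]`, which lets any pod whose securityContext requests them set every `net.*` sysctl on the node; the example itself only needs `net.core.somaxconn` and `net.ipv4.tcp_max_syn_backlog`, so list those two names instead of the wildcard.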
16 changes: 16 additions & 0 deletions iam.tf
@@ -76,3 +76,19 @@ resource "aws_iam_role_policy_attachment" "amazon_ec2_ssm" {
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = aws_iam_role.node_group_role.name
}

# Additional policies
data "aws_iam_policy_document" "combined_policy" {
source_policy_documents = var.additional_worker_polices
}

resource "aws_iam_policy" "combined_policy" {
name = "${local.prefix}-node-group-additional-policy"
description = "${local.prefix} custom policy"
policy = data.aws_iam_policy_document.combined_policy.json
}

resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_combine_policy" {
policy_arn = aws_iam_policy.combined_policy.arn
role = aws_iam_role.node_group_role.name
}
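Review bot: `data.aws_iam_policy_document.combined_policy` is built unconditionally and `var.additional_worker_polices` defaults to `[]`, so a default deployment tries to create `aws_iam_policy.combined_policy` from a document with no statements, which the IAM API rejects as malformed. Guard all three new resources with `count = length(var.additional_worker_polices) > 0 ? 1 : 0` and reference them with `[0]`, so the attachment only exists when a caller actually supplies policies. A comment noting that `source_policy_documents` merges by `Sid` (a later document's statement with the same Sid replaces an earlier one) would also save the next reader a trip to the provider docs.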
2 changes: 1 addition & 1 deletion kms.tf
@@ -1,5 +1,5 @@
module "eks_kms" {
count = var.is_enabled_cluster_encryption ? 1 : 0
count = var.is_enabled_cluster_encryption ? 1 : 0
source = "oozou/kms-key/aws"
version = "1.0.0"

8 changes: 8 additions & 0 deletions modules/bootstrap/data.tf
@@ -38,6 +38,14 @@ EOT
rolearn: ${arn}
username: eks-readonly-${i}
%{endfor~}
EOT
admin_iam_arns = <<EOT
%{for i, arn in var.admin_iam_arns~}
- userarn: ${arn}
username: eks-iam-admin-${i}
groups:
- system:masters
%{endfor~}
EOT
admin_role_binding = <<EOT
%{for i, arn in var.admin_role_arns~}
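Review bot: every ARN in `admin_iam_arns` is bound to `system:masters`, i.e. unrestricted cluster-admin, and its username is `eks-iam-admin-${i}`, the position in the list; reordering or removing an entry silently renames the users that appear in the Kubernetes audit log, so derive the username from the ARN (for example its last path segment) or document that list order must stay stable. `mapUsers` entries also only match on `userarn:`, so a role ARN placed in this list is not expected to grant anything; validating the input shape at the root variable would catch that before apply.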
1 change: 0 additions & 1 deletion modules/bootstrap/secretsmanager.tf
@@ -11,4 +11,3 @@ resource "aws_secretsmanager_secret_version" "terraform_key" {
aws_secret_access_key = var.aws_account.secret_key
})
}

2 changes: 2 additions & 0 deletions modules/bootstrap/templates/eks-manifest-file.yml
@@ -14,6 +14,8 @@ data:
${admin_role_arns}
${dev_role_arns}
${readonly_role_arns}
mapUsers: |
${admin_iam_arns}
${admin_role_binding}
${dev_role_binding}
${readonly_role_binding}
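Review bot: `mapUsers: |` is emitted even when `admin_iam_arns` is empty (the default), leaving a block scalar with no content in the rendered aws-auth configmap. Verify that this applies cleanly with the default `[]`, or wrap the two lines in `%{ if trimspace(admin_iam_arns) != "" }` ... `%{ endif }` so the key is only present when there is something to map; that also keeps the default configmap identical to what existing clusters already have.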
5 changes: 5 additions & 0 deletions modules/bootstrap/variables.tf
@@ -59,6 +59,11 @@ variable "readonly_role_arns" {
type = list(string)
}

variable "admin_iam_arns" {
description = "admin iam arns for grant permission to aws-auth"
type = list(string)
}

variable "is_config_aws_auth" {
description = "require if create lb controler"
type = bool
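Review bot: the description "admin iam arns for grant permission to aws-auth" does not say what is granted; since these ARNs are rendered into `mapUsers` with `groups: [system:masters]`, state it plainly ("IAM user ARNs mapped to system:masters in aws-auth") so a caller understands this is cluster-admin. Having no default here is fine for an internal module, because bootstrap.tf always passes the value through from the root variable.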
3 changes: 2 additions & 1 deletion modules/nodegroup/launch_template.tf
@@ -1,6 +1,7 @@
module "launch_template" {
source = "oozou/launch-template/aws"
version = "1.0.0"
version = "1.0.3"

count = var.is_create_launch_template ? 1 : 0
prefix = var.prefix
environment = var.environment
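Review bot: the `oozou/launch-template/aws` bump from 1.0.0 to 1.0.3 is mentioned neither in CHANGELOG.md nor in the commit message; record it under Changed together with what 1.0.3 brings, because a launch template change creates a new template version and the node group rolls every worker node to pick it up.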
1 change: 0 additions & 1 deletion modules/nodegroup/locals.tf
@@ -26,4 +26,3 @@ locals {
{ "nodegroup" = local.name },
var.labels)
}

18 changes: 9 additions & 9 deletions modules/nodegroup/main.tf
@@ -1,13 +1,13 @@
resource "aws_eks_node_group" "this" {
cluster_name = var.cluster_name
node_group_name = format("%s-%s-nodegroup", local.prefix, var.name)
node_role_arn = var.node_role_arn
subnet_ids = var.subnet_ids
instance_types = var.instance_types
ami_type = var.ami_type
capacity_type = var.is_spot_instances ? "SPOT" : "ON_DEMAND"
disk_size = var.disk_size
labels = local.labels
cluster_name = var.cluster_name
node_group_name = format("%s-%s-nodegroup", local.prefix, var.name)
node_role_arn = var.node_role_arn
subnet_ids = var.subnet_ids
instance_types = var.instance_types
ami_type = var.ami_type
capacity_type = var.is_spot_instances ? "SPOT" : "ON_DEMAND"
disk_size = var.disk_size
labels = local.labels

dynamic "launch_template" {
for_each = var.is_create_launch_template ? [1] : []
1 change: 0 additions & 1 deletion modules/nodegroup/versions.tf
@@ -12,4 +12,3 @@ terraform {
}
}
}

6 changes: 3 additions & 3 deletions modules/openid_connect_provider/locals.tf
@@ -2,17 +2,17 @@ locals {
prefix = "${var.prefix}-${var.environment}"
loadbalancer_controller_sa = {
name = "aws-load-balancer-controller"
namespace = "kube-system"
namespace = "kube-system"
existing_policy_arns = [try(aws_iam_policy.aws_lb_controller[0].arn, null)]
}
argo_image_updater_sa = {
name = "argocd-image-updater"
namespace = "argocd"
namespace = "argocd"
existing_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
}
cluster_autoscaler_sa = {
name = "cluster-autoscaler"
namespace = "kube-system"
namespace = "kube-system"
existing_policy_arns = [try(aws_iam_policy.cluster_autoscaler[0].arn, null)]
}
service_accounts = concat(
12 changes: 12 additions & 0 deletions variables.tf
@@ -125,6 +125,12 @@ variable "readonly_role_arns" {
default = []
}

variable "admin_iam_arns" {
description = "admin iam arns for grant permission to aws-auth"
type = list(string)
default = []
}

variable "additional_allow_cidr" {
description = "cidr for allow connection to eks cluster"
type = list(string)
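Review bot: add a `validation` block so only IAM user ARNs are accepted, for example `condition = alltrue([for a in var.admin_iam_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:user/", a))])`; a role ARN in this list ends up in `mapUsers`, where it grants nothing, and the name `admin_iam_arns` next to `admin_role_arns` invites exactly that mix-up (roles are IAM too). `admin_user_arns` would be the clearer name, and the description should say that each entry is mapped to `system:masters`.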
@@ -197,3 +203,9 @@ variable "bootstrap_ami" {
description = "AMI for ec2 bootstrap module"
default = ""
}

variable "additional_worker_polices" {
description = "Additional IAM policies block, input as data source or json. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document. Bucket Policy Statements can be overriden by the statement with the same sid from the latest policy."
type = list(string)
default = []
}
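Review bot: `additional_worker_polices` is misspelled (policies), and because it is the public variable name, renaming later breaks every caller; fix it before release. The description is copied from an S3 module ("Bucket Policy Statements", "overriden"); these documents are merged through `source_policy_documents` into the policy attached to the node group role, so describe them as IAM policy statements for the worker nodes' instance profile. It is also worth saying in the description that anything granted here is reachable by every pod on the node via the instance metadata service, and that workload-specific permissions belong in `additional_service_accounts` (IRSA) instead.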

0 comments on commit d7662bd