terraform-aws-eks-roles

A Terraform module that creates all the resources needed for Admin, Operations and ViewOnly access to an EKS cluster: the AWS IAM policies and roles, their respective Kubernetes ClusterRoles and ClusterRoleBindings, and the aws-auth ConfigMap that maps the IAM roles into the cluster. Inspired by and adapted from this doc and its source code. Read the AWS docs on EKS to get connected to the k8s dashboard.

Assumptions

  • You have an EKS cluster in an AWS account
  • You have the AWS CLI configured with access to the AWS account where the EKS cluster exists
  • You have an AWS user with sufficient permissions to create IAM policies and IAM roles
  • You have a kubeconfig file with system:masters access to the EKS cluster (the module has to write ClusterRoles, ClusterRoleBindings and the aws-auth ConfigMap in kube-system)
  • You have kubectl installed and configured properly

Usage example

A full example is contained in the examples/basic directory.

module "kubernetes-roles" {
    source             = "./terraform-aws-eks-roles"

    cluster_name       = var.cluster-name
    master_user        = var.master-user
    local_kube_context = var.local-kube-context
    cluster_nodes_role = var.cluster-nodes-role
    tags               = var.tags
}

Conditional creation

Need more roles?

Sometimes you need additional roles. You can add them through the variables (cluster_roles, cluster_roles_binding, policy_names, roles_names) and by adding the corresponding yml files to the cluster-roles and cluster-roles-binding folders. Keep in mind that cluster_role_qty and cluster_role_binding_qty must be increased or reduced accordingly, since the module iterates over those counts. Finally, you need to create the resources, locals and outputs for each new role.
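A pre-flight check for the steps above, added here as an example and not part of the module: it verifies that each *_qty value equals the length of the matching name list, that every listed name has a manifest on disk, and that every ClusterRole in cluster_roles has a partner in cluster_roles_binding (and vice versa) under the module's default naming. The layout it checks is constructed inside a temporary directory; the assumption that the manifest for a name is <name>.yml in the cluster-roles and cluster-roles-binding folders is mine, not something the module documents.

```shell
#!/bin/sh
# Added example; not part of terraform-aws-eks-roles.
# Assumption (not stated by the module docs): the manifest for a listed name is
# <name>.yml inside the cluster-roles / cluster-roles-binding folders.

# check_role_set DIR QTY NAME...
# 0 if QTY equals the number of NAMEs and DIR/<NAME>.yml exists for each of them.
check_role_set() {
  dir=$1; qty=$2; shift 2
  rc=0
  if [ "$#" -ne "$qty" ]; then
    echo "$dir: qty is $qty but $# names are listed" >&2; rc=1
  fi
  for name in "$@"; do
    [ -f "$dir/$name.yml" ] || { echo "$dir: missing $name.yml" >&2; rc=1; }
  done
  return $rc
}

# check_pairing ROLE_NAMES BINDING_NAMES   (space-separated lists)
# 0 if every cluster-role-<x> has a cluster-role-binding-<x> and vice versa.
# A ClusterRole nobody is bound to is dead configuration; a binding whose
# ClusterRole does not exist is accepted by Kubernetes but grants nothing.
check_pairing() {
  roles=$1; bindings=$2; rc=0
  for r in $roles; do
    suffix=${r#cluster-role-}
    case " $bindings " in
      *" cluster-role-binding-$suffix "*) ;;
      *) echo "no ClusterRoleBinding listed for $r" >&2; rc=1 ;;
    esac
  done
  for b in $bindings; do
    suffix=${b#cluster-role-binding-}
    case " $roles " in
      *" cluster-role-$suffix "*) ;;
      *) echo "no ClusterRole listed for $b" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed layout: the module defaults plus a new "developer" ClusterRole whose
# binding manifest has not been written yet.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/cluster-roles" "$DEMO/cluster-roles-binding"
for x in admin operations viewonly developer; do
  : > "$DEMO/cluster-roles/cluster-role-cluster-$x.yml"
done
for x in admin operations viewonly; do
  : > "$DEMO/cluster-roles-binding/cluster-role-binding-cluster-$x.yml"
done

ROLES='cluster-role-cluster-admin cluster-role-cluster-operations cluster-role-cluster-viewonly cluster-role-cluster-developer'
BINDINGS='cluster-role-binding-cluster-admin cluster-role-binding-cluster-operations cluster-role-binding-cluster-viewonly'

# cluster_role_qty was bumped to 4 for the new role; cluster_role_binding_qty is still 3.
check_role_set "$DEMO/cluster-roles" 4 $ROLES            || echo "fix cluster_roles before apply" >&2
check_role_set "$DEMO/cluster-roles-binding" 3 $BINDINGS || echo "fix cluster_roles_binding before apply" >&2
check_pairing "$ROLES" "$BINDINGS"                       || echo "developer role has no binding" >&2
```

Run it from the module directory after editing the variables; any non-zero result names the list or file to fix before terraform apply.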

dry-run for aws-auth.yml

The variable overwrite_aws_auth controls whether the module touches the cluster's aws-auth ConfigMap. With the default value false, the module only renders the aws-auth.yml file without applying it, so you can review or edit it first. Set it to true only after that review: it replaces the existing ConfigMap, and a wrong one locks out every identity mapped there, including the node role, so nodes can no longer join the cluster. The master_user variable exists as the fallback identity for that case.

variable "overwrite_aws_auth" {
  type        = bool
  default     = false
  description = "WARNING!!! If true it will override the aws-auth ConfigMap of your cluster"
}
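The review step that the default overwrite_aws_auth = false is meant to allow, as an added example that is not part of the module: a POSIX shell script that checks a rendered aws-auth.yml before it is applied. It verifies that the node role passed as cluster_nodes_role is mapped with the two groups worker nodes need (system:bootstrappers and system:nodes) and lists every identity the file puts into system:masters, which is the list a reviewer should be able to justify line by line. It assumes the standard aws-auth layout (a ConfigMap in kube-system whose mapRoles and mapUsers block scalars hold entries beginning with rolearn or userarn) and works on a constructed sample file; the ARNs, user names and the cluster-viewonly group in that sample are made up for the example.

```shell
#!/bin/sh
# Added example; not part of terraform-aws-eks-roles. Reviews a rendered aws-auth.yml
# before overwrite_aws_auth is set to true. Assumes the standard aws-auth layout:
# a ConfigMap in kube-system whose mapRoles / mapUsers block scalars hold entries
# that begin with "- rolearn:" / "- userarn:" (or "- groups:" / "- username:").

# aws_auth_entries FILE NEEDLE
# Print every mapRoles/mapUsers entry of FILE whose text contains NEEDLE.
aws_auth_entries() {
  awk -v needle="$2" '
    function flush() { if (index(buf, needle) > 0) printf "%s", buf; buf = "" }
    /^[[:space:]]*-[[:space:]]+(rolearn|userarn|username|groups):/ { flush() }
    /^[[:space:]]*map(Roles|Users|Accounts):/                       { flush() }
    { buf = buf $0 "\n" }
    END { flush() }
  ' "$1"
}

# check_node_mapping FILE NODE_ROLE_ARN
# Succeeds only if the node role (cluster_nodes_role) is mapped with both groups
# worker nodes need. Without this entry, applying the file cuts every node off
# from the API server.
check_node_mapping() {
  entry=$(aws_auth_entries "$1" "$2")
  [ -n "$entry" ] || return 1
  printf '%s\n' "$entry" | grep -q -- '- system:bootstrappers' || return 1
  printf '%s\n' "$entry" | grep -q -- '- system:nodes' || return 1
}

# masters_arns FILE
# Print the ARN of every identity the file puts in system:masters (full cluster-admin).
masters_arns() {
  aws_auth_entries "$1" 'system:masters' \
    | grep -E '^[[:space:]]*-?[[:space:]]*(rolearn|userarn):' \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*(rolearn|userarn):[[:space:]]*//'
}

# Constructed sample standing in for the module's rendered aws-auth.yml; ARNs, user
# names and the cluster-viewonly group are made up for this example.
SAMPLE_AWS_AUTH=$(mktemp)
cat > "$SAMPLE_AWS_AUTH" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-cluster-nodes
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::123456789012:role/EKS-AdminsRole
      username: eks-admin
      groups:
        - system:masters
    - rolearn: arn:aws:iam::123456789012:role/EKS-ViewOnlyRole
      username: eks-viewonly
      groups:
        - cluster-viewonly
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/break-glass
      username: break-glass
      groups:
        - system:masters
EOF

NODE_ROLE_ARN='arn:aws:iam::123456789012:role/eks-cluster-nodes'   # value of cluster_nodes_role
if check_node_mapping "$SAMPLE_AWS_AUTH" "$NODE_ROLE_ARN"; then
  echo "node role mapping present; file can be considered for apply"
else
  echo "REFUSE: node role mapping missing or incomplete in $SAMPLE_AWS_AUTH" >&2
fi
echo "identities granted system:masters:"
masters_arns "$SAMPLE_AWS_AUTH"
```

Point the two functions at the file the module rendered and at the real cluster_nodes_role ARN; only flip overwrite_aws_auth to true once check_node_mapping passes and every ARN printed by masters_arns is one you intend to hold cluster-admin.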

Resources Names

Names of the IAM resources created in AWS follow a predefined pattern:

prefix (resources_prefix) + role name or policy name + cluster name

Other documentation

Doc generation

Code formatting and the documentation for variables and outputs are generated using pre-commit-terraform hooks, which use terraform-docs.

Follow these instructions to install pre-commit locally.

Install terraform-docs with go get github.com/segmentio/terraform-docs or brew install terraform-docs.

Contributing

Report issues, questions and feature requests in the issues section.

Full contributing guidelines are covered here.

Change log

The changelog captures all important release notes starting with v1.0.0.

Authors

Created by:

License

MIT License

Copyright (c) 2020 The terraform-aws-eks-roles module Authors.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Requirements

Name      | Version
--------- | ----------
terraform | >= 0.12.23
aws       | >= 2.54.0
local     | >= 1.4.0
null      | >= 2.1.2

Providers

Name  | Version
----- | ---------
aws   | >= 2.54.0
local | >= 1.4.0
null  | >= 2.1.2

Inputs

Name | Description | Type | Default | Required
---- | ----------- | ---- | ------- | --------
cluster_name | EKS cluster name in AWS | string | n/a | yes
cluster_nodes_role | IAM Role ARN used by the EKS cluster nodes (a.k.a. Cluster IAM Role ARN) | string | n/a | yes
cluster_role_binding_qty | Number of ClusterRoleBindings to provision; drives the local iterations | number | 3 | no
cluster_role_qty | Number of ClusterRoles to provision; drives the local iterations | number | 3 | no
cluster_roles | ClusterRoles to be provisioned in EKS | list | ["cluster-role-cluster-admin", "cluster-role-cluster-operations", "cluster-role-cluster-viewonly"] | no
cluster_roles_binding | ClusterRoleBindings to be provisioned in EKS | list | ["cluster-role-binding-cluster-admin", "cluster-role-binding-cluster-operations", "cluster-role-binding-cluster-viewonly"] | no
local_kube_context | Local kubectl context used to provision | string | n/a | yes
master_user | Master cluster user, kept in case the aws-auth roles don't work | string | n/a | yes
overwrite_aws_auth | WARNING!!! If true it will override the aws-auth ConfigMap of your cluster | bool | false | no
policy_names | IAM policy names | list | ["EKS-AdminPolicy", "EKS-OpsPolicy", "EKS-ViewOnlyPolicy"] | no
resources_prefix | Prefix for each IAM Role and Policy name | string | "" | no
roles_names | IAM role names | list | ["EKS-AdminsRole", "EKS-OpsRole", "EKS-ViewOnlyRole"] | no
tags | n/a | map(string) | {"Name": ""} | no

Outputs

Name                                | Description
----------------------------------- | ------------------------------
iam_policy_KubernetesAdminPolicy    | KubernetesAdminPolicy ARN
iam_policy_KubernetesOpsPolicy      | KubernetesOpsPolicy ARN
iam_policy_KubernetesViewOnlyPolicy | KubernetesViewOnlyPolicy ARN
iam_role_KubernetesAdminRole        | KubernetesAdminRole ARN
iam_role_KubernetesOpsRole          | KubernetesOpsRole ARN
iam_role_KubernetesViewOnlyRole     | KubernetesViewOnlyRole ARN