Rename developer/deploy service account modules

These modules don't actually create Kubernetes service accounts - they create role bindings to allow groups mapped by aws-auth to perform tasks in the cluster. Principals who authenticate using aws-auth are not mapped to a service account. This updates the naming and documentation to reflect what's actually created.
thoughtbot · Apr 12, 2023 · 29da38d · 29da38d
1 parent 1322c4e
commit 29da38d
Show file tree

Hide file tree

Showing 16 changed files with 21 additions and 49 deletions.
diff --git a/aws/application-config/README.md b/aws/application-config/README.md
@@ -5,8 +5,8 @@ running on Flightdeck:
 
 - An Istio-managed namespace
 - A service account for an application IAM role
-- A service account for a deployment IAM role
-- A service account for developers to view application resources
+- Role bindings for a deployment IAM role
+- Role bindings for developers to view application resources
 - A SecretsManager SecretProviderClass for mounting secrets
 
 Example:
@@ -24,15 +24,9 @@ module "example_sandbox_v1" {
   # Assign an IAM role to pods in this application
   pod_iam_role = aws_iam_role.service.arn
 
-  # Name of the deployment service account (default: deploy)
-  deploy_service_account = "example-staging-deploy"
-
   # Must match a group declared in your eks-auth configmap
   deploy_group = "example-staging-deploy"
 
-  # Name of the developer service account (default: developer)
-  name = "example-staging-developer"
-
   # Must match a group declared in your eks-auth configmap
   developer_group = "example-staging-developer"
 
@@ -107,8 +101,8 @@ module "platform" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_deploy_service_account"></a> [deploy\_service\_account](#module\_deploy\_service\_account) | ../deploy-service-account | n/a |
-| <a name="module_developer_service_account"></a> [developer\_service\_account](#module\_developer\_service\_account) | ../developer-service-account | n/a |
+| <a name="module_deploy_role_bindings"></a> [deploy\_role\_bindings](#module\_deploy\_role\_bindings) | ../deploy-role-bindings | n/a |
+| <a name="module_developer_role_bindings"></a> [developer\_role\_bindings](#module\_developer\_role\_bindings) | ../developer-role-bindings | n/a |
 | <a name="module_secret_provider_class"></a> [secret\_provider\_class](#module\_secret\_provider\_class) | ../secret-provider-class | n/a |
 
 ## Resources
@@ -125,9 +119,7 @@ module "platform" {
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Set to false to disable creation of the Kubernetes namespace | `bool` | `true` | no |
 | <a name="input_deploy_cluster_roles"></a> [deploy\_cluster\_roles](#input\_deploy\_cluster\_roles) | Names of cluster roles for this serviceaccount (default: admin) | `list(string)` | <pre>[<br>  "admin"<br>]</pre> | no |
 | <a name="input_deploy_group"></a> [deploy\_group](#input\_deploy\_group) | Name of the Kubernetes group allowed to deploy (default: NAMESPACE-deploy) | `string` | `null` | no |
-| <a name="input_deploy_service_account"></a> [deploy\_service\_account](#input\_deploy\_service\_account) | Name of the Kubernetes service account (default: deploy) | `string` | `"deploy"` | no |
 | <a name="input_developer_group"></a> [developer\_group](#input\_developer\_group) | Name of the Kubernetes group used by developers (default: NAMESPACE-developer) | `string` | `null` | no |
-| <a name="input_developer_service_account"></a> [developer\_service\_account](#input\_developer\_service\_account) | Name of the Kubernetes service account (default: developer) | `string` | `"developer"` | no |
 | <a name="input_enable_exec"></a> [enable\_exec](#input\_enable\_exec) | Set to true to allow running exec on pods | `bool` | `false` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Kubernetes namespace to which this tenant deploys | `string` | n/a | yes |
 | <a name="input_pod_iam_role"></a> [pod\_iam\_role](#input\_pod\_iam\_role) | ARN of the role which application pods should assume | `string` | n/a | yes |

diff --git a/aws/application-config/main.tf b/aws/application-config/main.tf
@@ -34,22 +34,20 @@ module "secret_provider_class" {
   secrets_manager_secrets = var.secrets_manager_secrets
 }
 
-module "deploy_service_account" {
+module "deploy_role_bindings" {
   depends_on = [kubernetes_namespace.this]
-  source     = "../deploy-service-account"
+  source     = "../deploy-role-bindings"
 
   cluster_roles = var.deploy_cluster_roles
   group         = coalesce(var.deploy_group, "${var.namespace}-deploy")
-  name          = var.deploy_service_account
   namespace     = var.namespace
 }
 
-module "developer_service_account" {
+module "developer_role_bindings" {
   depends_on = [kubernetes_namespace.this]
-  source     = "../developer-service-account"
+  source     = "../developer-role-bindings"
 
   enable_exec = var.enable_exec
   group       = coalesce(var.developer_group, "${var.namespace}-developer")
-  name        = var.developer_service_account
   namespace   = var.namespace
 }
diff --git a/aws/application-config/outputs.tf b/aws/application-config/outputs.tf
@@ -1,11 +1,11 @@
 output "deploy_group" {
   description = "Name of the group bound to deploy roles"
-  value       = module.deploy_service_account.group_name
+  value       = module.deploy_role_bindings.group_name
 }
 
 output "developer_group" {
   description = "Name of the group bound to developer roles"
-  value       = module.developer_service_account.group_name
+  value       = module.developer_role_bindings.group_name
 }
 
 output "namespace" {

diff --git a/aws/application-config/variables.tf b/aws/application-config/variables.tf
@@ -16,24 +16,12 @@ variable "deploy_group" {
   default     = null
 }
 
-variable "deploy_service_account" {
-  description = "Name of the Kubernetes service account (default: deploy)"
-  type        = string
-  default     = "deploy"
-}
-
 variable "developer_group" {
   description = "Name of the Kubernetes group used by developers (default: NAMESPACE-developer)"
   type        = string
   default     = null
 }
 
-variable "developer_service_account" {
-  description = "Name of the Kubernetes service account (default: developer)"
-  type        = string
-  default     = "developer"
-}
-
 variable "enable_exec" {
   description = "Set to true to allow running exec on pods"
   type        = bool

diff --git a/aws/deploy-service-account/README.md → aws/deploy-role-bindings/README.md b/aws/deploy-service-account/README.md → aws/deploy-role-bindings/README.md
@@ -1,17 +1,14 @@
 # Deploy Service Account
 
-This module creates a [Kubernetes service account] which can be used to write to
+This module creates [Kubernetes role bindings] which can be used to write to
 common resources used by Flightdeck applications, suitable for use in a CI/CD
 pipeline.
 
 Example:
 
 ``` hcl
-module "deploy_service_account" {
-  source = "github.com/thoughtbot/flightdeck//aws/deploy-service-account?ref=VERSION"
-
-  # Name of the service account (default: deploy)
-  name = "example-staging-deploy"
+module "deploy_role_bindings" {
+  source = "github.com/thoughtbot/flightdeck//aws/deploy-role-bindings?ref=VERSION"
 
   # Kubernetes namespace
   namespace = "example-staging"
@@ -24,8 +21,8 @@ module "deploy_service_account" {
 You can use the [github-actions-eks-deploy-role module] to create a role
 suitable for use in a GitHub Actions workflow.
 
-Once the deploy service account and role have been created, you must map them in
-your [eks-auth] config:
+Once the deploy role bindings have been created, you must map them in your
+[eks-auth] config:
 
 ``` hcl
 # In your platform configuration
@@ -41,7 +38,7 @@ module "workload_platform" {
 }
 ```
 
-[Kubernetes service account]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+[Kubernetes role bindings]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 [eks-auth]: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
 [github-actions-eks-deploy-role module]: github.com/thoughtbot/terraform-eks-cicd//modules/github-actions-eks-deploy-role
 

diff --git a/aws/deploy-service-account/main.tf → aws/deploy-role-bindings/main.tf b/aws/deploy-service-account/main.tf → aws/deploy-role-bindings/main.tf
diff --git a/aws/deploy-service-account/makefile → aws/deploy-role-bindings/makefile b/aws/deploy-service-account/makefile → aws/deploy-role-bindings/makefile
diff --git a/aws/deploy-service-account/outputs.tf → aws/deploy-role-bindings/outputs.tf b/aws/deploy-service-account/outputs.tf → aws/deploy-role-bindings/outputs.tf
diff --git a/aws/deploy-service-account/variables.tf → aws/deploy-role-bindings/variables.tf b/aws/deploy-service-account/variables.tf → aws/deploy-role-bindings/variables.tf
diff --git a/aws/deploy-service-account/versions.tf → aws/deploy-role-bindings/versions.tf b/aws/deploy-service-account/versions.tf → aws/deploy-role-bindings/versions.tf
diff --git a/aws/developer-service-account/README.md → aws/developer-role-bindings/README.md b/aws/developer-service-account/README.md → aws/developer-role-bindings/README.md
@@ -1,18 +1,15 @@
 # Developer Service Account
 
-This module creates a [Kubernetes service account] which can be used by
+This module creates [Kubernetes role bindings] which can be used by
 developers to debug Flightdeck applications. It provides read access to most
 Kubernetes resources within the namespace, including the CRDs declared by
 Flightdeck.
 
 Example:
 
 ``` hcl
-module "developer_service_account" {
-  source = "github.com/thoughtbot/flightdeck//aws/developer-service-account?ref=VERSION"
-
-  # Name of the service account (default: developer)
-  name = "example-staging-developer"
+module "developer_role_bindings" {
+  source = "github.com/thoughtbot/flightdeck//aws/developer-role-bindings?ref=VERSION"
 
   # Kubernetes namespace
   namespace = "example-staging"
@@ -25,7 +22,7 @@ module "developer_service_account" {
 }
 ```
 
-Once the service account has been created, you must map them in your [eks-auth]
+Once the role bindings has been created, you must map them in your [eks-auth]
 config. You can use the [SSO permission set roles module] to lookup a role that
 developers will use.
 
@@ -48,7 +45,7 @@ module "platform" {
 
 ```
 
-[Kubernetes service account]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+[Kubernetes role bindings]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 [eks-auth]: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
 [SSO permission set roles module]: https://github.com/thoughtbot/terraform-aws-sso-permission-set-roles
 

diff --git a/aws/developer-service-account/main.tf → aws/developer-role-bindings/main.tf b/aws/developer-service-account/main.tf → aws/developer-role-bindings/main.tf
diff --git a/aws/developer-service-account/makefile → aws/developer-role-bindings/makefile b/aws/developer-service-account/makefile → aws/developer-role-bindings/makefile
diff --git a/aws/developer-service-account/outputs.tf → aws/developer-role-bindings/outputs.tf b/aws/developer-service-account/outputs.tf → aws/developer-role-bindings/outputs.tf
diff --git a/aws/developer-service-account/variables.tf → aws/developer-role-bindings/variables.tf b/aws/developer-service-account/variables.tf → aws/developer-role-bindings/variables.tf
diff --git a/aws/developer-service-account/versions.tf → aws/developer-role-bindings/versions.tf b/aws/developer-service-account/versions.tf → aws/developer-role-bindings/versions.tf