From 29da38d73fffda9f507f82e0e3c873b5b6712405 Mon Sep 17 00:00:00 2001 From: Joe Ferris Date: Wed, 12 Apr 2023 09:18:24 -0400 Subject: [PATCH] Rename developer/deploy service account modules These modules don't actually create Kubernetes service accounts - they create role bindings to allow groups mapped by aws-auth to perform tasks in the cluster. Principals who authenticate using aws-auth are not mapped to a service account. This updates the naming and documentation to reflect what's actually created. --- aws/application-config/README.md | 16 ++++------------ aws/application-config/main.tf | 10 ++++------ aws/application-config/outputs.tf | 4 ++-- aws/application-config/variables.tf | 12 ------------ .../README.md | 15 ++++++--------- .../main.tf | 0 .../makefile | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 0 .../README.md | 13 +++++-------- .../main.tf | 0 .../makefile | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 0 16 files changed, 21 insertions(+), 49 deletions(-) rename aws/{deploy-service-account => deploy-role-bindings}/README.md (84%) rename aws/{deploy-service-account => deploy-role-bindings}/main.tf (100%) rename aws/{deploy-service-account => deploy-role-bindings}/makefile (100%) rename aws/{deploy-service-account => deploy-role-bindings}/outputs.tf (100%) rename aws/{deploy-service-account => deploy-role-bindings}/variables.tf (100%) rename aws/{deploy-service-account => deploy-role-bindings}/versions.tf (100%) rename aws/{developer-service-account => developer-role-bindings}/README.md (85%) rename aws/{developer-service-account => developer-role-bindings}/main.tf (100%) rename aws/{developer-service-account => developer-role-bindings}/makefile (100%) rename aws/{developer-service-account => developer-role-bindings}/outputs.tf (100%) rename aws/{developer-service-account => developer-role-bindings}/variables.tf (100%) rename aws/{developer-service-account => developer-role-bindings}/versions.tf (100%) 
diff --git a/aws/application-config/README.md b/aws/application-config/README.md
index 049c49ad..451de0b8 100644
--- a/aws/application-config/README.md
+++ b/aws/application-config/README.md
@@ -5,8 +5,8 @@ running on Flightdeck:
 
 - An Istio-managed namespace
 - A service account for an application IAM role
-- A service account for a deployment IAM role
-- A service account for developers to view application resources
+- Role bindings for a deployment IAM role
+- Role bindings for developers to view application resources
 - A SecretsManager SecretProviderClass for mounting secrets
 
 Example:
@@ -24,15 +24,9 @@ module "example_sandbox_v1" {
 # Assign an IAM role to pods in this application
 pod_iam_role = aws_iam_role.service.arn
 
- # Name of the deployment service account (default: deploy)
- deploy_service_account = "example-staging-deploy"
-
 # Must match a group declared in your eks-auth configmap
 deploy_group = "example-staging-deploy"
 
- # Name of the developer service account (default: developer)
- name = "example-staging-developer"
-
 # Must match a group declared in your eks-auth configmap
 developer_group = "example-staging-developer"
 
@@ -107,8 +101,8 @@ module "platform" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| [deploy\_service\_account](#module\_deploy\_service\_account) | ../deploy-service-account | n/a |
-| [developer\_service\_account](#module\_developer\_service\_account) | ../developer-service-account | n/a |
+| [deploy\_role\_bindings](#module\_deploy\_role\_bindings) | ../deploy-role-bindings | n/a |
+| [developer\_role\_bindings](#module\_developer\_role\_bindings) | ../developer-role-bindings | n/a |
 | [secret\_provider\_class](#module\_secret\_provider\_class) | ../secret-provider-class | n/a |
 
 ## Resources
 
@@ -125,9 +119,7 @@ module "platform" {
 | [create\_namespace](#input\_create\_namespace) | Set to false to disable creation of the Kubernetes namespace | `bool` | `true` | no |
 | [deploy\_cluster\_roles](#input\_deploy\_cluster\_roles) | Names of cluster roles for this serviceaccount (default: admin) | `list(string)` |
[
"admin"
]
| no |
 | [deploy\_group](#input\_deploy\_group) | Name of the Kubernetes group allowed to deploy (default: NAMESPACE-deploy) | `string` | `null` | no |
-| [deploy\_service\_account](#input\_deploy\_service\_account) | Name of the Kubernetes service account (default: deploy) | `string` | `"deploy"` | no |
 | [developer\_group](#input\_developer\_group) | Name of the Kubernetes group used by developers (default: NAMESPACE-developer) | `string` | `null` | no |
-| [developer\_service\_account](#input\_developer\_service\_account) | Name of the Kubernetes service account (default: developer) | `string` | `"developer"` | no |
 | [enable\_exec](#input\_enable\_exec) | Set to true to allow running exec on pods | `bool` | `false` | no |
 | [namespace](#input\_namespace) | Kubernetes namespace to which this tenant deploys | `string` | n/a | yes |
 | [pod\_iam\_role](#input\_pod\_iam\_role) | ARN of the role which application pods should assume | `string` | n/a | yes |
diff --git a/aws/application-config/main.tf b/aws/application-config/main.tf
index f9af34c0..4e031633 100644
--- a/aws/application-config/main.tf
+++ b/aws/application-config/main.tf
@@ -34,22 +34,20 @@ module "secret_provider_class" {
 secrets_manager_secrets = var.secrets_manager_secrets
 }
 
-module "deploy_service_account" {
+module "deploy_role_bindings" {
 depends_on = [kubernetes_namespace.this]
- source = "../deploy-service-account"
+ source = "../deploy-role-bindings"
 cluster_roles = var.deploy_cluster_roles
 group = coalesce(var.deploy_group, "${var.namespace}-deploy")
- name = var.deploy_service_account
 namespace = var.namespace
 }
 
-module "developer_service_account" {
+module "developer_role_bindings" {
 depends_on = [kubernetes_namespace.this]
- source = "../developer-service-account"
+ source = "../developer-role-bindings"
 enable_exec = var.enable_exec
 group = coalesce(var.developer_group, "${var.namespace}-developer")
- name = var.developer_service_account
 namespace = var.namespace
 }
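Review bot: Renaming the module blocks to `deploy_role_bindings` and `developer_role_bindings` changes their addresses in Terraform state, so unless the move is declared the next apply will destroy the existing role bindings and recreate them, and the deploy and developer groups lose their namespace permissions for that window (a CI deploy running at that moment fails). If the required Terraform version allows it (`moved` blocks need 1.1 or later; the required version is not shown in this patch), one `moved` block per module keeps the state entries in place. Dropping `name = var.deploy_service_account` and `name = var.developer_service_account` here, together with the input deletions in variables.tf, also breaks any caller that set those inputs on application-config; the called modules are renamed at 100% similarity, so they presumably still declare `name` and will now always take its default. Both points deserve a line in the module documentation so operators can plan the apply.
```hcl
# … unchanged: secret_provider_class, deploy_role_bindings and developer_role_bindings modules …

moved {
  from = module.deploy_service_account
  to   = module.deploy_role_bindings
}

moved {
  from = module.developer_service_account
  to   = module.developer_role_bindings
}
```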
diff --git a/aws/application-config/outputs.tf b/aws/application-config/outputs.tf
index 30e34537..fa71e673 100644
--- a/aws/application-config/outputs.tf
+++ b/aws/application-config/outputs.tf
@@ -1,11 +1,11 @@
 output "deploy_group" {
 description = "Name of the group bound to deploy roles"
- value = module.deploy_service_account.group_name
+ value = module.deploy_role_bindings.group_name
 }
 
 output "developer_group" {
 description = "Name of the group bound to developer roles"
- value = module.developer_service_account.group_name
+ value = module.developer_role_bindings.group_name
 }
 
 output "namespace" {
diff --git a/aws/application-config/variables.tf b/aws/application-config/variables.tf
index aa73f95d..1ed8ecbf 100644
--- a/aws/application-config/variables.tf
+++ b/aws/application-config/variables.tf
@@ -16,24 +16,12 @@ variable "deploy_group" {
 default = null
 }
 
-variable "deploy_service_account" {
- description = "Name of the Kubernetes service account (default: deploy)"
- type = string
- default = "deploy"
-}
-
 variable "developer_group" {
 description = "Name of the Kubernetes group used by developers (default: NAMESPACE-developer)"
 type = string
 default = null
 }
 
-variable "developer_service_account" {
- description = "Name of the Kubernetes service account (default: developer)"
- type = string
- default = "developer"
-}
-
 variable "enable_exec" {
 description = "Set to true to allow running exec on pods"
 type = bool
diff --git a/aws/deploy-service-account/README.md b/aws/deploy-role-bindings/README.md
similarity index 84%
rename from aws/deploy-service-account/README.md
rename to aws/deploy-role-bindings/README.md
index 014b6475..925fa964 100644
--- a/aws/deploy-service-account/README.md
+++ b/aws/deploy-role-bindings/README.md
@@ -1,17 +1,14 @@
 # Deploy Service Account
 
-This module creates a [Kubernetes service account] which can be used to write to
+This module creates [Kubernetes role bindings] which can be used to write to
 common resources used by Flightdeck applications, suitable for use in a CI/CD
 pipeline.
 
 Example:
 
 ``` hcl
-module "deploy_service_account" {
- source = "github.com/thoughtbot/flightdeck//aws/deploy-service-account?ref=VERSION"
-
- # Name of the service account (default: deploy)
- name = "example-staging-deploy"
+module "deploy_role_bindings" {
+ source = "github.com/thoughtbot/flightdeck//aws/deploy-role-bindings?ref=VERSION"
 
 # Kubernetes namespace
 namespace = "example-staging"
@@ -24,8 +21,8 @@ module "deploy_service_account" {
 You can use the [github-actions-eks-deploy-role module] to create a role
 suitable for use in a GitHub Actions workflow.
 
-Once the deploy service account and role have been created, you must map them in
-your [eks-auth] config:
+Once the deploy role bindings have been created, you must map them in your
+[eks-auth] config:
 
 ``` hcl
 # In your platform configuration
@@ -41,7 +38,7 @@ module "workload_platform" {
 }
 ```
 
-[Kubernetes service account]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+[Kubernetes role bindings]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 [eks-auth]: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
 [github-actions-eks-deploy-role module]: github.com/thoughtbot/terraform-eks-cicd//modules/github-actions-eks-deploy-role
 
diff --git a/aws/deploy-service-account/main.tf b/aws/deploy-role-bindings/main.tf
similarity index 100%
rename from aws/deploy-service-account/main.tf
rename to aws/deploy-role-bindings/main.tf
diff --git a/aws/deploy-service-account/makefile b/aws/deploy-role-bindings/makefile
similarity index 100%
rename from aws/deploy-service-account/makefile
rename to aws/deploy-role-bindings/makefile
diff --git a/aws/deploy-service-account/outputs.tf b/aws/deploy-role-bindings/outputs.tf
similarity index 100%
rename from aws/deploy-service-account/outputs.tf
rename to aws/deploy-role-bindings/outputs.tf
diff --git a/aws/deploy-service-account/variables.tf b/aws/deploy-role-bindings/variables.tf
similarity index 100%
rename from aws/deploy-service-account/variables.tf
rename to aws/deploy-role-bindings/variables.tf
diff --git a/aws/deploy-service-account/versions.tf b/aws/deploy-role-bindings/versions.tf
similarity index 100%
rename from aws/deploy-service-account/versions.tf
rename to aws/deploy-role-bindings/versions.tf
diff --git a/aws/developer-service-account/README.md b/aws/developer-role-bindings/README.md
similarity index 85%
rename from aws/developer-service-account/README.md
rename to aws/developer-role-bindings/README.md
index fbd816fa..471b6d83 100644
--- a/aws/developer-service-account/README.md
+++ b/aws/developer-role-bindings/README.md
@@ -1,6 +1,6 @@
 # Developer Service Account
 
-This module creates a [Kubernetes service account] which can be used by
+This module creates [Kubernetes role bindings] which can be used by
 developers to debug Flightdeck applications. It provides read access to most
 Kubernetes resources within the namespace, including the CRDs declared by
 Flightdeck.
@@ -8,11 +8,8 @@ Flightdeck.
 Example:
 
 ``` hcl
-module "developer_service_account" {
- source = "github.com/thoughtbot/flightdeck//aws/developer-service-account?ref=VERSION"
-
- # Name of the service account (default: developer)
- name = "example-staging-developer"
+module "developer_role_bindings" {
+ source = "github.com/thoughtbot/flightdeck//aws/developer-role-bindings?ref=VERSION"
 
 # Kubernetes namespace
 namespace = "example-staging"
@@ -25,7 +22,7 @@ module "developer_service_account" {
 }
 ```
 
-Once the service account has been created, you must map them in your [eks-auth]
+Once the role bindings has been created, you must map them in your [eks-auth]
 config. You can use the [SSO permission set roles module] to lookup a role that
 developers will use.
 
@@ -48,7 +45,7 @@ module "platform" {
 ```
 
 
-[Kubernetes service account]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+[Kubernetes role bindings]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 [eks-auth]: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
 [SSO permission set roles module]: https://github.com/thoughtbot/terraform-aws-sso-permission-set-roles
 
diff --git a/aws/developer-service-account/main.tf b/aws/developer-role-bindings/main.tf
similarity index 100%
rename from aws/developer-service-account/main.tf
rename to aws/developer-role-bindings/main.tf
diff --git a/aws/developer-service-account/makefile b/aws/developer-role-bindings/makefile
similarity index 100%
rename from aws/developer-service-account/makefile
rename to aws/developer-role-bindings/makefile
diff --git a/aws/developer-service-account/outputs.tf b/aws/developer-role-bindings/outputs.tf
similarity index 100%
rename from aws/developer-service-account/outputs.tf
rename to aws/developer-role-bindings/outputs.tf
diff --git a/aws/developer-service-account/variables.tf b/aws/developer-role-bindings/variables.tf
similarity index 100%
rename from aws/developer-service-account/variables.tf
rename to aws/developer-role-bindings/variables.tf
diff --git a/aws/developer-service-account/versions.tf b/aws/developer-role-bindings/versions.tf
similarity index 100%
rename from aws/developer-service-account/versions.tf
rename to aws/developer-role-bindings/versions.tf