From 041792974f3e63447d023fd000e06e4e3036b876 Mon Sep 17 00:00:00 2001 From: Vedant Pareek Date: Mon, 13 May 2024 17:22:03 +0530 Subject: [PATCH 1/3] Added cloud integration for EKS platform IAM role --- iam.tf | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 9 ++++++++ 2 files changed, 70 insertions(+) diff --git a/iam.tf b/iam.tf index 9644252..d160962 100644 --- a/iam.tf +++ b/iam.tf 
@@ -74,6 +74,53 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_user_ecr_policy_doc } } +data "aws_iam_policy_document" "truefoundry_platform_feature_cloud_integration_policy_document" { + count = var.platform_feature_enabled ? var.feature_cloud_integration_enabled ? 1 : 0 : 0 + statement { + effect = "Allow" + actions =[ + "eks:ListNodegroups", + "eks:DescribeFargateProfile", + "eks:ListTagsForResource", + "eks:DescribeInsight", + "eks:ListAddons", + "eks:DescribeAddon", + "eks:DescribePodIdentityAssociation", + "eks:ListInsights", + "eks:ListPodIdentityAssociations", + "eks:ListFargateProfiles", + "eks:DescribeNodegroup", + "eks:ListUpdates", + "eks:DescribeUpdate", + "eks:AccessKubernetesApi", + "eks:DescribeCluster", + ] + + resources = [ + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:fargateprofile/${var.cluster_name}/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:addon/${var.cluster_name}/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:nodegroup/${var.cluster_name}/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:podidentityassociation/${var.cluster_name}/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:identityproviderconfig/${var.cluster_name}/*/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:cluster/${var.cluster_name}" + ] + } + statement { + effect = "Allow" + actions = [ + "eks:DescribeAddonConfiguration", + "eks:ListClusters", + "eks:DescribeAddonVersions", + "ec2:DescribeRegions" + ] + + resources = [ + "*" + ] + } +} + + resource "aws_iam_policy" "truefoundry_platform_feature_user_s3_policy" { count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0 name_prefix = "${local.truefoundry_unique_name}-s3-access" 
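Review bot: `eks:AccessKubernetesApi` in the first statement is the only action in this document that is not a read-only List/Describe call — it lets the role reach the cluster's Kubernetes API through EKS access entries, and the Kubernetes-side permissions that result are decided by whichever access entry and access policy are associated with this role, not by anything in this policy. It deserves an explanatory comment and ideally its own statement scoped to the `cluster/${var.cluster_name}` ARN alone, e.g. `sid = "EKSKubernetesApiAccess"`, so the broad read-only grant and the API-access grant can be reviewed and audited independently. Neither statement carries a `sid`; adding them (say `sid = "EKSClusterReadOnly"` and `sid = "EKSRegionalReadOnly"`) makes this policy much easier to pick out in CloudTrail and IAM Access Analyzer output. The `identityproviderconfig/${var.cluster_name}/*/*/*` resource has no identity-provider-specific Describe/List action in the actions list, so it appears to be either a dead entry or a sign that an action was left out — worth confirming against what the platform actually calls. A one-line comment on the second statement saying that `eks:ListClusters`, `eks:DescribeAddonVersions`, `eks:DescribeAddonConfiguration` and `ec2:DescribeRegions` do not support resource-level permissions, which is why `"*"` is required there, would save the next reviewer from flagging the wildcard.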
@@ -99,6 +146,14 @@ resource "aws_iam_policy" "truefoundry_platform_feature_user_ecr_policy" { } +resource "aws_iam_policy" "truefoundry_platform_feature_cloud_integration_policy" { + count = var.platform_feature_enabled ? var.feature_cloud_integration_enabled ? 1 : 0 : 0 + name_prefix = "${local.truefoundry_unique_name}-cloud-integration-access" + description = "IAM policy for TrueFoundry user for platform features cloud integration" + policy = data.aws_iam_policy_document.truefoundry_platform_feature_cloud_integration_policy_document[0].json + tags = local.tags +} + ################################################################################ # IAM role ################################################################################ @@ -140,4 +195,10 @@ resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_ecr_policy_ count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name policy_arn = aws_iam_policy.truefoundry_platform_feature_user_ecr_policy[0].arn +} + +resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_cloud_integration_policy_attachment" { + count = var.platform_feature_enabled ? var.feature_cloud_integration_enabled ? 1 : 0 : 0 + role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name + policy_arn = aws_iam_policy.truefoundry_platform_feature_cloud_integration_policy[0].arn } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 4cd0967..9181483 100644 --- a/variables.tf +++ b/variables.tf 
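Review bot: The new `aws_iam_role_policy_attachment` block leaves `iam.tf` without a trailing newline (`\ No newline at end of file`), and the follow-up `terraform fmt` commit's hunk only covers the policy document (lines 78–121), so the file end is not repaired there; add the newline after the closing `}`. The `description` on `truefoundry_platform_feature_cloud_integration_policy` should say what the policy grants beyond "cloud integration" — I would change it to something like `description = "IAM policy for TrueFoundry platform cloud integration: read-only EKS describe/list access and Kubernetes API access to the cluster"` so the permission scope is visible in the IAM console without opening the document. The `count` and `[0]` indexing mirror the existing ECR attachment in the same hunk, which is consistent with the rest of the file.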
@@ -115,6 +115,15 @@ variable "feature_docker_registry_enabled" { default = true } +################################################################################ +# Cloud Integration +################################################################################ +variable "feature_cloud_integration_enabled" { + description = "Enable cloud integration feature in the platform" + type = bool + default = true +} + ################################################################################## ## Other variables ################################################################################## From 6d96ed5e9a47231ca03acd5787e1f414f337a60f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 13 May 2024 11:55:18 +0000 Subject: [PATCH 2/3] terraform-docs: automated action --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d0907e4..6752a64 100644 --- a/README.md +++ b/README.md 
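Review bot: `feature_cloud_integration_enabled` defaults to `true`, which means every existing deployment picks up the new EKS policy — including `eks:AccessKubernetesApi` on the cluster — on the next apply without an explicit opt-in; that may be intended for parity with the other feature flags, but the description should at least state it, e.g. `description = "Enable cloud integration feature in the platform (attaches EKS read-only and Kubernetes API access permissions to the platform IAM role)"`. The description of `platform_feature_enabled`, which gates this flag, is outside this hunk but as rendered in the README in the next commit it still reads "docker registry, secrets manager and blob storage", so it appears it was not updated to mention cloud integration.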
@@ -25,13 +25,16 @@ Truefoundry AWS platform features | Name | Type | |------|------| +| [aws_iam_policy.truefoundry_platform_feature_cloud_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.truefoundry_platform_feature_user_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.truefoundry_platform_feature_user_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.truefoundry_platform_feature_user_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource | | [aws_iam_role.truefoundry_platform_feature_iam_role](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.truefoundry_platform_user_cloud_integration_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.truefoundry_platform_user_ecr_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.truefoundry_platform_user_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.truefoundry_platform_user_ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy_document.truefoundry_platform_feature_cloud_integration_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source | | 
[aws_iam_policy_document.truefoundry_platform_feature_user_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.truefoundry_platform_feature_user_s3_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.truefoundry_platform_feature_user_ssm_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source | @@ -51,6 +54,7 @@ Truefoundry AWS platform features | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [control\_plane\_roles](#input\_control\_plane\_roles) | Control plane roles that can assume your platform role | `list(string)` |
[
"arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
]
| no | | [feature\_blob\_storage\_enabled](#input\_feature\_blob\_storage\_enabled) | Enable blob storage feature in the platform | `bool` | `true` | no | +| [feature\_cloud\_integration\_enabled](#input\_feature\_cloud\_integration\_enabled) | Enable cloud integration feature in the platform | `bool` | `true` | no | | [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no | | [feature\_secrets\_enabled](#input\_feature\_secrets\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no | | [platform\_feature\_enabled](#input\_platform\_feature\_enabled) | Enable platform features like docker registry, secrets manager and blob storage | `bool` | `true` | no | From eceb0e7627d110d598a7d4406acebd1d81d9881c Mon Sep 17 00:00:00 2001 From: Vedant Pareek Date: Mon, 13 May 2024 17:25:44 +0530 Subject: [PATCH 3/3] terraform fmt --- iam.tf | 60 +++++++++++++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/iam.tf b/iam.tf index d160962..61c481a 100644 --- a/iam.tf +++ b/iam.tf 
@@ -78,44 +78,44 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_cloud_integration_p count = var.platform_feature_enabled ? var.feature_cloud_integration_enabled ? 1 : 0 : 0 statement { effect = "Allow" - actions =[ - "eks:ListNodegroups", - "eks:DescribeFargateProfile", - "eks:ListTagsForResource", - "eks:DescribeInsight", - "eks:ListAddons", - "eks:DescribeAddon", - "eks:DescribePodIdentityAssociation", - "eks:ListInsights", - "eks:ListPodIdentityAssociations", - "eks:ListFargateProfiles", - "eks:DescribeNodegroup", - "eks:ListUpdates", - "eks:DescribeUpdate", - "eks:AccessKubernetesApi", - "eks:DescribeCluster", - ] + actions = [ + "eks:ListNodegroups", + "eks:DescribeFargateProfile", + "eks:ListTagsForResource", + "eks:DescribeInsight", + "eks:ListAddons", + "eks:DescribeAddon", + "eks:DescribePodIdentityAssociation", + "eks:ListInsights", + "eks:ListPodIdentityAssociations", + "eks:ListFargateProfiles", + "eks:DescribeNodegroup", + "eks:ListUpdates", + "eks:DescribeUpdate", + "eks:AccessKubernetesApi", + "eks:DescribeCluster", + ] resources = [ - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:fargateprofile/${var.cluster_name}/*/*", - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:addon/${var.cluster_name}/*/*", - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:nodegroup/${var.cluster_name}/*/*", - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:podidentityassociation/${var.cluster_name}/*", - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:identityproviderconfig/${var.cluster_name}/*/*/*", - "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:cluster/${var.cluster_name}" - ] + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:fargateprofile/${var.cluster_name}/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:addon/${var.cluster_name}/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:nodegroup/${var.cluster_name}/*/*", + 
"arn:aws:eks:${var.aws_region}:${var.aws_account_id}:podidentityassociation/${var.cluster_name}/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:identityproviderconfig/${var.cluster_name}/*/*/*", + "arn:aws:eks:${var.aws_region}:${var.aws_account_id}:cluster/${var.cluster_name}" + ] } statement { effect = "Allow" actions = [ - "eks:DescribeAddonConfiguration", - "eks:ListClusters", - "eks:DescribeAddonVersions", - "ec2:DescribeRegions" - ] + "eks:DescribeAddonConfiguration", + "eks:ListClusters", + "eks:DescribeAddonVersions", + "ec2:DescribeRegions" + ] resources = [ - "*" + "*" ] } }