Tweaked the way that role based access works for Heptio auth

5692bf8d · Chris Merrett · 6c57b145 · 5692bf8d · 5692bf8d · 5692bf8d
Commit 5692bf8d authored Jun 22, 2018 by Chris Merrett
Showing with 19 additions and 2 deletions

cluster.tf cluster.tf +4 -0

data.tf data.tf +5 -2

config-map-aws-auth.yaml.tpl templates/config-map-aws-auth.yaml.tpl +4 -0

kubeconfig.tpl templates/kubeconfig.tpl +2 -0

variables.tf variables.tf +4 -0

No files found.
--- a/cluster.tf
+++ b/cluster.tf
@@ -61,3 +61,7 @@ resource "aws_iam_role" "admin" {
  assume_role_policy = "${data.aws_iam_policy_document.admin.json}"
 }
+resource "aws_iam_group" "admin" {
+  name = "${var.cluster_name}-eks-kubernetes-admin"
+}
--- a/data.tf
+++ b/data.tf
@@ -55,6 +55,7 @@ data "aws_iam_policy_document" "admin" {
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:group/${var.cluster_name}-eks-kubernetes-admin",
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Steamhaus",
      ]
    }
@@ -69,6 +70,7 @@ data "template_file" "kubeconfig" {
    endpoint            = "${aws_eks_cluster.cluster.endpoint}"
    region              = "${data.aws_region.current.name}"
    cluster_auth_base64 = "${aws_eks_cluster.cluster.certificate_authority.0.data}"
+    admin_role_arn      = "${aws_iam_role.admin.arn}"
  }
 }
@@ -76,8 +78,9 @@ data "template_file" "config_map_aws_auth" {
  template = "${file("${path.module}/templates/config-map-aws-auth.yaml.tpl")}"
  vars {
-    role_arn       = "${aws_iam_role.workers.arn}"
+    role_arn           = "${aws_iam_role.workers.arn}"
-    admin_role_arn = "${aws_iam_role.admin.arn}"
+    admin_role_arn     = "${aws_iam_role.admin.arn}"
+    steamhaus_role_arn = "${var.steamhaus_role_arn}"
  }
 }

--- a/templates/config-map-aws-auth.yaml.tpl
+++ b/templates/config-map-aws-auth.yaml.tpl
@@ -14,3 +14,7 @@ data:
      username: kubernetes-admin
      groups:
        - system:masters
+    - rolearn: ${steamhaus_role_arn}
+      username: steamhaus-admin
+      groups:
+        - system:masters
--- a/templates/kubeconfig.tpl
+++ b/templates/kubeconfig.tpl
@@ -25,3 +25,5 @@ users:
        - "token"
        - "-i"
        - "${cluster_name}"
+        #- "-r"
+        #- "${admin_role_arn}"
--- a/variables.tf
+++ b/variables.tf
@@ -55,3 +55,7 @@ variable "alt_dns_cluster_ip" {
  description = "Alternate DNS cluster IP address on different (non 10.x.x.x) range - this is a fallback"
  default     = "172.20.0.10"
 }
+variable "steamhaus_role_arn" {
+  description = "Role ARN within the account for Steamhaus federated access"
+}