Last active
January 5, 2020 17:49
-
-
Save rkhozinov/0df0d8fdaf54f2ff02b9809eb7a6be8d to your computer and use it in GitHub Desktop.
AWS EKS IAM Terraform v0.11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "eks_cluster_name" {} | |
| provider "aws" {} | |
| data "aws_eks_cluster" "this" { | |
| name = "${var.eks_cluster_name}" | |
| } | |
| # https://www.terraform.io/docs/providers/aws/r/iam_openid_connect_provider.html | |
| resource "aws_iam_openid_connect_provider" "this" { | |
| client_id_list = ["sts.amazonaws.com"] | |
| # The Root CA Thumbprint for an OpenID Connect Identity Provider is currently | |
| # Being passed as a default value which is the same for all regions and | |
| # Is valid until (Jun 28 17:39:16 2034 GMT). | |
| # https://crt.sh/?q=9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 | |
| # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html | |
| # https://github.com/terraform-providers/terraform-provider-aws/issues/10104 | |
| thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"] | |
| url = "${data.aws_eks_cluster.this.identity.0.oidc.0.issuer}" | |
| } | |
| data "aws_iam_policy_document" "oidc_assume_policy" { | |
| statement { | |
| actions = ["sts:AssumeRoleWithWebIdentity"] | |
| effect = "Allow" | |
| condition { | |
| test = "StringLike" | |
| variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub" | |
| values = ["system:serviceaccount:default:*"] | |
| } | |
| principals { | |
| identifiers = ["${aws_iam_openid_connect_provider.this.arn}"] | |
| type = "Federated" | |
| } | |
| } | |
| } | |
| resource "aws_iam_role" "s3_reader" { | |
| name = "s3-reader" | |
| assume_role_policy = "${data.aws_iam_policy_document.oidc_assume_policy.json}" | |
| } | |
| data "aws_iam_policy_document" "s3_readonly" { | |
| statement { | |
| actions = ["s3:Get*", "s3:List*"] | |
| resources = ["*"] | |
| } | |
| } | |
| resource "aws_iam_role_policy" "s3_readonly" { | |
| policy = "${data.aws_iam_policy_document.s3_readonly.json}" | |
| role = "${aws_iam_role.s3_reader.id}" | |
| } | |
| data "aws_eks_cluster_auth" "this" { | |
| name = "${data.aws_eks_cluster.this.name}" | |
| } | |
| provider "kubernetes" { | |
| host = "${data.aws_eks_cluster.this.endpoint}" | |
| cluster_ca_certificate = "${base64decode(data.aws_eks_cluster.this.certificate_authority.0.data)}" | |
| token = "${data.aws_eks_cluster_auth.this.token}" | |
| load_config_file = false | |
| } | |
| resource "kubernetes_service_account" "alpine" { | |
| metadata { | |
| name = "alpine" | |
| namespace = "default" | |
| annotations { | |
| "eks.amazonaws.com/role-arn" = "${aws_iam_role.s3_reader.arn}" | |
| } | |
| } | |
| } | |
| resource "kubernetes_pod" "alpine" { | |
| metadata { | |
| name = "alpine" | |
| namespace = "default" | |
| } | |
| spec { | |
| # error: jsonpatch add operation does not apply: doc is missing path: "/spec/volumes/0" | |
| # soluton: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/678 | |
| automount_service_account_token = true | |
| service_account_name = "${kubernetes_service_account.alpine.metadata.0.name}" | |
| container { | |
| name = "alpine" | |
| image = "rkhozinov/alpine-awscli:latest" | |
| command = ["/bin/sh", "-c", "sleep 60m"] | |
| image_pull_policy = "IfNotPresent" | |
| } | |
| restart_policy = "Always" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment