Created
January 5, 2020 17:50
-
-
Save rkhozinov/9a363be9a4352f2bd68f343c7c550632 to your computer and use it in GitHub Desktop.
AWS EKS IAM Terraform v0.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "eks_cluster_name" {} | |
| provider "aws" {} | |
| data "aws_eks_cluster" "this" { | |
| name = var.eks_cluster_name | |
| } | |
| # https://www.terraform.io/docs/providers/aws/r/iam_openid_connect_provider.html | |
| resource "aws_iam_openid_connect_provider" "this" { | |
| client_id_list = ["sts.amazonaws.com"] | |
| # The Root CA Thumbprint for an OpenID Connect Identity Provider is currently | |
| # Being passed as a default value which is the same for all regions and | |
| # Is valid until (Jun 28 17:39:16 2034 GMT). | |
| # https://crt.sh/?q=9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 | |
| # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html | |
| # https://github.com/terraform-providers/terraform-provider-aws/issues/10104 | |
| thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"] | |
| url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer | |
| } | |
| data "aws_iam_policy_document" "oidc_assume_policy" { | |
| statement { | |
| actions = ["sts:AssumeRoleWithWebIdentity"] | |
| effect = "Allow" | |
| condition { | |
| test = "StringLike" | |
| variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub" | |
| values = ["system:serviceaccount:default:*"] | |
| } | |
| principals { | |
| identifiers = [aws_iam_openid_connect_provider.this.arn] | |
| type = "Federated" | |
| } | |
| } | |
| } | |
| resource "aws_iam_role" "s3_reader" { | |
| name = "s3-reader" | |
| assume_role_policy = data.aws_iam_policy_document.oidc_assume_policy.json | |
| } | |
| data "aws_iam_policy_document" "s3_readonly" { | |
| statement { | |
| actions = ["s3:Get*", "s3:List*"] | |
| resources = ["*"] | |
| } | |
| } | |
| resource "aws_iam_role_policy" "s3_readonly" { | |
| policy = data.aws_iam_policy_document.s3_readonly.json | |
| role = aws_iam_role.s3_reader.id | |
| } | |
| data "aws_eks_cluster_auth" "this" { | |
| name = data.aws_eks_cluster.this.name | |
| } | |
| provider "kubernetes" { | |
| host = data.aws_eks_cluster.this.endpoint | |
| cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data) | |
| token = data.aws_eks_cluster_auth.this.token | |
| load_config_file = false | |
| } | |
| resource "kubernetes_service_account" "alpine" { | |
| metadata { | |
| name = "alpine" | |
| namespace = "default" | |
| annotations = { | |
| "eks.amazonaws.com/role-arn" = aws_iam_role.s3_reader.arn | |
| } | |
| } | |
| } | |
| resource "kubernetes_pod" "alpine" { | |
| metadata { | |
| name = "alpine" | |
| namespace = "default" | |
| } | |
| spec { | |
| # error: jsonpatch add operation does not apply: doc is missing path: "/spec/volumes/0" | |
| # soluton: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/678 | |
| automount_service_account_token = true | |
| service_account_name = kubernetes_service_account.alpine.metadata[0].name | |
| container { | |
| name = "alpine" | |
| image = "rkhozinov/alpine-awscli:latest" | |
| command = ["/bin/sh", "-c", "sleep 60m"] | |
| image_pull_policy = "IfNotPresent" | |
| } | |
| restart_policy = "Always" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment