scottt732 · February 11, 2025 17:23
diff --git a/partial.tf b/partial.tf
 #
 # ArgoCD Config - Clusters
 #
 resource "kubernetes_manifest" "clusters" {
  for_each = {
    for k, v in var.argo_managed_clusters : k => v if var.env_code == "mgmt"
  }

  manifest = {
    "apiVersion" = "v1"
    "kind"       = "Secret"
    "metadata" = {
      "name"      = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}-secret"
      "namespace" = "argo-cd"
      "labels" = {
        "argocd.argoproj.io/secret-type"          = "cluster"
        "environment"                             = each.value.env_code
        "${var.root_zone_fqdn}/account"           = "${each.value.account_id}"
        "${var.root_zone_fqdn}/region"            = "${each.value.account_id}"
        "${var.root_zone_fqdn}/cluster-name"      = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}"
        "${var.root_zone_fqdn}/cluster-full-name" = each.value.cluster_key
        "${var.root_zone_fqdn}/cluster-color"     = each.value.cluster_code
        "${var.root_zone_fqdn}/k8s-version"       = each.value.k8s_version
      }
    }
    "data" = {
      "name"   = base64encode("${var.company_name}-${each.value.env_code}-${each.value.cluster_code}")
      "server" = base64encode(each.value.env_code == "mgmt" ? "https://kubernetes.default.svc" : each.value.cluster_endpoint)
      "config" = base64encode(jsonencode({
        awsAuthConfig = {
          clusterName = "${each.value.cluster_key}"
          roleARN     = "arn:aws:iam::${each.value.account_id}:role/ArgoCDDeployerRole"
        }
        tlsClientConfig = {
          caData = each.value.cluster_ca_data
        }
      }))
    }

    "type" = "Opaque"
  }

  field_manager {
    force_conflicts = true
  }
 }

 #
 # Pod Identity
 #
 resource "aws_iam_role" "argocd_pod_identity_role" {
  name        = "ArgoCDPodIdentityRole"
  description = "Role to give ArgoCD access"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "pods.eks.amazonaws.com"
        },
        "Action": [
          "sts:AssumeRole",
          "sts:TagSession"
        ],
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "${local.mgmt_account_id}"
          },
          "ArnLike": {
            "aws:SourceArn": "arn:aws:eks:${var.region_code}:${var.account_id}:cluster/${local.cluster_name}"
          }
        }
      }
    ]
  })
  inline_policy {
    name   = "AssumeRole"
    policy = jsonencode({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [for cluster in var.argo_managed_clusters : 
            "arn:aws:iam::${cluster.account_id}:role/ArgoCDDeployerRole"
          ]
        }
      ]
    })
  }
 }

 resource "aws_iam_role" "argocd_deployer_role" {
  name        = "ArgoCDDeployerRole"
  description = "Role for ArgoCD deployment"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${local.mgmt_account_id}:role/ArgoCDPodIdentityRole"
        },
        "Action": [
          "sts:AssumeRole",
          "sts:TagSession"
        ]
      }
    ]
  })
  
  # Add inline policy for EKS cluster access
  inline_policy {
    name = "EKSAccess"
    policy = jsonencode({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:AccessKubernetesApi",
            "eks:ListNodegroups",
            "eks:DescribeNodegroup",
            "eks:ListUpdates",
            "eks:ListFargateProfiles"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameter",
            "ssm:GetParameters"
          ],
          "Resource": "*"
        }
      ]
    })
  }
 }

 resource "aws_eks_access_entry" "argo_cd_pod_identity" {
  cluster_name      = local.cluster_name
  principal_arn     = aws_iam_role.argocd_pod_identity_role.arn
  kubernetes_groups = []
  type              = "STANDARD"
 }

 # Not sure if all of these are necessary
 resource "aws_eks_pod_identity_association" "argo_cd_application_controller" {
  count           = var.env_code == "mgmt" ? 1 : 0
  cluster_name    = local.cluster_name
  namespace       = "argo-cd"
  service_account = "argocd-application-controller"
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
 }

 resource "aws_eks_pod_identity_association" "argo_cd_applicationset_controller" {
  count           = var.env_code == "mgmt" ? 1 : 0
  cluster_name    = local.cluster_name
  namespace       = "argo-cd"
  service_account = "argocd-applicationset-controller"
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
 }

 resource "aws_eks_pod_identity_association" "argo_cd_server" {
  count           = var.env_code == "mgmt" ? 1 : 0
  cluster_name    = local.cluster_name
  namespace       = "argo-cd"
  service_account = "argocd-server"
  role_arn        = aws_iam_role.argocd_pod_identity_role.arn
 }
	#
	# ArgoCD Config - Clusters
	#
	resource "kubernetes_manifest" "clusters" {
	for_each = {
	for k, v in var.argo_managed_clusters : k => v if var.env_code == "mgmt"
	}

	manifest = {
	"apiVersion" = "v1"
	"kind" = "Secret"
	"metadata" = {
	"name" = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}-secret"
	"namespace" = "argo-cd"
	"labels" = {
	"argocd.argoproj.io/secret-type" = "cluster"
	"environment" = each.value.env_code
	"${var.root_zone_fqdn}/account" = "${each.value.account_id}"
	"${var.root_zone_fqdn}/region" = "${each.value.account_id}"
	"${var.root_zone_fqdn}/cluster-name" = "${var.company_name}-${each.value.env_code}-${each.value.cluster_code}"
	"${var.root_zone_fqdn}/cluster-full-name" = each.value.cluster_key
	"${var.root_zone_fqdn}/cluster-color" = each.value.cluster_code
	"${var.root_zone_fqdn}/k8s-version" = each.value.k8s_version
	}
	}
	"data" = {
	"name" = base64encode("${var.company_name}-${each.value.env_code}-${each.value.cluster_code}")
	"server" = base64encode(each.value.env_code == "mgmt" ? "https://kubernetes.default.svc" : each.value.cluster_endpoint)
	"config" = base64encode(jsonencode({
	awsAuthConfig = {
	clusterName = "${each.value.cluster_key}"
	roleARN = "arn:aws:iam::${each.value.account_id}:role/ArgoCDDeployerRole"
	}
	tlsClientConfig = {
	caData = each.value.cluster_ca_data
	}
	}))
	}

	"type" = "Opaque"
	}

	field_manager {
	force_conflicts = true
	}
	}

	#
	# Pod Identity
	#
	resource "aws_iam_role" "argocd_pod_identity_role" {
	name = "ArgoCDPodIdentityRole"
	description = "Role to give ArgoCD access"
	assume_role_policy = jsonencode({
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"Service": "pods.eks.amazonaws.com"
	},
	"Action": [
	"sts:AssumeRole",
	"sts:TagSession"
	],
	"Condition": {
	"StringEquals": {
	"aws:SourceAccount": "${local.mgmt_account_id}"
	},
	"ArnLike": {
	"aws:SourceArn": "arn:aws:eks:${var.region_code}:${var.account_id}:cluster/${local.cluster_name}"
	}
	}
	}
	]
	})
	inline_policy {
	name = "AssumeRole"
	policy = jsonencode({
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"sts:AssumeRole",
	"sts:TagSession"
	],
	"Resource": [for cluster in var.argo_managed_clusters :
	"arn:aws:iam::${cluster.account_id}:role/ArgoCDDeployerRole"
	]
	}
	]
	})
	}
	}

	resource "aws_iam_role" "argocd_deployer_role" {
	name = "ArgoCDDeployerRole"
	description = "Role for ArgoCD deployment"
	assume_role_policy = jsonencode({
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::${local.mgmt_account_id}:role/ArgoCDPodIdentityRole"
	},
	"Action": [
	"sts:AssumeRole",
	"sts:TagSession"
	]
	}
	]
	})

	# Add inline policy for EKS cluster access
	inline_policy {
	name = "EKSAccess"
	policy = jsonencode({
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"eks:DescribeCluster",
	"eks:ListClusters",
	"eks:AccessKubernetesApi",
	"eks:ListNodegroups",
	"eks:DescribeNodegroup",
	"eks:ListUpdates",
	"eks:ListFargateProfiles"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"iam:GetRole",
	"iam:ListAttachedRolePolicies"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"ssm:GetParameter",
	"ssm:GetParameters"
	],
	"Resource": "*"
	}
	]
	})
	}
	}

	resource "aws_eks_access_entry" "argo_cd_pod_identity" {
	cluster_name = local.cluster_name
	principal_arn = aws_iam_role.argocd_pod_identity_role.arn
	kubernetes_groups = []
	type = "STANDARD"
	}

	# Not sure if all of these are necessary
	resource "aws_eks_pod_identity_association" "argo_cd_application_controller" {
	count = var.env_code == "mgmt" ? 1 : 0
	cluster_name = local.cluster_name
	namespace = "argo-cd"
	service_account = "argocd-application-controller"
	role_arn = aws_iam_role.argocd_pod_identity_role.arn
	}

	resource "aws_eks_pod_identity_association" "argo_cd_applicationset_controller" {
	count = var.env_code == "mgmt" ? 1 : 0
	cluster_name = local.cluster_name
	namespace = "argo-cd"
	service_account = "argocd-applicationset-controller"
	role_arn = aws_iam_role.argocd_pod_identity_role.arn
	}

	resource "aws_eks_pod_identity_association" "argo_cd_server" {
	count = var.env_code == "mgmt" ? 1 : 0
	cluster_name = local.cluster_name
	namespace = "argo-cd"
	service_account = "argocd-server"
	role_arn = aws_iam_role.argocd_pod_identity_role.arn
	}