Fix the kubernetes admin role, pull some of the iam stuff out into a separate tf file

bmonkman · bmonkman · commit c615a2d9380c · 2020-04-27T15:17:42.000-07:00
diff --git a/terraform/modules/eks/main.tf b/terraform/modules/eks/main.tf
@@ -14,38 +14,6 @@ provider "kubernetes" {
   version                = "~> 1.11"
 }
 
-# Create KubernetesAdmin role for aws-iam-authenticator
-resource "aws_iam_role" "kubernetes_admin_role" {
-  name               = "<% .Name %>-kubernetes-admin-${var.environment}"
-  assume_role_policy = var.assume_role_policy
-  description        = "Kubernetes administrator role (for AWS IAM Authenticator)"
-}
-
-# Allow kube admin to list and describe EKS clusters (through assumed role)
-data "aws_iam_policy_document" "eks_list_and_describe" {
-  statement {
-    actions = [
-      "eks:ListUpdates",
-      "eks:ListClusters",
-      "eks:DescribeUpdate",
-      "eks:DescribeCluster",
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "eks_list_and_describe_policy" {
-  name   = "eks_list_and_describe"
-  policy = data.aws_iam_policy_document.eks_list_and_describe.json
-}
-
-resource "aws_iam_role_policy_attachment" "kube_admin_eks_access" {
-  role       = aws_iam_role.kubernetes_admin_role.id
-  policy_arn = aws_iam_policy.eks_list_and_describe_policy.arn
-}
-
-
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "10.0.0"
diff --git a/terraform/modules/eks/variables.tf b/terraform/modules/eks/variables.tf
@@ -14,10 +14,6 @@ variable "cluster_version" {
   description = "EKS cluster version number to use. Incrementing this will start a cluster upgrade"
 }
 
-variable "assume_role_policy" {
-  description = "IAM policy document for AssumeRole. Controls access to the kubernetes admin serviceaccount"
-}
-
 variable "private_subnets" {
   description = "VPC subnets for the EKS cluster"
   # type        = list(string)
diff --git a/terraform/modules/environment/iam.tf b/terraform/modules/environment/iam.tf
@@ -0,0 +1,65 @@
+
+# Data sources for EKS IAM
+data "aws_caller_identity" "current" {}
+
+# @TODO - sort out creating only a single user but multiple roles per env
+
+# Create KubernetesAdmin role for aws-iam-authenticator
+resource "aws_iam_role" "kubernetes_admin_role" {
+  name               = "${var.project}-kubernetes-admin-${var.environment}"
+  assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
+  description        = "Kubernetes administrator role (for AWS EKS auth)"
+}
+
+# Trust relationship to limit access to the k8s admin serviceaccount
+data "aws_iam_policy_document" "assumerole_root_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  # Allow the CI user to assume this role
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_iam_user.ci_user.arn]
+    }
+  }
+}
+
+resource "aws_iam_user_policy_attachment" "circleci_ecr_access" {
+  user       = data.aws_iam_user.ci_user.user_name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+}
+
+
+# Allow the CI user to list and describe clusters
+data "aws_iam_policy_document" "eks_list_and_describe" {
+  statement {
+    actions = [
+      "eks:ListUpdates",
+      "eks:ListClusters",
+      "eks:DescribeUpdate",
+      "eks:DescribeCluster",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "eks_list_and_describe_policy" {
+  name   = "eks_list_and_describe"
+  policy = data.aws_iam_policy_document.eks_list_and_describe.json
+}
+
+resource "aws_iam_user_policy_attachment" "ci_user_list_and_describe_access" {
+  user       = data.aws_iam_user.ci_user.user_name
+  policy_arn = aws_iam_policy.eks_list_and_describe_policy.arn
+}
+
