Add fixtures for demo purposes

examples/demo-cluster/terraform/.gitignore

@@ -0,0 +1,3 @@
+.terraform
+.terraform.tfstate
+terraform.tfstate*

examples/demo-cluster/terraform/main.tf

@@ -0,0 +1,15 @@
+locals {
+  objects = yamldecode(file("./objects.yaml"))
+}
+
+data "aws_eks_cluster" "cluster" {
+  name = var.eks-cluster-name
+}
+data "aws_eks_cluster_auth" "cluster" {
+  name = var.eks-cluster-name
+}
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}

examples/demo-cluster/terraform/objects.yaml

@@ -0,0 +1,31 @@
+serviceAccounts:
+  - name: rate-limiter-sa
+    role: rate-limiter-role
+  - name: apigw-sa
+    role: apigw-role
+  - name: kafka-proxy-sa
+    role: kafka-proxy-role
+  - name: inventory-service-sa
+    role: inventory-service-role
+
+pods:
+  - name: rate-limiter
+    serviceAccount: rate-limiter-sa
+  - name: apigw
+    serviceAccount: apigw-sa
+  - name: kafka-proxy
+    serviceAccount: kafka-proxy-sa
+  - name: inventory-service
+    serviceAccount: inventory-service-sa
+
+roles:
+  - name: rate-limiter-role
+    allowedServiceAccounts: [rate-limiter-sa]
+  - name: apigw-role
+    allowedServiceAccounts: [apigw-sa]
+  - name: kafka-proxy-role
+    allowedServiceAccounts: [kafka-proxy-sa]
+  - name: inventory-service-role
+    allowedServiceAccounts: [inventory-service-sa]
+  - name: s3-reader
+    allowedServiceAccounts: [apigw-sa, inventory-service-sa]

examples/demo-cluster/terraform/pods.tf

@@ -0,0 +1,17 @@
+resource "kubernetes_pod" "pod" {
+  for_each = {
+    for pod in local.objects.pods : pod.name => pod
+  }
+
+  metadata {
+    name = each.key
+  }
+  spec {
+    service_account_name = each.value.serviceAccount
+    container {
+      name = "main"
+      image = "amazon/aws-cli:latest"
+      command = ["sleep", "infinity"]
+    }
+  }
+}

examples/demo-cluster/terraform/roles.tf

@@ -0,0 +1,19 @@
+data "aws_caller_identity" "current" {}
+
+module "iam_eks_role" {
+  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  for_each = {for role in local.objects.roles: role.name => role}
+
+  role_name = each.value.name
+
+  role_policy_arns = {
+    policy = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
+  }
+
+  oidc_providers = {
+    one = {
+      provider_arn               = format("arn:aws:iam::%s:oidc-provider/%s", data.aws_caller_identity.current.account_id, replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", ""))
+      namespace_service_accounts = [for serviceAccount in each.value.allowedServiceAccounts: "default:${serviceAccount}"]
+    }
+  }
+}

examples/demo-cluster/terraform/serviceaccounts.tf

@@ -0,0 +1,12 @@
+
+
+resource "kubernetes_service_account" "service_account" {
+  for_each = { for serviceAccount in local.objects.serviceAccounts: serviceAccount.name => serviceAccount }
+
+  metadata {
+    name = each.value.name
+    annotations = {
+      "eks.amazonaws.com/role-arn" = module.iam_eks_role[each.value.role].iam_role_arn
+    }
+  }
+}

examples/demo-cluster/terraform/variables.tf

@@ -0,0 +1,3 @@
+variable "eks-cluster-name" {
+  description = "Name of the EKS cluster to provision the resources into"
+}

examples/demo-cluster/terraform/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 4.62.0"
+    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+      version = "~> 2.19.0"
+    }
+  }
+}
+