diff --git a/examples/demo-cluster/README.md b/examples/demo-cluster/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/examples/demo-cluster/terraform/.gitignore b/examples/demo-cluster/terraform/.gitignore
new file mode 100644
index 0000000..2fe8862
--- /dev/null
+++ b/examples/demo-cluster/terraform/.gitignore
@@ -0,0 +1,3 @@
+.terraform
+.terraform.tfstate
+terraform.tfstate*
diff --git a/examples/demo-cluster/terraform/.terraform.lock.hcl b/examples/demo-cluster/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..1ac5fa4
--- /dev/null
+++ b/examples/demo-cluster/terraform/.terraform.lock.hcl
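Review bot: The second entry, `.terraform.tfstate`, matches no file Terraform writes, so it ignores nothing; the lock file that does get created is `.terraform.tfstate.lock.info`, and `*.tfvars` files that carry environment-specific values are not excluded either. Keeping state artefacts out of git matters more than usual here because main.tf in this change reads a cluster token through `data.aws_eks_cluster_auth`, and data-source results are recorded in state (the `terraform.tfstate*` glob already covers the `.backup`). I would replace the entry with `.terraform.tfstate.lock.info` and add `*.tfvars` and `crash.log`.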
@@ -0,0 +1,45 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.62.0" + constraints = "~> 4.62.0" + hashes = [ + "h1:6x4fZWzzoUpQyIa6wl160ONU9o9IRmK6Hivt9zNFDug=", + "zh:12059dc2b639797b9facb6397ac6aec563891634be8e5aadf3a457590c1147d4", + "zh:1b3515d70b6998359d0a6d3b3c287940ab2e5c59cd02f95c7d9dab7df76e86b6", + "zh:423a1d3afdb6b625f2e3b06770ef4324740d400ff1a0d6d566c87d3f841d74fc", + "zh:58612b5a27d929dd1dff04d18d840b9cc59d45fed06247f0c2f87c1e5d3257d9", + "zh:5b243cd2250dd097293e06c1cc85e805565194e53f594ccd070252c7af644f54", + "zh:61ad9739e7d6fca8fddef269cb2ba7285f0632f5f27660755662550e1f69e4bb", + "zh:6700d86f5bfcae8491c87a7769b211a079dbf6dfb325bde76bf407aca3e76ff4", + "zh:67c7925f3b7ac1988c2aee8965b1f6f04738984cf8ae302b88215549793d14c1", + "zh:686770264b907b3e4c75fd751f8ea717a7e393d2fbde0950c4703fa809e573f0", + "zh:740236fda351a8f4976ddbd37e543c8d746a409e3a6aa290a8c5ff774b264455", + "zh:88ace13281a344044624ed088125c30f1a803188bf95874d09ca7e95725d5727", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a4810a034f5def017607b0b079c7867c983da653928bd9f67edbc18575c0b629", + "zh:e1c10e1641b5f17fec61910d6c3514e241f650ced84523f09cb16271a9a1e651", + "zh:f63593ee2e01a2e1096ae9959fa43f0521114b3335f6440170f0d35d1969e8a2", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.19.0" + constraints = "~> 2.19.0" + hashes = [ + "h1:WXTbK59MHZVtikifTCvqpH/3TKMnj3MyQke4ymmUjlg=", + "zh:028d346460de2d1d19b4c863dfc36be51c7bcd97d372b54a3a946bcb19f3f613", + "zh:391d0b38c455437d0a2ab1beb6ce6e1230aa4160bbae11c58b2810b258b44280", + "zh:40ea742f91b67f66e71d7091cfd40cc604528c4947651924bd6d8bd8d9793708", + "zh:48a99d341c8ba3cadaafa7cb99c0f11999f5e23f5cfb0f8469b4e352d9116e74", + "zh:4a5ade940eff267cbf7dcd52c1a7ac3999e7cc24996a409bd8b37bdb48a97f02", + 
"zh:5063742016a8249a4be057b9cc0ef24a684ec76d0ae5463d4b07e9b2d21e047e", + "zh:5d36b3a5662f840a6788f5e2a19d02139e87318feb3c5d82c7d076be1366fec4", + "zh:75edd9960cb30e54ef7de1b7df2761a274f17d4d41f54e72f86b43f41af3eb6d", + "zh:b85cadef3e6f25f1a10a617472bf5e8449decd61626733a1bc723de5edc08f64", + "zh:dc565b17b4ea6dde6bd1b92bc37e5e850fcbf9400540eec00ad3d9552a76ac2e", + "zh:deb665cc2123f2701aa3d653987b2ca35fb035a08a76a2382efb215c209f19a5", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/examples/demo-cluster/terraform/main.tf b/examples/demo-cluster/terraform/main.tf new file mode 100644 index 0000000..d483f40 --- /dev/null +++ b/examples/demo-cluster/terraform/main.tf @@ -0,0 +1,15 @@ +locals { + objects = yamldecode(file("./objects.yaml")) +} + +data "aws_eks_cluster" "cluster" { + name = var.eks-cluster-name +} +data "aws_eks_cluster_auth" "cluster" { + name = var.eks-cluster-name +} +provider "kubernetes" { + host = data.aws_eks_cluster.cluster.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token +} diff --git a/examples/demo-cluster/terraform/objects.yaml b/examples/demo-cluster/terraform/objects.yaml new file mode 100644 index 0000000..a99c4cc --- /dev/null +++ b/examples/demo-cluster/terraform/objects.yaml 
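Review bot: The `token` taken from `data.aws_eks_cluster_auth.cluster` on the last line of the `kubernetes` provider block is a bearer credential for the cluster API, and as a data-source result it is written in plaintext to the state file, which with no backend in this directory is the local `terraform.tfstate`; the token is also short-lived (roughly fifteen minutes), so a slow apply can fail part-way. Provider 2.19 supports an `exec` block that fetches the token from `aws eks get-token` at plan/apply time and keeps it out of state, at the cost of needing the `aws` CLI on PATH with the same credentials the aws provider uses; the `aws_eks_cluster_auth` data source then becomes unused and can be dropped. While here, `certificate_authority.0.data` is the legacy attribute syntax (`[0]` is the current form), and `file("./objects.yaml")` resolves against the working directory, so `file("${path.module}/objects.yaml")` is safer when the module is applied from elsewhere.
```hcl
# … unchanged: locals and data "aws_eks_cluster" "cluster" …
provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)

  # Obtain a short-lived token at plan/apply time instead of persisting one in state.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", var.eks-cluster-name]
  }
}
```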
@@ -0,0 +1,31 @@
+serviceAccounts:
+ - name: rate-limiter-sa
+ role: rate-limiter-role
+ - name: apigw-sa
+ role: apigw-role
+ - name: kafka-proxy-sa
+ role: kafka-proxy-role
+ - name: inventory-service-sa
+ role: inventory-service-role
+
+pods:
+ - name: rate-limiter
+ serviceAccount: rate-limiter-sa
+ - name: apigw
+ serviceAccount: apigw-sa
+ - name: kafka-proxy
+ serviceAccount: kafka-proxy-sa
+ - name: inventory-service
+ serviceAccount: inventory-service-sa
+
+roles:
+ - name: rate-limiter-role
+ allowedServiceAccounts: [rate-limiter-sa]
+ - name: apigw-role
+ allowedServiceAccounts: [apigw-sa]
+ - name: kafka-proxy-role
+ allowedServiceAccounts: [kafka-proxy-sa]
+ - name: inventory-service-role
+ allowedServiceAccounts: [inventory-service-sa]
+ - name: s3-reader
+ allowedServiceAccounts: [apigw-sa, inventory-service-sa]
\ No newline at end of file
diff --git a/examples/demo-cluster/terraform/pods.tf b/examples/demo-cluster/terraform/pods.tf
new file mode 100644
index 0000000..51eb956
--- /dev/null
+++ b/examples/demo-cluster/terraform/pods.tf
@@ -0,0 +1,17 @@
+resource "kubernetes_pod" "pod" {
+ for_each = {
+ for pod in local.objects.pods : pod.name => pod
+ }
+
+ metadata {
+ name = each.key
+ }
+ spec {
+ service_account_name = each.value.serviceAccount
+ container {
+ name = "main"
+ image = "amazon/aws-cli:latest"
+ command = ["sleep", "infinity"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/demo-cluster/terraform/roles.tf b/examples/demo-cluster/terraform/roles.tf
new file mode 100644
index 0000000..d41f017
--- /dev/null
+++ b/examples/demo-cluster/terraform/roles.tf
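Review bot: The file says nothing about its own schema, and two things a reader needs are not visible in it: every name is resolved in the `default` namespace (roles.tf hard-codes the `default:` prefix into each trust policy), and `allowedServiceAccounts` is what actually grants a role to a workload — `s3-reader` trusts `apigw-sa` and `inventory-service-sa` although neither `serviceAccounts` entry references it, so both can assume it without any annotation. I would add a header comment naming the three sections, stating that names are namespace-less and land in `default`, and that a service account listed under a role's `allowedServiceAccounts` can assume that role regardless of which `role` it is annotated with. If the extra trust on `s3-reader` is deliberate for the demo, the comment should say so.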
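Review bot: `service_account_name = each.value.serviceAccount` passes the name as a plain string, so Terraform records no dependency on `kubernetes_service_account.service_account` and may create the pod first; the ServiceAccount admission plugin rejects a pod whose service account does not exist yet, and even if it raced through, the IRSA webhook injects the role credentials only at admission, so a pod created before the annotation exists would run without them. Referencing the resource, `service_account_name = kubernetes_service_account.service_account[each.value.serviceAccount].metadata[0].name`, fixes the ordering. Separately, `image = "amazon/aws-cli:latest"` is a floating tag — pin a version or digest so the demo does not silently pick up a different image — and setting `namespace = "default"` in `metadata` makes the pod visibly match the `default:` prefix the trust policies in roles.tf rely on.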
@@ -0,0 +1,19 @@
+data "aws_caller_identity" "current" {}
+
+module "iam_eks_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ for_each = {for role in local.objects.roles: role.name => role}
+
+ role_name = each.value.name
+
+ role_policy_arns = {
+ policy = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
+ }
+
+ oidc_providers = {
+ one = {
+ provider_arn = format("arn:aws:iam::%s:oidc-provider/%s", data.aws_caller_identity.current.account_id, replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", ""))
+ namespace_service_accounts = [for serviceAccount in each.value.allowedServiceAccounts: "default:${serviceAccount}"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/demo-cluster/terraform/serviceaccounts.tf b/examples/demo-cluster/terraform/serviceaccounts.tf
new file mode 100644
index 0000000..869c91a
--- /dev/null
+++ b/examples/demo-cluster/terraform/serviceaccounts.tf
@@ -0,0 +1,12 @@
+
+
+resource "kubernetes_service_account" "service_account" {
+ for_each = { for serviceAccount in local.objects.serviceAccounts: serviceAccount.name => serviceAccount }
+
+ metadata {
+ name = each.value.name
+ annotations = {
+ "eks.amazonaws.com/role-arn" = module.iam_eks_role[each.value.role].iam_role_arn
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/demo-cluster/terraform/variables.tf b/examples/demo-cluster/terraform/variables.tf
new file mode 100644
index 0000000..ffd2b24
--- /dev/null
+++ b/examples/demo-cluster/terraform/variables.tf
@@ -0,0 +1,3 @@
+variable "eks-cluster-name" {
+ description = "Name of the EKS cluster to provision the resources into"
+}
\ No newline at end of file
diff --git a/examples/demo-cluster/terraform/versions.tf b/examples/demo-cluster/terraform/versions.tf
new file mode 100644
index 0000000..76971d1
--- /dev/null
+++ b/examples/demo-cluster/terraform/versions.tf
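Review bot: Every role receives the same `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` whatever objects.yaml calls it, so `s3-reader` cannot read an object while `rate-limiter-role` can enumerate resources across the entire account; only the trust policy differs between the roles. I would let objects.yaml carry the policies per role and map them on the `role_policy_arns` line, e.g. `role_policy_arns = { for i, arn in each.value.policyArns : "policy${i}" => arn }`, so each demo role holds only what its name promises. Two facts also deserve a comment: the OIDC provider whose ARN is assembled on the `provider_arn` line must already exist in IAM (nothing in this change creates it), and the `default:` prefix in `namespace_service_accounts` is what scopes the trust, so a service account moved to another namespace can no longer assume the role.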
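Review bot: The `eks.amazonaws.com/role-arn` annotation only selects which role the pod identity webhook injects; what authorises the assumption is the trust policy built in roles.tf, which trusts `default:<name>` for every service account listed under a role, so a service account can assume roles beyond the one annotated here. The resource sets no `metadata.namespace`, leaving the service account in the provider's default (`default`); setting `namespace = "default"` explicitly keeps it from drifting away from the trust policy. A comment on the annotation line, `# Selects the role IRSA injects; the role's trust policy (roles.tf) decides who may assume it.`, would help readers of the demo, and the two leading blank lines in the file can go.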
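Review bot: The variable declares no `type`, so a list or map is accepted at plan time and only fails inside the data sources that consume it; add `type = string`. Since the value feeds the cluster lookups in main.tf, a `validation` block with `condition = length(var.eks-cluster-name) > 0` and `error_message = "eks-cluster-name must not be empty."` is a cheap guard against an unset value producing a confusing provider error. Hyphenated variable names are legal but against Terraform convention (`eks_cluster_name`); worth aligning if the example is meant to be copied.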
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.62.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.19.0"
+ }
+ }
+}
+
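Review bot: Both providers are pinned but Terraform itself is not, so the configuration runs on whatever CLI happens to be installed; add `required_version = ">= 1.0"` next to `required_providers`. No `provider "aws"` block with a region appears anywhere in this change, so the region and credentials come entirely from the environment — a one-line comment here stating that would spare the next reader a hunt.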