feat: added tf infra for AWS ami account #6517
@@ -0,0 +1,41 @@ | ||
# AWS Account for CAPA AMI Publication | ||
|
||
This contains Terraform used to manage users & permissions for the **cncf-k8s-infra-aws-capa-ami** AWS account (`arn:aws:organizations::348685125169:account/o-kz4vlkihvy/819546954734`). | ||
|
||
## Tool Requirements | ||
|
||
* [Terraform](https://developer.hashicorp.com/terraform/downloads) v1.6.0 or greater | ||
* AWS CLI | ||
|
||
## Pre-reqs | ||
|
||
This will need to be run by someone that is an admin in the account or by someone that can assume role to give admin in the account. | ||
|
||
## Running | ||
|
||
Set the AWS environment variables for the user that has access to the account. | ||
|
||
Then run the following to disable the blocking of public AMIs: | ||
|
||
```bash | ||
hack/disable-block.sh | ||
``` | ||
|
||
> NOTE: the script is used to disable the block as it doesn't naturally fit well into Terraform when running it across many regions. | ||
|
||
Then do the usual terraform flow: | ||
|
||
```bash | ||
terraform plan | ||
terraform apply | ||
``` | ||
|
||
If its the first time its been run you can then supply the CAPA maintainers with the initial passwords for their IAM accounts. | ||
|
||
Also one of the maintainers will need to be given the access key id and secret got IAM account to be used for automation. These have been encrypted with the gpg of one of the maintainers. | ||
|
||
## Adding users | ||
|
||
The CAPA maintainers have been added as IAM users. The iam user name matches their GitHub username. | ||
|
||
Where possible the the user should be defined with **pgp_key** so that the initial password for the IAM user is encrypted. |
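Review bot: The "Running" section tells the operator to run `hack/disable-block.sh` before `terraform apply` but never says what that does to the account's security posture: it removes the block on public AMI sharing in every region the script lists, which is the guardrail against accidentally publishing an image. State that explicitly next to the NOTE, and say how the block is put back if publication is paused. Wording fixes in the same file: "If its the first time its been run" should read "If it's the first time it's been run", "the access key id and secret got IAM account" should read "for the IAM account", and "the the user" has a doubled word.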
@@ -0,0 +1,26 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2024 The Kubernetes Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
## This script is used to disable the block on public access to AMIs | ||
|
||
AMI_REGIONS="ap-south-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-2,ap-northeast-1,sa-east-1,ca-central-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2" | ||
|
||
IFS=',' | ||
read -ra arr <<<"$AMI_REGIONS" | ||
|
||
for val in "${arr[@]}"; do | ||
aws ec2 disable-image-block-public-access --region "$val" | ||
done |
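Review bot: `IFS=','` is changed for the remainder of the script instead of only for the `read`; scope it to the one command with `IFS=',' read -ra arr <<<"$AMI_REGIONS"` so later word splitting behaves normally. The script also has no `set -euo pipefail`, so if `aws ec2 disable-image-block-public-access` fails in one region the loop carries on and the operator has no record of which regions still have the block in place. Echo the region before each call and exit non-zero on the first failure, and add a header comment that this disables the public-AMI guardrail in all 15 regions at once.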
@@ -0,0 +1,37 @@ | ||
/* | ||
Copyright 2024 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
resource "aws_iam_group" "maintainers" { | ||
name = "maintainers" | ||
} | ||
|
||
resource "aws_iam_group_membership" "maintainers" { | ||
name = "capa-maintainers" | ||
|
||
users = [ | ||
aws_iam_user.ankitasw.name, | ||
aws_iam_user.dlipovetsky.name, | ||
aws_iam_user.richardcase.name, | ||
aws_iam_user.vincepri.name, | ||
] | ||
|
||
group = aws_iam_group.maintainers.name | ||
} | ||
|
||
resource "aws_iam_group_policy_attachment" "maintainer-admin" { | ||
group = aws_iam_group.maintainers.name | ||
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" | ||
} |
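Review bot: `policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"` gives every maintainer in the group full control of the account, far beyond what AMI publication needs, and the discussion on this PR already agrees it should be scoped down. Replace it with a customer-managed policy limited to the EC2 image and snapshot actions the publishing flow actually uses, and consider a permissions boundary on the group so members cannot widen their own access; nothing here requires MFA either. Minor: the membership resource is named `capa-maintainers` while the group is `maintainers`; aligning the names makes the state easier to read.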
@@ -0,0 +1,64 @@ | ||
/* | ||
Copyright 2024 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
Is there an automated way to keep this file in sync with the team membership?

We could look at doing something for that in the future

Maybe using
||
|
||
resource "aws_iam_user" "ankitasw" { | ||
Seeing IAM users like this in 2024 is a bit sad - is this because we do not have SSO setup?
||
name = "ankitasw" | ||
} | ||
resource "aws_iam_user_login_profile" "ankitasw_login" { | ||
user = aws_iam_user.ankitasw.name | ||
password_reset_required = true | ||
} | ||
|
||
output "ankitasw_password" { | ||
value = aws_iam_user_login_profile.ankitasw_login.encrypted_password | ||
} | ||
|
||
resource "aws_iam_user" "dlipovetsky" { | ||
name = "dlipovetsky" | ||
} | ||
resource "aws_iam_user_login_profile" "dlipovetsky_login" { | ||
user = aws_iam_user.dlipovetsky.name | ||
password_reset_required = true | ||
} | ||
|
||
output "dlipovetsky_password" { | ||
value = aws_iam_user_login_profile.dlipovetsky_login.encrypted_password | ||
} | ||
|
||
resource "aws_iam_user" "richardcase" { | ||
name = "richardcase" | ||
} | ||
resource "aws_iam_user_login_profile" "richardcase_login" { | ||
user = aws_iam_user.richardcase.name | ||
pgp_key = "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" | ||
password_reset_required = true | ||
} | ||
output "richardcase_password" { | ||
value = aws_iam_user_login_profile.richardcase_login.encrypted_password | ||
} | ||
|
||
resource "aws_iam_user" "vincepri" { | ||
name = "vincepri" | ||
} | ||
resource "aws_iam_user_login_profile" "vincepri_login" { | ||
user = aws_iam_user.vincepri.name | ||
password_reset_required = true | ||
} | ||
|
||
output "vincepri_password" { | ||
value = aws_iam_user_login_profile.vincepri_login.encrypted_password | ||
} |
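Review bot: Only `richardcase_login` sets `pgp_key`; the other three `aws_iam_user_login_profile` resources leave it unset, so their `encrypted_password` outputs will be empty and the initial console passwords will sit in Terraform state unencrypted. The README in this PR says users should be defined with `pgp_key` where possible, so either add each maintainer's public key or document that the state file must be handled as a secret until they do. The inline question about SSO deserves an answer in the README's "Adding users" section, since long-lived IAM user credentials are what the thread is pushing back on.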
Is there a least-privilege alternative to this access that we can grant?
Yes for sure. How about initially we scope the "admin" down to only the services that are used for AMI publishing. The original thinking was that more elevated permissions would be needed initially whilst we work out all the automation / diagnose issues.
Ultimately, we could make it so it's just the build agent (prow or GHA) that has access.
TBH, I don't even agree with giving `AdministratorAccess` to Prow.
The more I think about it (based on your feedback), the maintainers don't need access to the account. Just whatever CI we use. I'll also re-think this based on that.