From 1901c695bd25e2675843d5abe09f9129f99ff865 Mon Sep 17 00:00:00 2001 
From: Andreas Sommer Date: Wed, 18 Dec 2024 16:10:49 +0100 Subject: [PATCH] Reduce setup options to only CloudFormation stacks --- CHANGELOG.md | 4 + README.md | 123 ++--------- .../{iam-giantswarm-cp.tf => admin-role.tf} | 0 admin-role/cloud-formation-template.yaml | 7 +- admin-role/iam-policy.json | 69 ------- admin-role/outputs.tf | 3 - .../capa-controller-policy.json | 186 ----------------- .../capa-controller-vpc-policy.json | 36 ---- capa-controller-role/cleanup.sh | 45 ---- .../cloud-formation-template.yaml | 66 +++++- capa-controller-role/crossplane-policy.json | 22 -- .../dns-controller-policy.json | 16 -- .../eks-controller-policy.json | 157 -------------- capa-controller-role/giantswarm-capa-role.tf | 194 ++++-------------- .../iam-controller-policy.json | 37 ---- capa-controller-role/import.tf | 117 ----------- .../irsa-operator-policy.json | 66 ------ capa-controller-role/mc-bootstrap-policy.json | 16 -- .../network-topology-operator-policy.json | 29 --- capa-controller-role/outputs.tf | 3 - .../resolver-rules-operator-policy.json | 27 --- capa-controller-role/setup.sh | 60 ------ capa-controller-role/trusted-entities.json | 29 --- capa-controller-role/variables.tf | 33 --- 24 files changed, 113 insertions(+), 1232 deletions(-) rename admin-role/{iam-giantswarm-cp.tf => admin-role.tf} (100%) delete mode 100644 admin-role/iam-policy.json delete mode 100644 admin-role/outputs.tf delete mode 100644 capa-controller-role/capa-controller-policy.json delete mode 100644 capa-controller-role/capa-controller-vpc-policy.json delete mode 100755 capa-controller-role/cleanup.sh delete mode 100644 capa-controller-role/crossplane-policy.json delete mode 100644 capa-controller-role/dns-controller-policy.json delete mode 100644 capa-controller-role/eks-controller-policy.json delete mode 100644 capa-controller-role/iam-controller-policy.json delete mode 100644 capa-controller-role/import.tf delete mode 100644 capa-controller-role/irsa-operator-policy.json delete mode 
100644 capa-controller-role/mc-bootstrap-policy.json delete mode 100644 capa-controller-role/network-topology-operator-policy.json delete mode 100644 capa-controller-role/outputs.tf delete mode 100644 capa-controller-role/resolver-rules-operator-policy.json delete mode 100755 capa-controller-role/setup.sh delete mode 100644 capa-controller-role/trusted-entities.json delete mode 100644 capa-controller-role/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a9a33b..00858f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Reduce setup options to only CloudFormation stacks + ## [4.3.1] - 2024-12-18 ### Changed diff --git a/README.md b/README.md index 5e0a053..5a773f5 100644 --- a/README.md +++ b/README.md 
@@ -1,129 +1,34 @@ # giantswarm-aws-account-prerequisites -This repo contains Cloud Formation templates and Terraform modules to prepare AWS accounts to run Giant Swarm clusters. - -# Cluster API +This repo contains Cloud Formation templates to prepare AWS accounts for running Giant Swarm clusters based on Cluster API Provider for AWS (CAPA). ## Before starting -Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits). - -For Cluster API take a look at these two modules in this repository: - -1. [admin-role](./admin-role) which creates a role and a policy for our staff to be able to operate the infrastructure created by our automation in case of failures. -2. [capa-controller-role](./capa-controller-role) which creates the role and policies that the controllers assume to create and manage the kubernetes clusters. +Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/prepare-your-provider-infrastructure/aws/#quotas). Then please create the admin role for Giant Swarm staff access, as shown below. ## 1. admin-role -For all AWS accounts part of the platform Giant Swarm staff need to have access in order to debug and -manage and operate the infrastructure. To do so, please use one of the following methods to create the necessary role and policy in your AWS account. - -### AWS CloudFormation template +In all AWS accounts where you plan to run a management cluster and workload clusters, Giant Swarm staff need to have access in order to manage, operate and troubleshoot the infrastructure. 
-You can execute the CloudFormation template directly by clicking [the admin role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&¶m_AdminRoleName=GiantSwarmAdmin) or uploading the [template file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console. - -You will be asked for the following parameters: - -- `AdminRoleName`: The name of the role that will be created. Default is `GiantSwarmAdmin`. You dont need to change this unless you have a specific requirement. +Therefore, please create the admin CloudFormation stack in each of those accounts. That can be done either from our [admin role stack template (direct link to AWS Console dialog)](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&¶m_AdminRoleName=GiantSwarmAdmin), or by uploading the [admin role stack definition file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console. Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff. -### Terraform - -#### Requirements - -- `terraform` installed -- working AWS credentials set to the desired target account -- AWS region has to be set either via aws profile or via env `AWS_REGION` - -### Adjust variables - -- `admin_role_name` - can be adjusted to be more strict and specify role name. You dent need to change this unless you have a specific requirement. 
- -### Execution - -``` -terraform init -terraform apply -var="admin_role_name=GiantSwarmAdmin -``` - -The created role ARN needs to be supplied to Giant Swarm. - ## 2. capa-controller-role -In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API controllers will assume to create and manage workload clusters and all infrastructure resources. - -### AWS CloudFormation template - -You can execute directly the CloudFormation template by clicking the [capa controller role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap¶m_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME¶m_ManagementClusterOidcProviderDomain=MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN) or uploading the [template file](./capa-controller-role/cloud-formation-template.yaml) when creating a new stack in the AWS console. - -You will be asked for the following parameters: - -- `InstallationName`: the name of the installation which you have agreed with Giant Swarm upfront. -- `ManagementClusterOidcProviderDomain`: the domain name used by the MC OIDC provider. Normally `irsa.`. -- `ByoVpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs - -Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff. - -### Terraform - -#### Requirements - -- `terraform` installed -- working AWS credentials set to the desired target account -- AWS region has to be set either via aws profile or via env `AWS_REGION` - -### Adjust variables - -- `installation_name`: the name of the installation which you have agreed with Giant Swarm upfront. 
-- `management_cluster_oidc_provider_domain`: the domain name used by the MC OIDC provider. Normally `irsa.`. -- `byovpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs - -### Execution - -``` -terraform init -terraform apply -var="installation_name=test" -var="management_cluster_oidc_provider_domain=irsa.test.gaws.gigantic.io" -``` - -### Import existing resources - -To update the policies of an existing role, you can run Terraform with the extra variable `import_existing=true` to import the resources into the state: - -``` -terraform init -terraform apply -var="installation_name=test" -var="management_cluster_oidc_provider_domain=irsa.test.gaws.gigantic.io" -var="import_existing=true" -``` - -## AWS cli - -### Requirements +In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API Provider AWS (CAPA) controller will assume to create and manage workload clusters and all infrastructure resources. -- `awscli` installed -- `jq` installed -- working AWS credentials set to the desired target account -- located on the `capa-controller-role` directory of this git repo -- user `${INSTALLATION}-capa-controller` created in GiantSwarm root account `084190472784` +The same applies to all accounts where CAPA should be able to create workload clusters, since they don't necessarily need to run in the same account as your management cluster. The `AWSClusterRoleIdentity` objects on the management cluster define in which accounts you want to create workload clusters. -### Setup +**Once the admin role is created (see above), Giant Swarm staff takes over creating and maintaining the CloudFormation stack for each of your desired accounts and there is no further action needed by customers. 
Only if for some reason, you want to manage them yourself**, you can use these instructions: -``` -export INSTALLATION_NAME=test -export MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN=irsa.test.gaws.gigantic.io -# Optional: only set to true if this installation is going to be used exclusively to create WCs on existing VPCs and subnets -# export BYOVPC=true -# Optional: only set this to aws-cn if the installation is in China -# export AWS_PARTITION=aws-cn -chmod +x setup.sh -./setup.sh -``` +- Creation: Log into the right account in AWS Console, choose your desired region and create the CloudFormation stack from our [capa-controller-role stack template (direct link to AWS Console dialog)](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap¶m_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME¶m_ManagementClusterOidcProviderDomain=MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN). Alternatively, you can upload the [capa-controller-role stack definition file](./capa-controller-role/cloud-formation-template.yaml) in this repository. -__warning__: You may need to modify the `trusted-entities.json` to use `aws-cn` in the `Principal` field when using the China region. + You will be asked for the following parameters: -### Cleanup + - `InstallationName`: the name of the installation which you have agreed with Giant Swarm upfront. + - `ByoVpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs. Turn this on if you only want to create clusters in VPCs that you have already created, without requiring CAPA to create or manage VPCs and its networking resources (like NAT/internet gateways, subnets, etc.). + - `ManagementClusterOidcProviderDomain`: the domain name used by the MC OIDC provider. Normally `irsa.`. 
-``` -export INSTALLATION_NAME=test -chmod +x cleanup.sh -./cleanup.sh -``` + Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff. +- Update: Select the CloudFormation stack in AWS Console, then `Update > Replace existing template` and use the latest released definition `https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml` as source (or the [stack definition file](./capa-controller-role/cloud-formation-template.yaml) in this repository). diff --git a/admin-role/iam-giantswarm-cp.tf b/admin-role/admin-role.tf similarity index 100% rename from admin-role/iam-giantswarm-cp.tf rename to admin-role/admin-role.tf diff --git a/admin-role/cloud-formation-template.yaml b/admin-role/cloud-formation-template.yaml index 2000e62..88b757f 100644 --- a/admin-role/cloud-formation-template.yaml +++ b/admin-role/cloud-formation-template.yaml @@ -1,16 +1,11 @@ AWSTemplateFormatVersion: '2010-09-09' Description: CloudFormation template for bootstrapping the admin role in your AWS account. -Parameters: - AdminRoleName: - Type: String - Default: "GiantSwarmAdmin" - Resources: GiantSwarmAdminRole: Type: "AWS::IAM::Role" Properties: - RoleName: !Ref AdminRoleName + RoleName: GiantSwarmAdmin AssumeRolePolicyDocument: Version: '2012-10-17' Statement: diff --git a/admin-role/iam-policy.json b/admin-role/iam-policy.json deleted file mode 100644 index 1dff482..0000000 --- a/admin-role/iam-policy.json +++ /dev/null 
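Review bot: Replacing `RoleName: !Ref AdminRoleName` with the literal `RoleName: GiantSwarmAdmin` removes a customer-chosen value, and because `RoleName` is an immutable property of `AWS::IAM::Role`, updating an existing stack that was created with a non-default `AdminRoleName` replaces the role (new ARN, old role deleted), which breaks anything that trusts the old ARN. That consequence belongs in the CHANGELOG entry of this patch, which currently only says "Reduce setup options to only CloudFormation stacks". The README quick-create link in this same patch still passes `param_AdminRoleName=GiantSwarmAdmin`; the console may ignore an unknown parameter, but it is at least misleading now that the template has no `Parameters` section, so drop it from the URL.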
@@ -1,69 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "acm:*", - "autoscaling:*", - "cloudformation:*", - "cloudfront:*", - "cloudwatch:*", - "dynamodb:*", - "ec2:*", - "ecr:*", - "elasticfilesystem:*", - "elasticloadbalancing:*", - "events:*", - "ram:*", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateAccessKey", - "iam:CreateInstanceProfile", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - "iam:DeleteAccessKey", - "iam:DeleteInstanceProfile", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DeleteServiceLinkedRole", - "iam:DetachRolePolicy", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:PassRole", - "iam:PutRolePolicy", - "iam:RemoveRoleFromInstanceProfile", - "iam:TagPolicy", - "iam:TagRole", - "iam:UpdateAccessKey", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateRoleDescription", - "kms:*", - "logs:*", - "route53:*", - "route53domains:*", - "route53resolver:*", - "s3:*", - "sts:AssumeRole", - "sts:DecodeAuthorizationMessage", - "sts:GetFederationToken", - "support:*", - "trustedadvisor:*", - "sqs:*", - "iam:CreateOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:TagOpenIDConnectProvider", - "iam:UntagOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:AddClientIDToOpenIDConnectProvider" - ], - "Resource": "*" - } - ] -} diff --git a/admin-role/outputs.tf b/admin-role/outputs.tf deleted file mode 100644 index 7e065cd..0000000 --- a/admin-role/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "giantswarm-admin-role" { - value = aws_iam_role.giantswarm-admin.arn -} diff --git a/capa-controller-role/capa-controller-policy.json b/capa-controller-role/capa-controller-policy.json deleted file mode 100644 index 6b8307b..0000000 
--- a/capa-controller-role/capa-controller-policy.json +++ /dev/null 
@@ -1,186 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AllocateAddress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:DeleteNetworkInterface", - "ec2:DeleteSecurityGroup", - "ec2:DeleteTags", - "ec2:DetachNetworkInterface", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeDhcpOptions", - "ec2:DescribeInstances", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInternetGateways", - "ec2:DescribeImages", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVolumes", - "ec2:DisassociateAddress", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ReleaseAddress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ec2:TerminateInstances", - "tag:GetResources", - "elasticloadbalancing:*", - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeInstanceRefreshes", - "autoscaling:SuspendProcesses", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:DeleteLifecycleHook", - "autoscaling:DescribeLifecycleHooks", - "autoscaling:PutLifecycleHook", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DeleteLaunchTemplate", - "ec2:DeleteLaunchTemplateVersions", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:PutBucketPolicy", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutLifecycleConfiguration", - "s3:PutBucketOwnershipControls", - "s3:PutBucketTagging" 
- ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "autoscaling:CancelInstanceRefresh", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:CreateOrUpdateTags", - "autoscaling:StartInstanceRefresh", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteTags" - ], - "Resource": [ - "arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "autoscaling.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "spot.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": [ - "arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io" - ] - }, - { - "Effect": "Allow", - "Action": [ - "secretsmanager:CreateSecret", - "secretsmanager:DeleteSecret", - "secretsmanager:TagResource" - ], - "Resource": [ - "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListOpenIDConnectProviders", - "iam:CreateOpenIDConnectProvider", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:DeleteOpenIDConnectProvider" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": 
[ - "events:DeleteRule", - "events:DescribeRule", - "events:ListTargetsByRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "sqs:CreateQueue", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage", - "sqs:SetQueueAttributes" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/capa-controller-role/capa-controller-vpc-policy.json b/capa-controller-role/capa-controller-vpc-policy.json deleted file mode 100644 index 1ce3301..0000000 --- a/capa-controller-role/capa-controller-vpc-policy.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AssociateRouteTable", - "ec2:AssociateVpcCidrBlock", - "ec2:AttachInternetGateway", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSubnet", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteNatGateway", - "ec2:DeleteRouteTable", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:DisassociateVpcCidrBlock", - "ec2:ModifySubnetAttribute", - "ec2:ReplaceRoute" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/capa-controller-role/cleanup.sh b/capa-controller-role/cleanup.sh deleted file mode 100755 index 3a05d14..0000000 --- a/capa-controller-role/cleanup.sh +++ /dev/null 
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-set -u
-
-BLUE='\033[0;34m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
-AWS_ACCOUNT_ID="$(aws sts get-caller-identity --output text --query 'Account')"
-AWS_PARTITION=${AWS_PARTITION:-aws}
-GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}
-
-POL_TYPES=("capa-controller" "capa-controller-vpc" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
-POL_ARN_PREFIX="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy"
-
-function echo_fail_or_success {
- s=$1
- if [ "$s" != 0 ]; then
- echo -e "${RED} failed${NC}"
- else
- echo -e "${GREEN} success${NC}"
- fi
-}
-
-echo -e "${BLUE}Role name: ${ROLE_NAME}${NC}"
-for pol_type in ${POL_TYPES[@]}; do
- POL_NAME="giantswarm-${INSTALLATION_NAME}-${pol_type}-policy"
- POL_ARN="$POL_ARN_PREFIX/$POL_NAME"
-
- echo -n "|_ Detaching policy ${POL_NAME}..."
- aws iam detach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${POL_ARN}"
- echo_fail_or_success "$?"
-
- echo -n "|_ Delete policy ${POL_NAME}..."
- aws iam delete-policy --policy-arn "${POL_ARN}"
- echo_fail_or_success "$?"
-done
-
-echo -n "|_ Deleting role..."
-aws iam delete-role --role-name "${ROLE_NAME}"
-echo_fail_or_success "$?"
-
-exit 0
diff --git a/capa-controller-role/cloud-formation-template.yaml b/capa-controller-role/cloud-formation-template.yaml
index a308f76..ae0594e 100644
--- a/capa-controller-role/cloud-formation-template.yaml
+++ b/capa-controller-role/cloud-formation-template.yaml
@@ -5,9 +5,7 @@ Parameters:
 InstallationName:
 Type: String
 Description: "The name of the management cluster."
- ManagementClusterOidcProviderDomain:
- Type: String
- Description: "The AWS account ID of the management cluster."
+
 ByoVpc:
 Type: String
 Description: "If true, the CAPA role will be created without the permissions needed to manage VPCs"
@@ -15,6 +13,16 @@ Parameters:
 AllowedValues:
 - "true"
 - "false"
+ GiantSwarmUserAccount:
+ Type: String
+ Description: "Account of Giant Swarm IAM users (`084190472784`, except for China). Assumed to be in the same partition as the CloudFormation stack account (`aws`, or `aws-cn` for China)."
+ Default: "084190472784"
+ # No `AllowedValues` here, since we don't publish the identifiers of other accounts
+ AllowedPattern: "^[0-9]{12}$"
+ ManagementClusterOidcProviderDomain:
+ Type: String
+ Description: "The OIDC domain of the management cluster, typically `irsa..`, for example `irsa.golem.gaws.gigantic.io`."
+ AllowPattern: "^([0-9a-z-]+)(\\.[0-9a-z-]+)+$"
 
 Conditions:
 # The policy is not needed in BYO VPC installations
@@ -27,6 +35,7 @@ Resources:
 Type: "AWS::IAM::Role"
 Properties:
 RoleName: !Sub "giantswarm-${InstallationName}-capa-controller"
+ Description: "Giant Swarm managed role for k8s cluster creation"
 AssumeRolePolicyDocument: !Sub |
 {
 "Version": "2012-10-17",
@@ -34,14 +43,14 @@ Resources:
 {
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::084190472784:user/${InstallationName}-capa-controller"
+ "AWS": "arn:${AWS::Partition}:iam::${GiantSwarmUserAccount}:user/${InstallationName}-capa-controller"
 },
 "Action": "sts:AssumeRole"
 },
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${ManagementClusterOidcProviderDomain}"
+ "Federated": "arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/${ManagementClusterOidcProviderDomain}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
@@ -64,6 +73,7 @@ Resources:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-capa-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
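Review bot: `AllowPattern:` on the re-added `ManagementClusterOidcProviderDomain` parameter is not a CloudFormation parameter property (the supported one is `AllowedPattern`), so template validation should reject this line; and if it were ever ignored, the domain would reach the `!Sub` trust-policy JSON and its `Federated` principal in the hunk below without any character restriction, which is exactly what the pattern is there to prevent. Change it to `AllowedPattern: "^([0-9a-z-]+)(\\.[0-9a-z-]+)+$"`, matching the spelling already used for `GiantSwarmUserAccount` a few lines above. The Description's `irsa..` also looks like a placeholder whose bracketed parts were lost; something like `typically irsa.INSTALLATION.BASE_DOMAIN` would read correctly.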
@@ -199,12 +209,16 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmCapaControllerVpcManagedPolicy:
 Condition: CreateVpcPolicy
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-capa-controller-vpc-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -236,11 +250,15 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmDNSControllerManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-dns-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -252,11 +270,15 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmCrossplaneManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-crossplane-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -276,11 +298,15 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmEKSControllerManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-eks-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
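Review bot: The `Tags` property added under `GiantSwarmCapaControllerManagedPolicy` (and under every other `AWS::IAM::ManagedPolicy` in this file, hunks `@@ -236`, `@@ -252`, `@@ -276`, `@@ -374`, `@@ -406`, `@@ -468`, `@@ -511` and `@@ -538`) is, as far as I recall, not a property of that resource type — `AWS::IAM::Role` and `AWS::IAM::User` accept `Tags`, `AWS::IAM::ManagedPolicy` does not — in which case CloudFormation rejects the whole template at validation. Please confirm with `aws cloudformation validate-template` against the new file before it is published to the S3 location the README links to, since customers create stacks straight from that URL. Separately, every policy now carries the identical `Description: "Giant Swarm managed policy for k8s cluster creation"`, which tells an operator in the IAM console nothing about which component uses it; per-policy wording such as `Description: "Giant Swarm managed policy for the DNS controller"` would make the console listing self-explanatory.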
@@ -317,7 +343,6 @@ Resources:
 - "arn:*:iam::*:policy/AmazonEKSWorkerNodePolicy"
 - "arn:*:iam::*:policy/AmazonEKS_CNI_Policy"
 - "arn:*:iam::*:policy/AmazonEC2ContainerRegistryReadOnly"
- - "arn:*:iam::*:policy/AmazonEKSClusterPolicy"
 - Effect: "Allow"
 Action:
 - "eks:DescribeCluster"
@@ -374,11 +399,15 @@ Resources:
 "kms:ResourceAliases": "alias/cluster-api-provider-aws-*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmIAMControllerManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-iam-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -406,11 +435,15 @@ Resources:
 Resource: "arn:*:iam::*:instance-profile/*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmIRSAControllerManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-irsa-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -456,7 +489,6 @@ Resources:
 - "s3:PutBucketPublicAccessBlock"
 - "s3:PutEncryptionConfiguration"
 - "s3:PutLifecycleConfiguration"
- - "s3:PutObjectAcl"
 Resource: "arn:*:s3:::*-g8s-*"
 - Effect: "Allow"
 Action:
@@ -468,24 +500,35 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmMCBootstrapManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-mc-bootstrap-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
 - Effect: "Allow"
- Action: "ec2:DeleteVolume"
+ Action:
+ - "ec2:DeleteVolume"
+ - "s3:GetBucketTagging"
+ - "s3:ListAllMyBuckets"
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmNetworkTopologyControllerManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-network-topology-controller-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -511,11 +554,15 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 GiantSwarmResolverRulesOperatorManagedPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "giantswarm-${InstallationName}-resolver-rules-operator-policy"
+ Description: "Giant Swarm managed policy for k8s cluster creation"
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -538,6 +585,9 @@ Resources:
 Resource: "*"
 Roles:
 - !Ref GiantSwarmCapaControllerRole
+ Tags:
+ - Key: "installation"
+ Value: !Ref InstallationName
 
 Outputs:
 GiantSwarmCapaControllerRoleArn:
diff --git a/capa-controller-role/crossplane-policy.json b/capa-controller-role/crossplane-policy.json
deleted file mode 100644
index 810e9eb..0000000
--- a/capa-controller-role/crossplane-policy.json
+++ /dev/null
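Review bot: `GiantSwarmMCBootstrapManagedPolicy` gains `s3:GetBucketTagging` and `s3:ListAllMyBuckets` on `Resource: "*"`, a permission widening that a customer reviewing the stack update will not find in the CHANGELOG entry, which only says "Reduce setup options to only CloudFormation stacks"; the same applies to the removed `s3:PutObjectAcl` in hunk `@@ -456` and the dropped duplicate `AmazonEKSClusterPolicy` entry in hunk `@@ -317`. `s3:ListAllMyBuckets` can only be granted on `*`, but `s3:GetBucketTagging` could be narrowed to the bucket name pattern the IRSA policy already uses, `arn:*:s3:::*-g8s-*`, if bootstrap only inspects those buckets — I cannot tell from this hunk which buckets it reads. Please list the added and removed IAM actions under the CHANGELOG's `### Changed` entry so the stack diff can be mapped to an intent.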
@@ -1,22 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateSecurityGroup", - "ec2:DeleteSecurityGroup", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "cloudwatch:*", - "sqs:*", - "events:*" - ], - "Resource": "*" - } - ] -} diff --git a/capa-controller-role/dns-controller-policy.json b/capa-controller-role/dns-controller-policy.json deleted file mode 100644 index c223ade..0000000 --- a/capa-controller-role/dns-controller-policy.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "route53:*", - "route53domains:*", - "route53resolver:*" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/capa-controller-role/eks-controller-policy.json b/capa-controller-role/eks-controller-policy.json deleted file mode 100644 index bc6fac0..0000000 --- a/capa-controller-role/eks-controller-policy.json +++ /dev/null 
@@ -1,157 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ssm:GetParameter" - ], - "Resource": [ - "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "eks.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "eks-nodegroup.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": [ - "arn:*:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate" - ], - "Condition": { - "StringLike": { - "iam:AWSServiceName": "eks-fargate.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:ListAttachedRolePolicies" - ], - "Resource": [ - "arn:*:iam::*:role/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:GetPolicy" - ], - "Resource": [ - "arn:*:iam::*:policy/AmazonEKSClusterPolicy", - "arn:*:iam::*:policy/AmazonEKSWorkerNodePolicy", - "arn:*:iam::*:policy/AmazonEKS_CNI_Policy", - "arn:*:iam::*:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:*:iam::*:policy/AmazonEKSClusterPolicy" - ] - }, - { - "Effect": "Allow", - "Action": [ - "eks:DescribeCluster", - "eks:ListClusters", - "eks:CreateCluster", - "eks:TagResource", - "eks:UpdateClusterVersion", - "eks:DeleteCluster", - "eks:UpdateClusterConfig", - "eks:UntagResource", - "eks:UpdateNodegroupVersion", - "eks:DescribeNodegroup", - "eks:DeleteNodegroup", - "eks:UpdateNodegroupConfig", - "eks:CreateNodegroup", - "eks:AssociateEncryptionConfig", - 
"eks:ListIdentityProviderConfigs", - "eks:AssociateIdentityProviderConfig", - "eks:DescribeIdentityProviderConfig", - "eks:DisassociateIdentityProviderConfig" - ], - "Resource": [ - "arn:*:eks:*:*:cluster/*", - "arn:*:eks:*:*:nodegroup/*/*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AssociateVpcCidrBlock", - "ec2:DisassociateVpcCidrBlock", - "eks:ListAddons", - "eks:CreateAddon", - "eks:DescribeAddonVersions", - "eks:DescribeAddon", - "eks:DeleteAddon", - "eks:UpdateAddon", - "eks:TagResource", - "eks:DescribeFargateProfile", - "eks:CreateFargateProfile", - "eks:DeleteFargateProfile", - "eks:ListIdentityProviderConfigs", - "eks:DescribeIdentityProviderConfig" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "iam:PassedToService": "eks.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Condition": { - "ForAnyValue:StringLike": { - "kms:ResourceAliases": "alias/cluster-api-provider-aws-*" - } - } - } - ] -} diff --git a/capa-controller-role/giantswarm-capa-role.tf b/capa-controller-role/giantswarm-capa-role.tf index 8599758..3fcd940 100644 --- a/capa-controller-role/giantswarm-capa-role.tf +++ b/capa-controller-role/giantswarm-capa-role.tf 
@@ -1,182 +1,60 @@ -locals { - tags = { - "installation" = var.installation_name - } -} - -provider "aws" { - ignore_tags { - keys = ["maintainer", "owner", "repo"] - } +variable "installation_name" { + type = string + description = "Name of the installation (= name of management cluster). Please ask Giant Swarm staff to provide it." } -data "aws_caller_identity" "current" {} +variable "gs_user_account" { + type = string + description = "Account of Giant Swarm IAM users (`084190472784`, except for China)" + default = "084190472784" -resource "aws_iam_role" "giantswarm-capa-controller-role" { - name = "giantswarm-${var.installation_name}-capa-controller" - assume_role_policy = templatefile("${path.module}/trusted-entities.json", { - INSTALLATION_NAME = var.installation_name - AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id - MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN = var.management_cluster_oidc_provider_domain - AWS_PARTITION = var.aws_partition - GS_USER_ACCOUNT = var.gs_user_account - }) - tags = local.tags - description = "Giant Swarm managed role for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] + validation { + condition = can(regex("^[0-9]{12}$", var.gs_user_account)) + error_message = "AWS account ID must consist of exactly 12 digits" } } -resource "aws_iam_policy" "giantswarm-capa-controller-policy" { - name = "giantswarm-${var.installation_name}-capa-controller-policy" - policy = file("${path.module}/capa-controller-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-capa-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name 
- policy_arn = aws_iam_policy.giantswarm-capa-controller-policy.arn -} +variable "management_cluster_oidc_provider_domain" { + type = string + description = "OIDC provider domain of the management cluster" -resource "aws_iam_policy" "giantswarm-capa-controller-vpc-policy" { - count = var.byovpc ? 0 : 1 # This policy is not needed in BYO VPC installations - name = "giantswarm-${var.installation_name}-capa-controller-vpc-policy" - policy = file("${path.module}/capa-controller-vpc-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] + validation { + condition = can(regex("^([0-9a-z-]+)(\\.[0-9a-z-]+)+$", var.management_cluster_oidc_provider_domain)) + error_message = "Invalid OIDC provider domain" } } -resource "aws_iam_role_policy_attachment" "giantswarm-capa-controller-vpc-policy-attachment" { - count = var.byovpc ? 
0 : 1 # This policy is not needed in BYO VPC installations - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-capa-controller-vpc-policy[0].arn -} -resource "aws_iam_policy" "giantswarm-dns-controller-policy" { - name = "giantswarm-${var.installation_name}-dns-controller-policy" - policy = file("${path.module}/dns-controller-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-dns-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-dns-controller-policy.arn +variable "byovpc" { + type = bool + description = "If true, the CAPA role will be created without the permissions needed to manage VPCs" + default = false } -resource "aws_iam_policy" "giantswarm-eks-controller-policy" { - name = "giantswarm-${var.installation_name}-eks-controller-policy" - policy = file("${path.module}/eks-controller-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] +locals { + tags = { + "installation" = var.installation_name } } -resource "aws_iam_role_policy_attachment" "giantswarm-eks-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-eks-controller-policy.arn -} -resource "aws_iam_policy" "giantswarm-iam-controller-policy" { - name = "giantswarm-${var.installation_name}-iam-controller-policy" - policy = file("${path.module}/iam-controller-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s 
cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] +provider "aws" { + ignore_tags { + keys = ["maintainer", "owner", "repo"] } } -resource "aws_iam_role_policy_attachment" "giantswarm-iam-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-iam-controller-policy.arn -} -resource "aws_iam_policy" "giantswarm-irsa-controller-policy" { - name = "giantswarm-${var.installation_name}-irsa-controller-policy" - policy = file("${path.module}/irsa-operator-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-irsa-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-irsa-controller-policy.arn -} +data "aws_caller_identity" "current" {} -resource "aws_iam_policy" "giantswarm-network-topology-controller-policy" { - name = "giantswarm-${var.installation_name}-network-topology-controller-policy" - policy = file("${path.module}/network-topology-operator-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-network-topology-controller-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-network-topology-controller-policy.arn -} +resource "aws_cloudformation_stack" "giantswarm_capa_controller" { + name = 
"GiantSwarmAdminRoleBootstrap" + template_body = file("${path.module}/cloud-formation-template.yaml") -resource "aws_iam_policy" "giantswarm-resolver-rules-operator-policy" { - name = "giantswarm-${var.installation_name}-resolver-rules-operator-policy" - policy = file("${path.module}/resolver-rules-operator-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-resolver-rules-operator-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-resolver-rules-operator-policy.arn -} + parameters = { + InstallationName = var.installation_name -resource "aws_iam_policy" "giantswarm-mc-bootstrap-policy" { - name = "giantswarm-${var.installation_name}-mc-bootstrap-policy" - policy = file("${path.module}/mc-bootstrap-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields in case the object was initially created with different values - ignore_changes = [description] + ByoVpc = var.byovpc + ManagementClusterOidcProviderDomain = var.management_cluster_oidc_provider_domain + GiantSwarmUserAccount = var.gs_user_account } -} -resource "aws_iam_role_policy_attachment" "giantswarm-mc-bootstrap-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-mc-bootstrap-policy.arn -} -resource "aws_iam_policy" "giantswarm-crossplane-policy" { - name = "giantswarm-${var.installation_name}-crossplane-policy" - policy = file("${path.module}/crossplane-policy.json") - tags = local.tags - description = "Giant Swarm managed policy for k8s cluster creation" - lifecycle { - # Avoid recreation due to these fields 
in case the object was initially created with different values - ignore_changes = [description] - } -} -resource "aws_iam_role_policy_attachment" "giantswarm-crossplane-policy-attachment" { - role = aws_iam_role.giantswarm-capa-controller-role.name - policy_arn = aws_iam_policy.giantswarm-crossplane-policy.arn + tags = local.tags } diff --git a/capa-controller-role/iam-controller-policy.json b/capa-controller-role/iam-controller-policy.json deleted file mode 100644 index 0170906..0000000 --- a/capa-controller-role/iam-controller-policy.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:DetachRolePolicy", - "iam:DeleteRole", - "iam:CreateRole", - "iam:TagRole", - "iam:AttachRolePolicy", - "iam:PutRolePolicy", - "iam:ListRolePolicies", - "iam:DeleteRolePolicy", - "iam:*" - ], - "Resource": [ - "arn:*:iam::*:role/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:RemoveRoleFromInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:*" - ], - "Resource": [ - "arn:*:iam::*:instance-profile/*" - ] - } - ] -} diff --git a/capa-controller-role/import.tf b/capa-controller-role/import.tf deleted file mode 100644 index 5255a71..0000000 --- a/capa-controller-role/import.tf +++ /dev/null 
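Review bot: `aws_cloudformation_stack.giantswarm_capa_controller` passes no `capabilities`, yet the template it deploys creates IAM resources with custom names (`ManagedPolicyName: !Sub "giantswarm-${InstallationName}-..."` in the template hunks above), which CloudFormation refuses without `CAPABILITY_NAMED_IAM`; add `capabilities = ["CAPABILITY_NAMED_IAM"]` to the resource. The stack name `"GiantSwarmAdminRoleBootstrap"` looks copied from the admin-role module and carries no installation name, so a second installation in the same account and region, or the admin-role stack if it uses the same name, would collide on it; `name = "giantswarm-${var.installation_name}-capa-controller"` would match the role naming used elsewhere. `data "aws_caller_identity" "current" {}` is no longer referenced anywhere on the new side (the hunk appears to span the whole file) and can be dropped. The `gs_user_account` description still mentions a China exception while the `aws_partition` variable that used to parameterise ARNs is deleted in this commit; confirm the template derives the partition itself (for example from `AWS::Partition`) or restore that input.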
@@ -1,117 +0,0 @@ -locals { - existing_install_for_each = var.import_existing ? toset([1]) : toset([]) -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role.giantswarm-capa-controller-role - id = "giantswarm-${var.installation_name}-capa-controller" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-capa-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-capa-controller-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-dns-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-dns-controller-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-eks-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-eks-controller-policy-attachment - id = 
"giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-iam-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-iam-controller-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-irsa-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-irsa-controller-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-network-topology-controller-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-network-topology-controller-policy-attachment - id = 
"giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-resolver-rules-operator-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-resolver-rules-operator-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-mc-bootstrap-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-mc-bootstrap-policy-attachment - id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_policy.giantswarm-crossplane-policy - id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy" -} - -import { - for_each = local.existing_install_for_each - to = aws_iam_role_policy_attachment.giantswarm-crossplane-policy-attachment - id = 
"giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy" -} diff --git a/capa-controller-role/irsa-operator-policy.json b/capa-controller-role/irsa-operator-policy.json deleted file mode 100644 index df7b60d..0000000 --- a/capa-controller-role/irsa-operator-policy.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:CreateOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:ListOpenIDConnectProviderTags", - "iam:TagOpenIDConnectProvider", - "iam:UntagOpenIDConnectProvider", - "iam:ListOpenIDConnectProviders", - "iam:GetOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:AddClientIDToOpenIDConnectProvider", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:GetCloudFrontOriginAccessIdentity", - "cloudfront:CreateCloudFrontOriginAccessIdentity", - "cloudfront:DeleteCloudFrontOriginAccessIdentity", - "cloudfront:GetDistribution", - "cloudfront:CreateDistribution", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteDistribution", - "cloudfront:ListDistributions", - "cloudfront:ListTagsForResource" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteObject", - "s3:GetBucketLogging", - "s3:GetObject", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketLogging", - "s3:PutBucketOwnershipControls", - "s3:PutBucketTagging", - "s3:PutObjectAcl", - "s3:PutObject", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutEncryptionConfiguration", - "s3:PutLifecycleConfiguration", - "s3:PutObjectAcl" - ], - "Resource": "arn:*:s3:::*-g8s-*" - }, - { - "Effect": "Allow", - "Action": [ - "acm:RequestCertificate", - "acm:AddTagsToCertificate", - "acm:DescribeCertificate", - "acm:ListCertificates", - "acm:DeleteCertificate" - ], - "Resource": "*" - } - ] -} diff --git a/capa-controller-role/mc-bootstrap-policy.json b/capa-controller-role/mc-bootstrap-policy.json deleted file mode 100644 index 570d18b..0000000 --- a/capa-controller-role/mc-bootstrap-policy.json +++ /dev/null 
@@ -1,16 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume",
- "s3:GetBucketTagging",
- "s3:ListAllMyBuckets"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
diff --git a/capa-controller-role/network-topology-operator-policy.json b/capa-controller-role/network-topology-operator-policy.json
deleted file mode 100644
index b4d052a..0000000
--- a/capa-controller-role/network-topology-operator-policy.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags",
- "ec2:DescribeTransitGateways",
- "ec2:DescribeTransitGatewayVpcAttachments",
- "ec2:DescribeTransitGatewayAttachments",
- "ec2:CreateTransitGateway",
- "ec2:CreateTransitGatewayVpcAttachment",
- "ec2:DeleteTransitGateway",
- "ec2:DeleteTransitGatewayVpcAttachment",
- "ec2:CreateManagedPrefixList",
- "ec2:DescribeManagedPrefixLists",
- "ec2:ModifyManagedPrefixList",
- "ec2:GetManagedPrefixListEntries",
- "ec2:DeleteRoute",
- "ec2:CreateRoute",
- "ec2:DescribeRouteTables",
- "sns:Publish"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/capa-controller-role/outputs.tf b/capa-controller-role/outputs.tf
deleted file mode 100644
index 0776eea..0000000
--- a/capa-controller-role/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "giantswarm-capa-controller-role" {
- value = aws_iam_role.giantswarm-capa-controller-role.arn
-}
diff --git a/capa-controller-role/resolver-rules-operator-policy.json b/capa-controller-role/resolver-rules-operator-policy.json
deleted file mode 100644
index ac16c21..0000000
--- a/capa-controller-role/resolver-rules-operator-policy.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:DeleteSecurityGroup",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSecurityGroupRules",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ram:*",
- "sts:AssumeRole",
- "route53resolver:*",
- "ec2:CreateNetworkInterface",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeAvailabilityZones",
- "ec2:DeleteNetworkInterface",
- "ec2:DescribeSubnets"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
diff --git a/capa-controller-role/setup.sh b/capa-controller-role/setup.sh
deleted file mode 100755
index b59402f..0000000
--- a/capa-controller-role/setup.sh
+++ /dev/null
@@ -1,60 +0,0 @@ -#!/bin/bash - -set -u - -BLUE='\033[0;34m' -RED='\033[0;31m' -GREEN='\033[0;32m' -NC='\033[0m' - -AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) -ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller" -POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane") -TAGS="Key=installation,Value=${INSTALLATION_NAME}" -BYOVPC=${BYOVPC:-false} -AWS_PARTITION=${AWS_PARTITION:-aws} -GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"} - -if [ "$BYOVPC" == "false" ]; then - # This policy is not needed in BYO VPC installations - POL_TYPES+=("capa-controller-vpc") -fi - -function echo_fail_or_success { - s=$1 - if [ "$s" != 0 ]; then - echo -e "${RED} failed${NC}. Please review the required permissions and try again." - else - echo -e "${GREEN} success${NC}" - fi -} - -function create_role { - export AWS_ACCOUNT_ID - envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json - aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json --tags ${TAGS} - err=$? - rm -f ${INSTALLATION_NAME}-trusted-entities.json - return $err -} - -function create_policy { - policy_arn=$(aws iam create-policy --policy-name $2 --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://$1-policy.json --tags ${TAGS} | jq -r '.Policy.Arn') - aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${policy_arn}" -} - -export AWS_PAGER="" -echo -n "|_ Creating the role ${ROLE_NAME}..." -create_role -echo_fail_or_success "$?" - -# Create policies -for pol_type in ${POL_TYPES[@]}; do - pol_name="giantswarm-${INSTALLATION_NAME}-${pol_type}-policy" - - echo -n "|_ Create policy ${pol_name}..." 
- create_policy "${pol_type}" "${pol_name}" - echo_fail_or_success "$?" -done - -exit 0 diff --git a/capa-controller-role/trusted-entities.json b/capa-controller-role/trusted-entities.json deleted file mode 100644 index 6a944ae..0000000 --- a/capa-controller-role/trusted-entities.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:${AWS_PARTITION}:iam::${GS_USER_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller" - }, - "Action": "sts:AssumeRole", - "Condition": {} - }, - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "ForAnyValue:StringEquals": { - "${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}:sub": [ - "system:serviceaccount:crossplane:upbound-provider-aws", - "system:serviceaccount:crossplane:upbound-provider-aws-importer", - "system:serviceaccount:crossplane:xfn-network-discovery" - ] - } - } - } - ] -} diff --git a/capa-controller-role/variables.tf b/capa-controller-role/variables.tf deleted file mode 100644 index a916671..0000000 --- a/capa-controller-role/variables.tf +++ /dev/null 
@@ -1,33 +0,0 @@
-variable "installation_name" {
- type = string
- description = "If you dont know what `installation_name` value is suppose to be, ask Giant Swarm staff and they will provide it."
-}
-
-variable "aws_partition" {
- type = string
- description = "AWS partition used for ARN referencing, use aws-cn for China regions"
- default = "aws"
-}
-
-variable "gs_user_account" {
- type = string
- description = "AWS account where GS staff users are located"
- default = "084190472784"
-}
-
-variable "management_cluster_oidc_provider_domain" {
- type = string
- description = "OIDC provider domain of the management cluster"
-}
-
-variable "import_existing" {
- type = bool
- description = "If true, import existing resources"
- default = false
-}
-
-variable "byovpc" {
- type = bool
- description = "If true, the CAPA role will be created without the permissions needed to manage VPCs"
- default = false
-}