From 6eecdaba2dd1e77280abb18684ee74410a7b6eee Mon Sep 17 00:00:00 2001
From: Fernando Ripoll
Date: Tue, 25 Jun 2024 10:43:39 +0200
Subject: [PATCH] remove Vintage code and add CF templates for capa resources (#97)
* Add CF templates for CAPA clusters
* Remove Vintage and provide CF templates as an setup alternative
* Simplify process
* Address Vaclav comments
* Add bucket URL
* Apply suggestions from code review
---
 README.md | 182 +++----
 admin-role/cloud-formation-template.yaml | 95 ++++
 admin-role/iam-giantswarm-cp.tf | 2 +-
 admin-role/variables.tf | 6 -
 aws-operator-role/iam-giantswarm.tf | 34 --
 aws-operator-role/iam-policy.json | 193 -------
 aws-operator-role/outputs.tf | 3 -
 aws-operator-role/variables.tf | 21 -
 aws-operator-user/iam-giantswarm-cp.tf | 17 -
 aws-operator-user/iam-policy.json | 73 ---
 aws-operator-user/outputs.tf | 8 -
 capa-controller-role/README.md | 72 ---
 capa-controller-role/cleanup.sh | 2 +-
 .../cloud-formation-template.yaml | 484 ++++++++++++++++++
 capa-controller-role/giantswarm-capa-role.tf | 2 +-
 capa-controller-role/setup.sh | 48 ++
 capa-controller-role/variables.tf | 8 +-
 17 files changed, 702 insertions(+), 548 deletions(-)
 create mode 100644 admin-role/cloud-formation-template.yaml
 delete mode 100644 aws-operator-role/iam-giantswarm.tf
 delete mode 100644 aws-operator-role/iam-policy.json
 delete mode 100644 aws-operator-role/outputs.tf
 delete mode 100644 aws-operator-role/variables.tf
 delete mode 100644 aws-operator-user/iam-giantswarm-cp.tf
 delete mode 100644 aws-operator-user/iam-policy.json
 delete mode 100644 aws-operator-user/outputs.tf
 delete mode 100644 capa-controller-role/README.md
 mode change 100644 => 100755 capa-controller-role/cleanup.sh
 create mode 100644 capa-controller-role/cloud-formation-template.yaml
 create mode 100755 capa-controller-role/setup.sh
diff --git a/README.md b/README.md
index 9686b87..03e4a05 100644
--- a/README.md
+++ b/README.md
@@ -1,155 +1,111 @@ # giantswarm-aws-account-prerequisites -This repo contains Terraform modules to prepare AWS accounts to run Giant Swarm -clusters. +This repo contains Cloud Formation templates and Terraform modules to prepare AWS accounts to run Giant Swarm clusters. # Cluster API + ## Before starting -Make sure to adjust AWS account limits according to [these -docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits). -For Cluster API take a look at theese three modules in this repository: -1. [admin-role](./admin-role) which creates a role and a policy for our - staff to be able to operate the infrastructure created by our automation in - case of failures. -3. [capa-controller-role](./capa-controller-role) which creates - the role and policies that the controllers assume to create and manage the kubernetes clusters. +Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits). -## 1. admin-role +For Cluster API take a look at these two modules in this repository: -For all AWS accounts part of the platform, does not matter if they are for -management or workload clusters, we need to have access in order to debug and -manage and operate the infrastructure. To do so, please run this module in the target -account: +1. [admin-role](./admin-role) which creates a role and a policy for our staff to be able to operate the infrastructure created by our automation in case of failures. +2. [capa-controller-role](./capa-controller-role) which creates the role and policies that the controllers assume to create and manage the kubernetes clusters. -```hcl -module "giantswarm-cp-prereqs" { - source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites/admin-role" -} +## 1. 
admin-role -output "giantswarm-admin-role" { - value = "${module.giantswarm-cp-prereqs.giantswarm-admin-role}" -} -``` +For all AWS accounts part of the platform Giant Swarm staff need to have access in order to debug and +manage and operate the infrastructure. To do so, please use one of the following methods to create the necessary role and policy in your AWS account. -The created role and policy name is `GiantSwarmAdmin`. +### AWS CloudFormation template -The created role ARN needs to be supplied to Giant Swarm. +You can execute the CloudFormation template directly by clicking [the admin role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&¶m_AdminRoleName=GiantSwarmAdmin) or uploading the [template file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console. -## 2. capa-controller-role -Please read the [README.md](./capa-controller-role/README.md) of the capa-controller-role module. +You will be asked for the following parameters: +- `AdminRoleName`: The name of the role that will be created. Default is `GiantSwarmAdmin`. You dont need to change this unless you have a specific requirement. -# Vintage -## Before starting +Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff. -Make sure to adjust AWS account limits according to [these -docs](https://docs.giantswarm.io/guides/prepare-aws-account-for-tenant-clusters/#limits). +### Terraform -For Vintage take a look at theese three modules in this repository: +#### Requirements -1. 
[admin-role](./admin-role) which creates a role and a policy for our - staff to be able to operate the infrastructure created by our automation in - case of failures. -2. [aws-operator-user](./aws-operator-user) which creates a user and its policy - to be used for our automation to manage the infrastructure. -3. [aws-operator-role](./aws-operator-role) which creates - the role and policy to be assumed for the automation user to create and manage - resources. +- `terraform` installed +- working AWS credentials set to the desired target account +- AWS region has to be set either via aws profile or via env `AWS_REGION` -## 1. admin-role +### Adjust variables -For all AWS accounts part of the platform, does not matter if they are for -control plane or tenant clusters, we need to have access in order to debug and -operator the infrastructure. To do so, please run this module in the target -account: +- `admin_role_name` - can be adjusted to be more strict and specify role name. You dent need to change this unless you have a specific requirement. -```hcl -module "giantswarm-cp-prereqs" { - source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//admin-role" -} +### Execution -output "giantswarm-admin-role" { - value = "${module.giantswarm-cp-prereqs.giantswarm-admin-role}" -} ``` - -The created role and policy name is `GiantSwarmAdmin`. +terraform init . +terraform apply -var="admin_role_name=GiantSwarmAdmin +``` The created role ARN needs to be supplied to Giant Swarm. -## 2. aws-operator-user +## 2. capa-controller-role + +In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API controllers will assume to create and manage workload clusters and all infrastructure resources. -Giant Swarm needs a IAM user to be used for the automation in AWS some account. -This is usually the Control Plane AWS account but it doesn't have to. 
To do so, -please run this module in the target account: +### AWS CloudFormation template -```hcl -module "giantswarm-cp-prereqs" { - source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//aws-operator-user" -} +You can execute directly the CloudFormation template by clocking the [capa controller role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap¶m_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME¶m_ManagementClusterAccountID=MANAGEMENT_CLUSTER_ACCOUNT_ID) or uploading the [template file](./capa-controller-role/cloud-formation-template.yaml) when creating a new stack in the AWS console. -output "user-access-key-id" { - value = "${module.giantswarm-cp-prereqs.user-access-key-id}" -} +You will be asked for the following parameters: -output "user-access-key-secret" { - value = "${module.giantswarm-cp-prereqs.user-access-key-secret}" -} -``` +- `InstallationName`: The name of the installation which you have agreed with Giant Swarm upfront. +- `ManagementClusterAccountID`: The account ID of the management cluster account. This is the account where the management cluster will be running. -The created user name is `GiantSwarmAWSOperator` and its policy name is -`GiantSwarmUserAWSOperator`. +Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff. -Get the access key ID and secret from the output - these must be provided to Giant Swarm. +### Terraform -When `sensitive = true` in output.tf, the secret value will be redacted. 
You can however -find it directly from the state file by running: +#### Requirements -```bash -cat terraform.tfstate | grep secret -``` +- `terraform` installed +- working AWS credentials set to the desired target account +- AWS region has to be set either via aws profile or via env `AWS_REGION` + +### Adjust variables + +- `management_cluster_account_id` - the account id of the management cluster account. +- `installation_name` - the name of the installation which you have agreed with Giant Swarm upfront. + +### Execution -**Note:** as the access key ID and secret are output in plaintext, they will -also be included in your Terraform state file. Please take this into -consideration when using this module. If this isn't acceptable then it is -possible to encrypt the secret using a [PGP key, or a keybase -user](https://www.terraform.io/docs/providers/aws/r/iam_access_key.html#pgp_key) - -## 3. aws-operator-role - -Now, for the Control Plane account and each AWS Tenant account you need to run -this module to enable our automation to assume the role in order to manage all -clusters resources. - -You will need to provide the `main_account_id` which is the AWS account ID where -`GiantSwarmAWSOperator` user was created (using `aws-operator-user` module) and -`target_account_id` which is the AWS account ID of provisioned Control Plane or -Tenant Cluster AWS account. - -```hcl -module "giantswarm-tc-prereqs" { - source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//aws-operator-role" - main_account_id = "111111111111" # Account with GiantSwarmAWSOperator user. - target_account_id = "22222222222" # Account to create role in. -} - -output "aws-operator-role-arn" { - value = "${module.giantswarm-tc-prereqs.aws-operator-role}" -} +``` +terraform init . +terraform apply -var="installation_name=test" ``` -The role and policy name is `GiantSwarmAWSOperator`. +## AWS cli -The AWS Operator Role ARN needs to be supplied to Giant Swarm. 
+### Requirements -## Adding new Tenant Cluster account +- `awscli` installed +- `jq` installed +- working AWS credentials set to the desired target account +- located on the `capa-controller-role` directory of this git repo +- user `${INSTALLATION}-capa-controller` created in GiantSwarm root account `084190472784` -In case you are adding a new organization that runs in a new AWS Account, you -need to apply step `1` and `3`. With the outputs you can run this `gsctl` -command to setup the new configuration. +### Setup -`gsctl update organization set-credentials --aws-operator-role $(terraform output aws-operator-role) --aws-admin-role $(terraform output giantswarm-admin-role)` +``` +export INSTALLATION_NAME=test +chmod +x setup.sh +./setup.sh +``` -It is explained here. -https://docs.giantswarm.io/guides/prepare-aws-account-for-tenant-clusters/#configure-org +### Cleanup + +``` +export INSTALLATION_NAME=test +chmod +x cleanup.sh +./cleanup.sh +``` \ No newline at end of file diff --git a/admin-role/cloud-formation-template.yaml b/admin-role/cloud-formation-template.yaml new file mode 100644 index 0000000..bb9a5f1 --- /dev/null +++ b/admin-role/cloud-formation-template.yaml 
@@ -0,0 +1,95 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: CloudFormation template for bootstrapping the admin role in your AWS account.
+
+Parameters:
+ AdminRoleName:
+ Type: String
+ Default: "GiantSwarmAdmin"
+
+Resources:
+ GiantSwarmAdminRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ RoleName: !Ref AdminRoleName
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::084190472784:root"
+ Action: "sts:AssumeRole"
+
+ GiantSwarmAdminPolicy:
+ Type: "AWS::IAM::Policy"
+ Properties:
+ PolicyName: "GiantSwarmAdmin"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action:
+ - "acm:*"
+ - "autoscaling:*"
+ - "cloudformation:*"
+ - "cloudfront:*"
+ - "cloudwatch:*"
+ - "dynamodb:*"
+ - "ec2:*"
+ - "ecr:*"
+ - "elasticfilesystem:*"
+ - "elasticloadbalancing:*"
+ - "events:*"
+ - "ram:*"
+ - "iam:AddRoleToInstanceProfile"
+ - "iam:AttachRolePolicy"
+ - "iam:CreateAccessKey"
+ - "iam:CreateInstanceProfile"
+ - "iam:CreatePolicy"
+ - "iam:CreatePolicyVersion"
+ - "iam:CreateRole"
+ - "iam:CreateServiceLinkedRole"
+ - "iam:DeleteAccessKey"
+ - "iam:DeleteInstanceProfile"
+ - "iam:DeletePolicy"
+ - "iam:DeletePolicyVersion"
+ - "iam:DeleteRole"
+ - "iam:DeleteRolePolicy"
+ - "iam:DeleteServiceLinkedRole"
+ - "iam:DetachRolePolicy"
+ - "iam:GenerateServiceLastAccessedDetails"
+ - "iam:Get*"
+ - "iam:List*"
+ - "iam:PassRole"
+ - "iam:PutRolePolicy"
+ - "iam:RemoveRoleFromInstanceProfile"
+ - "iam:TagRole"
+ - "iam:UpdateAccessKey"
+ - "iam:UpdateAssumeRolePolicy"
+ - "iam:UpdateRoleDescription"
+ - "kms:*"
+ - "logs:*"
+ - "route53:*"
+ - "route53domains:*"
+ - "route53resolver:*"
+ - "s3:*"
+ - "sts:AssumeRole"
+ - "sts:DecodeAuthorizationMessage"
+ - "sts:GetFederationToken"
+ - "support:*"
+ - "trustedadvisor:*"
+ - "sqs:*"
+ - "iam:CreateOpenIDConnectProvider"
+ - "iam:DeleteOpenIDConnectProvider"
+ - "iam:TagOpenIDConnectProvider"
+ - "iam:UntagOpenIDConnectProvider"
+ - "iam:UpdateOpenIDConnectProviderThumbprint"
+ - "iam:RemoveClientIDFromOpenIDConnectProvider"
+ - "iam:AddClientIDToOpenIDConnectProvider"
+ Resource: "*"
+ Roles:
+ - !Ref GiantSwarmAdminRole
+
+Outputs:
+ GiantSwarmAdminRoleArn:
+ Description: "The ARN of the IAM role"
+ Value: !GetAtt GiantSwarmAdminRole.Arn
diff --git a/admin-role/iam-giantswarm-cp.tf b/admin-role/iam-giantswarm-cp.tf
index 04d1a97..8b11890 100644
--- a/admin-role/iam-giantswarm-cp.tf
+++ b/admin-role/iam-giantswarm-cp.tf
@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-admin" {
 principals {
 type = "AWS"
- identifiers = var.principal_arns_giantswarm_root_account
+ identifiers = "arn:aws:iam::084190472784:root"
 }
 actions = ["sts:AssumeRole"]
diff --git a/admin-role/variables.tf b/admin-role/variables.tf
index 7988dea..cb7c981 100644
--- a/admin-role/variables.tf
+++ b/admin-role/variables.tf
@@ -1,9 +1,3 @@
-variable "principal_arns_giantswarm_root_account" {
- type = list(string)
- description = "ARNs of accounts, groups, or users with the ability to assume this role."
- default =["arn:aws:iam::084190472784:root"]
-}
- variable "admin_role_name" { - type = string - default = "GiantSwarmAdmin"
diff --git a/aws-operator-role/iam-giantswarm.tf b/aws-operator-role/iam-giantswarm.tf
deleted file mode 100644
index c12f139..0000000
--- a/aws-operator-role/iam-giantswarm.tf
+++ /dev/null
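Review bot: The trust policy of GiantSwarmAdminRole names the whole account root (`AWS: "arn:aws:iam::084190472784:root"`), so any principal in that account that is allowed sts:AssumeRole can take a role whose inline policy grants `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` on `Resource: "*"`, effectively full administration of the target account, and the template gives the account owner no way to narrow that. The Terraform module next to it used to expose the principal as `principal_arns_giantswarm_root_account`, which this same commit removes; a `TrustedPrincipalArn` parameter defaulting to the root ARN keeps the one-click path unchanged while letting owners pin the trust to a specific role or user, and a `Description` on the role makes its break-glass purpose visible in the console. `AdminRoleName` is also passed straight into `RoleName` without `AllowedPattern`/`MaxLength`, so an invalid name only fails at stack creation instead of at parameter entry.
```yaml
Parameters:
  AdminRoleName:
    Type: String
    Default: "GiantSwarmAdmin"
    AllowedPattern: "[\\w+=,.@-]+"
    MaxLength: 64
  TrustedPrincipalArn:
    Type: String
    Default: "arn:aws:iam::084190472784:root"
    Description: "Principal allowed to assume the admin role; narrow to a specific role or user ARN if required."
# … unchanged: Resources / GiantSwarmAdminRole / Type / Properties / RoleName …
      Description: "Role assumed by Giant Swarm staff to operate the infrastructure created by their automation in case of failures."
# … unchanged: AssumeRolePolicyDocument / Version / Statement / Effect …
            Principal:
              AWS: !Ref TrustedPrincipalArn
# … unchanged: Action, GiantSwarmAdminPolicy and Outputs …
```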
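Review bot: The new `identifiers = "arn:aws:iam::084190472784:root"` assigns a plain string, but `identifiers` inside the `principals` block of `aws_iam_policy_document` is a list of strings, so `terraform plan` will reject the module; it should read `identifiers = ["arn:aws:iam::084190472784:root"]`. The diffstat lists a two-line change to capa-controller-role/giantswarm-capa-role.tf that is outside this view; if it hard-codes the principal the same way it needs the same brackets. Dropping `principal_arns_giantswarm_root_account` also removes the only knob an account owner had to narrow the trust below the whole Giant Swarm account; if that is intended it deserves a sentence in the README, otherwise keeping the variable with the root ARN as its default preserves both. The enclosing `data` block starts and ends outside the hunk.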
@@ -1,34 +0,0 @@
-locals {
- operator_role_name = "GiantSwarmAWSOperator"
-}
-
-resource "aws_iam_policy" "giantswarm-aws-operator" {
- name = local.operator_role_name
- policy = templatefile("${path.module}/iam-policy.json", {
- account_id = "${var.target_account_id}"
- arn_prefix = "${var.arn_prefix}"
- })
-}
-
-resource "aws_iam_role" "giantswarm-aws-operator" {
- name = local.operator_role_name
- assume_role_policy = data.aws_iam_policy_document.giantswarm-aws-operator.json
-}
-
-resource "aws_iam_role_policy_attachment" "giantswarm-aws-operator" {
- role = aws_iam_role.giantswarm-aws-operator.name
- policy_arn = aws_iam_policy.giantswarm-aws-operator.arn
-}
-
-data "aws_iam_policy_document" "giantswarm-aws-operator" {
- statement {
- effect = "Allow"
-
- principals {
- type = "AWS"
- identifiers = ["${var.arn_prefix}:iam::${var.main_account_id}:user/${var.operator_user_name}"]
- }
-
- actions = ["sts:AssumeRole"]
- }
-}
diff --git a/aws-operator-role/iam-policy.json b/aws-operator-role/iam-policy.json
deleted file mode 100644
index 96b1686..0000000
--- a/aws-operator-role/iam-policy.json
+++ /dev/null
@@ -1,193 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "autoscaling:*",
- "cloudformation:*",
- "ec2:*",
- "elasticloadbalancing:*",
- "iam:AddRoleToInstanceProfile",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile",
- "iam:CreateOpenIDConnectProvider",
- "iam:DeleteOpenIDConnectProvider",
- "iam:ListOpenIDConnectProviderTags",
- "iam:TagOpenIDConnectProvider",
- "iam:UntagOpenIDConnectProvider",
- "iam:ListOpenIDConnectProviders",
- "iam:GetOpenIDConnectProvider",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:RemoveClientIDFromOpenIDConnectProvider",
- "iam:AddClientIDToOpenIDConnectProvider",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteInstanceProfile",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:GetAccount*",
- "iam:GetInstanceProfile",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetServiceLinkedRoleDeletionStatus",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListAttachedUserPolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicies",
- "iam:ListRolePolicies",
- "iam:ListRoles",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:TagRole",
- "iam:ListRoleTags",
- "iam:UntagRole",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRoleDescription",
- "kms:*",
- "logs:*",
- "route53:*",
- "route53resolver:*",
- "sts:AssumeRole",
- "sts:DecodeAuthorizationMessage",
- "sts:GetFederationToken",
- "servicequotas:*",
- "support:*",
- "trustedadvisor:*",
- "ssm:GetParameter"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "sqs:*"
- ],
- "Resource": "${arn_prefix}:sqs:*:${account_id}:*-g8s-*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "events:*"
- ],
- "Resource": "${arn_prefix}:events:*:${account_id}:*-g8s-*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:DeleteObject",
- "s3:GetBucketLogging",
- "s3:GetObject",
- "s3:ListBucket",
- "s3:PutBucketAcl",
- "s3:PutBucketLogging",
- "s3:PutBucketTagging",
- "s3:PutObjectAcl",
- "s3:PutObject",
- "s3:PutBucketPolicy",
- "s3:PutBucketPublicAccessBlock",
- "s3:PutEncryptionConfiguration",
- "s3:PutLifecycleConfiguration",
- "s3:PutBucketOwnershipControls"
- ],
- "Resource": "${arn_prefix}:s3:::*-g8s-*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:CreateRole",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "${arn_prefix}:iam::${account_id}:role/*-EC2-K8S-Role",
- "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
- "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role",
- "${arn_prefix}:iam::${account_id}:role/*-vpc-peer-access",
- "${arn_prefix}:iam::${account_id}:role/gs-*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
- ],
- "Resource": [
- "${arn_prefix}:iam::${account_id}:instance-profile/*-EC2-K8S-Role",
- "${arn_prefix}:iam::${account_id}:instance-profile/gs-*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:ListRoleTags",
- "iam:TagRole"
- ],
- "Resource": [
- "${arn_prefix}:iam::${account_id}:role/gs-*",
- "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
- "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": "${arn_prefix}:iam::${account_id}:role/aws-service-role/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:GetCloudFrontOriginAccessIdentity",
- "cloudfront:CreateCloudFrontOriginAccessIdentity",
- "cloudfront:DeleteCloudFrontOriginAccessIdentity",
- "cloudfront:GetDistribution",
- "cloudfront:CreateDistribution",
- "cloudfront:UpdateDistribution",
- "cloudfront:DeleteDistribution",
- "cloudfront:ListDistributions",
- "cloudfront:ListTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "acm:RequestCertificate",
- "acm:AddTagsToCertificate",
- "acm:DescribeCertificate",
- "acm:ListCertificates",
- "acm:DeleteCertificate"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/aws-operator-role/outputs.tf b/aws-operator-role/outputs.tf
deleted file mode 100644
index b3c083e..0000000
--- a/aws-operator-role/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "aws-operator-role" {
- value = aws_iam_role.giantswarm-aws-operator.arn
-}
diff --git a/aws-operator-role/variables.tf b/aws-operator-role/variables.tf
deleted file mode 100644
index 9b0b8dc..0000000
--- a/aws-operator-role/variables.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-variable "arn_prefix" {
- type = string
- description = "AWS ARN prefix which is different for CN regions (arn:aws-cn)"
- default = "arn:aws"
-}
-
-variable "main_account_id" {
- type = string
- description = "AWS account ID of the control plane account"
-}
-
-variable "target_account_id" {
- type = string
- description = "AWS account ID of the tenant or the control plane account"
-}
-
-variable "operator_user_name" {
- type = string
- default = "GiantSwarmAWSOperator"
- description = "Name of the aws-operator user in the main account which can assume the role"
-}
diff --git a/aws-operator-user/iam-giantswarm-cp.tf b/aws-operator-user/iam-giantswarm-cp.tf
deleted file mode 100644
index 09b88d2..0000000
--- a/aws-operator-user/iam-giantswarm-cp.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-resource "aws_iam_user" "giantswarm-aws-operator" {
- name = "GiantSwarmAWSOperator"
-}
-
-resource "aws_iam_policy" "giantswarm-policy" {
- name = "GiantSwarmUserAWSOperator"
- policy = file("${path.module}/iam-policy.json")
-}
-
-resource "aws_iam_user_policy_attachment" "giantswarm-aws-operator-user" {
- user = aws_iam_user.giantswarm-aws-operator.name
- policy_arn = aws_iam_policy.giantswarm-policy.arn
-}
-
-resource "aws_iam_access_key" "giantswarm-aws-operator-user" {
- user = aws_iam_user.giantswarm-aws-operator.name
-}
diff --git a/aws-operator-user/iam-policy.json b/aws-operator-user/iam-policy.json
deleted file mode 100644
index ced30c1..0000000
--- a/aws-operator-user/iam-policy.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "autoscaling:*",
- "cloudformation:*",
- "cloudwatch:*",
- "dynamodb:*",
- "ec2:*",
- "ecr:*",
- "elasticloadbalancing:*",
- "events:*",
- "iam:AddRoleToInstanceProfile",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteInstanceProfile",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:GetAccount*",
- "iam:GetInstanceProfile",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetServiceLinkedRoleDeletionStatus",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListAttachedUserPolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicies",
- "iam:ListRolePolicies",
- "iam:ListRoles",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:UpdateAssumeRolePolicy",
- "iam:TagRole",
- "iam:UpdateRoleDescription",
- "kms:*",
- "logs:*",
- "route53:*",
- "route53domains:*",
- "s3:*",
- "sts:AssumeRole",
- "sts:DecodeAuthorizationMessage",
- "sts:GetFederationToken",
- "servicequotas:*",
- "support:*",
- "trustedadvisor:*",
- "iam:CreateOpenIDConnectProvider",
- "iam:DeleteOpenIDConnectProvider",
- "iam:ListOpenIDConnectProviderTags",
- "iam:TagOpenIDConnectProvider",
- "iam:UntagOpenIDConnectProvider",
- "iam:ListOpenIDConnectProviders",
- "iam:GetOpenIDConnectProvider",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:RemoveClientIDFromOpenIDConnectProvider",
- "iam:AddClientIDToOpenIDConnectProvider"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/aws-operator-user/outputs.tf b/aws-operator-user/outputs.tf
deleted file mode 100644
index 3055391..0000000
--- a/aws-operator-user/outputs.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-output "user-access-key-id" {
- value = "${aws_iam_access_key.giantswarm-aws-operator-user.id}"
-}
-
-output "user-access-key-secret" {
- value = "${aws_iam_access_key.giantswarm-aws-operator-user.secret}"
- sensitive = true
-}
diff --git a/capa-controller-role/README.md b/capa-controller-role/README.md
deleted file mode 100644
index c23c68a..0000000
--- a/capa-controller-role/README.md
+++ /dev/null
@@ -1,72 +0,0 @@ -# Cluster API AWS provider role -If you don't know what the `INSTALLATION_NAME` value is supposed to be, ask Giant Swarm staff and they will provide it. - -## with aws cli -### requirements -- `awscli` installed -- `envsubst` tool -- `jq` installed -- working AWS credentials set to the desired target account -- located on the `capa-controller-role` directory of this git repo -- user `${INSTALLATION}-capa-controller` created in GiantSwarm account `084190472784` - -### commands to execute -``` -export INSTALLATION_NAME=test -export ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller" -# for china replace this with proper AWS China account, for AWS Global leave this as it is for all cases -export AWS_ACCOUNT=084190472784 - -envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json -aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json -rm -f ${INSTALLATION_NAME}-trusted-entities.json - -CAPA_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-capa-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://capa-controller-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${CAPA_POLICY_ARN}" - -DNS_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-dns-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://dns-controller-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${DNS_POLICY_ARN}" - -EKS_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-eks-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document 
file://eks-controller-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${EKS_POLICY_ARN}" - -IAM_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-iam-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://iam-controller-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${IAM_POLICY_ARN}" - -IRSA_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-irsa-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://irsa-operator-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${IRSA_POLICY_ARN}" - -NETWORK_TOPOLOGY_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-network-topology-controller-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://network-topology-operator-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${NETWORK_TOPOLOGY_POLICY_ARN}" - -RESOLVER_RULES_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-resolver-rule-operator-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://resolver-rules-operator-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${RESOLVER_RULES_POLICY_ARN}" - -MC_BOOTSTRAP_POLICY_ARN=$(aws iam create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-mc-bootstrap-policy" --description "Giant Swarm managed policy for k8s cluster cleanup" --policy-document file://mc-bootstrap-policy.json | jq -r '.Policy.Arn') -aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${MC_BOOTSTRAP_POLICY_ARN}" - -CROSSPLANE_ARN=$(aws iam 
create-policy --policy-name "giantswarm-${INSTALLATION_NAME}-crossplane-policy" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://crossplane-policy.json | jq -r '.Policy.Arn')
-aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${CROSSPLANE_ARN}"
-```
-
-### for cleanup execute
-```
-export INSTALLATION_NAME=test
-chmod +x cleanup.sh
-./cleanup.sh
-```
-
-## with terraform
-### requirements
-- `terraform` installed
-- working AWS credentials set to the desired target account
-- AWS region has to be set either via aws profile or via env `AWS_REGION`
-
-### adjust `variables.tf`
-- `principal_arns_giantswarm_root_account` - can be adjusted to be more strict and specify user which will assume the role - ie `arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller`
-
-### execute
-```
-terraform init .
-terraform apply -var="installation_name=test"
-```
diff --git a/capa-controller-role/cleanup.sh b/capa-controller-role/cleanup.sh
old mode 100644
new mode 100755
index 24ea96b..7d191d6
--- a/capa-controller-role/cleanup.sh
+++ b/capa-controller-role/cleanup.sh
@@ -10,7 +10,7 @@ NC='\033[0m'
 ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
 AWS_ACCOUNT_ID="$(aws sts get-caller-identity --output text --query 'Account')"
-POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-controller" "resolver-rule-operator" "network-topology-controller" "mc-bootstrap" "crossplane")
+POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
 POL_ARN_PREFIX="arn:aws:iam::${AWS_ACCOUNT_ID}:policy"
 function echo_fail_or_success {
diff --git a/capa-controller-role/cloud-formation-template.yaml b/capa-controller-role/cloud-formation-template.yaml
new file mode 100644
index 0000000..c725140
--- /dev/null
+++ b/capa-controller-role/cloud-formation-template.yaml
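Review bot: The renamed entries in `POL_TYPES` (`irsa-operator`, `resolver-rules-operator`, `network-topology-operator`) no longer match the policy names the deleted README told users to create, `giantswarm-${INSTALLATION_NAME}-irsa-controller-policy`, `-network-topology-controller-policy` and `-resolver-rule-operator-policy`, so on an account bootstrapped before this change the cleanup will not find those three policies and, presumably, leave them attached to the role. The rename looks meant to line up with the new setup.sh (added in this commit but outside this view) and the JSON file basenames; keeping both spellings in the array, e.g. `POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-controller" "irsa-operator" "resolver-rule-operator" "resolver-rules-operator" "network-topology-controller" "network-topology-operator" "mc-bootstrap" "crossplane")`, or documenting the migration in the README, would cover existing installations. On the context side `AWS_ACCOUNT_ID="$(aws sts get-caller-identity ...)"` has no error check, so with missing credentials `POL_ARN_PREFIX` silently becomes `arn:aws:iam:::policy`; that predates this change but is worth an `|| exit 1`. The rest of the script continues outside the hunk.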
@@ -0,0 +1,484 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: CloudFormation template for bootstrapping the CAPA controller role in your AWS account. + +Parameters: + InstallationName: + Type: String + Description: "The name of the management cluster." + ManagementClusterAccountID: + Type: String + Description: "The AWS account ID of the management cluster." + +Resources: + GiantSwarmCapaControllerRole: + Type: "AWS::IAM::Role" + Properties: + RoleName: !Sub "giantswarm-${InstallationName}-capa-controller" + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: "Allow" + Principal: + AWS: !Sub "arn:aws:iam::${ManagementClusterAccountID}:user/${InstallationName}-capa-controller" + Action: "sts:AssumeRole" + + GiantSwarmCapaControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-capa-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "ec2:AllocateAddress" + - "ec2:AssociateRouteTable" + - "ec2:AssociateVpcCidrBlock" + - "ec2:AttachInternetGateway" + - "ec2:AuthorizeSecurityGroupIngress" + - "ec2:CreateInternetGateway" + - "ec2:CreateNatGateway" + - "ec2:CreateRoute" + - "ec2:CreateRouteTable" + - "ec2:CreateSecurityGroup" + - "ec2:CreateSubnet" + - "ec2:CreateTags" + - "ec2:CreateVpc" + - "ec2:CreateVpcEndpoint" + - "ec2:ModifyVpcAttribute" + - "ec2:ModifyVpcEndpoint" + - "ec2:DeleteInternetGateway" + - "ec2:DeleteNatGateway" + - "ec2:DeleteNetworkInterface" + - "ec2:DeleteRouteTable" + - "ec2:DeleteSecurityGroup" + - "ec2:DeleteSubnet" + - "ec2:DeleteTags" + - "ec2:DeleteVpc" + - "ec2:DeleteVpcEndpoints" + - "ec2:DetachNetworkInterface" + - "ec2:DescribeAccountAttributes" + - "ec2:DescribeAddresses" + - "ec2:DescribeAvailabilityZones" + - "ec2:DescribeInstances" + - "ec2:DescribeInstanceTypes" + - "ec2:DescribeInternetGateways" + - "ec2:DescribeImages" + - "ec2:DescribeNatGateways" + - "ec2:DescribeNetworkInterfaces" + - 
"ec2:DescribeNetworkInterfaceAttribute" + - "ec2:DescribeRouteTables" + - "ec2:DescribeSecurityGroups" + - "ec2:DescribeSecurityGroupRules" + - "ec2:DescribeSubnets" + - "ec2:DescribeVpcs" + - "ec2:DescribeVpcAttribute" + - "ec2:DescribeVpcEndpoints" + - "ec2:DescribeVolumes" + - "ec2:DetachInternetGateway" + - "ec2:DisassociateRouteTable" + - "ec2:DisassociateAddress" + - "ec2:DisassociateVpcCidrBlock" + - "ec2:ModifyInstanceAttribute" + - "ec2:ModifyNetworkInterfaceAttribute" + - "ec2:ModifySubnetAttribute" + - "ec2:ReleaseAddress" + - "ec2:RevokeSecurityGroupIngress" + - "ec2:RevokeSecurityGroupEgress" + - "ec2:RunInstances" + - "ec2:TerminateInstances" + - "tag:GetResources" + - "elasticloadbalancing:*" + - "autoscaling:DescribeAutoScalingGroups" + - "autoscaling:DescribeInstanceRefreshes" + - "autoscaling:SuspendProcesses" + - "autoscaling:DescribeAutoScalingInstances" + - "autoscaling:TerminateInstanceInAutoScalingGroup" + - "ec2:CreateLaunchTemplate" + - "ec2:CreateLaunchTemplateVersion" + - "ec2:DescribeLaunchTemplates" + - "ec2:DescribeLaunchTemplateVersions" + - "ec2:DeleteLaunchTemplate" + - "ec2:DeleteLaunchTemplateVersions" + - "s3:CreateBucket" + - "s3:DeleteBucket" + - "s3:GetObject" + - "s3:PutObject" + - "s3:DeleteObject" + - "s3:PutBucketPolicy" + - "s3:ListBucket" + - "s3:PutBucketAcl" + - "s3:PutLifecycleConfiguration" + - "s3:PutBucketOwnershipControls" + - "s3:PutBucketTagging" + Resource: "*" + - Effect: "Allow" + Action: + - "autoscaling:CreateAutoScalingGroup" + - "autoscaling:UpdateAutoScalingGroup" + - "autoscaling:CreateOrUpdateTags" + - "autoscaling:StartInstanceRefresh" + - "autoscaling:DeleteAutoScalingGroup" + - "autoscaling:DeleteTags" + Resource: "arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*" + - Effect: "Allow" + Action: + - "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" + Condition: + StringLike: + "iam:AWSServiceName": 
"autoscaling.amazonaws.com" + - Effect: "Allow" + Action: + - "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing" + Condition: + StringLike: + "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" + - Effect: "Allow" + Action: + - "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot" + Condition: + StringLike: + "iam:AWSServiceName": "spot.amazonaws.com" + - Effect: "Allow" + Action: + - "iam:PassRole" + Resource: "arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io" + - Effect: "Allow" + Action: + - "secretsmanager:CreateSecret" + - "secretsmanager:DeleteSecret" + - "secretsmanager:TagResource" + Resource: "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*" + - Effect: "Allow" + Action: + - "iam:ListOpenIDConnectProviders" + - "iam:CreateOpenIDConnectProvider" + - "iam:AddClientIDToOpenIDConnectProvider" + - "iam:UpdateOpenIDConnectProviderThumbprint" + - "iam:DeleteOpenIDConnectProvider" + Resource: "*" + - Effect: "Allow" + Action: + - "events:DeleteRule" + - "events:DescribeRule" + - "events:ListTargetsByRule" + - "events:PutRule" + - "events:PutTargets" + - "events:RemoveTargets" + - "sqs:CreateQueue" + - "sqs:DeleteMessage" + - "sqs:DeleteQueue" + - "sqs:GetQueueAttributes" + - "sqs:GetQueueUrl" + - "sqs:ReceiveMessage" + - "sqs:SetQueueAttributes" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmDNSControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-dns-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "route53:*" + - "route53domains:*" + - "route53resolver:*" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmCrossplanePolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub 
"giantswarm-${InstallationName}-crossplane-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "ec2:AuthorizeSecurityGroupEgress" + - "ec2:AuthorizeSecurityGroupIngress" + - "ec2:CreateSecurityGroup" + - "ec2:DeleteSecurityGroup" + - "ec2:DescribeSecurityGroupRules" + - "ec2:DescribeSecurityGroups" + - "ec2:RevokeSecurityGroupEgress" + - "ec2:RevokeSecurityGroupIngress" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmEKSControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-eks-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "ssm:GetParameter" + Resource: "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*" + - Effect: "Allow" + Action: "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS" + Condition: + StringLike: + "iam:AWSServiceName": "eks.amazonaws.com" + - Effect: "Allow" + Action: "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup" + Condition: + StringLike: + "iam:AWSServiceName": "eks-nodegroup.amazonaws.com" + - Effect: "Allow" + Action: "iam:CreateServiceLinkedRole" + Resource: "arn:*:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate" + Condition: + StringLike: + "iam:AWSServiceName": "eks-fargate.amazonaws.com" + - Effect: "Allow" + Action: + - "iam:GetRole" + - "iam:ListAttachedRolePolicies" + Resource: "arn:*:iam::*:role/*" + - Effect: "Allow" + Action: "iam:GetPolicy" + Resource: + - "arn:*:iam::*:policy/AmazonEKSClusterPolicy" + - "arn:*:iam::*:policy/AmazonEKSWorkerNodePolicy" + - "arn:*:iam::*:policy/AmazonEKS_CNI_Policy" + - "arn:*:iam::*:policy/AmazonEC2ContainerRegistryReadOnly" + - "arn:*:iam::*:policy/AmazonEKSClusterPolicy" + - Effect: "Allow" + 
Action: + - "eks:DescribeCluster" + - "eks:ListClusters" + - "eks:CreateCluster" + - "eks:TagResource" + - "eks:UpdateClusterVersion" + - "eks:DeleteCluster" + - "eks:UpdateClusterConfig" + - "eks:UntagResource" + - "eks:UpdateNodegroupVersion" + - "eks:DescribeNodegroup" + - "eks:DeleteNodegroup" + - "eks:UpdateNodegroupConfig" + - "eks:CreateNodegroup" + - "eks:AssociateEncryptionConfig" + - "eks:ListIdentityProviderConfigs" + - "eks:AssociateIdentityProviderConfig" + - "eks:DescribeIdentityProviderConfig" + - "eks:DisassociateIdentityProviderConfig" + Resource: + - "arn:*:eks:*:*:cluster/*" + - "arn:*:eks:*:*:nodegroup/*/*/*" + - Effect: "Allow" + Action: + - "ec2:AssociateVpcCidrBlock" + - "ec2:DisassociateVpcCidrBlock" + - "eks:ListAddons" + - "eks:CreateAddon" + - "eks:DescribeAddonVersions" + - "eks:DescribeAddon" + - "eks:DeleteAddon" + - "eks:UpdateAddon" + - "eks:TagResource" + - "eks:DescribeFargateProfile" + - "eks:CreateFargateProfile" + - "eks:DeleteFargateProfile" + - "eks:ListIdentityProviderConfigs" + - "eks:DescribeIdentityProviderConfig" + Resource: "*" + - Effect: "Allow" + Action: "iam:PassRole" + Resource: "*" + Condition: + StringEquals: + "iam:PassedToService": "eks.amazonaws.com" + - Effect: "Allow" + Action: + - "kms:CreateGrant" + - "kms:DescribeKey" + Resource: "*" + Condition: + ForAnyValue:StringLike: + "kms:ResourceAliases": "alias/cluster-api-provider-aws-*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmIAMControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-iam-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "iam:GetRole" + - "iam:ListAttachedRolePolicies" + - "iam:DetachRolePolicy" + - "iam:DeleteRole" + - "iam:CreateRole" + - "iam:TagRole" + - "iam:AttachRolePolicy" + - "iam:PutRolePolicy" + - "iam:ListRolePolicies" + - "iam:DeleteRolePolicy" + - "iam:*" + Resource: "arn:*:iam::*:role/*" + - Effect: 
"Allow" + Action: + - "iam:CreateInstanceProfile" + - "iam:AddRoleToInstanceProfile" + - "iam:RemoveRoleFromInstanceProfile" + - "iam:DeleteInstanceProfile" + - "iam:*" + Resource: "arn:*:iam::*:instance-profile/*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmIRSAControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-irsa-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "iam:CreateOpenIDConnectProvider" + - "iam:DeleteOpenIDConnectProvider" + - "iam:ListOpenIDConnectProviderTags" + - "iam:TagOpenIDConnectProvider" + - "iam:UntagOpenIDConnectProvider" + - "iam:ListOpenIDConnectProviders" + - "iam:GetOpenIDConnectProvider" + - "iam:UpdateOpenIDConnectProviderThumbprint" + - "iam:RemoveClientIDFromOpenIDConnectProvider" + - "iam:AddClientIDToOpenIDConnectProvider" + - "cloudfront:TagResource" + - "cloudfront:UntagResource" + - "cloudfront:GetCloudFrontOriginAccessIdentity" + - "cloudfront:CreateCloudFrontOriginAccessIdentity" + - "cloudfront:DeleteCloudFrontOriginAccessIdentity" + - "cloudfront:GetDistribution" + - "cloudfront:CreateDistribution" + - "cloudfront:UpdateDistribution" + - "cloudfront:DeleteDistribution" + - "cloudfront:ListDistributions" + - "cloudfront:ListTagsForResource" + Resource: "*" + - Effect: "Allow" + Action: + - "s3:CreateBucket" + - "s3:DeleteBucket" + - "s3:DeleteObject" + - "s3:GetBucketLogging" + - "s3:GetObject" + - "s3:ListBucket" + - "s3:PutBucketAcl" + - "s3:PutBucketLogging" + - "s3:PutBucketOwnershipControls" + - "s3:PutBucketTagging" + - "s3:PutObjectAcl" + - "s3:PutObject" + - "s3:PutBucketPolicy" + - "s3:PutBucketPublicAccessBlock" + - "s3:PutEncryptionConfiguration" + - "s3:PutLifecycleConfiguration" + - "s3:PutObjectAcl" + Resource: "arn:*:s3:::*-g8s-*" + - Effect: "Allow" + Action: + - "acm:RequestCertificate" + - "acm:AddTagsToCertificate" + - "acm:DescribeCertificate" + - "acm:ListCertificates" + - 
"acm:DeleteCertificate" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmMCBootstrapPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-mc-bootstrap-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "ec2:DeleteVolume" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmNetworkTopologyControllerPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-network-topology-controller-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "ec2:CreateTags" + - "ec2:DeleteTags" + - "ec2:DescribeTransitGateways" + - "ec2:DescribeTransitGatewayVpcAttachments" + - "ec2:DescribeTransitGatewayAttachments" + - "ec2:CreateTransitGateway" + - "ec2:CreateTransitGatewayVpcAttachment" + - "ec2:DeleteTransitGateway" + - "ec2:DeleteTransitGatewayVpcAttachment" + - "ec2:CreateManagedPrefixList" + - "ec2:DescribeManagedPrefixLists" + - "ec2:ModifyManagedPrefixList" + - "ec2:GetManagedPrefixListEntries" + - "ec2:DeleteRoute" + - "ec2:CreateRoute" + - "ec2:DescribeRouteTables" + - "sns:Publish" + Resource: "*" + Roles: + - !Ref GiantSwarmCapaControllerRole + + GiantSwarmResolverRulesOperatorPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyName: !Sub "giantswarm-${InstallationName}-resolver-rules-operator-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "ec2:CreateSecurityGroup" + - "ec2:DeleteSecurityGroup" + - "ec2:DescribeSecurityGroups" + - "ec2:DescribeSecurityGroupRules" + - "ec2:RevokeSecurityGroupIngress" + - "ec2:AuthorizeSecurityGroupIngress" + - "ram:*" + - "sts:AssumeRole" + - "route53resolver:*" + - "ec2:CreateNetworkInterface" + - "ec2:DescribeNetworkInterfaces" + - "ec2:DescribeAvailabilityZones" + - "ec2:DeleteNetworkInterface" + - "ec2:DescribeSubnets" + Resource: "*" + Roles: + - !Ref 
GiantSwarmCapaControllerRole + +Outputs: + GiantSwarmCapaControllerRoleArn: + Description: "The ARN of the IAM role for the CAPA controller" + Value: !GetAtt GiantSwarmCapaControllerRole.Arn diff --git a/capa-controller-role/giantswarm-capa-role.tf b/capa-controller-role/giantswarm-capa-role.tf index 0d13be6..866f747 100644 --- a/capa-controller-role/giantswarm-capa-role.tf +++ b/capa-controller-role/giantswarm-capa-role.tf @@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-capa-controller" { principals { type = "AWS" - identifiers = var.principal_arns_giantswarm_root_account + identifiers = "arn:aws:iam::${var.management_cluster_account_id}:user/${var.installation_name}-capa-controller" } actions = ["sts:AssumeRole"] diff --git a/capa-controller-role/setup.sh b/capa-controller-role/setup.sh new file mode 100755 index 0000000..c277375 --- /dev/null +++ b/capa-controller-role/setup.sh 
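Review bot: GiantSwarmIAMControllerPolicy grants `iam:*` on `arn:*:iam::*:role/*` and `arn:*:iam::*:instance-profile/*`, which subsumes every action enumerated above it and lets the controller principal call e.g. iam:UpdateAssumeRolePolicy or iam:PutRolePolicy on any role in the account (the capa-controller role itself included), so despite the policy name this is account-wide IAM administration rather than a scoped controller grant. I would drop both `- "iam:*"` entries and narrow the two Resource ARNs to the name pattern the IAM controller actually creates (the CAPA policy already restricts PassRole to `arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io`); if a wildcard is genuinely needed, a comment next to it saying why belongs in the template. The same question applies, less urgently, to `sts:AssumeRole` on Resource `*` in GiantSwarmResolverRulesOperatorPolicy and to `route53domains:*`, which covers domain registration and transfer. ManagementClusterAccountID is interpolated straight into the trust policy principal, so `AllowedPattern: '^[0-9]{12}$'` on that parameter would make a mistyped account ID fail at stack creation rather than silently producing an odd principal.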
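Review bot: `identifiers` in an `aws_iam_policy_document` principals block takes a set of strings, and the new line assigns a bare string, so `terraform validate`/`plan` should reject it with an inappropriate-value error; wrap it in a list: `identifiers = ["arn:aws:iam::${var.management_cluster_account_id}:user/${var.installation_name}-capa-controller"]`. The trust statement itself is a tightening over the previous root-account default and looks right once it is a list. The enclosing `data "aws_iam_policy_document"` block starts above this hunk.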
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -u
+
+BLUE='\033[0;34m'
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
+POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
+
+function echo_fail_or_success {
+ s=$1
+ if [ "$s" != 0 ]; then
+ echo -e "${RED} failed${NC}. Please review the required permissions and try again."
+ else
+ echo -e "${GREEN} success${NC}"
+ fi
+}
+
+function create_role {
+ export AWS_ACCOUNT="$(aws sts get-caller-identity --output text --query 'Account')"
+ envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json
+ aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json
+ rm -f ${INSTALLATION_NAME}-trusted-entities.json
+}
+
+function create_policy {
+ policy_arn=$(aws iam create-policy --policy-name $2 --description "Giant Swarm managed policy for k8s cluster creation" --policy-document file://$1-policy.json | jq -r '.Policy.Arn')
+ aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${policy_arn}"
+}
+
+export AWS_PAGER=""
+echo -n "|_ Creating the role ${ROLE_NAME}..."
+create_role
+echo_fail_or_success "$?"
+
+# Create policies
+for pol_type in ${POL_TYPES[@]}; do
+ pol_name="giantswarm-${INSTALLATION_NAME}-${pol_type}-policy"
+
+ echo -n "|_ Create policy ${pol_name}..."
+ create_policy "${pol_type}" "${pol_name}"
+ echo_fail_or_success "$?"
+done
+
+exit 0
diff --git a/capa-controller-role/variables.tf b/capa-controller-role/variables.tf
index 5d90c56..7783e54
--- a/capa-controller-role/variables.tf
+++ b/capa-controller-role/variables.tf
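Review bot: In `create_policy` the status that `echo_fail_or_success "$?"` reports is only that of `aws iam attach-role-policy`; if `aws iam create-policy` fails (policy already exists, `$1-policy.json` missing, no permission) the pipeline status is swallowed by the assignment (and without `set -o pipefail` it is jq's anyway), `policy_arn` ends up empty or the literal `null` that `jq -r` prints, and the attach then fails with an unrelated error that hides the real cause. I would split the assignment from its check and refuse to attach an empty/`null` ARN, as below; `$1`/`$2` should also be quoted. At the top, `: "${INSTALLATION_NAME:?must be set}"` gives a clearer failure than the bare unbound-variable message `set -u` produces. Note that the account `envsubst` injects is whatever `aws sts get-caller-identity` returns for the target account, so unlike the CloudFormation template there seems to be no way to name a separate management-cluster account here; worth confirming against `trusted-entities.json`, which is not in this diff.
```shell
function create_policy {
  local policy_arn
  policy_arn=$(aws iam create-policy --policy-name "$2" --description "Giant Swarm managed policy for k8s cluster creation" --policy-document "file://$1-policy.json" | jq -r '.Policy.Arn') || return 1
  # jq -r prints the string "null" when .Policy.Arn is absent; never attach that.
  if [[ -z "${policy_arn}" || "${policy_arn}" == "null" ]]; then
    return 1
  fi
  aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${policy_arn}"
}
```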
@@ -1,8 +1,6 @@ -variable "principal_arns_giantswarm_root_account" { - type = list(string) - description = "ARNs of accounts, groups, or users with the ability to assume this role." - # if you know installation name you can restrict this to 'arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller' - default = ["arn:aws:iam::084190472784:root"] +variable "management_cluster_account_id" { + type = string + description = "AWS account ID of the management cluster" } variable "installation_name" {
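Review bot: `management_cluster_account_id` is interpolated into the role's trust policy as the principal's account, but the new variable has no validation, so a mistyped ID only surfaces as an IAM error at apply time, and a wrong-but-existing ID would silently trust a different account. A `validation` block pinning it to twelve digits fails at plan time instead, as below. Replacing the old root-account default with a required, user-scoped principal is a good tightening and should stay.
```hcl
variable "management_cluster_account_id" {
  type        = string
  description = "AWS account ID of the management cluster"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.management_cluster_account_id))
    error_message = "management_cluster_account_id must be a 12-digit AWS account ID."
  }
}
```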