AWS CN #129

Merged
merged 4 commits into from
Nov 26, 2024
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Add support for removing some IAM permissions from the capa controller role in BYOVPC installations.
- CAPA role CloudFormation template: switch from inline to managed policies for the CAPA IAM role.
- Add CAPA permissions for ASG lifecycle hooks
- Add support for AWS China
- Add support for custom GS staff account

## [4.2.0] - 2024-09-04

2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -112,6 +112,8 @@ export INSTALLATION_NAME=test
export MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN=irsa.test.gaws.gigantic.io
# Optional: only set to true if this installation is going to be used exclusively to create WCs on existing VPCs and subnets
# export BYOVPC=true
# Optional: only set this to aws-cn if the installation is in China
# export AWS_PARTITION=aws-cn
chmod +x setup.sh
./setup.sh
```
2 changes: 1 addition & 1 deletion admin-role/iam-giantswarm-cp.tf
Expand Up @@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-admin" {

principals {
type = "AWS"
identifiers = "arn:aws:iam::084190472784:root"
identifiers = "arn:aws:iam::${var.gs_user_account}:root"
}

actions = ["sts:AssumeRole"]
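Review bot: The partition in the new principal ARN on the `identifiers` line is still hard-coded as `aws`, so this trust policy cannot name a China-partition account even though the rest of the PR parameterizes the partition, and the admin-role module gets no `aws_partition` variable in this PR. If the admin role is also meant for aws-cn installations, take the partition from the provider instead of hard-coding it: `data "aws_partition" "current" {}` and `identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.gs_user_account}:root"]`. The `principals` block expects `identifiers` to be a list; the rendered line shows a bare string, which may be a rendering artefact but is worth checking against the file. The enclosing `aws_iam_policy_document` starts and ends outside the hunk.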
6 changes: 6 additions & 0 deletions admin-role/variables.tf
Expand Up @@ -2,3 +2,9 @@ variable "admin_role_name" {
type = string
default = "GiantSwarmAdmin"
}

variable "gs_user_account" {
type = string
description = "AWS account where GS staff users are located"
default = "084190472784"
}
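Review bot: `gs_user_account` has no `validation` block, yet its value becomes the `sts:AssumeRole` principal of the admin role, so a mistyped id either trusts the wrong account or fails only at apply time with an opaque error. Add a `validation` block under the default whose `condition` is `can(regex("^[0-9]{12}$", var.gs_user_account))` and whose `error_message` names the expected 12-digit account id format. The same applies to the `gs_user_account` variable added in capa-controller-role/variables.tf. The description should also say that this is the account whose principals are trusted to assume the role and that it must live in the same partition as the installation.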
4 changes: 3 additions & 1 deletion capa-controller-role/cleanup.sh
Expand Up @@ -9,9 +9,11 @@ NC='\033[0m'

ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
AWS_ACCOUNT_ID="$(aws sts get-caller-identity --output text --query 'Account')"
AWS_PARTITION=${AWS_PARTITION:-aws}
GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}

POL_TYPES=("capa-controller" "capa-controller-vpc" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
POL_ARN_PREFIX="arn:aws:iam::${AWS_ACCOUNT_ID}:policy"
POL_ARN_PREFIX="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy"

function echo_fail_or_success {
s=$1
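Review bot: `AWS_PARTITION` on the new default line is taken only from the environment with `aws` as the fallback, while `AWS_ACCOUNT_ID` on the line above is already read from the caller identity, so running the script against a China account without exporting `AWS_PARTITION` builds `POL_ARN_PREFIX` with the wrong partition. The caller-identity ARN already carries the partition, so the default can be derived from it: `AWS_PARTITION=${AWS_PARTITION:-$(aws sts get-caller-identity --output text --query 'Arn' | cut -d: -f2)}`. The same pattern is added in capa-controller-role/setup.sh. `GS_USER_ACCOUNT` is defined here but not used anywhere in the hunk; if cleanup.sh never consumes it the line can go, otherwise a short comment naming the consumer would help, e.g. `# GS_USER_ACCOUNT: account whose IAM user is trusted in the role's trust policy`.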
2 changes: 2 additions & 0 deletions capa-controller-role/giantswarm-capa-role.tf
Expand Up @@ -18,6 +18,8 @@ resource "aws_iam_role" "giantswarm-capa-controller-role" {
INSTALLATION_NAME = var.installation_name
AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id
MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN = var.management_cluster_oidc_provider_domain
AWS_PARTITION = var.aws_partition
GS_USER_ACCOUNT = var.gs_user_account
})
tags = local.tags
}
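Review bot: `AWS_PARTITION` passed to `templatefile` comes from `var.aws_partition`, whereas `AWS_ACCOUNT_ID` on the line above comes from `data.aws_caller_identity`, so the two can disagree whenever the variable is left at its default while applying against an aws-cn account. The AWS provider exposes the partition of the configured credentials via `data "aws_partition" "current" {}`; using `AWS_PARTITION = data.aws_partition.current.partition` here, and `data.aws_partition.current.partition` in place of `var.aws_partition` in the import ids of capa-controller-role/import.tf, rules the mismatch out without adding a variable. If the variable is kept for explicitness, a `validation` block restricting it to known partitions is the minimum. The enclosing `aws_iam_role` resource starts outside the hunk.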
36 changes: 18 additions & 18 deletions capa-controller-role/import.tf
Expand Up @@ -11,107 +11,107 @@ import {
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-capa-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-capa-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-dns-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-dns-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-eks-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-eks-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-iam-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-iam-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-irsa-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-irsa-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-network-topology-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-network-topology-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-resolver-rules-operator-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-resolver-rules-operator-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-mc-bootstrap-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-mc-bootstrap-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-crossplane-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-crossplane-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}
2 changes: 2 additions & 0 deletions capa-controller-role/setup.sh
Expand Up @@ -12,6 +12,8 @@ ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
TAGS="Key=installation,Value=${INSTALLATION_NAME}"
BYOVPC=${BYOVPC:-false}
AWS_PARTITION=${AWS_PARTITION:-aws}
GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}

if [ "$BYOVPC" == "false" ]; then
# This policy is not needed in BYO VPC installations
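Review bot: `GS_USER_ACCOUNT` on the new default line is presumably substituted into trusted-entities.json as the `sts:AssumeRole` principal (the substitution itself is outside the hunk), but nothing checks the value, so a typo in the environment variable produces a role that trusts an unintended account or fails at create time with an unhelpful error. Add a guard right after the default: `[[ "$GS_USER_ACCOUNT" =~ ^[0-9]{12}$ ]] || { echo "GS_USER_ACCOUNT must be a 12-digit AWS account id"; exit 1; }`. The README hunk documents `AWS_PARTITION` but not `GS_USER_ACCOUNT`, so the new variable should be listed there as well.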
4 changes: 2 additions & 2 deletions capa-controller-role/trusted-entities.json
Expand Up @@ -4,15 +4,15 @@
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
"AWS": "arn:${AWS_PARTITION}:iam::${GS_USER_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
},
"Action": "sts:AssumeRole",
"Condition": {}
},
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
"Federated": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
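Review bot: Both principals in the new lines are built with the same `${AWS_PARTITION}`, which is correct only if `${GS_USER_ACCOUNT}` is an account in the same partition as `${AWS_ACCOUNT_ID}`; IAM does not resolve principals across partitions, so the default GS account id cannot serve an aws-cn installation and the operator has to override both values together. That coupling is not stated anywhere in the PR; since JSON cannot carry comments, record it in the `gs_user_account` variable description and the README, e.g. `GS_USER_ACCOUNT must be an account in the same partition as the installation (a China account when AWS_PARTITION=aws-cn)`.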
12 changes: 12 additions & 0 deletions capa-controller-role/variables.tf
Expand Up @@ -3,6 +3,18 @@ variable "installation_name" {
description = "If you dont know what `installation_name` value is suppose to be, ask Giant Swarm staff and they will provide it."
}

variable "aws_partition" {
type = string
description = "AWS partition used for ARN referencing, use aws-cn for China regions"
default = "aws"
}

variable "gs_user_account" {
type = string
description = "AWS account where GS staff users are located"
default = "084190472784"
}

variable "management_cluster_oidc_provider_domain" {
type = string
description = "OIDC provider domain of the management cluster"
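Review bot: `aws_partition` accepts any string, and since it is spliced into every ARN in import.tf and into the trust policy, a value outside the known set is only caught at apply time. Add a `validation` block under the default with `condition = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)` and an `error_message` listing the accepted values. The description's hint "use aws-cn for China regions" is useful; it should add that the value must match the partition of the credentials Terraform runs with, otherwise the ARNs will not resolve.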