From f4ebeea15dbff475f20ca274664ce408ccffefaa Mon Sep 17 00:00:00 2001 
From: maxim Date: Tue, 26 Oct 2021 10:48:10 +0600 Subject: [PATCH 1/4] refactor: use aws-iam-eks-trusted module to create all roles used in k8s --- .github/CONTRIBUTING.md | 61 +---- README-RU.md | 131 +++------- .../layer1-aws/examples/aws-rds-postgresql.tf | 36 ++- terraform/layer2-k8s/eks-cert-manager.tf | 50 +++- .../layer2-k8s/eks-cluster-autoscaler.tf | 52 +++- terraform/layer2-k8s/eks-external-dns.tf | 51 +++- terraform/layer2-k8s/eks-external-secrets.tf | 39 ++- .../layer2-k8s/eks-kube-prometheus-stack.tf | 47 +++- .../examples/eks-elk-k8s-resources.tf | 38 ++- terraform/layer2-k8s/examples/eks-elk.tf | 40 ++- .../layer2-k8s/examples/eks-gitlab-runner.tf | 39 ++- .../examples/eks-mysql-backup-wp.tf | 36 ++- terraform/layer2-k8s/examples/eks-teamcity.tf | 29 ++- terraform/modules/aws-iam-autoscaler/iam.tf | 71 ------ .../modules/aws-iam-autoscaler/outputs.tf | 4 - .../modules/aws-iam-autoscaler/variables.tf | 18 -- .../iam.tf | 240 ------------------ .../outputs.tf | 4 - terraform/modules/aws-iam-ci/iam.tf | 50 ---- terraform/modules/aws-iam-ci/outputs.tf | 4 - terraform/modules/aws-iam-ci/variables.tf | 25 -- .../iam.tf => aws-iam-eks-trusted/main.tf} | 21 +- .../outputs.tf | 2 +- .../variables.tf | 6 +- .../modules/aws-iam-external-dns/main.tf | 65 ----- .../modules/aws-iam-external-dns/outputs.tf | 4 - .../modules/aws-iam-external-dns/variables.tf | 13 - terraform/modules/aws-iam-grafana/iam.tf | 61 ----- .../modules/aws-iam-grafana/variables.tf | 13 - .../modules/aws-iam-roles/admin-group.tf | 44 ---- terraform/modules/aws-iam-roles/main.tf | 1 - terraform/modules/aws-iam-roles/outputs.tf | 15 -- terraform/modules/aws-iam-s3/iam-role.tf | 66 ----- terraform/modules/aws-iam-s3/outputs.tf | 18 -- terraform/modules/aws-iam-s3/variables.tf | 42 --- terraform/modules/aws-iam-ssm/outputs.tf | 4 - terraform/modules/aws-iam-ssm/variables.tf | 23 -- .../iam-user.tf | 15 +- .../aws-iam-user-with-policy/outputs.tf | 14 + .../variables.tf | 6 +- 
.../eks-aws-loadbalancer-controller/main.tf | 221 +++++++++++++++- 41 files changed, 637 insertions(+), 1082 deletions(-) delete mode 100644 terraform/modules/aws-iam-autoscaler/iam.tf delete mode 100644 terraform/modules/aws-iam-autoscaler/outputs.tf delete mode 100644 terraform/modules/aws-iam-autoscaler/variables.tf delete mode 100644 terraform/modules/aws-iam-aws-loadbalancer-controller/iam.tf delete mode 100644 terraform/modules/aws-iam-aws-loadbalancer-controller/outputs.tf delete mode 100644 terraform/modules/aws-iam-ci/iam.tf delete mode 100644 terraform/modules/aws-iam-ci/outputs.tf delete mode 100644 terraform/modules/aws-iam-ci/variables.tf rename terraform/modules/{aws-iam-ssm/iam.tf => aws-iam-eks-trusted/main.tf} (62%) rename terraform/modules/{aws-iam-grafana => aws-iam-eks-trusted}/outputs.tf (58%) rename terraform/modules/{aws-iam-aws-loadbalancer-controller => aws-iam-eks-trusted}/variables.tf (62%) delete mode 100644 terraform/modules/aws-iam-external-dns/main.tf delete mode 100644 terraform/modules/aws-iam-external-dns/outputs.tf delete mode 100644 terraform/modules/aws-iam-external-dns/variables.tf delete mode 100644 terraform/modules/aws-iam-grafana/iam.tf delete mode 100644 terraform/modules/aws-iam-grafana/variables.tf delete mode 100644 terraform/modules/aws-iam-roles/admin-group.tf delete mode 100644 terraform/modules/aws-iam-roles/main.tf delete mode 100644 terraform/modules/aws-iam-roles/outputs.tf delete mode 100644 terraform/modules/aws-iam-s3/iam-role.tf delete mode 100644 terraform/modules/aws-iam-s3/outputs.tf delete mode 100644 terraform/modules/aws-iam-s3/variables.tf delete mode 100644 terraform/modules/aws-iam-ssm/outputs.tf delete mode 100644 terraform/modules/aws-iam-ssm/variables.tf rename terraform/modules/{aws-iam-s3 => aws-iam-user-with-policy}/iam-user.tf (70%) create mode 100644 terraform/modules/aws-iam-user-with-policy/outputs.tf rename terraform/modules/{aws-iam-roles => aws-iam-user-with-policy}/variables.tf (54%) 
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index c9df4308..8fd071c4 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -26,7 +26,7 @@ Please note we have a code of conduct, please follow it in all your interactions - [General configuration files](#general-configuration-files) - [Specific configuration files](#specific-configuration-files) - [Modules](#modules) - - [Project structure](#project-structure) + - [### Project structure](#-project-structure) ## Pull Request Process @@ -304,65 +304,6 @@ Examples: - `aws-ec2-pritunl` - module for creating pritunl ec2 instance ### Project structure - -``` -aws-eks-base - ┣ docker - ┣ examples - ┣ helm-charts - ┣ terraform - ┃ ┣ layer1-aws - ┃ ┃ ┣ examples - ┃ ┃ ┣ templates - ┃ ┃ ┣ aws-acm.tf - ┃ ┃ ┣ aws-eks.tf - ┃ ┃ ┣ aws-vpc.tf - ┃ ┃ ┣ locals.tf - ┃ ┃ ┣ main.tf - ┃ ┃ ┣ outputs.tf - ┃ ┃ ┣ providers.tf - ┃ ┃ ┗ variables.tf - ┃ ┣ layer2-k8s - ┃ ┃ ┣ examples - ┃ ┃ ┣ templates - ┃ ┃ ┣ eks-aws-node-termination-handler.tf - ┃ ┃ ┣ eks-cert-manager.tf - ┃ ┃ ┣ eks-certificate.tf - ┃ ┃ ┣ eks-cluster-autoscaler.tf - ┃ ┃ ┣ eks-cluster-issuer.tf - ┃ ┃ ┣ eks-external-dns.tf - ┃ ┃ ┣ eks-external-secrets.tf - ┃ ┃ ┣ eks-namespaces.tf - ┃ ┃ ┣ eks-network-policy.tf - ┃ ┃ ┣ eks-nginx-ingress-controller.tf - ┃ ┃ ┣ locals.tf - ┃ ┃ ┣ main.tf - ┃ ┃ ┣ outputs.tf - ┃ ┃ ┣ providers.tf - ┃ ┃ ┣ ssm-ps-secrets.tf - ┃ ┃ ┗ variables.tf - ┃ ┗ modules - ┃ ┃ ┣ aws-iam-alb-ingress-controller - ┃ ┃ ┣ aws-iam-autoscaler - ┃ ┃ ┣ aws-iam-ci - ┃ ┃ ┣ aws-iam-external-dns - ┃ ┃ ┣ aws-iam-grafana - ┃ ┃ ┣ aws-iam-roles - ┃ ┃ ┣ aws-iam-s3 - ┃ ┃ ┣ aws-iam-ssm - ┃ ┃ ┣ eks-rbac-ci - ┃ ┃ ┣ kubernetes-namespace - ┃ ┃ ┣ kubernetes-network-policy-namespace - ┃ ┃ ┣ pritunl - ┃ ┃ ┗ self-signed-certificate - ┣ .editorconfig - ┣ .gitignore - ┣ .gitlab-ci.yml - ┣ .pre-commit-config.yaml - ┣ README.md - ┗ README_OLD.md -``` - --- | FILE / DIRECTORY| DESCRIPTION | diff --git a/README-RU.md b/README-RU.md index 4853fdac..750795f2 100644 
--- a/README-RU.md +++ b/README-RU.md 
@@ -42,39 +42,45 @@ ## Оглавление -- [Архитектурная схема](#архитектурная-схема) -- [Стоимость текущей инфры](#стоимость-текущей-инфры) -- [Структура неймспейсов в K8S кластере](#структура-неймспейсов-в-k8s-кластере) -- [Необходимый инструментарий](#необходимый-инструментарий) -- [Полезные экстеншены VSCode](#полезные-экстеншены-vscode) -- [AWS аккаунт](#aws-аккаунт) - - [Настройки IAM](#настройки-iam) - - [Настройка awscli](#настройка-awscli) -- [Как использовать этот репо](#как-использовать-этот-репо) - - [Подготовка](#подготовка) - - [S3 state backend](#s3-state-backend) - - [Секреты](#секреты) - - [Домен и SSL](#домен-и-ssl) - - [Работа с terraform](#работа-с-terraform) - - [init](#init) - - [plan](#plan) - - [apply](#apply) - - [terragrunt](#terragrunt) -- [Что делать после деплоя](#что-делать-после-деплоя) - - [examples](#examples) -- [Coding conventions](#coding-conventions) - - [Имена и подходы используемые в коде](#имена-и-подходы-используемые-в-коде) - - [Базовое имя проекта](#базовое-имя-проекта) - - [Формирование уникального префикса имен ресурсов](#формирование-уникального-префикса-имен-ресурсов) - - [Разделители](#разделители) - - [Формирование имен ресурсов](#формирование-имен-ресурсов) - - [Формирование имен переменных](#формирование-имен-переменных) - - [Формирование имен вывода данных](#формирование-имен-вывода-данных) - - [Название файлов, директорий и модулей терраформа](#название-файлов-директорий-и-модулей-терраформа) - - [Общие конфигурационные файлы](#общие-конфигурационные-файлы) - - [Специфичные конфигурационные файлы](#специфичные-конфигурационные-файлы) - - [Модули](#модули) - - [Структура проекта](#структура-проекта) +- [Бойлерплейт базовой AWS инфраструктуры c EKS-кластером](#бойлерплейт-базовой-aws-инфраструктуры-c-eks-кластером) + - [Преимущества этого бойлерплейта](#преимущества-этого-бойлерплейта) + - [Причины использовать этот бойлерплейт](#причины-использовать-этот-бойлерплейт) + - [Описание](#описание) + - 
[Оглавление](#оглавление) + - [Архитектурная схема](#архитектурная-схема) + - [Стоимость текущей инфры](#стоимость-текущей-инфры) + - [Структура неймспейсов в K8S кластере](#структура-неймспейсов-в-k8s-кластере) + - [Необходимый инструментарий](#необходимый-инструментарий) + - [Полезные экстеншены VSCode](#полезные-экстеншены-vscode) + - [AWS аккаунт](#aws-аккаунт) + - [Настройки IAM](#настройки-iam) + - [Настройка awscli](#настройка-awscli) + - [Как использовать этот репо](#как-использовать-этот-репо) + - [Подготовка](#подготовка) + - [S3 state backend](#s3-state-backend) + - [Входные данные](#входные-данные) + - [Секреты](#секреты) + - [Домен и SSL](#домен-и-ssl) + - [Работа с terraform](#работа-с-terraform) + - [init](#init) + - [plan](#plan) + - [apply](#apply) + - [terragrunt](#terragrunt) + - [Что делать после деплоя](#что-делать-после-деплоя) + - [examples](#examples) + - [Coding conventions](#coding-conventions) + - [Имена и подходы, используемые в коде](#имена-и-подходы-используемые-в-коде) + - [Базовое имя проекта](#базовое-имя-проекта) + - [Формирование уникального префикса имен ресурсов](#формирование-уникального-префикса-имен-ресурсов) + - [Разделители](#разделители) + - [Формирование имен ресурсов](#формирование-имен-ресурсов) + - [Формирование имен переменных](#формирование-имен-переменных) + - [Формирование имен вывода данных](#формирование-имен-вывода-данных) + - [Название файлов, директорий и модулей терраформа](#название-файлов-директорий-и-модулей-терраформа) + - [Общие конфигурационные файлы](#общие-конфигурационные-файлы) + - [Специфичные конфигурационные файлы](#специфичные-конфигурационные-файлы) + - [Модули](#модули) + - [### Структура проекта](#-структура-проекта) ## Архитектурная схема 
@@ -575,65 +581,6 @@ locals { - `aws-ec2-pritunl` - модуль для создания pritunl ec2 инстанса ### Структура проекта - -``` -aws-eks-base - ┣ docker - ┣ examples - ┣ helm-charts - ┣ terraform - ┃ ┣ layer1-aws - ┃ ┃ ┣ examples - ┃ ┃ ┣ templates - ┃ ┃ ┣ aws-acm.tf - ┃ ┃ ┣ aws-eks.tf - ┃ ┃ ┣ aws-vpc.tf - ┃ ┃ ┣ locals.tf - ┃ ┃ ┣ main.tf - ┃ ┃ ┣ outputs.tf - ┃ ┃ ┣ providers.tf - ┃ ┃ ┗ variables.tf - ┃ ┣ layer2-k8s - ┃ ┃ ┣ examples - ┃ ┃ ┣ templates - ┃ ┃ ┣ eks-aws-node-termination-handler.tf - ┃ ┃ ┣ eks-cert-manager.tf - ┃ ┃ ┣ eks-certificate.tf - ┃ ┃ ┣ eks-cluster-autoscaler.tf - ┃ ┃ ┣ eks-cluster-issuer.tf - ┃ ┃ ┣ eks-external-dns.tf - ┃ ┃ ┣ eks-external-secrets.tf - ┃ ┃ ┣ eks-namespaces.tf - ┃ ┃ ┣ eks-network-policy.tf - ┃ ┃ ┣ eks-nginx-ingress-controller.tf - ┃ ┃ ┣ locals.tf - ┃ ┃ ┣ main.tf - ┃ ┃ ┣ outputs.tf - ┃ ┃ ┣ providers.tf - ┃ ┃ ┣ ssm-ps-secrets.tf - ┃ ┃ ┗ variables.tf - ┃ ┗ modules - ┃ ┃ ┣ aws-iam-alb-ingress-controller - ┃ ┃ ┣ aws-iam-autoscaler - ┃ ┃ ┣ aws-iam-ci - ┃ ┃ ┣ aws-iam-external-dns - ┃ ┃ ┣ aws-iam-grafana - ┃ ┃ ┣ aws-iam-roles - ┃ ┃ ┣ aws-iam-s3 - ┃ ┃ ┣ aws-iam-ssm - ┃ ┃ ┣ eks-rbac-ci - ┃ ┃ ┣ kubernetes-namespace - ┃ ┃ ┣ kubernetes-network-policy-namespace - ┃ ┃ ┣ pritunl - ┃ ┃ ┗ self-signed-certificate - ┣ .editorconfig - ┣ .gitignore - ┣ .gitlab-ci.yml - ┣ .pre-commit-config.yaml - ┣ README.md - ┗ README_OLD.md -``` - --- | FILE / DIRECTORY| DESCRIPTION | diff --git a/terraform/layer1-aws/examples/aws-rds-postgresql.tf b/terraform/layer1-aws/examples/aws-rds-postgresql.tf index b1ff08ce..0d4a7ef7 100644 --- a/terraform/layer1-aws/examples/aws-rds-postgresql.tf +++ b/terraform/layer1-aws/examples/aws-rds-postgresql.tf 
@@ -139,11 +139,37 @@ resource "aws_s3_bucket_public_access_block" "rds_backups" { module "aws_iam_rds_backups" { source = "../modules/aws-iam-s3" - name = "${local.name}-rds-backups" - region = var.region - bucket_names = [aws_s3_bucket.rds_backups.id] - oidc_provider_arn = module.eks.oidc_provider_arn - create_user = true + name = "${local.name}-rds-backups" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + "s3:ListBucketVersions" + ], + "Resource" : [ + "arn:aws:s3:::${aws_s3_bucket.rds_backups.id}" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource" : [ + "arn:aws:s3:::${aws_s3_bucket.rds_backups.id}/*" + ] + } + ] + }) } module "ssm" { diff --git a/terraform/layer2-k8s/eks-cert-manager.tf b/terraform/layer2-k8s/eks-cert-manager.tf index a98b59a2..198473c3 100644 --- a/terraform/layer2-k8s/eks-cert-manager.tf +++ b/terraform/layer2-k8s/eks-cert-manager.tf @@ -1,12 +1,3 @@ -#tfsec:ignore:aws-iam-no-policy-wildcards -module "aws_iam_cert_manager" { - source = "../modules/aws-iam-external-dns" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn -} - data "template_file" "cert_manager" { template = file("${path.module}/templates/cert-manager-values.yaml") 
@@ -34,3 +25,44 @@ resource "kubernetes_namespace" "certmanager" { name = "certmanager" } } + +#tfsec:ignore:aws-iam-no-policy-wildcards +module "aws_iam_cert_manager" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-certmanager" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : "route53:GetChange", + "Resource" : "arn:aws:route53:::change/*" + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets" + ], + "Resource" : [ + "arn:aws:route53:::hostedzone/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ListHostedZones" + ], + "Resource" : ["*"] + }, + { + "Effect" : "Allow", + "Action" : "route53:ListHostedZonesByName", + "Resource" : "*" + } + ] + }) +} diff --git a/terraform/layer2-k8s/eks-cluster-autoscaler.tf b/terraform/layer2-k8s/eks-cluster-autoscaler.tf index 1ebd2f84..7594290b 100644 --- a/terraform/layer2-k8s/eks-cluster-autoscaler.tf +++ b/terraform/layer2-k8s/eks-cluster-autoscaler.tf @@ -1,13 +1,3 @@ -#tfsec:ignore:aws-iam-no-policy-wildcards -module "aws_iam_autoscaler" { - source = "../modules/aws-iam-autoscaler" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn - eks_cluster_id = local.eks_cluster_id -} - data "template_file" "cluster_autoscaler" { template = file("${path.module}/templates/cluster-autoscaler-values.yaml") 
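Review bot: `ChangeResourceRecordSets` in the new `aws_iam_cert_manager` policy is allowed on `arn:aws:route53:::hostedzone/*`, so the cert-manager service account can rewrite records in every hosted zone in the account, not only the zone it solves DNS-01 challenges in. Now that each component carries its own inline policy this is the natural place to narrow it: take the zone id(s) as an input and write `"Resource" : [for z in local.cert_manager_zone_ids : "arn:aws:route53:::hostedzone/${z}"]`, keeping `"*"` only for the two `List*` statements that require it. The `aws-iam-eks-trusted` module body is not in this diff, so also confirm its trust policy conditions the OIDC `sub` claim on the cert-manager namespace and service account rather than only `aud`; otherwise any pod in the cluster with a projected token could assume this role. If managing all zones is the intended default, add a line above the `#tfsec:ignore` such as `# cert-manager may change records in any hosted zone; narrow hostedzone/* before production use` so the suppression is self-explaining.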
@@ -33,3 +23,45 @@ resource "helm_release" "cluster_autoscaler" { depends_on = [helm_release.prometheus_operator] } + +#tfsec:ignore:aws-iam-no-policy-wildcards +module "aws_iam_autoscaler" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-autoscaler" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "clusterAutoscalerAll", + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeLaunchTemplateVersions", + "autoscaling:DescribeTags", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeAutoScalingGroups", + ], + "Resource" : "*" + }, + { + "Sid" : "clusterAutoscalerOwn", + "Effect" : "Allow", + "Action" : [ + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "autoscaling:SetDesiredCapacity", + ], + "Resource" : "*", + "Condition" : { + "StringEquals" : { + "autoscaling:ResourceTag/kubernetes.io/cluster/${local.eks_cluster_id}" : ["owned"], + "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled" : ["true"] + } + } + } + ] + }) +} diff --git a/terraform/layer2-k8s/eks-external-dns.tf b/terraform/layer2-k8s/eks-external-dns.tf index 6eae20fe..f7a4f436 100644 --- a/terraform/layer2-k8s/eks-external-dns.tf +++ b/terraform/layer2-k8s/eks-external-dns.tf @@ -1,12 +1,3 @@ -#tfsec:ignore:aws-iam-no-policy-wildcards -module "aws_iam_external_dns" { - source = "../modules/aws-iam-external-dns" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn -} - data "template_file" "external_dns" { template = file("${path.module}/templates/external-dns.yaml") @@ -18,7 +9,6 @@ data "template_file" "external_dns" { } } - resource "helm_release" "external_dns" { name = "external-dns" chart = "external-dns" 
@@ -31,3 +21,44 @@ resource "helm_release" "external_dns" { data.template_file.external_dns.rendered, ] } + +#tfsec:ignore:aws-iam-no-policy-wildcards +module "aws_iam_external_dns" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-external-dns" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : "route53:GetChange", + "Resource" : "arn:aws:route53:::change/*" + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets" + ], + "Resource" : [ + "arn:aws:route53:::hostedzone/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ListHostedZones" + ], + "Resource" : ["*"] + }, + { + "Effect" : "Allow", + "Action" : "route53:ListHostedZonesByName", + "Resource" : "*" + } + ] + }) +} diff --git a/terraform/layer2-k8s/eks-external-secrets.tf b/terraform/layer2-k8s/eks-external-secrets.tf index 128e4d0a..f6f479dd 100644 --- a/terraform/layer2-k8s/eks-external-secrets.tf +++ b/terraform/layer2-k8s/eks-external-secrets.tf @@ -1,12 +1,3 @@ -#tfsec:ignore:aws-iam-no-policy-wildcards -module "aws_iam_external_secrets" { - source = "../modules/aws-iam-ssm" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn -} - data "template_file" "external_secrets" { template = file("${path.module}/templates/external-secrets-values.yaml") 
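Review bot: The Route53 statements in `aws_iam_external_dns` are identical to the cert-manager policy added earlier in this commit and carry the same exposure: `ChangeResourceRecordSets` on `hostedzone/*` lets external-dns write to any zone in the account. Scope `Resource` to the zone(s) external-dns actually manages, or at least lift the shared statement list into one local (e.g. `local.route53_dns_statements`) referenced by both modules so it is narrowed in a single place later. The README tfsec row cites the upstream tutorial policy as justification; that policy is a starting point, not a least-privilege target, and since it is now inlined per component there is no longer a module boundary forcing the wildcard.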
@@ -39,15 +30,21 @@ resource "helm_release" "reloader" { max_history = var.helm_release_history_size } -#module "aws_iam_wp_external_secrets" { -# source = "../modules/aws-iam-ssm" -# -# name = local.name -# region = local.region -# oidc_provider_arn = local.eks_oidc_provider_arn -# resources = ["arn:aws:ssm:${local.region}:${data.aws_caller_identity.current.account_id}:parameter/wp/*"] -#} -# -#output wordpress_external_secrets_role_arn { -# value = module.aws_iam_wp_external_secrets.role_arn -#} +#tfsec:ignore:aws-iam-no-policy-wildcards +module "aws_iam_external_secrets" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-ext-secrets" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : "ssm:GetParameter", + "Resource" : "*" + } + ] + }) +} diff --git a/terraform/layer2-k8s/eks-kube-prometheus-stack.tf b/terraform/layer2-k8s/eks-kube-prometheus-stack.tf index a972cc84..07bcac43 100644 --- a/terraform/layer2-k8s/eks-kube-prometheus-stack.tf +++ b/terraform/layer2-k8s/eks-kube-prometheus-stack.tf @@ -26,14 +26,6 @@ resource "random_string" "grafana_password" { special = true } -module "aws_iam_grafana" { - source = "../modules/aws-iam-grafana" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn -} - resource "helm_release" "prometheus_operator" { name = "kube-prometheus-stack" chart = "kube-prometheus-stack" 
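Review bot: `aws_iam_external_secrets` hard-codes `"Resource" : "*"` for `ssm:GetParameter`, so the external-secrets service account can read every parameter in the account, whereas the commented-out block removed in this hunk shows the old `aws-iam-ssm` module accepted a `resources` list that could pin it to a path like `parameter/wp/*`. Keep that knob: scope the statement to the project's parameter prefix, e.g. `"Resource" : "arn:aws:ssm:${local.region}:${data.aws_caller_identity.current.account_id}:parameter/${local.name}/*"` (the removed block references `data.aws_caller_identity.current`, so it presumably already exists in this layer), adjusting the path to whatever layer1 writes under. If any parameters are `SecureString` encrypted with a customer-managed KMS key the role will also need `kms:Decrypt` on that key, which is not visible here — worth confirming. The README justifies the wildcard as deliberate; the `#tfsec:ignore` line should carry that reason too, e.g. `# intentionally reads all SSM parameters; restrict Resource to the project prefix in production`.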
@@ -48,6 +40,45 @@ resource "helm_release" "prometheus_operator" { ] } +module "aws_iam_grafana" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-grafana" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AllowReadingMetricsFromCloudWatch", + "Effect" : "Allow", + "Action" : [ + "cloudwatch:ListMetrics", + "cloudwatch:GetMetricStatistics", + "cloudwatch:GetMetricData" + ], + "Resource" : "*" + }, + { + "Sid" : "AllowReadingTagsInstancesRegionsFromEC2", + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeTags", + "ec2:DescribeInstances", + "ec2:DescribeRegions" + ], + "Resource" : "*" + }, + { + "Sid" : "AllowReadingResourcesForTags", + "Effect" : "Allow", + "Action" : "tag:GetResources", + "Resource" : "*" + } + ] + }) +} + output "grafana_domain_name" { value = local.grafana_domain_name description = "Grafana dashboards address" diff --git a/terraform/layer2-k8s/examples/eks-elk-k8s-resources.tf b/terraform/layer2-k8s/examples/eks-elk-k8s-resources.tf index 579bcb18..8a970d21 100644 --- a/terraform/layer2-k8s/examples/eks-elk-k8s-resources.tf +++ b/terraform/layer2-k8s/examples/eks-elk-k8s-resources.tf 
@@ -71,11 +71,37 @@ resource "random_string" "elasticsearch_password" { } module "aws_iam_elastic_stack" { - source = "../modules/aws-iam-s3" + source = "../modules/aws-iam-user-with-policy" - name = "${local.name}-elk" - region = local.region - bucket_names = [local.elastic_stack_bucket_name] - oidc_provider_arn = local.eks_oidc_provider_arn - create_user = true + name = "${local.name}-elk" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + "s3:ListBucketVersions" + ], + "Resource" : [ + "arn:aws:s3:::${local.elastic_stack_bucket_name}" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource" : [ + "arn:aws:s3:::${local.elastic_stack_bucket_name}/*" + ] + } + ] + }) } diff --git a/terraform/layer2-k8s/examples/eks-elk.tf b/terraform/layer2-k8s/examples/eks-elk.tf index a900fe67..6013a224 100644 --- a/terraform/layer2-k8s/examples/eks-elk.tf +++ b/terraform/layer2-k8s/examples/eks-elk.tf 
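Review bot: `aws_iam_elastic_stack` now uses `aws-iam-user-with-policy`, which — judging by the rename of `aws-iam-s3/iam-user.tf` and the dropped `oidc_provider_arn` argument — creates only an IAM user with long-lived access keys, so the OIDC-trusted role the old `aws-iam-s3` module apparently provided alongside it is gone. For a workload running in the cluster, the `aws-iam-eks-trusted` module introduced in this same commit yields short-lived credentials with nothing to store or rotate, and the policy body can be passed unchanged by adding `region = local.region` and `oidc_provider_arn = local.eks_oidc_provider_arn`. If a static user is genuinely required (for instance because the snapshot client cannot use web-identity tokens — not verifiable from this diff), a comment above the module should say so and note where the key lands (Terraform state, and presumably a Kubernetes secret as in the WordPress backup example). The same trade-off applies to the `eks-elk.tf`, `eks-mysql-backup-wp.tf` and layer1 `aws-rds-postgresql.tf` callers in this commit.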
@@ -125,13 +125,39 @@ resource "random_string" "kibana_password" { } module "aws_iam_elastic_stack" { - source = "../modules/aws-iam-s3" - - name = "${local.name}-elk" - region = local.region - bucket_names = [local.elastic_stack_bucket_name] - oidc_provider_arn = local.eks_oidc_provider_arn - create_user = true + source = "../modules/aws-iam-user-with-policy" + + name = "${local.name}-elk" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + "s3:ListBucketVersions" + ], + "Resource" : [ + "arn:aws:s3:::${local.elastic_stack_bucket_name}" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource" : [ + "arn:aws:s3:::${local.elastic_stack_bucket_name}/*" + ] + } + ] + }) } output "kibana_domain_name" { diff --git a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf index ebf7000b..763ba669 100644 --- a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf +++ b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf @@ -13,16 +13,6 @@ locals { } -module "aws_iam_gitlab_runner" { - source = "../modules/aws-iam-ci" - - name = local.name - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn - eks_cluster_id = local.eks_cluster_id - s3_bucket_name = local.gitlab_runner_cache_bucket_name -} - module "eks_rbac_gitlab_runner" { source = "../modules/eks-rbac-ci" 
@@ -45,5 +35,32 @@ resource "helm_release" "gitlab_runner" { ] } +module "aws_iam_gitlab_runner" { + source = "../modules/aws-iam-eks-trusted" - + name = "${local.name}-ci" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "ecr:*", + ], + "Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:*" + ], + "Resource" : [ + "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}", + "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}/*" + ] + } + ] + }) +} diff --git a/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf b/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf index 16ea526b..ee513847 100644 --- a/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf +++ b/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf @@ -1,11 +1,37 @@ module "aws_iam_wp_buckup_s3" { - source = "../modules/aws-iam-s3" + source = "../modules/aws-iam-user-with-policy" name = "${local.name}-rds-wp" - region = local.region - bucket_names = [local.wp_db_backup_bucket] - oidc_provider_arn = local.eks_oidc_provider_arn - create_user = true + policy = policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + "s3:ListBucketVersions" + ], + "Resource" : [ + "arn:aws:s3:::${local.wp_db_backup_bucket}" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource" : [ + "arn:aws:s3:::${local.wp_db_backup_bucket}/*" + ] + } + ] + }) } resource "kubernetes_secret" "wp_backup_s3" { diff --git a/terraform/layer2-k8s/examples/eks-teamcity.tf b/terraform/layer2-k8s/examples/eks-teamcity.tf index af198a8e..9a66d4e5 100644 --- a/terraform/layer2-k8s/examples/eks-teamcity.tf 
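Review bot: The inline `aws_iam_gitlab_runner` policy grants `ecr:*` on every resource and `s3:*` on the cache bucket, far more than a runner that pushes images and reads/writes cache objects needs: `ecr:*` includes `ecr:DeleteRepository`, `ecr:SetRepositoryPolicy` and `ecr:PutImage` into any repository, and `s3:*` on the bucket ARN includes `s3:PutBucketPolicy` and `s3:DeleteBucket`. A CI runner executes pipeline code from every project that uses it, so whatever this role can do is reachable by anyone who can push a branch. Narrow it to the push/pull actions on the project's repositories (only `ecr:GetAuthorizationToken` must stay on `"*"`) and to object-level actions on the cache bucket, as the S3 examples elsewhere in this commit already do; the sketch below assumes `data.aws_caller_identity.current` exists in this layer (the removed comment in `eks-external-secrets.tf` references it) and that repositories are named under `${local.name}/` — adjust to the real naming. Unlike the sibling modules there is no `#tfsec:ignore` above this one, so either the examples directory is excluded from the scan or this wildcard will start failing CI.
```hcl
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "ecr:GetAuthorizationToken",
        "Resource" : "*"
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer",
          "ecr:InitiateLayerUpload",
          "ecr:UploadLayerPart",
          "ecr:CompleteLayerUpload",
          "ecr:PutImage"
        ],
        "Resource" : "arn:aws:ecr:${local.region}:${data.aws_caller_identity.current.account_id}:repository/${local.name}/*"
      },
      {
        "Effect" : "Allow",
        "Action" : ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource" : "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}"
      },
      {
        "Effect" : "Allow",
        "Action" : ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource" : "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}/*"
      }
    ]
  })
```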
+++ b/terraform/layer2-k8s/examples/eks-teamcity.tf @@ -2,15 +2,6 @@ locals { teamcity_domain_name = "teamcity-${local.domain_suffix}" } -module "aws_iam_teamcity" { - source = "../modules/aws-iam-ci" - - name = "${local.name}-teamcity" - region = local.region - oidc_provider_arn = local.eks_oidc_provider_arn - eks_cluster_id = local.eks_cluster_id -} - module "eks_rbac_teamcity" { source = "../modules/eks-rbac-ci" @@ -64,6 +55,26 @@ resource "kubernetes_storage_class" "teamcity" { } } +module "aws_iam_teamcity" { + source = "../modules/aws-iam-eks-trusted" + + name = "${local.name}-teamcity" + region = local.region + oidc_provider_arn = local.eks_oidc_provider_arn + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "ecr:*", + ], + "Resource" : "*" + } + ] + }) +} + output "teamcity_domain_name" { value = local.teamcity_domain_name description = "Teamcity server" diff --git a/terraform/modules/aws-iam-autoscaler/iam.tf b/terraform/modules/aws-iam-autoscaler/iam.tf deleted file mode 100644 index b9142108..00000000 --- a/terraform/modules/aws-iam-autoscaler/iam.tf +++ /dev/null @@ -1,71 +0,0 @@ -resource "aws_iam_role" "this" { - name_prefix = "${var.name}-autoscaler" - assume_role_policy = < Date: Tue, 26 Oct 2021 10:52:31 +0600 Subject: [PATCH 2/4] fix terraform fmt complains --- terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf b/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf index ee513847..3deeade2 100644 --- a/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf +++ b/terraform/layer2-k8s/examples/eks-mysql-backup-wp.tf 
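Review bot: `aws_iam_teamcity` gets `ecr:*` on `"*"`, the same blanket ECR grant as the GitLab runner, and the removed `aws-iam-ci` call passed `eks_cluster_id`, which the new inline policy never uses — so either the old module scoped something to the cluster that was silently dropped, or that input was dead; the deleted module body is not in this view, so confirm which. For a build agent, restrict ECR to push/pull actions on the project's repository ARNs and keep only `ecr:GetAuthorizationToken` on `"*"`. If TeamCity genuinely needs repository administration, record the reason above the statement, e.g. `# ecr:* kept on purpose: <reason>; narrow to push/pull before production use`.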
@@ -1,8 +1,8 @@
 module "aws_iam_wp_buckup_s3" {
 source = "../modules/aws-iam-user-with-policy"
 
- name = "${local.name}-rds-wp"
- policy = policy = jsonencode({
+ name = "${local.name}-rds-wp"
+ policy = jsonencode({
 "Version" : "2012-10-17",
 "Statement" : [
 {
From 6c804f24178b38aa668fd1c08649bcd29a8744d0 Mon Sep 17 00:00:00 2001 From: maxim Date: Tue, 26 Oct 2021 11:19:47 +0600 Subject: [PATCH 3/4] fix documentation related to tfsec (README.md) --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 305ed79f..7d331f62 100644
--- a/README.md
+++ b/README.md
@@ -481,16 +481,16 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec | layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | | layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | | layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | -| modules/aws-iam-ssm/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets:data.aws_iam_policy_document.this' defines a policy with wildcarded resources. | We use aws-iam-ssm module for external-secrets and grant it access to all secrets. | -| modules/aws-iam-autoscaler/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler:data.aws_iam_policy_document.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. 
| +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | | modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-ingress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.deny-all' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | | modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.deny-all' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | | kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.allow-from-this' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | | modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.allow-from-ns[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/aws-iam-aws-loadbalancer-controller/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended 
[policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | | layer2-k8s/locals.tf | general-secrets-sensitive-in-local | Local 'locals.' includes a potentially sensitive value which is defined within the project | tfsec complains on helm_repo_external_secrets url because it contains the word *secret* | -| modules/aws-iam-external-dns/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) -| modules/aws-iam-external-dns/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | ## Contributing From 65be586916c23fd00c973d6ad169ab385a4fc7b9 Mon Sep 17 00:00:00 2001 From: maxim Date: Tue, 26 Oct 2021 11:51:37 +0600 Subject: [PATCH 4/4] fix module path for module.aws_iam_rds_backups --- terraform/layer1-aws/examples/aws-rds-postgresql.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/layer1-aws/examples/aws-rds-postgresql.tf b/terraform/layer1-aws/examples/aws-rds-postgresql.tf
index 0d4a7ef7..a200f0f2 100644
--- a/terraform/layer1-aws/examples/aws-rds-postgresql.tf
+++ b/terraform/layer1-aws/examples/aws-rds-postgresql.tf
@@ -137,7 +137,7 @@ resource "aws_s3_bucket_public_access_block" "rds_backups" {
 }
 
 module "aws_iam_rds_backups" {
- source = "../modules/aws-iam-s3"
+ source = "../modules/aws-iam-user-with-policy"
 
 name = "${local.name}-rds-backups"
 policy = jsonencode({