[EKS] separate iam(roles/policies) from eks module

.gitignore

@@ -77,3 +77,4 @@ terraform.rc
 /aws/packer/todo/todo
 *.tgz
 *.DS_Store
+*.plan

aws/lab/global/iam/eks-policies.tf

@@ -0,0 +1,20 @@
+################################################
+#   Node Group IAM role policies & attachments #
+################################################
+
+resource "aws_iam_role_policy_attachment" "eks_node_group_role_policy_attachment" {
+  for_each   = toset(var.node_group_role_policies)
+  policy_arn = each.value
+  role       = aws_iam_role.eks_node_group_iam_role.name
+}
+
+
+################################################
+#   Cluster IAM role policies & attachments    #
+################################################
+resource "aws_iam_role_policy_attachment" "eks_cluster_role_policy_attachment" {
+  for_each = toset(var.cluster_role_policies)
+
+  policy_arn = each.value
+  role       = aws_iam_role.cluster_iam_role.name
+}

aws/lab/global/iam/eks-roles.tf

@@ -0,0 +1,69 @@
+data "aws_partition" "current" {}
+
+locals {
+  tags = {
+    account     = var.app.account
+    project     = "infra"
+    application = "eks"
+    team        = "sre"
+  }
+}
+
+################################################
+#   IAM ROLE for self managed node groups      #
+################################################
+data "aws_iam_policy_document" "eks_node_group_assume_role_policy" {
+  statement {
+    sid     = "EKSNodeAssumeRole"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_node_group_iam_role" {
+  name                  = var.node_group_iam_role_name
+  description           = "eks ${var.app.account} self managed node group IAM role"
+  assume_role_policy    = data.aws_iam_policy_document.eks_node_group_assume_role_policy.json
+  force_detach_policies = true
+  tags                  = local.tags
+}
+
+resource "aws_iam_instance_profile" "eks_node_group_profile" {
+  role = aws_iam_role.eks_node_group_iam_role.name
+  name = var.node_group_iam_role_name
+  lifecycle {
+    create_before_destroy = true
+  }
+  tags = local.tags
+}
+
+################################################
+#   IAM ROLE for eks cluster                   #
+################################################
+data "aws_iam_policy_document" "eks_cluster_assume_role_policy" {
+
+  statement {
+    sid     = "EKSClusterAssumeRole"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "cluster_iam_role" {
+  name                  = var.cluster_iam_role_name
+  description           = "eks ${var.app.account} cluster IAM role"
+  assume_role_policy    = data.aws_iam_policy_document.eks_cluster_assume_role_policy.json
+  force_detach_policies = true
+  tags                  = local.tags
+}
+
+
+

aws/lab/global/iam/provider.tf

@@ -0,0 +1,23 @@
+terraform {
+
+  backend "s3" {
+    bucket         = "todo-tf-state-lab"
+    key            = "lab/us-east-2/global/iam.tf"
+    region         = "us-east-2"
+    encrypt        = true
+    kms_key_id     = "alias/todo-tf-state-key"
+    dynamodb_table = "todo-tf-state-lab"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 4.18.0"
+    }
+  }
+
+  required_version = "= 1.2.2"
+}
+
+provider "aws" {
+  region = var.app.region
+}

aws/lab/global/iam/variables.tf

@@ -0,0 +1,30 @@
+variable "app" {
+  default = {
+    account = "lab"
+    region  = "us-east-2"
+  }
+}
+
+variable "cluster_iam_role_name" {
+  default = "lab-eks-cluster-role"
+}
+
+variable "cluster_role_policies" {
+  default = [
+    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
+    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+  ]
+}
+
+variable "node_group_iam_role_name" {
+  default = "lab-eks-node-group-role"
+}
+
+variable "node_group_role_policies" {
+  default = [
+    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  ]
+}

aws/lab/global/route53/provider.tf

@@ -2,11 +2,23 @@ terraform {
 
   backend "s3" {
     bucket         = "todo-tf-state-lab"
-    key            = "lab/global/route53.tf"
+    key            = "lab/us-east-2/global/route53.tf"
     region         = "us-east-2"
     encrypt        = true
     kms_key_id     = "alias/todo-tf-state-key"
     dynamodb_table = "todo-tf-state-lab"
   }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 4.18.0"
+    }
+  }
+
   required_version = "= 1.2.2"
+}
+
+provider "aws" {
+  region = var.app.region
 }

aws/lab/global/route53/variables.tf

@@ -2,6 +2,7 @@ variable "app" {
   default = {
     environment = "dev"
     account     = "lab"
+    region      = "us-east-2"
   }
 }
 

aws/lab/us-east-2/dev/eks/cluster/node_groups.tf

@@ -1,18 +1,15 @@
 locals {
-
-  node_group_iam_role_name = "${var.app.account}-${var.app.environment}-eks-node-group-role"
-
   self_managed_node_groups = [
     {
-      name                         = "node_group_01"
-      platform                     = "bottlerocket"
-      instance_type                = "m5.large"
-      ami_id                       = data.aws_ami.eks_default_bottlerocket.id
-      asg_min_size                 = 1
-      asg_desired_capacity         = 2
-      asg_max_size                 = 3
-      key_name                     = aws_key_pair.this.key_name
-      bootstrap_extra_args         = <<-EOT
+      name                 = "node_group_01"
+      platform             = "bottlerocket"
+      instance_type        = "m5.large"
+      ami_id               = data.aws_ami.eks_default_bottlerocket.id
+      asg_min_size         = 1
+      asg_desired_capacity = 2
+      asg_max_size         = 3
+      key_name             = aws_key_pair.this.key_name
+      bootstrap_extra_args = <<-EOT
           # The admin host container provides SSH access and runs with "superpowers".
           # It is disabled by default, but can be disabled explicitly.
           [settings.host-containers.admin]
@@ -27,8 +24,6 @@ locals {
           [settings.kubernetes.node-labels]
           ingress = "allowed"
           EOT
-      iam_role_name                = local.node_group_iam_role_name
-      iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
     }
   ]
 }

aws/lab/us-east-2/dev/eks/cluster/variables.tf

@@ -2,6 +2,7 @@ variable "app" {
   default = {
     environment = "dev"
     account     = "lab"
+    id          = "{ACCOUNT_ID}FIXME"
     region      = "us-east-2"
   }
 }

aws/modules/eks/cluster/cloudwatch.tf

@@ -0,0 +1,20 @@
+resource "aws_cloudwatch_log_group" "eks_cluster_log_group" {
+  name              = "/aws/eks/${local.cluster_name}/cluster"
+  retention_in_days = 90
+  tags              = local.tags
+}
+
+resource "aws_iam_role_policy" "eks_cluster_cloudwatch_inline_policy" {
+  name = "${local.cluster_name}_cloudwatch_inline_policy"
+  role = data.aws_iam_role.cluster_iam_role.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action   = ["logs:CreateLogGroup"]
+        Effect   = "Deny"
+        Resource = aws_cloudwatch_log_group.eks_cluster_log_group.arn
+      },
+    ]
+  })
+}

aws/modules/eks/cluster/data-sources.tf

@@ -6,6 +6,14 @@ data "aws_vpc" "selected" {
   id = var.vpc_id
 }
 
+data "aws_iam_role" "cluster_iam_role" {
+  name = local.cluster_iam_role_name
+}
+
+data "aws_iam_instance_profile" "node_group_iam_instance_profile" {
+  name = local.node_group_iam_instance_profile_name
+}
+
 # This policy is required for the KMS key used for EKS root volumes, so the cluster is allowed to enc/dec/attach encrypted EBS volumes
 data "aws_iam_policy_document" "ebs" {
   # Copy of default KMS policy that lets you manage it

aws/modules/eks/cluster/kms.tf

@@ -1,13 +1,53 @@
 resource "aws_kms_key" "eks" {
-  description             = "EKS Secret Encryption Key"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-  tags                    = local.tags
+  description              = "EKS Secret Encryption Key"
+  policy                   = data.aws_iam_policy_document.eks.json
+  customer_master_key_spec = "SYMMETRIC_DEFAULT"
+  enable_key_rotation      = true
+  deletion_window_in_days  = 7
+  tags                     = local.tags
 }
 
-resource "aws_kms_key" "ebs" {
-  description             = "Customer managed key to encrypt self managed node group volumes"
-  deletion_window_in_days = 7
-  policy                  = data.aws_iam_policy_document.ebs.json
-  tags                    = local.tags
+resource "aws_kms_alias" "eks" {
+  name          = "alias/${var.app.account}-${var.app.environment}-eks"
+  target_key_id = aws_kms_key.eks.key_id
+}
+
+data "aws_iam_policy_document" "eks" {
+  statement {
+    sid       = "All access to root user"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.app.id}:root"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_encryption" {
+  policy_arn = aws_iam_policy.eks_cluster_encryption.arn
+  role       = data.aws_iam_role.cluster_iam_role.name
+}
+
+resource "aws_iam_policy" "eks_cluster_encryption" {
+  name        = "${data.aws_iam_role.cluster_iam_role.name}-ClusterEncryption"
+  description = "eks cluster ${local.cluster_name} encryption policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ListGrants",
+          "kms:DescribeKey",
+        ]
+        Effect   = "Allow"
+        Resource = aws_kms_key.eks.arn
+      },
+    ]
+  })
+  tags = local.tags
 }