feat: initial commit for module iam_users #6
Terraform Format and Style 🖌
modules/eks/variables.tf
| description = "Account ID of the current IAM user" | ||
| } | ||
|
|
||
| variable "iam_role_arns" { |
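Review bot: `variable "iam_role_arns" {` at the end of this hunk carries no `type` constraint, so Terraform infers `any` (which is what the module README then reports) and a caller can pass any shape without a plan-time error. Add an explicit `type = map(object({ ... }))` or `list(object({ ... }))` matching the attributes main.tf reads from each entry, plus a `description`, so malformed input fails at `terraform plan` instead of deep inside a resource expression.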
Can you please put the proper type here? Also maybe we can call this "iam_role_mapping" or something to indicate that it's not just ARNs.
modules/iam_users/outputs.tf
| name = r.name | ||
| } | ||
| ] | ||
| description = "List of role and users" |
How about "List of mappings of users to roles"
modules/iam_users/main.tf
| resource "aws_iam_role" "access_assumerole" { | ||
| count = length(local.role_users) | ||
| name = "${var.project}-kubernetes-${local.role_users[count.index].name}-${var.environment}" | ||
| assume_role_policy = data.aws_iam_policy_document.access_assumerole_policy[count.index].json |
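Review bot: `count = length(local.role_users)` ties every role and its trust policy to a list position, so removing or reordering one entry in `local.role_users` renames and recreates every role after it, and the `[count.index]` lookup into `access_assumerole_policy` only works while both lists stay in lockstep. Key both the `aws_iam_role` and the policy document with `for_each` on the user or role name so each role has a stable address and a change to one mapping touches only that role.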
Sorry, these shouldn't be roles. We'll either want groups or to attach policies directly to users. Probably groups.
Well, this is kind of combining two things... We need a way to specify a user's access to AWS resources, and then also a way to specify access to k8s. AWS access should probably be controlled via groups, and k8s access should be via roles, but then we also need a way to specify the access within k8s that each role has. Right now it's hard-coded below.
Maybe we can chat more about this tomorrow.
modules/eks/README.md
| | cluster\_version | EKS cluster version number to use. Incrementing this will start a cluster upgrade | `any` | n/a | yes | | ||
| | environment | The environment (development/staging/production) | `any` | n/a | yes | | ||
| | iam\_account\_id | Account ID of the current IAM user | `any` | n/a | yes | | ||
| | iam\_role\_arns | IAM roles with arn | `any` | n/a | yes | |
Docs need to be regenerated with `pre-commit run -a`.
modules/user_access/main.tf
| policy_arn = aws_iam_policy.access_group[count.index].arn | ||
| } | ||
|
|
||
| ## Group policy |
Can you remove this if it's not necessary?
modules/user_access/main.tf
| #} | ||
|
|
||
| ## Users | ||
| resource "aws_iam_user" "access_user" { |
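Review bot: the `#}` at the top of this hunk is the tail of a commented-out block. Delete the dead code outright rather than leaving a stray closing brace in a comment; as it stands it is unclear which block the `## Users` section starts after, and fragments like this tend to survive many reviews.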
As discussed in Slack, we'll need to consider how to give a user access to both prod and staging resources. Most likely conditionally use a resource or data here.
done with remote state
modules/user_access/main.tf
| metadata { | ||
| name = var.roles[count.index].name | ||
| } | ||
| rule { |
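Review bot: in this hunk `name` is taken from `var.roles[count.index]` but the `rule {` block that follows is static, so every generated Kubernetes role receives identical permissions whatever its name. Read the rule contents (api_groups, resources, verbs) from the same `var.roles` entry, for example through a `dynamic "rule"` block, and make the default the narrowest verb set so a newly added role starts read-only until its rules are spelled out.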
We'll have to talk about how to configure this per group as well.
modules/user_access/README.md
| @@ -0,0 +1,36 @@ | |||
| # eks | |||
Wrong name and description
| group = aws_iam_group.access_group[count.index].name | ||
| policy_arn = aws_iam_policy.access_group[count.index].arn | ||
| } | ||
|
|
Instead of having the assume-role policy included in the policy that is passed in, we should be creating it here (this code is from zero-aws-eks-stack):

```hcl
# iam:ListRoles supports no resource-level permissions, so it needs its own
# statement on "*"; a single statement scoped to the role ARN would not grant it.
statement {
  effect    = "Allow"
  actions   = ["iam:ListRoles"]
  resources = ["*"]
}

statement {
  effect    = "Allow"
  actions   = ["sts:AssumeRole"]
  resources = ["arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-developer-prod"]
}
```
It shouldn't be up to the user to have to include that policy block, we can create it dynamically here.
Done automatically on the module side.
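The design the review converges on (AWS access through IAM groups, Kubernetes access through IAM roles, the assume-role grant generated by the module instead of passed in by the caller, and an explicitly typed mapping in place of `any`), written out as one module fragment. This is an added example, not code from this PR or from zero-aws-eks-stack; the variable, local, resource and output names are assumptions, and the `aws` and `kubernetes` providers are assumed to be configured against the target account and cluster.

```hcl
# Added example (not this PR's code, nor zero-aws-eks-stack's). All names here
# are illustrative assumptions.
variable "project" { type = string }
variable "environment" { type = string }

# Explicit type instead of `any`: each key is a Kubernetes role name, with the
# IAM users allowed to assume it and the RBAC rules that role grants.
variable "iam_role_mapping" {
  description = "Mapping of Kubernetes roles to IAM users and RBAC rules"
  type = map(object({
    users = list(string)
    rules = list(object({
      api_groups = list(string)
      resources  = list(string)
      verbs      = list(string)
    }))
  }))
}

data "aws_caller_identity" "current" {}

locals {
  # Keyed by role name, so adding or removing one mapping never renumbers the rest.
  role_name = { for k, v in var.iam_role_mapping : k => "${var.project}-kubernetes-${k}-${var.environment}" }
}

# Kubernetes access rides on an IAM role; the trust policy admits any principal in
# this account, and the group policy below is what limits who may actually assume it.
resource "aws_iam_role" "k8s" {
  for_each = var.iam_role_mapping
  name     = local.role_name[each.key]
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
    }]
  })
}

# The assume-role grant is built here rather than passed in by the caller.
# iam:ListRoles supports no resource-level permissions, so it needs its own
# statement on "*"; sts:AssumeRole is scoped to exactly this module's role ARN.
data "aws_iam_policy_document" "assume" {
  for_each = var.iam_role_mapping
  statement {
    effect    = "Allow"
    actions   = ["iam:ListRoles"]
    resources = ["*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.k8s[each.key].arn]
  }
}

# AWS-side access goes through one group per role; nothing is attached to users directly.
resource "aws_iam_group" "k8s" {
  for_each = var.iam_role_mapping
  name     = local.role_name[each.key]
}

resource "aws_iam_group_policy" "assume" {
  for_each = var.iam_role_mapping
  name     = "${local.role_name[each.key]}-assume"
  group    = aws_iam_group.k8s[each.key].name
  policy   = data.aws_iam_policy_document.assume[each.key].json
}

resource "aws_iam_group_membership" "k8s" {
  for_each = var.iam_role_mapping
  name     = "${local.role_name[each.key]}-members"
  group    = aws_iam_group.k8s[each.key].name
  users    = each.value.users
}

# Kubernetes RBAC is read from the mapping instead of a hard-coded rule block.
resource "kubernetes_cluster_role" "k8s" {
  for_each = var.iam_role_mapping
  metadata { name = each.key }
  dynamic "rule" {
    for_each = each.value.rules
    content {
      api_groups = rule.value.api_groups
      resources  = rule.value.resources
      verbs      = rule.value.verbs
    }
  }
}

# Fed to the EKS module's aws-auth ConfigMap: each role ARN maps to a Kubernetes
# group named after the role, which a cluster role binding can then target.
output "aws_auth_map_roles" {
  description = "List of mappings of users to roles"
  value       = [for k, r in aws_iam_role.k8s : { rolearn = r.arn, username = k, groups = [k] }]
}
```

To complete the Kubernetes side, bind each `kubernetes_cluster_role` to the group of the same name with a `kubernetes_cluster_role_binding` whose subject is `kind = "Group"`, and pass `aws_auth_map_roles` into the EKS module's `mapRoles`. Because every resource is keyed by the mapping name, removing one entry from `iam_role_mapping` plans the destruction of only that entry's role, group and membership, which is the behaviour a `count`-indexed version cannot give.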