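terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      // Exact pin (no "~>"): a provider upgrade is an explicit, reviewable
      // change rather than something a fresh `terraform init` picks up.
      version = "5.55.0"
    }
    // random_id.uid in this file needs hashicorp/random. Declaring it here makes
    // the dependency explicit instead of relying on Terraform's implicit
    // provider lookup, so the provider is visible to anyone auditing what this
    // module pulls in.
    // TODO(review): add a version pin matching the module's .terraform.lock.hcl.
    random = {
      source = "hashicorp/random"
    }
  }
}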
// Every AWS resource in this module is created in the caller-supplied region;
// credentials come from the environment running Terraform, not from this file.
provider "aws" {
  region = var.region
}
// 8 random bytes (64 bits), generated once at apply time and kept in state.
// Nothing in this file references random_id.uid; presumably another file of
// the module consumes it — verify before removing.
resource "random_id" "uid" {
  byte_length = 8
}
// Instance profile that hands control_plane_role to control-plane VMs.
// Whoever launches instances with this profile needs iam:PassRole on the role;
// that is the real gate on who can obtain these credentials, not this block.
resource "aws_iam_instance_profile" "control_plane_instance_profile" {
  name = "${var.name_prefix}_control_plane_instance_profile"
  role = aws_iam_role.control_plane_role.name
}
// IAM role assumed by control-plane nodes (via the instance profile above).
// The trust policy allows only the EC2 service principal, so the role is
// usable exclusively as instance-role credentials; no human or cross-account
// principal can assume it directly.
resource "aws_iam_role" "control_plane_role" {
  name = "${var.name_prefix}_control_plane_role"
  path = "/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}
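// Permissions for control-plane nodes. The action set resembles the upstream
// cloud-provider-aws control-plane policy plus cluster-autoscaler and
// CloudWatch Logs actions — presumably where it was sourced from; verify
// against upstream when updating rather than adding actions ad hoc.
//
// Security notes (the single statement is Resource "*", i.e. account-wide):
//  - These are instance-role credentials: any process on a control-plane node
//    that can reach IMDS (169.254.169.254) can use them unless IMDS access is
//    restricted, and nothing in this module restricts it.
//  - ec2:CreateLaunchTemplateVersion + ec2:ModifyLaunchTemplate combined with
//    autoscaling:SetDesiredCapacity let a holder change what future nodes boot
//    (AMI, user data) and then launch them. There is no iam:PassRole here; AWS
//    requires it to put an instance profile into a launch-template version, so
//    a new version cannot be pointed at a different, more privileged profile
//    (verify this also holds for versions copied from a source version that
//    already carries a profile). Keep iam:PassRole out of this policy.
//  - ec2:ModifyInstanceAttribute and the *SecurityGroup* actions apply to every
//    instance and security group in the account, not only the cluster's. A
//    tag-based condition (aws:ResourceTag on cluster resources) would narrow
//    this — TODO(review) evaluate whether the cloud controller tags reliably.
//  - iam:CreateServiceLinkedRole is unconditioned. AWS's recommended form
//    restricts it with an iam:AWSServiceName condition to the services that
//    actually need a service-linked role (ELB and Auto Scaling are the obvious
//    candidates here) — TODO(review) confirm which ones and add the condition.
//
// Keep the list duplicate-free: IAM ignores repeated actions, but duplicates
// hide merge mistakes and make audits harder. Grouped by service, sorted.
resource "aws_iam_policy" "control_plane_policy" {
  name = "${var.name_prefix}_control_plane_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          // Auto Scaling: inspect node groups; scale and replace nodes.
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeTags",
          "autoscaling:SetDesiredCapacity",
          "autoscaling:TerminateInstanceInAutoScalingGroup",

          // EC2: volumes, routes, security groups, launch templates and
          // the describe calls the cloud controller needs.
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateLaunchTemplateVersion",
          "ec2:CreateRoute",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:DeleteRoute",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DescribeAvailabilityZones",
          "ec2:DescribeImages",
          "ec2:DescribeInstanceStatus",
          "ec2:DescribeInstances",
          "ec2:DescribeLaunchTemplateVersions",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVolumes",
          "ec2:DescribeVpcs",
          "ec2:DetachVolume",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifyLaunchTemplate",
          "ec2:ModifyVolume",
          "ec2:RevokeSecurityGroupIngress",

          // ELB (classic and v2): full load-balancer lifecycle for
          // Services of type LoadBalancer.
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
          "elasticloadbalancing:AttachLoadBalancerToSubnets",
          "elasticloadbalancing:ConfigureHealthCheck",
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancerListeners",
          "elasticloadbalancing:CreateLoadBalancerPolicy",
          "elasticloadbalancing:CreateTargetGroup",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:DeleteLoadBalancerListeners",
          "elasticloadbalancing:DeleteTargetGroup",
          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DescribeLoadBalancerPolicies",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeRules",
          "elasticloadbalancing:DescribeTags",
          "elasticloadbalancing:DescribeTargetGroupAttributes",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:DetachLoadBalancerFromSubnets",
          "elasticloadbalancing:ModifyListener",
          "elasticloadbalancing:ModifyLoadBalancerAttributes",
          "elasticloadbalancing:ModifyTargetGroup",
          "elasticloadbalancing:ModifyTargetGroupAttributes",
          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
          "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",

          // IAM: service-linked role creation (see note above on scoping).
          "iam:CreateServiceLinkedRole",

          // KMS: read-only key metadata.
          "kms:DescribeKey",

          // CloudWatch Logs: write to existing log groups (no CreateLogGroup).
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "logs:PutLogEvents",

          // Shield / Resource Groups Tagging: read-only.
          "shield:GetSubscriptionState",
          "tag:GetResources",
        ]
        Resource = ["*"]
      },
    ]
  })
}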
// Binds the control-plane permission set to the control-plane role.
resource "aws_iam_role_policy_attachment" "attach_control_plane_policy" {
  policy_arn = aws_iam_policy.control_plane_policy.arn
  role       = aws_iam_role.control_plane_role.name
}
// Instance profile that hands worker_node_role to worker VMs. As with the
// control-plane profile, iam:PassRole on the launching principal decides who
// may attach it.
resource "aws_iam_instance_profile" "worker_node_instance_profile" {
  role = aws_iam_role.worker_node_role.name
  name = "${var.name_prefix}_worker_node_instance_profile"
}
// IAM role assumed by worker nodes through their instance profile. Trust is
// limited to the EC2 service principal, so the role yields instance-role
// credentials only; it cannot be assumed by users or other accounts.
resource "aws_iam_role" "worker_node_role" {
  name = "${var.name_prefix}_worker_node_role"
  path = "/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}
// Permissions for worker nodes: EC2 describe calls, ECR image pulls, CloudWatch
// Logs writes and tag lookups. No mutating EC2/ELB actions — those live in the
// control-plane policy.
//
// Security notes:
//  - Resource "*" is unavoidable for ecr:GetAuthorizationToken, but the other
//    ECR actions could be narrowed to the cluster's repository ARNs if the
//    module ever learns them; logs:PutLogEvents on "*" reaches every log group
//    in the account.
//  - Like the control-plane set, these are instance-role credentials and are
//    available to anything on the node that can reach IMDS unless IMDS access
//    is restricted outside this module.
resource "aws_iam_policy" "worker_node_policy" {
  name = "${var.name_prefix}_worker_node_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          // EC2: read-only.
          "ec2:DescribeImages",
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          // ECR: pull images and inspect repositories.
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:DescribeRepositories",
          "ecr:GetAuthorizationToken",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:ListImages",
          // CloudWatch Logs: write to existing log groups.
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "logs:PutLogEvents",
          // Resource Groups Tagging: read-only.
          "tag:GetResources",
        ]
        Resource = "*"
      },
    ]
  })
}
// Binds the worker permission set to the worker role.
resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" {
  policy_arn = aws_iam_policy.worker_node_policy.arn
  role       = aws_iam_role.worker_node_role.name
}
// Add all permissions here, which are needed by the bootstrapper.
//
// Kept as a separate policy so the bootstrapper's requirements are reviewable
// in one place even though it is attached to both node roles below. Currently
// a single read-only action; the control-plane policy already grants it, so on
// that role this attachment is redundant but harmless.
resource "aws_iam_policy" "constellation_bootstrapper_policy" {
  name = "${var.name_prefix}_constellation_bootstrapper_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["elasticloadbalancing:DescribeLoadBalancers"]
        Resource = "*"
      },
    ]
  })
}
// The bootstrapper runs on workers too, so it gets the same policy there.
resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_worker" {
  policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
  role       = aws_iam_role.worker_node_role.name
}
// Bootstrapper policy for control-plane nodes.
resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_control_plane" {
  policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
  role       = aws_iam_role.control_plane_role.name
}
// TODO(msanft): incorporate this into the custom worker node policy
//
// AWS-managed policy for the EBS CSI driver. Its content is maintained by AWS
// and can change without any change in this repository — the trade-off against
// inlining it (which the TODO above would resolve). The ARN hardcodes the "aws"
// partition; other partitions (GovCloud, China) would need data.aws_partition —
// TODO(review) only if those are ever targeted.
resource "aws_iam_role_policy_attachment" "csi_driver_policy_worker" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  role       = aws_iam_role.worker_node_role.name
}
// TODO(msanft): incorporate this into the custom control-plane node policy
//
// Same AWS-managed EBS CSI policy as for workers; see the caveats there
// (AWS-controlled content, hardcoded "aws" partition in the ARN).
resource "aws_iam_role_policy_attachment" "csi_driver_policy_control_plane" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  role       = aws_iam_role.control_plane_role.name
}
// This policy is required by the AWS load balancer controller and can be found at
// https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/b44633a/docs/install/iam_policy.json.
//
// Supply-chain note: what gets applied is the vendored alb_policy.json next to
// this file, not the URL. When bumping the controller, diff the file against
// the exact upstream revision being adopted and update the commit in the link,
// since the policy is attached to both node roles below and is therefore
// reachable by anything on a node that can use instance-role credentials.
resource "aws_iam_policy" "lb_policy" {
  name   = "${var.name_prefix}_lb_policy"
  policy = file("${path.module}/alb_policy.json")
}
// Load-balancer-controller policy for worker nodes (the controller's pods may
// be scheduled there).
resource "aws_iam_role_policy_attachment" "attach_lb_policy_worker" {
  policy_arn = aws_iam_policy.lb_policy.arn
  role       = aws_iam_role.worker_node_role.name
}
// Load-balancer-controller policy for control-plane nodes.
resource "aws_iam_role_policy_attachment" "attach_lb_policy_control_plane" {
  policy_arn = aws_iam_policy.lb_policy.arn
  role       = aws_iam_role.control_plane_role.name
}