Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
38cc2c1ab0
constellation/hack/terraform/aws/iam
History
Malte Poll 97bb0f4a91
Update terraform lock files to include hashes for all platforms (#499) 
- linux_arm64
- linux_amd64
- darwin_arm64
- darwin_amd64
- windows_amd64
2022-11-09 14:23:51 +01:00
..
.terraform.lock.hcl Update terraform lock files to include hashes for all platforms (#499) 2022-11-09 14:23:51 +01:00
main.tf Update Terraform aws to v4.38.0 (#464) 2022-11-08 18:34:45 +01:00
output.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00
README.md add brief instructions to AWS IAM Terraform script (#478) 2022-11-08 18:40:30 +01:00
variables.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00

README.md

IAM instance profiles for AWS

This terraform script creates the necessary profiles that need to be attached to Constellation nodes.

You can create the profiles with the following commands:

mkdir constellation_aws_iam
cd constellation_aws_iam
curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/aws/iam/{main,output,variables}.tf
terraform init
terraform apply -auto-approve -var name_prefix=my_constellation

You can either get the profile names from the Terraform output values control_plane_instance_profile and worker_nodes_instance_profile and manually add them to your Constellation configuration file.

Or you can do this with a yq command:

yq -i "
  .provider.aws.iamProfileControlPlane = $(terraform output control_plane_instance_profile) |
  .provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile)
  " path/to/constellation-conf.yaml

Development

iamlive

iamlive dynamically determines the minimal permissions to call a set of AWS API calls.

It uses a local proxy to intercept API calls and incrementally generate the AWS policy.

In one session start iamlive:

iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json

In another session execute terraform:

PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}

iamlive will present the generated policy, and after <CTRL-C> the iamlive process it will also write it to the specified file.