diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/aws-lb-controller.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/aws-lb-controller.tf
deleted file mode 100644
index a45301848..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/aws-lb-controller.tf
+++ /dev/null
@@ -1,261 +0,0 @@ -module "assumable_role_alb" { - count = var.enable_aws_lb_controller ? 1 : 0 - - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "3.14.0" - create_role = true - role_name = "${var.cluster_name}-alb" - provider_url = replace(local.cluster_oidc_issuer_url, "https://", "") - role_policy_arns = [aws_iam_policy.alb[0].arn] - oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.alb_serviceaccount}"] -} - -resource "aws_iam_policy" "alb" { - count = var.enable_aws_lb_controller ? 1 : 0 - - name_prefix = "alb-contrller" - description = "aws load balancer controller policy for cluster ${local.cluster_id}" - policy = <<-POLICY - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeVpcs", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeInstances", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeTags", - "ec2:GetCoipPoolUsage", - "ec2:DescribeCoipPools", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cognito-idp:DescribeUserPoolClient", - 
"acm:ListCertificates", - "acm:DescribeCertificate", - "iam:ListServerCertificates", - "iam:GetServerCertificate", - "waf-regional:GetWebACL", - "waf-regional:GetWebACLForResource", - "waf-regional:AssociateWebACL", - "waf-regional:DisassociateWebACL", - "wafv2:GetWebACL", - "wafv2:GetWebACLForResource", - "wafv2:AssociateWebACL", - "wafv2:DisassociateWebACL", - "shield:GetSubscriptionState", - "shield:DescribeProtection", - "shield:CreateProtection", - "shield:DeleteProtection" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateSecurityGroup" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "StringEquals": { - "ec2:CreateAction": "CreateSecurityGroup" - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:DeleteRule" - ], 
- "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:DeleteTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "StringEquals": { - "elasticloadbalancing:CreateAction": [ - "CreateTargetGroup", - "CreateLoadBalancer" - ] - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" - ], - "Resource": 
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
- }
- ]
- }
- POLICY
-}
\ No newline at end of file
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/capa-sa.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/capa-sa.tf
deleted file mode 100644
index 59c19fd70..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/capa-sa.tf
+++ /dev/null
@@ -1,370 +0,0 @@ -module "asummable_role_capa" { - # count = var.enable_cluster_capa ? 1 : 0 - - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "3.14.0" - create_role = true - role_name = "${var.cluster_name}-capa-controller" - provider_url = replace(local.cluster_oidc_issuer_url, "https://", "") - role_policy_arns = [aws_iam_policy.capa_controller.arn, aws_iam_policy.capa_controller_eks.arn] - oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.capa_serviceaccount}", "system:serviceaccount:${var.namespace}:${var.capi_serviceaccount}"] -} - -resource "aws_iam_policy" "capa_controller" { - # count = var.enable_cluster_capa ? 1 : 0 - - name_prefix = "cluster-capa" - description = "EKS cluster api provider aws policy for cluster ${var.cluster_name}" - policy = data.aws_iam_policy_document.capa_controller.json -} - -resource "aws_iam_policy" "capa_controller_eks" { - # count = var.enable_cluster_capa ? 1 : 0 - - name_prefix = "cluster-capa" - description = "EKS cluster api provider aws policy for cluster ${var.cluster_name}" - policy = data.aws_iam_policy_document.capa_controller_eks.json -} - -data "aws_iam_policy_document" "capa_controller" { - statement { - sid = "" - effect = "Allow" - resources = ["*"] - - actions = [ - "ec2:AttachNetworkInterface", - "ec2:DetachNetworkInterface", - "ec2:AllocateAddress", - "ec2:AssignIpv6Addresses", - "ec2:AssignPrivateIpAddresses", - "ec2:UnassignPrivateIpAddresses", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateInternetGateway", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkInterface", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:ModifyVpcAttribute", - "ec2:DeleteInternetGateway", - "ec2:DeleteEgressOnlyInternetGateway", - "ec2:DeleteNatGateway", - 
"ec2:DeleteRouteTable", - "ec2:ReplaceRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteTags", - "ec2:DeleteVpc", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInternetGateways", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeInstanceTypes", - "ec2:DescribeImages", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVolumes", - "ec2:DescribeTags", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:DisassociateAddress", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:ReleaseAddress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RunInstances", - "ec2:TerminateInstances", - "tag:GetResources", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:RemoveTags", - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeInstanceRefreshes", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DeleteLaunchTemplate", - 
"ec2:DeleteLaunchTemplateVersions", - "ec2:DescribeKeyPairs", - "ec2:ModifyInstanceMetadataOptions", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"] - - actions = [ - "autoscaling:CreateAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:CreateOrUpdateTags", - "autoscaling:StartInstanceRefresh", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteTags", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["autoscaling.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["elasticloadbalancing.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["spot.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io"] - actions = ["iam:PassRole"] - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*"] - - actions = [ - "secretsmanager:CreateSecret", - "secretsmanager:DeleteSecret", - "secretsmanager:TagResource", - ] - } -} - -data "aws_iam_policy_document" "capa_controller_eks" { - - statement { - sid = "" - effect = "Allow" - resources = 
["arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"] - actions = ["ssm:GetParameter"] - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["eks.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["eks-nodegroup.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate"] - actions = ["iam:CreateServiceLinkedRole"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["eks-fargate.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["*"] - - actions = [ - "iam:ListOpenIDConnectProviders", - "iam:GetOpenIDConnectProvider", - "iam:CreateOpenIDConnectProvider", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:DeleteOpenIDConnectProvider", - "iam:TagOpenIDConnectProvider", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = ["arn:*:iam::*:role/*"] - - actions = [ - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:DetachRolePolicy", - "iam:DeleteRole", - "iam:CreateRole", - "iam:TagRole", - "iam:UntagRole", - "iam:AttachRolePolicy", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = [ - "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - ] - 
actions = ["iam:GetPolicy"] - } - - statement { - sid = "" - effect = "Allow" - - resources = [ - "arn:*:eks:*:*:cluster/*", - "arn:*:eks:*:*:nodegroup/*/*/*", - ] - - actions = [ - "eks:DescribeCluster", - "eks:ListClusters", - "eks:CreateCluster", - "eks:TagResource", - "eks:UpdateClusterVersion", - "eks:DeleteCluster", - "eks:UpdateClusterConfig", - "eks:UntagResource", - "eks:UpdateNodegroupVersion", - "eks:DescribeNodegroup", - "eks:DeleteNodegroup", - "eks:UpdateNodegroupConfig", - "eks:CreateNodegroup", - "eks:AssociateEncryptionConfig", - "eks:ListIdentityProviderConfigs", - "eks:AssociateIdentityProviderConfig", - "eks:DescribeIdentityProviderConfig", - "eks:DisassociateIdentityProviderConfig", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = ["*"] - - actions = [ - "ec2:AssociateVpcCidrBlock", - "ec2:DisassociateVpcCidrBlock", - "eks:ListAddons", - "eks:CreateAddon", - "eks:DescribeAddonVersions", - "eks:DescribeAddon", - "eks:DeleteAddon", - "eks:UpdateAddon", - "eks:TagResource", - "eks:DescribeFargateProfile", - "eks:CreateFargateProfile", - "eks:DeleteFargateProfile", - ] - } - - statement { - sid = "" - effect = "Allow" - resources = ["*"] - actions = ["iam:PassRole"] - - condition { - test = "StringEquals" - variable = "iam:PassedToService" - values = ["eks.amazonaws.com"] - } - } - - statement { - sid = "" - effect = "Allow" - resources = ["*"] - - actions = [ - "kms:CreateGrant", - "kms:DescribeKey", - ] - - condition { - test = "ForAnyValue:StringLike" - variable = "kms:ResourceAliases" - values = ["alias/cluster-api-provider-aws-*"] - } - } -} diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/certmanager.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/certmanager.tf deleted file mode 100644 index 0d5657279..000000000 --- a/bootstrap/terraform/aws-bootstrap-cluster-api/certmanager.tf +++ /dev/null 
@@ -1,39 +0,0 @@
-module "assumable_role_certmanager" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "3.14.0"
- create_role = true
- role_name = "${var.cluster_name}-certmanager"
- provider_url = replace(local.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.certmanager.arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.certmanager_serviceaccount}"]
-}
-
-resource "aws_iam_policy" "certmanager" {
- name_prefix = "certmanager"
- description = "certmanager permissions for ${local.cluster_id}"
- policy = <<-POLICY
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "route53:GetChange",
- "Resource": "arn:aws:route53:::change/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "route53:ChangeResourceRecordSets",
- "route53:ListResourceRecordSets"
- ],
- "Resource": "arn:aws:route53:::hostedzone/*"
- },
- {
- "Effect": "Allow",
- "Action": "route53:ListHostedZonesByName",
- "Resource": "*"
- }
- ]
- }
- POLICY
-}
\ No newline at end of file
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/data.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/data.tf
deleted file mode 100644
index 0e2ce8dbf..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/data.tf
+++ /dev/null
@@ -1 +0,0 @@
-data "aws_partition" "current" {}
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/ebs-csi-driver.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/ebs-csi-driver.tf
deleted file mode 100644
index f622f8259..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/ebs-csi-driver.tf
+++ /dev/null
@@ -1,178 +0,0 @@
-module "assumable_role_ebs_csi" {
- count = var.enable_ebs_csi_driver ? 1 : 0
-
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "3.14.0"
- create_role = true
- role_name = "${var.cluster_name}-ebs-csi"
- provider_url = replace(local.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.ebs_csi[0].arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.ebs_csi_serviceaccount}"]
-}
-
-resource "aws_iam_policy" "ebs_csi" {
- count = var.enable_ebs_csi_driver ? 1 : 0
-
- name_prefix = "ebs-csi"
- description = "EKS EBS CSI policy for cluster ${local.cluster_id}"
- policy = data.aws_iam_policy_document.ebs_csi.json
-}
-
-data "aws_iam_policy_document" "ebs_csi" {
- statement {
- sid = "ebsCSIAll"
- effect = "Allow"
- resources = ["*"]
-
- actions = [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInstances",
- "ec2:DescribeSnapshots",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- ]
- }
-
- statement {
- sid = "ebsCSICreateTags"
- effect = "Allow"
-
- resources = [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*",
- ]
-
- actions = ["ec2:CreateTags"]
-
- condition {
- test = "StringEquals"
- variable = "ec2:CreateAction"
-
- values = [
- "CreateVolume",
- "CreateSnapshot",
- ]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteTags"
- effect = "Allow"
-
- resources = [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*",
- ]
-
- actions = ["ec2:DeleteTags"]
- }
-
- statement {
- sid = "ebsCSICreateVolume1"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:CreateVolume"]
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
- values = ["true"]
- }
- }
-
- statement {
- sid = "ebsCSICreateVolume2"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:CreateVolume"]
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/CSIVolumeName"
- values = ["*"]
- }
- }
-
- statement {
- sid = "ebsCSICreateVolume3"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:CreateVolume"]
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/kubernetes.io/cluster/*"
- values = ["owned"]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteVolume1"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:DeleteVolume"]
-
- condition {
- test = "StringLike"
- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
- values = ["true"]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteVolume2"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:DeleteVolume"]
-
- condition {
- test = "StringLike"
- variable = "ec2:ResourceTag/CSIVolumeName"
- values = ["*"]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteVolume3"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:DeleteVolume"]
-
- condition {
- test = "StringLike"
- variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
- values = ["owned"]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteSnapshot1"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:DeleteSnapshot"]
-
- condition {
- test = "StringLike"
- variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
- values = ["*"]
- }
- }
-
- statement {
- sid = "ebsCSIDeleteSnapshot2"
- effect = "Allow"
- resources = ["*"]
- actions = ["ec2:DeleteSnapshot"]
-
- condition {
- test = "StringLike"
- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
- values = ["true"]
- }
- }
-}
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/existing.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/existing.tf
deleted file mode 100644
index eef978d70..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/existing.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-data "aws_eks_cluster" "cluster" {
- count = var.create_cluster ? 0 : 1
- name = var.cluster_name
-}
-
-data "aws_vpc" "vpc" {
- count = var.create_cluster ? 0 : 1
- id = local.vpc_id
-}
-
-data "aws_subnet" "worker_private_subnets" {
- count = length(local.worker_private_subnet_ids)
- id = local.worker_private_subnet_ids[count.index]
-}
-
-data "aws_subnet" "private_subnets" {
- count = length(local.private_subnet_ids)
- id = local.private_subnet_ids[count.index]
-}
-
-data "aws_subnet" "public_subnets" {
- count = length(local.public_subnet_ids)
- id = local.public_subnet_ids[count.index]
-}
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-autoscaler.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-autoscaler.tf
deleted file mode 100644
index cd6fdf192..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-autoscaler.tf
+++ /dev/null
@@ -1,63 +0,0 @@
-module "asummable_role_autoscaler" {
- count = var.enable_cluster_autoscaler ? 1 : 0
-
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "3.14.0"
- create_role = true
- role_name = "${var.cluster_name}-cluster-autoscaler"
- provider_url = replace(local.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.cluster_autoscaler[0].arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.autoscaler_serviceaccount}"]
-}
-
-resource "aws_iam_policy" "cluster_autoscaler" {
- count = var.enable_cluster_autoscaler ? 1 : 0
-
- name_prefix = "cluster-autoscaler"
- description = "EKS cluster-autoscaler policy for cluster ${local.cluster_id}"
- policy = data.aws_iam_policy_document.cluster_autoscaler.json
-}
-
-data "aws_iam_policy_document" "cluster_autoscaler" {
- statement {
- sid = "clusterAutoscalerAll"
- effect = "Allow"
-
- actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeInstanceTypes",
- "eks:DescribeNodegroup",
- ]
-
- resources = ["*"]
- }
-
- statement {
- sid = "clusterAutoscalerOwn"
- effect = "Allow"
-
- actions = [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- ]
-
- resources = ["*"]
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${local.cluster_id}"
- values = ["owned"]
- }
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
- values = ["true"]
- }
- }
-}
\ No newline at end of file
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-externaldns.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-externaldns.tf
deleted file mode 100644
index 527d9b9bd..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa-externaldns.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-module "assumable_role_externaldns" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "3.14.0"
- create_role = true
- role_name = "${var.cluster_name}-externaldns"
- provider_url = replace(local.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.externaldns.arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.externaldns_serviceaccount}"]
-}
-
-resource "aws_iam_policy" "externaldns" {
- name_prefix = "externaldns"
- description = "externaldns policy for cluster ${local.cluster_id}"
- policy = data.aws_iam_policy_document.externaldns.json
-}
-
-data "aws_iam_policy_document" "externaldns" {
- statement {
- sid = "externaldnsedit"
- effect = "Allow"
-
- actions = [
- "route53:ChangeResourceRecordSets"
- ]
-
- resources = ["arn:aws:route53:::hostedzone/*"]
- }
-
- statement {
- sid = "externaldnslist"
- effect = "Allow"
-
- actions = [
- "route53:ListHostedZones",
- "route53:ListResourceRecordSets"
- ]
-
- resources = ["*"]
- }
-}
\ No newline at end of file
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/irsa.tf
deleted file mode 100644
index 33e5d4c9c..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/irsa.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "aws_iam_openid_connect_provider" "oidc_provider" {
- count = var.enable_irsa ? 0 : 1
- client_id_list = [local.sts_principal]
- thumbprint_list = [var.eks_oidc_root_ca_thumbprint]
- url = local.cluster_oidc_issuer_url
-}
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/locals.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/locals.tf
deleted file mode 100644
index 7634fb7f9..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/locals.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-locals {
- sts_principal = "sts.${data.aws_partition.current.dns_suffix}"
- create_vpc = var.create_cluster && var.create_vpc ? true : false
- private_subnet_ids = var.create_cluster ? module.vpc[0].private_subnets_ids : var.private_subnet_ids
- public_subnet_ids = var.create_cluster ? module.vpc[0].public_subnets_ids : var.public_subnet_ids
- worker_private_subnet_ids = var.create_cluster ? module.vpc[0].worker_private_subnets_ids : var.worker_private_subnet_ids
- vpc_id = var.create_cluster ? module.vpc[0].vpc_id : data.aws_eks_cluster.cluster[0].vpc_config[0].vpc_id
- cluster_id = var.create_cluster ? module.cluster[0].cluster_id : data.aws_eks_cluster.cluster[0].id
- cluster_config = try(var.create_cluster ? module.cluster[0].config_map_aws_auth : tomap(false), {})
- cluster_oidc_issuer_url = var.create_cluster ? module.cluster[0].cluster_oidc_issuer_url : data.aws_eks_cluster.cluster[0].identity[0].oidc.0.issuer
- cluster_endpoint = var.create_cluster ? module.cluster[0].cluster_endpoint : data.aws_eks_cluster.cluster[0].endpoint
-}
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/output.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/output.tf
deleted file mode 100644
index 9d0b6d8ac..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/output.tf
+++ /dev/null
@@ -1,66 +0,0 @@
-
-output "cluster_name" {
- value = local.cluster_id
-}
-
-output "cluster_endpoint" {
- value = local.cluster_endpoint
-}
-
-output "cluster_oidc_issuer_url" {
- value = local.cluster_oidc_issuer_url
-}
-
-output "cluster_private_subnets" {
- value = data.aws_subnet.private_subnets
-}
-
-output "cluster_worker_private_subnets" {
- value = data.aws_subnet.worker_private_subnets
-}
-
-output "cluster_public_subnets" {
- value = data.aws_subnet.public_subnets
-}
-
-output "cluster_private_subnet_ids" {
- value = local.private_subnet_ids
-}
-
-output "cluster_worker_private_subnet_ids" {
- value = local.worker_private_subnet_ids
-}
-
-output "cluster_public_subnet_ids" {
- value = local.public_subnet_ids
-}
-
-output "worker_role_arn" {
- value = var.create_cluster ? module.cluster[0].worker_iam_role_arn : ""
-}
-
-output "node_groups" {
- value = try(var.create_cluster ?[for d in merge(module.single_az_node_groups[0].node_groups, module.multi_az_node_groups[0].node_groups): d]: tomap(false), {})
-}
-
-output "vpc" {
- value = try(var.create_cluster ? module.vpc[0] : tomap(false), data.aws_vpc.vpc[0])
-}
-
-output "vpc_cidr" {
- value = var.create_cluster ? module.vpc[0].vpc_cidr_block : data.aws_vpc.vpc[0].cidr_block
-}
-
-
-output "cluster" {
- value = try(var.create_cluster ? module.cluster[0] : tomap(false), data.aws_eks_cluster.cluster[0])
-}
-
-output "cluster_service_ipv4_cidr" {
- value = var.create_cluster ? module.cluster[0].cluster_service_ipv4_cidr : data.aws_eks_cluster.cluster[0].kubernetes_network_config[0].service_ipv4_cidr
-}
-
-output "capa_iam_role_arn" {
- description = "ARN of IAM role that allows access to the Harbor S3 buckets."
- value = module.asummable_role_capa.this_iam_role_arn
-}
\ No newline at end of file
diff --git a/bootstrap/terraform/aws-bootstrap-cluster-api/s3-vpc-endpoint.tf b/bootstrap/terraform/aws-bootstrap-cluster-api/s3-vpc-endpoint.tf
deleted file mode 100644
index 2a25a331c..000000000
--- a/bootstrap/terraform/aws-bootstrap-cluster-api/s3-vpc-endpoint.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-data "aws_route_table" "worker_private_subnets_route_table" {
- count = var.enable_vpc_s3_endpoint && length(local.worker_private_subnet_ids) > 0 ? length(local.worker_private_subnet_ids) : 0
- subnet_id = local.worker_private_subnet_ids[count.index]
-}
-
-resource "aws_vpc_endpoint" "s3" {
- count = var.enable_vpc_s3_endpoint && length(local.worker_private_subnet_ids) > 0 ? 1 : 0
- vpc_id = local.vpc_id
- service_name = "com.amazonaws.${var.aws_region}.s3"
- auto_accept = true
- route_table_ids = data.aws_route_table.worker_private_subnets_route_table[*].id
-}
\ No newline at end of file