Grant explicitely GithubCI role to K8s

Orbitalize · Dec 8, 2023 · 07bc714 · 07bc714
1 parent 1f9ffb9
commit 07bc714
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 4 deletions.
diff --git a/deploy/operations/ci/aws-1/kubernetes_admin_access.tf b/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
@@ -24,7 +24,14 @@ resource "kubernetes_config_map_v1_data" "aws-auth" {
           "system:masters"
         ]
         rolearn  = var.aws_iam_administrator_role
-        username = "aws-administrator"
+        username = "interuss-aws-administrator"
+      },
+      {
+        groups   = [
+          "system:masters"
+        ]
+        rolearn  = var.aws_iam_ci_role
+        username = "interuss-ci"
       }
     ])
   }

diff --git a/deploy/operations/ci/aws-1/local_variables.tf b/deploy/operations/ci/aws-1/local_variables.tf
@@ -9,3 +9,13 @@ variable "aws_iam_administrator_role" {
     Example: `arn:aws:iam::123456789012:role/AdminRole`
   EOT
 }
+
+variable "aws_iam_ci_role" {
+  type        = string
+  description = <<-EOT
+    AWS IAM administrator role
+    ARN of the role assumed by administrators when login into the AWS InterUSS account.
+
+    Example: `arn:aws:iam::123456789012:role/CiRole`
+  EOT
+}
diff --git a/deploy/operations/ci/aws-1/providers.tf b/deploy/operations/ci/aws-1/providers.tf
@@ -4,10 +4,12 @@ provider "aws" {
 
 data "aws_eks_cluster_auth" "kubernetes_cluster" {
   name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
 }
 
 data "aws_eks_cluster" "kubernetes_cluster" {
   name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
 }
 
 provider kubernetes {

diff --git a/deploy/operations/ci/aws-1/terraform.tfvars b/deploy/operations/ci/aws-1/terraform.tfvars
@@ -26,4 +26,5 @@ crdb_locality       = "interuss_dss-ci-aws-ue1"
 crdb_external_nodes = []
 
 aws_iam_permissions_boundary = "arn:aws:iam::301042233698:policy/GithubCIPermissionBoundaries20231130225039606500000001"
-aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
+aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
+aws_iam_ci_role = "arn:aws:iam::301042233698:role/InterUSSGithubCI"
diff --git a/deploy/operations/ci/aws-1/test.sh b/deploy/operations/ci/aws-1/test.sh
@@ -19,7 +19,6 @@ clean () {
 
 terraform init
 clean
-terraform plan
-#terraform apply -auto-approve
+terraform apply -auto-approve
 clean