From 07bc714dbd8a1c029a27ff7a789f2dbdafa183d0 Mon Sep 17 00:00:00 2001
From: Michael Barroco
Date: Fri, 8 Dec 2023 06:23:31 -0500
Subject: [PATCH] Grant explicitely GithubCI role to K8s

---
 deploy/operations/ci/aws-1/kubernetes_admin_access.tf | 9 ++++++++-
 deploy/operations/ci/aws-1/local_variables.tf | 10 ++++++++++
 deploy/operations/ci/aws-1/providers.tf | 2 ++
 deploy/operations/ci/aws-1/terraform.tfvars | 3 ++-
 deploy/operations/ci/aws-1/test.sh | 3 +--
 5 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/deploy/operations/ci/aws-1/kubernetes_admin_access.tf b/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
index 1bc4f761c..5e808c2f7 100644
--- a/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
+++ b/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
@@ -24,7 +24,14 @@ resource "kubernetes_config_map_v1_data" "aws-auth" {
         "system:masters"
       ]
       rolearn = var.aws_iam_administrator_role
-      username = "aws-administrator"
+      username = "interuss-aws-administrator"
+    },
+    {
+      groups = [
+        "system:masters"
+      ]
+      rolearn = var.aws_iam_ci_role
+      username = "interuss-ci"
     }
   ])
 }
diff --git a/deploy/operations/ci/aws-1/local_variables.tf b/deploy/operations/ci/aws-1/local_variables.tf
index a4bf50497..628c3875e 100644
--- a/deploy/operations/ci/aws-1/local_variables.tf
+++ b/deploy/operations/ci/aws-1/local_variables.tf
@@ -9,3 +9,13 @@ variable "aws_iam_administrator_role" {
     Example: `arn:aws:iam::123456789012:role/AdminRole`
   EOT
 }
+
+variable "aws_iam_ci_role" {
+  type = string
+  description = <<-EOT
+    AWS IAM administrator role
+    ARN of the role assumed by administrators when login into the AWS InterUSS account.
+
+    Example: `arn:aws:iam::123456789012:role/CiRole`
+  EOT
+}
diff --git a/deploy/operations/ci/aws-1/providers.tf b/deploy/operations/ci/aws-1/providers.tf
index 542349e86..8daa12fe7 100644
--- a/deploy/operations/ci/aws-1/providers.tf
+++ b/deploy/operations/ci/aws-1/providers.tf
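Review bot: The new mapRoles entry places the CI role in `system:masters`, which bypasses Kubernetes RBAC entirely, so anyone able to assume `var.aws_iam_ci_role` is cluster-admin and the grant can neither be narrowed nor audited through RBAC objects. Unless the CI job genuinely needs full cluster-admin, map it to a dedicated group instead, e.g. `groups = ["interuss:ci"]`, and bind that group with a ClusterRoleBinding or namespaced RoleBinding to a role limited to the namespaces and verbs the CI tests exercise; the verbs actually needed are not visible here and would have to be derived from the test suite. At minimum a comment on the entry should record why cluster-admin is required, e.g. `# CI role gets cluster-admin because <reason>; revisit once the tests only need <namespace>.` The enclosing `kubernetes_config_map_v1_data` resource starts before this hunk.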
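Review bot: The description of the new `aws_iam_ci_role` variable was copied from `aws_iam_administrator_role` and is wrong: it still reads "AWS IAM administrator role ... assumed by administrators when login into the AWS InterUSS account", while the value wired in `terraform.tfvars` is a GitHub CI role and `kubernetes_admin_access.tf` maps it to `system:masters`. Replace the first two heredoc lines with `AWS IAM CI role` and `ARN of the IAM role assumed by the GitHub CI pipeline; it is mapped to cluster-admin (system:masters) in the aws-auth ConfigMap, so its trust policy must be limited to the CI workflow identity.` A `validation` block asserting the value matches `^arn:aws:iam::[0-9]{12}:role/` would also catch a pasted user or policy ARN before it lands in the ConfigMap.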
@@ -4,10 +4,12 @@ provider "aws" {
 
 data "aws_eks_cluster_auth" "kubernetes_cluster" {
   name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
 }
 
 data "aws_eks_cluster" "kubernetes_cluster" {
   name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
 }
 
 provider kubernetes {
diff --git a/deploy/operations/ci/aws-1/terraform.tfvars b/deploy/operations/ci/aws-1/terraform.tfvars
index 4f503cf21..90a5e8458 100644
--- a/deploy/operations/ci/aws-1/terraform.tfvars
+++ b/deploy/operations/ci/aws-1/terraform.tfvars
@@ -26,4 +26,5 @@ crdb_locality = "interuss_dss-ci-aws-ue1"
 crdb_external_nodes = []
 
 aws_iam_permissions_boundary = "arn:aws:iam::301042233698:policy/GithubCIPermissionBoundaries20231130225039606500000001"
-aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
\ No newline at end of file
+aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
+aws_iam_ci_role = "arn:aws:iam::301042233698:role/InterUSSGithubCI"
diff --git a/deploy/operations/ci/aws-1/test.sh b/deploy/operations/ci/aws-1/test.sh
index 28ec045a6..cda5a9244 100755
--- a/deploy/operations/ci/aws-1/test.sh
+++ b/deploy/operations/ci/aws-1/test.sh
@@ -19,7 +19,6 @@ clean () {
 terraform init
 clean
-terraform plan
-#terraform apply -auto-approve
+terraform apply -auto-approve
 clean
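Review bot: Adding `depends_on` to the two data sources defers their read to apply time, so on every run the cluster endpoint, CA and token are known-after-apply during plan and the `kubernetes` provider (whose block begins on the hunk's last line and continues outside it) is configured from deferred values; Terraform's documentation advises against `depends_on` on data sources for this reason, and it is likely to show up as provider-configuration errors or noisy plans. If the intent is only to order the reads after the module, reference a module output in `name` instead, e.g. `name = module.terraform-aws-kubernetes.cluster_name` (the real output name is not visible here), which gives the same ordering without deferring the read. Separately, the short-lived token returned by `aws_eks_cluster_auth` is persisted in Terraform state; an `exec` block in the `kubernetes` provider calling `aws eks get-token` would fetch it when the provider is used and keep it out of state, which matters more now that a CI role is being mapped to cluster-admin.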
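Review bot: With this line the trust policy of `role/InterUSSGithubCI` becomes the effective admission control for cluster-admin on the EKS cluster, because `kubernetes_admin_access.tf` maps `var.aws_iam_ci_role` to `system:masters`, yet nothing in the change shows or constrains who may assume the role. If, as the name suggests, it is assumed through GitHub's OIDC provider, its trust policy should pin `token.actions.githubusercontent.com:sub` to the exact repository and branch or environment that runs this deployment, not just the `aud`. Record that expectation next to the value so it survives the next edit, e.g. `# Mapped to system:masters in kubernetes_admin_access.tf; trust policy must be limited to the CI workflow identity.`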
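Review bot: Switching to `terraform apply -auto-approve` means real infrastructure is now created on every run, but the teardown `clean` on the last line only runs if control returns to the script after the apply: whether the file uses `set -e` is not visible in the hunk, and under `set -e` a failed apply aborts before the final `clean`, leaving a partially built cluster with the CI role mapped to `system:masters` running until someone notices, while without `set -e` a failed apply is masked by the exit status of `clean`. Register the teardown with `trap clean EXIT` before the apply so it runs on success, failure and interruption (assuming `clean` is safe to run twice, since it is also called before the apply), and drop the trailing `clean`; keeping `terraform plan` as a preflight is cheap and otherwise reviewers lose the plan output from the CI logs. The `clean` function is defined before this hunk.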