diff --git a/patterns/sso-iam-identity-center/aws-auth/README.md b/patterns/sso-iam-identity-center/aws-auth/README.md index f1625d0a56..8a2e4f2d3a 100644 --- a/patterns/sso-iam-identity-center/aws-auth/README.md +++ b/patterns/sso-iam-identity-center/aws-auth/README.md @@ -16,7 +16,7 @@ With the active users, use one of the `terraform output` examples to configure y ### Admin user example -```bash +```sh configure_sso_admin = < @@ -47,7 +47,7 @@ EOT ### Read-only user example -```bash +```sh configure_sso_user = < @@ -78,7 +78,7 @@ EOT With the `kubeconfig` configured, you'll be able to run `kubectl` commands in your Amazon EKS Cluster with the impersonated user. The read-only user has a `cluster-viewer` Kubernetes role bound to it's group, whereas the admin user, has the `admin` Kubernetes role bound to it's group. -```bash +```sh kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE amazon-guardduty aws-guardduty-agent-bl2v2 1/1 Running 0 3h54m @@ -96,13 +96,13 @@ kube-system kube-proxy-q1fmc 1/1 Running 0 3h54 If not revoked after the cluster creation, it's possible to use the `configure_kubectl` output to assume the *Cluster creator* role with `cluster-admin` access. -```bash +```sh configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name iam-identity-center" ``` ## Destroy -```bash +```sh terraform destroy -target module.developers_team -target module.operators._team -auto-approve terraform destroy -target module.eks -auto-approve terraform destroy -auto-approve diff --git a/patterns/sso-iam-identity-center/aws-auth/main.tf b/patterns/sso-iam-identity-center/aws-auth/main.tf index 43389e7fb3..35762e3bd6 100644 --- a/patterns/sso-iam-identity-center/aws-auth/main.tf +++ b/patterns/sso-iam-identity-center/aws-auth/main.tf 
@@ -2,6 +2,18 @@ provider "aws" {
   region = local.region
 }
 
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    # This requires the awscli to be installed locally where Terraform is executed
+    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+  }
+}
+
 data "aws_availability_zones" "available" {}
 
 locals {
diff --git a/patterns/sso-iam-identity-center/aws-auth/outputs.tf b/patterns/sso-iam-identity-center/aws-auth/outputs.tf
index 850a6d2cee..f2e30d5075 100644
--- a/patterns/sso-iam-identity-center/aws-auth/outputs.tf
+++ b/patterns/sso-iam-identity-center/aws-auth/outputs.tf
@@ -14,7 +14,7 @@ output "configure_sso_admins" {
     Attempting to automatically open the SSO authorization page in your default browser.
     If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
-    https://device.sso.us-west-2.amazonaws.com/
+    https://device.sso.${local.region}.amazonaws.com/
 
     Then enter the code:
 
@@ -43,7 +43,7 @@ output "configure_sso_users" {
     Attempting to automatically open the SSO authorization page in your default browser.
     If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
-    https://device.sso.us-west-2.amazonaws.com/
+    https://device.sso.${local.region}.amazonaws.com/
 
     Then enter the code:
 
diff --git a/patterns/sso-iam-identity-center/aws-auth/sso.tf b/patterns/sso-iam-identity-center/aws-auth/sso.tf
index 6276d2ec90..3adf0a7f09 100644
--- a/patterns/sso-iam-identity-center/aws-auth/sso.tf
+++ b/patterns/sso-iam-identity-center/aws-auth/sso.tf
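Review bot: The `exec` block's `aws eks get-token` call passes no `--region`, so the token request goes to whichever region the local awscli resolves from its own environment, which can differ from the `local.region` that the `aws` provider pins a few lines above; since this commit templates the region everywhere else, the args should carry it too: `args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]`. The comment on the `args` line should also say whose token this is: it is minted for the credentials Terraform itself runs with (the cluster creator), not for either SSO permission set, so that identity must retain Kubernetes access for the provider to keep working — the README in this patch notes that the cluster-creator `cluster-admin` access may be revoked after creation. Suggested comment: `# Token is issued for the identity running Terraform (the cluster creator), not for an SSO user; keep its cluster access until destroy`.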
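Review bot: `https://device.sso.${local.region}.amazonaws.com/` in both `configure_sso_admins` and `configure_sso_users` ties the device-authorization endpoint to the EKS cluster region, but the endpoint `aws sso login` actually prints belongs to the region where the IAM Identity Center instance is enabled, which need not be `local.region`; the pre-commit value was equally hard-coded, so this is a latent inaccuracy rather than a regression, but readers copy these transcripts verbatim. A one-line caveat above the heredoc would avoid that, e.g. `# Sample transcript only; the device.sso endpoint region is that of the Identity Center instance, not necessarily local.region`. The `output` blocks these hunks sit in start and end outside the hunk.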
@@ -1,18 +1,6 @@ # Pre requisite # Enable AWS IAM Identity Manager (https://console.aws.amazon.com/singlesignon/home/) -provider "kubernetes" { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] - } -} - data "aws_caller_identity" "current" {} data "aws_ssoadmin_instances" "this" {} @@ -21,7 +9,7 @@ resource "aws_ssoadmin_permission_set" "admin" { name = "EKSClusterAdmin" description = "Amazon EKS Cluster Admins." instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0] - relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#" + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#" session_duration = "PT1H" } @@ -29,7 +17,7 @@ resource "aws_ssoadmin_permission_set" "user" { name = "EKSClusterUser" description = "Amazon EKS Cluster Users." instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0] - relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#" + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#" session_duration = "PT1H" } diff --git a/patterns/sso-iam-identity-center/cam/README.md b/patterns/sso-iam-identity-center/cam/README.md index 372049c3ad..132a63072a 100644 --- a/patterns/sso-iam-identity-center/cam/README.md +++ b/patterns/sso-iam-identity-center/cam/README.md @@ -16,7 +16,7 @@ With the active users, use one of the `terraform output` examples to configure y ### Admin user example -```bash +```sh configure_sso_admin = < @@ -48,7 +48,7 @@ EOT ### Read-only user example -```bash +```sh configure_sso_user = < 
@@ -79,7 +79,7 @@ EOT With the `kubeconfig` configured, you'll be able to run `kubectl` commands in your Amazon EKS Cluster with the impersonated user. The read-only user has a `cluster-viewer` Kubernetes role bound to it's group, whereas the admin user, has the `admin` Kubernetes role bound to it's group. -```bash +```sh kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE amazon-guardduty aws-guardduty-agent-bl2v2 1/1 Running 0 3h54m @@ -97,7 +97,7 @@ kube-system kube-proxy-q1fmc 1/1 Running 0 3h54 If not revoked after the cluster creation, it's possible to use the `configure_kubectl` output to assume the *Cluster creator* role with `cluster-admin` access. -```bash +```sh configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name iam-identity-center" ``` @@ -105,7 +105,7 @@ configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name iam-ide If you revoked the *Cluster creator* `cluster-admin` permission, you may need to re-associate the `AmazonEKSClusterAdminPolicy` access entry to run `terraform destroy`. -```bash +```sh terraform destroy -target module.developers_team -auto-approve terraform destroy -target module.eks -auto-approve terraform destroy -auto-approve diff --git a/patterns/sso-iam-identity-center/cam/main.tf b/patterns/sso-iam-identity-center/cam/main.tf index 625a04a7b5..46b7bf3875 100644 --- a/patterns/sso-iam-identity-center/cam/main.tf +++ b/patterns/sso-iam-identity-center/cam/main.tf @@ -2,6 +2,18 @@ provider "aws" { region = local.region } +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + data "aws_availability_zones" "available" {} locals { 
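Review bot: In the `cam/main.tf` hunk the `exec` block runs `aws eks get-token` without `--region`, so the awscli falls back to its ambient region configuration instead of the `local.region` the `aws` provider is pinned to just above; mirroring the region templating done elsewhere in this commit, use `args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]`. This matters more in the cluster-access-management pattern than in the aws-auth one, because the README hunk on this same line says that once the cluster-creator `AmazonEKSClusterAdminPolicy` access entry is revoked, `terraform destroy` needs it re-associated — that dependency exists precisely because this provider authenticates as the Terraform caller, and the comment should say so. Suggested comment on the `args` line: `# Authenticates as the identity running Terraform (needs an EKS access entry), not as an SSO user`.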
diff --git a/patterns/sso-iam-identity-center/cam/outputs.tf b/patterns/sso-iam-identity-center/cam/outputs.tf
index 850a6d2cee..f2e30d5075 100644
--- a/patterns/sso-iam-identity-center/cam/outputs.tf
+++ b/patterns/sso-iam-identity-center/cam/outputs.tf
@@ -14,7 +14,7 @@ output "configure_sso_admins" {
     Attempting to automatically open the SSO authorization page in your default browser.
     If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
-    https://device.sso.us-west-2.amazonaws.com/
+    https://device.sso.${local.region}.amazonaws.com/
 
     Then enter the code:
 
@@ -43,7 +43,7 @@ output "configure_sso_users" {
     Attempting to automatically open the SSO authorization page in your default browser.
     If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
-    https://device.sso.us-west-2.amazonaws.com/
+    https://device.sso.${local.region}.amazonaws.com/
 
     Then enter the code:
 
diff --git a/patterns/sso-iam-identity-center/cam/sso.tf b/patterns/sso-iam-identity-center/cam/sso.tf
index 6276d2ec90..3adf0a7f09 100644
--- a/patterns/sso-iam-identity-center/cam/sso.tf
+++ b/patterns/sso-iam-identity-center/cam/sso.tf
@@ -1,18 +1,6 @@
 # Pre requisite
 # Enable AWS IAM Identity Manager (https://console.aws.amazon.com/singlesignon/home/)
 
-provider "kubernetes" {
-  host                   = module.eks.cluster_endpoint
-  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
-  exec {
-    api_version = "client.authentication.k8s.io/v1beta1"
-    command     = "aws"
-    # This requires the awscli to be installed locally where Terraform is executed
-    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
-  }
-}
-
 data "aws_caller_identity" "current" {}
 
 data "aws_ssoadmin_instances" "this" {}
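Review bot: The `cam/outputs.tf` hunks substitute `${local.region}` into `https://device.sso.….amazonaws.com/`, but that host is determined by the region of the IAM Identity Center instance, not by the region the cluster is deployed in, so the templated value is only correct when the two coincide; the `data.aws_ssoadmin_instances.this` lookup in `sso.tf` does not expose a region either, so this cannot be derived automatically here. Since the output is a sample login transcript, a caveat is enough: `# Sample transcript; the device.sso endpoint region follows the Identity Center instance and may differ from local.region`. The `output` blocks containing these lines start and end outside the hunk.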
@@ -21,7 +9,7 @@ resource "aws_ssoadmin_permission_set" "admin" {
   name             = "EKSClusterAdmin"
   description      = "Amazon EKS Cluster Admins."
   instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
   session_duration = "PT1H"
 }
 
@@ -29,7 +17,7 @@ resource "aws_ssoadmin_permission_set" "user" {
   name             = "EKSClusterUser"
   description      = "Amazon EKS Cluster Users."
   instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
   session_duration = "PT1H"
 }