Merge pull request #108 from kloia/adjust-aws-sso

adjust aws sso values yaml file for passing dynamic values, adding ss…
kloia · Oct 30, 2023 · c005890 · c005890
2 parents a5c331a + 9a24783
commit c005890
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 71 deletions.
diff --git a/aws-eks-addons/README.md b/aws-eks-addons/README.md
@@ -9,6 +9,34 @@ Creates an service account and deploys aws-load-balancer-controller helm chart.
 
 ## Usage
 
+new: If you enable SSO, you need to provide "values.yaml.tpl" file. Example: values.yaml.tpl
+```
+configs:
+  cm:
+    dex.config: |
+      logger:
+        level: debug
+        format: json
+      connectors:
+      - type: saml
+        id: aws
+        name: "AWS IAM Identity Center"
+        config:
+          ssoURL: ${ssoURL}
+          caData: ${caData}
+          redirectURI: ${redirectURI}
+          entityIssuer: ${entityIssuer}
+          groupsAttr: groups
+          usernameAttr: email
+          emailAttr: email
+
+  rbac:
+    policy.csv: |
+      g, guest, role:readonly
+    # policy.default: role:readonly
+    scopes: '[groups,email]'
+```
+
 ```hcl
 
 inputs = {

diff --git a/aws-eks-addons/main.tf b/aws-eks-addons/main.tf
@@ -191,6 +191,18 @@ resource "kubernetes_ingress_v1" "alb_ingress_connect_istio" {
   ]
 }
 
+
+data "aws_ssm_parameter" "sso_ca_data_network_account" {
+  provider = aws.network_infra
+  name = "${var.sso_ca_data_network_account}"
+}
+
+data "aws_ssm_parameter" "sso_url_network_account" {
+  provider = aws.network_infra
+  name = "${var.sso_url_network_account}"
+}
+
+
 resource "helm_release" "argocd" {
   count            = var.deploy_argocd ? 1 : 0
   name             = "argocd"
@@ -300,6 +312,15 @@ resource "helm_release" "argocd" {
     value = ""
   }
 
+  values = var.enable_sso ?  [templatefile("${path.module}/values.yaml.tpl",{
+    caData = "${data.aws_ssm_parameter.sso_ca_data_network_account.value}",
+    ssoURL = "${data.aws_ssm_parameter.sso_url_network_account.value}",
+    redirectURI = "${var.sso_callback_url}"
+    entityIssuer = "${var.sso_callback_url}"
+
+  })
+  ] : []
+
   // SSO Values
   // configmap url
   dynamic "set" {
@@ -310,35 +331,6 @@ resource "helm_release" "argocd" {
     }
   }
 
-   dynamic "set" {
-    for_each = var.enable_sso ? [1] : []
-    content {
-    name = "configs.cm.dex" 
-    value = var.saml_dex_config
-    }
-  }
-
-  // readonly to everybody
-  dynamic "set" {
-    for_each = var.enable_sso ? [1] : []
-    content {
-    name = "configs.rbac.policy.default"
-    value = "role:readonly"
-    }
-  }
-
-
-  dynamic "set" {
-    for_each = var.enable_sso ? [1] : []
-    content {
-    name = "configs.rbac.policy.csv"
-    value = var.policy_csv
-    }
-  }
-
-
-
-
   depends_on = [
     kubernetes_ingress_v1.alb_ingress_connect_nginx
   ]
@@ -471,7 +463,7 @@ resource "kubectl_manifest" "argocd_bootstrapper_application" {
             }
             argoWorkflow: {
               enable: var.deploy_argo_workflow
-              targetRevision: var.argo_workflow_target_revision
+              targetRevision: "0.36.1"
               values: { 
                 server: {
                   ingress: {

diff --git a/aws-eks-addons/variables.tf b/aws-eks-addons/variables.tf
@@ -203,14 +203,6 @@ variable "argo_workflow_extra_args" {
   type        = list(any)
   default     = []
 }
-
-variable "argo_workflow_target_revision" {
-  description = "value of the targetRevision field of argo workflow"
-  default = "0.36.1"
-}
-
-
-
 # karpenter
 
 variable "deploy_karpenter" {
@@ -330,46 +322,26 @@ variable "karpenter_node_template_throughput" {
 }
 
 variable "enable_sso" {
-  default = true
+  default = false
   description = "Creation control logic of AWS SSO integration at ArgoCD"
 }
 
+variable "sso_ca_data_network_account" {
+  default = ""
+  description = "Value of the CA data for AWS SSO integration at ArgoCD"
+}
 
-variable "policy_csv" {
-  default = <<-EOT
-      policy.csv: |
-        g, PlatformTestAccountArgoCD, role:admin
-        g, [email protected], role:admin
-        g, guest, role:readonly
-EOT
-  description = "policy csv content for argocd rbac"
-}
-
-
-variable "saml_dex_config" {
-  description = "Dex configuration for AWS SSO"
-  default = <<-EOT
-      dex.config: |
-        logger:
-          level: debug
-          format: json
-        connectors:
-        - type: saml
-          id: aws
-          name: "AWS IAM Identity Center"
-          config:
-            ssoURL: <your-single-sign-on-url>
-            caData: <your-ca-data>
-            redirectURI: https://<your-base-url>/api/dex/callback
-            entityIssuer: https://<your-base-url>/api/dex/callback
-            usernameAttr: email
-            emailAttr: email
-            groupsAttr: groups
-EOT
+variable "sso_url_network_account" {
+  default = ""
+  description = "Value of the Single Sign-On URL for AWS SSO."
+}
+
+variable "sso_callback_url" {
+  default = ""
+  description = "value of the callback url for AWS SSO integration at ArgoCD"
 }
 
 variable "gitops_url" {
   description = "url of the argocd"
   default = "https://gitops.platform.mycompany.com"
 }
-