AWS CN (#129)
* add support for AWS CN

* allow customizing GS staff user account

* fix last ARN

* add aws partition
paurosello authored Nov 26, 2024
1 parent 76b9557 commit 461fc64
Showing 10 changed files with 56 additions and 22 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Add support for removing some IAM permissions from the capa controller role in BYOVPC installations.
- CAPA role CloudFormation template: switch from inline to managed policies for the CAPA IAM role.
- Add CAPA permissions for ASG lifecycle hooks
- Add support for AWS China
- Add support for custom GS staff account

## [4.2.0] - 2024-09-04

2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -112,6 +112,8 @@ export INSTALLATION_NAME=test
export MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN=irsa.test.gaws.gigantic.io
# Optional: only set to true if this installation is going to be used exclusively to create WCs on existing VPCs and subnets
# export BYOVPC=true
# Optional: only set this to aws-cn if the installation is in China
# export AWS_PARTITION=aws-cn
chmod +x setup.sh
./setup.sh
```
2 changes: 1 addition & 1 deletion admin-role/iam-giantswarm-cp.tf
Expand Up @@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-admin" {

principals {
type = "AWS"
identifiers = "arn:aws:iam::084190472784:root"
identifiers = "arn:${var.aws_partition}:iam::${var.gs_user_account}:root"
}

actions = ["sts:AssumeRole"]
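Review bot: The principal's partition is taken from `var.aws_partition`, which defaults to `aws`, so a deployment whose provider is pointed at a China region but which leaves the variable unset produces a trust policy that names a principal in the wrong partition; because a principal can only assume roles inside its own partition, the partition can instead be read from the provider itself with `data "aws_partition" "current" {}` and `identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.gs_user_account}:root"]`, which removes one way of getting the trust anchor wrong. The same `var.aws_partition` dependence is introduced in every import id in capa-controller-role/import.tf and in the `AWS_PARTITION` template value in capa-controller-role/giantswarm-capa-role.tf. Separately, as rendered here `identifiers` is assigned a bare string on both the old and the new line, while the `aws_iam_policy_document` principals block takes a list of strings; unless the brackets were lost in rendering, the list form quoted above is what Terraform expects. The enclosing `data "aws_iam_policy_document" "giantswarm-admin"` block starts and ends outside the hunk.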
12 changes: 12 additions & 0 deletions admin-role/variables.tf
Expand Up @@ -2,3 +2,15 @@ variable "admin_role_name" {
type = string
default = "GiantSwarmAdmin"
}

variable "aws_partition" {
type = string
description = "AWS partition used for ARN referencing, use aws-cn for China regions"
default = "aws"
}

variable "gs_user_account" {
type = string
description = "AWS account where GS staff users are located"
default = "084190472784"
}
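Review bot: Neither new variable constrains its value, yet `gs_user_account` is the account whose root principal the admin trust policy in admin-role/iam-giantswarm-cp.tf accepts, so a mistyped value is only caught when IAM rejects the policy, or not at all if the typo happens to be another existing account id. Add `validation` blocks restricting `aws_partition` to the known partitions and `gs_user_account` to a 12-digit id, and reword the `gs_user_account` description to say that it is the account trusted to assume the role, e.g. `description = "AWS account whose principals are trusted to assume this role (Giant Swarm staff account)"`. The same two unvalidated variables are added in capa-controller-role/variables.tf.

```hcl
variable "aws_partition" {
  # … unchanged: type, description, default …

  validation {
    condition     = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)
    error_message = "aws_partition must be one of aws, aws-cn or aws-us-gov."
  }
}

variable "gs_user_account" {
  # … unchanged: type, description, default …

  validation {
    condition     = can(regex("^[0-9]{12}$", var.gs_user_account))
    error_message = "gs_user_account must be a 12-digit AWS account id."
  }
}
```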
4 changes: 3 additions & 1 deletion capa-controller-role/cleanup.sh
Expand Up @@ -9,9 +9,11 @@ NC='\033[0m'

ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
AWS_ACCOUNT_ID="$(aws sts get-caller-identity --output text --query 'Account')"
AWS_PARTITION=${AWS_PARTITION:-aws}
GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}

POL_TYPES=("capa-controller" "capa-controller-vpc" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
POL_ARN_PREFIX="arn:aws:iam::${AWS_ACCOUNT_ID}:policy"
POL_ARN_PREFIX="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy"

function echo_fail_or_success {
s=$1
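Review bot: `AWS_PARTITION` falls back to `aws` although `AWS_ACCOUNT_ID` two lines above is already read from the caller identity, so a run in a China account that forgets to export the variable builds `POL_ARN_PREFIX` with the wrong partition and the policies are simply not found; the same call also yields the partition, e.g. `AWS_PARTITION=${AWS_PARTITION:-$(aws sts get-caller-identity --output text --query 'Arn' | cut -d: -f2)}`. `GS_USER_ACCOUNT` is defined in this hunk but not referenced within it; if the rest of cleanup.sh does not use it either, the line is dead. The same `aws` default is added in capa-controller-role/setup.sh. `echo_fail_or_success` continues outside the hunk.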
2 changes: 2 additions & 0 deletions capa-controller-role/giantswarm-capa-role.tf
Expand Up @@ -18,6 +18,8 @@ resource "aws_iam_role" "giantswarm-capa-controller-role" {
INSTALLATION_NAME = var.installation_name
AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id
MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN = var.management_cluster_oidc_provider_domain
AWS_PARTITION = var.aws_partition
GS_USER_ACCOUNT = var.gs_user_account
})
tags = local.tags
}
36 changes: 18 additions & 18 deletions capa-controller-role/import.tf
Expand Up @@ -11,107 +11,107 @@ import {
import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-capa-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-capa-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-capa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-dns-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-dns-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-dns-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-eks-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-eks-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-eks-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-iam-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-iam-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-iam-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-irsa-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-irsa-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-irsa-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-network-topology-controller-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-network-topology-controller-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-network-topology-controller-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-resolver-rules-operator-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-resolver-rules-operator-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-resolver-rules-operator-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-mc-bootstrap-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-mc-bootstrap-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-mc-bootstrap-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_policy.giantswarm-crossplane-policy
id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
id = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}

import {
for_each = local.existing_install_for_each
to = aws_iam_role_policy_attachment.giantswarm-crossplane-policy-attachment
id = "giantswarm-${var.installation_name}-capa-controller/arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
id = "giantswarm-${var.installation_name}-capa-controller/arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/giantswarm-${var.installation_name}-crossplane-policy"
}
2 changes: 2 additions & 0 deletions capa-controller-role/setup.sh
Expand Up @@ -12,6 +12,8 @@ ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
POL_TYPES=("capa-controller" "dns-controller" "eks-controller" "iam-controller" "irsa-operator" "resolver-rules-operator" "network-topology-operator" "mc-bootstrap" "crossplane")
TAGS="Key=installation,Value=${INSTALLATION_NAME}"
BYOVPC=${BYOVPC:-false}
AWS_PARTITION=${AWS_PARTITION:-aws}
GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}

if [ "$BYOVPC" == "false" ]; then
# This policy is not needed in BYO VPC installations
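Review bot: `GS_USER_ACCOUNT` and `AWS_PARTITION` end up in the `Principal` of capa-controller-role/trusted-entities.json, which is the trust anchor of the capa-controller role, but nothing checks their shape before that template is rendered, so a mistyped account id that happens to exist quietly trusts someone else's account. A check placed right after the two defaults fails the run before any IAM call is made; the snippet below assumes bash, which the `==` test on the following line suggests. How setup.sh renders trusted-entities.json is outside the hunk, so the exact point of substitution is not visible here.

```shell
AWS_PARTITION=${AWS_PARTITION:-aws}
GS_USER_ACCOUNT=${GS_USER_ACCOUNT:-"084190472784"}

case "$AWS_PARTITION" in
  aws|aws-cn|aws-us-gov) ;;
  *) echo "AWS_PARTITION must be aws, aws-cn or aws-us-gov, got '${AWS_PARTITION}'" >&2; exit 1 ;;
esac

if ! [[ "$GS_USER_ACCOUNT" =~ ^[0-9]{12}$ ]]; then
  echo "GS_USER_ACCOUNT must be a 12-digit AWS account id, got '${GS_USER_ACCOUNT}'" >&2
  exit 1
fi
# … unchanged: BYOVPC handling …
```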
4 changes: 2 additions & 2 deletions capa-controller-role/trusted-entities.json
Expand Up @@ -4,15 +4,15 @@
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
"AWS": "arn:${AWS_PARTITION}:iam::${GS_USER_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
},
"Action": "sts:AssumeRole",
"Condition": {}
},
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
"Federated": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
12 changes: 12 additions & 0 deletions capa-controller-role/variables.tf
Expand Up @@ -3,6 +3,18 @@ variable "installation_name" {
description = "If you dont know what `installation_name` value is suppose to be, ask Giant Swarm staff and they will provide it."
}

variable "aws_partition" {
type = string
description = "AWS partition used for ARN referencing, use aws-cn for China regions"
default = "aws"
}

variable "gs_user_account" {
type = string
description = "AWS account where GS staff users are located"
default = "084190472784"
}

variable "management_cluster_oidc_provider_domain" {
type = string
description = "OIDC provider domain of the management cluster"
