Refactor capa-controller-role module to not use CF
We found that importing existing resources into CF might be problematic, so migrating existing setups will be difficult

Instead, we chose to use standalone TF resources with the corresponding import blocks.
iuriaranda committed Dec 19, 2024
1 parent bed82ef commit af7c278
Showing 19 changed files with 1,006 additions and 643 deletions.
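--- a/aws-account-setup/imports.tf
+++ b/aws-account-setup/imports.tf
@@ -0,0 +1,125 @@
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role.giantswarm_capa_controller_role
+id = "giantswarm-${each.value.name}-capa-controller"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_capa_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-capa-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_capa_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-capa-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map_no_byovpc
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_capa_controller_vpc_policy[0]
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-capa-controller-vpc-policy"
+}
+
+import {
+for_each = local.mc_account_map_no_byovpc
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_capa_controller_vpc_policy_attachment[0]
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-capa-controller-vpc-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_dns_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-dns-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_dns_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-dns-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_eks_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-eks-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_eks_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-eks-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_iam_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-iam-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_iam_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-iam-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_irsa_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-irsa-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_irsa_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-irsa-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_network_topology_controller_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-network-topology-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_network_topology_controller_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-network-topology-controller-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_resolver_rules_operator_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-resolver-rules-operator-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_resolver_rules_operator_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-resolver-rules-operator-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_mc_bootstrap_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-mc-bootstrap-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_mc_bootstrap_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-mc-bootstrap-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_policy.giantswarm_crossplane_policy
+id = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-crossplane-policy"
+}
+
+import {
+for_each = local.mc_account_map
+to = module.capa_controller_role[each.key].aws_iam_role_policy_attachment.giantswarm_crossplane_policy_attachment
+id = "giantswarm-${each.value.name}-capa-controller/arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:policy/giantswarm-${each.value.name}-crossplane-policy"
+}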
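Review bot: Every import block iterates over the full `local.mc_account_map` (or `local.mc_account_map_no_byovpc`), so an account added after this migration has no pre-existing role or policies to import and the plan will fail with a "cannot import non-existent remote object" error until these blocks are removed; the file should say that it is a one-shot migration aid, e.g. a header comment `# One-shot migration from CloudFormation: delete this file once every account's IAM resources are in state.` Importing also does not take ownership away from the CloudFormation stack that created these resources; if that stack is later deleted without a Retain deletion policy, CloudFormation will remove the role and policies now tracked here (the stack handling is not visible in this diff). The first plan after import should be reviewed for in-place updates to the policy documents, since any difference between the CloudFormation templates and the module's policies is applied as a permission change on the controller role.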
58 changes: 49 additions & 9 deletions aws-account-setup/main.tf
@@ -1,4 +1,15 @@
terraform {
required_providers {
aws = {
source = "opentofu/aws"
version = "5.81.0"
}
}
}

locals {
gs_user_account = "084190472784"

mc_account_flat = flatten([
for mc_name, mc in var.management_clusters : [
for account in mc.aws_account : {
Expand All @@ -12,35 +23,64 @@ locals {
mc_account_map = {
for i in local.mc_account_flat : "${i.name}-${i.aws_account.account_id}" => i
}

mc_account_map_no_byovpc = {
for i in local.mc_account_flat : "${i.name}-${i.aws_account.account_id}" => i if !i.aws_account.byovpc
}

aws_account_list = distinct([
for mc in local.mc_account_flat : {
account_id = mc.aws_account.account_id
aws_partition = mc.aws_account.aws_partition
}
])

aws_account_map = {
for account in local.aws_account_list : account.account_id => account.aws_partition
}
}

provider "aws" {
alias = "main"
region = each.value.aws_account.region
for_each = local.mc_account_map
region = "eu-west-1" # Irrelevant as we are only creating IAM stuff
for_each = local.aws_account_map

assume_role {
role_arn = "arn:${each.value.aws_account.aws_partition}:iam::${each.value.aws_account.account_id}:role/GiantSwarmAdmin"
role_arn = "arn:${each.value}:iam::${each.key}:role/GiantSwarmAdmin"
}

allowed_account_ids = [each.key]

ignore_tags {
keys = ["maintainer", "owner", "repo"]
}
}

# module "gs_admin_role" {
# source = "../admin-role"
# for_each = local.aws_account_map
# providers = {
# aws = aws.main[each.key]
# }

# gs_user_account = local.gs_user_account
# aws_partition = each.value
# }

module "capa_controller_role" {
source = "../capa-controller-role"
for_each = local.mc_account_map
providers = {
aws = aws.main[each.key]
aws = aws.main[each.value.aws_account.account_id]
}

installation_name = each.value.name
management_cluster_oidc_provider_domain = each.value.oidc_provider_domain
byovpc = each.value.aws_account.byovpc
# gs_user_account = TODO
gs_user_account = local.gs_user_account
aws_partition = each.value.aws_account.aws_partition

# TBD
# additional_policies = each.value.aws_account.additional_policies
# additional_policies_arns = each.value.aws_account.additional_policies_arns
}

output "mc_account_setup" {
value = {for k, v in module.mc_account_setup : k => v}
}
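Review bot: The hard-coded `region = "eu-west-1"` in the `aws.main` provider is not irrelevant once `local.aws_account_map` carries a non-default partition, because the STS assume-role call to `arn:${each.value}:iam::${each.key}:role/GiantSwarmAdmin` for an `aws-cn` or `aws-us-gov` account is made through a region that does not exist in that partition; deriving it from the value keeps the comment honest, `region = each.value == "aws-cn" ? "cn-north-1" : each.value == "aws-us-gov" ? "us-gov-west-1" : "eu-west-1"`. The `allowed_account_ids = [each.key]` guard is a good addition since it rejects a misconfigured assume-role target before any IAM change is planned. The commented-out `gs_admin_role` module and the `# TBD` `additional_policies` lines are dead code in this commit; either wire them up or replace them with a `# TODO(<owner>): …` line referencing the tracking issue. The `locals` block is cut by the "Expand All" fold, so its first lines are outside this section.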
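--- a/aws-account-setup/outputs.tf
+++ b/aws-account-setup/outputs.tf
@@ -0,0 +1,3 @@
+output "capa_controller_roles" {
+value = {for k, v in module.capa_controller_role : k => v}
+}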
1 change: 0 additions & 1 deletion aws-account-setup/variables.tf
Expand Up @@ -2,7 +2,6 @@ variable "management_clusters" {
type = map(object({
aws_account = list(object({
account_id = string
region = string
aws_partition = string
byovpc = bool
additional_policies = list(string)
