Initial implementation (#1)

aknysh · web-flow · commit 0b20d188874d · 2019-01-08T23:56:14.000-05:00
* Init repo

* Initial implementation

* Add `terraform.tfvars` to the example

* Address CR

* Address CR
diff --git a/.gitignore b/.gitignore
@@ -5,5 +5,8 @@
 *.tfstate
 *.tfstate.*
 
-# .tfvars files
-*.tfvars
+**/.idea
+**/*.iml
+
+**/.build-harness
+**/build-harness
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,16 @@
+addons:
+  apt:
+    packages:
+      - git
+      - make
+      - curl
+
+install:
+  - make init
+
+script:
+  - make terraform/install
+  - make terraform/get-plugins
+  - make terraform/get-modules
+  - make terraform/lint
+  - make terraform/validate
diff --git a/LICENSE b/LICENSE
@@ -178,15 +178,15 @@
    APPENDIX: How to apply the Apache License to your work.
 
       To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
+      boilerplate notice, with the fields enclosed by brackets "{}"
       replaced with your own identifying information. (Don't include
       the brackets!)  The text should be enclosed in the appropriate
       comment syntax for the file format. We also recommend that a
       file or class name and description of purpose be included on the
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2019 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,10 @@
+SHELL := /bin/bash
+
+# List of targets the `readme` target should call before generating the readme
+export README_DEPS ?= docs/targets.md docs/terraform.md
+
+-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
+
+## Lint terraform code
+lint:
+	$(SELF) terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate
diff --git a/README.md b/README.md
diff --git a/README.yaml b/README.yaml
@@ -0,0 +1,128 @@
+---
+#
+# This is the canonical configuration for the `README.md`
+# Run `make readme` to rebuild the `README.md`
+#
+
+# Name of this project
+name: terraform-aws-kops-iam-authenticator-config
+
+# Tags of this project
+tags:
+  - aws
+  - terraform
+  - terraform-modules
+  - kops
+  - kubernetes
+  - iam
+  - iam-authenticator
+
+# Logo for this project
+#logo: docs/logo.png
+
+# License of this project
+license: "APACHE2"
+
+# Canonical GitHub repo
+github_repo: cloudposse/terraform-aws-kops-iam-authenticator-config
+
+# Badges to display
+badges:
+  - name: "Build Status"
+    image: "https://travis-ci.org/cloudposse/terraform-aws-kops-iam-authenticator-config.svg?branch=master"
+    url: "https://travis-ci.org/cloudposse/terraform-aws-kops-iam-authenticator-config"
+  - name: "Latest Release"
+    image: "https://img.shields.io/github/release/cloudposse/terraform-aws-kops-iam-authenticator-config.svg"
+    url: "https://github.com/cloudposse/terraform-aws-kops-iam-authenticator-config/releases/latest"
+  - name: "Slack Community"
+    image: "https://slack.cloudposse.com/badge.svg"
+    url: "https://slack.cloudposse.com"
+
+related:
+  - name: "terraform-aws-kops-metadata"
+    description: "Terraform module to lookup resources within a Kops cluster for easier integration with Terraform"
+    url: "https://github.com/cloudposse/terraform-aws-kops-metadata"
+  - name: "terraform-aws-kops-vpc-peering"
+    description: "Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops"
+    url: "https://github.com/cloudposse/terraform-aws-kops-vpc-peering"
+  - name: "terraform-aws-kops-ecr"
+    description: "Terraform module to provision an ECR repository and grant users and kubernetes nodes access to it."
+    url: "https://github.com/cloudposse/terraform-aws-kops-ecr"
+  - name: "terraform-aws-kops-state-backend"
+    description: "Easily bootstrap kops clusters (DNS & S3 Bucket)"
+    url: "https://github.com/cloudposse/terraform-aws-kops-state-backend"
+  - name: "terraform-aws-kops-external-dns"
+    description: "Terraform module to provision an IAM role for external-dns running in a Kops cluster, and attach an IAM policy to the role with permissions to modify Route53 record sets"
+    url: "https://github.com/cloudposse/terraform-aws-kops-external-dns"
+  - name: "terraform-aws-kops-route53"
+    description: "Terraform module to lookup the IAM role associated with `kops` masters, and attach an IAM policy to the role with permissions to modify Route53 record sets"
+    url: "https://github.com/cloudposse/terraform-aws-kops-route53"
+  - name: "terraform-aws-kops-vault-backend"
+    description: "Terraform module to provision an S3 bucket for HashiCorp Vault secrets storage, and an IAM role and policy with permissions for Kops nodes to access the bucket"
+    url: "https://github.com/cloudposse/terraform-aws-kops-vault-backend"
+  - name: "terraform-aws-kops-chart-repo"
+    description: "Terraform module to provision an S3 bucket for Helm chart repository, and an IAM role and policy with permissions for Kops nodes to access the bucket"
+    url: "https://github.com/cloudposse/terraform-aws-kops-chart-repo"
+  - name: "terraform-aws-eks-cluster"
+    description: "Terraform module to provision an EKS cluster on AWS"
+    url: "https://github.com/cloudposse/terraform-aws-eks-cluster"
+  - name: "terraform-aws-eks-workers"
+    description: "Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers"
+    url: "https://github.com/cloudposse/terraform-aws-eks-workers"
+  - name: "terraform-aws-ec2-autoscale-group"
+    description: "Terraform module to provision AutoScaling Group and Launch Template on AWS"
+    url: "https://github.com/cloudposse/terraform-aws-ec2-autoscale-group"
+
+# Short description of this project
+description: |-
+  Terraform module to create and apply a [`Kubernetes`](https://kubernetes.io/) ConfigMap to map AWS IAM roles to Kubernetes users/groups.
+  This will configure clusters managed by [`kops`](https://github.com/kubernetes/kops) to use [`aws-iam-authenticator`](https://github.com/kubernetes-sigs/aws-iam-authenticator),
+  allowing to use AWS IAM credentials to authenticate to a Kubernetes cluster.
+
+
+# How to use this project
+usage: |-
+
+  ```hcl
+    module "iam_authenticator_config" {
+      source                = "git::https://github.com/cloudposse/terraform-aws-kops-iam-authenticator-config.git?ref=master"
+      cluster_id            = "us-west-2.testing.example.com"
+      kube_config_path =    "/.kube/config"
+      admin_iam_role_arn    = "arn:aws:iam::000000000000:role/KubernetesAdmin"
+      admin_k8s_username    = "kubernetes-admin"
+      admin_k8s_groups      = ["system:masters"]
+      readonly_iam_role_arn = "arn:aws:iam::000000000000:role/KubernetesReadonly"
+      readonly_k8s_username = "kubernetes-readonly"
+      readonly_k8s_groups   = ["system:authenticated"]
+    }
+  ```
+
+references:
+  - name: "Kops Authentication"
+    description: "Describes what support Kops has for configuring authentication systems"
+    url: "https://github.com/kubernetes/kops/blob/master/docs/authentication.md"
+  - name: "aws-iam-authenticator"
+    description: "A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster"
+    url: "https://github.com/kubernetes-sigs/aws-iam-authenticator"
+  - name: "Getting Started with Terraform Kubernetes provider"
+    description: "Getting Started with Terraform Kubernetes provider"
+    url: "https://www.terraform.io/docs/providers/kubernetes/guides/getting-started.html"
+  - name: "Terraform Kubernetes Provider"
+    description: "Terraform Kubernetes Provider with examples"
+    url: "https://www.terraform.io/docs/providers/kubernetes/index.html"
+  - name: "Kubernetes RBAC Authorization"
+    description: "Using Kubernetes RBAC Authorization"
+    url: "https://kubernetes.io/docs/reference/access-authn-authz/rbac"
+
+include:
+  - "docs/targets.md"
+  - "docs/terraform.md"
+
+# Contributors to this project
+contributors:
+  - name: "Erik Osterman"
+    homepage: "https://github.com/osterman"
+    github: "osterman"
+  - name: "Andriy Knysh"
+    homepage: "https://github.com/aknysh"
+    github: "aknysh"
diff --git a/config.tpl b/config.tpl
@@ -0,0 +1,9 @@
+clusterID: ${cluster_id}
+  server:
+    mapRoles:
+    - roleARN: ${admin_iam_role_arn}
+      username: ${admin_k8s_username}
+      groups: ${admin_k8s_groups}
+    - roleARN: ${readonly_iam_role_arn}
+      username: ${readonly_k8s_username}
+      groups: ${readonly_k8s_groups}
diff --git a/docs/targets.md b/docs/targets.md
@@ -0,0 +1,10 @@
+## Makefile Targets
+```
+Available targets:
+
+  help                                Help screen
+  help/all                            Display help for all targets
+  help/short                          This help short screen
+  lint                                Lint terraform code
+
+```
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -0,0 +1,19 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| admin_iam_role_arn | IAM Role with admin permissions to map to `admin_k8s_username` | string | - | yes |
+| admin_k8s_groups | List of Kubernetes groups to be mapped to `admin_iam_role_arn` | list | `<list>` | no |
+| admin_k8s_username | Kubernetes admin username to be mapped to `admin_iam_role_arn` | string | `` | no |
+| cluster_id | A unique-per-cluster identifier to prevent replay attacks. Good choices are a random token or a domain name that will be unique to your cluster | string | - | yes |
+| kube_config_path | Path to the kube config file. Can be sourced from `KUBE_CONFIG` or `KUBECONFIG` | string | - | yes |
+| readonly_iam_role_arn | IAM Role with readonly permissions to map to `readonly_k8s_username` | string | - | yes |
+| readonly_k8s_groups | List of Kubernetes groups to be mapped to `readonly_iam_role_arn` | list | `<list>` | no |
+| readonly_k8s_username | Kubernetes readonly username to be mapped to `readonly_iam_role_arn` | string | `` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| kubeconfig_path | kubeconfig path |
+
diff --git a/examples/complete/.gitignore b/examples/complete/.gitignore
@@ -0,0 +1,4 @@
+.terraform
+**/.terraform/*
+*.tfstate
+*.tfstate.*
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -0,0 +1,9 @@
+module "iam_authenticator_config" {
+  source                = "../../"
+  admin_iam_role_arn    = "${var.admin_iam_role_arn}"
+  admin_k8s_username    = "${var.admin_k8s_username}"
+  admin_k8s_groups      = "${var.admin_k8s_groups}"
+  readonly_iam_role_arn = "${var.readonly_iam_role_arn}"
+  readonly_k8s_username = "${var.readonly_k8s_username}"
+  readonly_k8s_groups   = "${var.readonly_k8s_groups}"
+}
diff --git a/examples/complete/terraform.tfvars.example b/examples/complete/terraform.tfvars.example
@@ -0,0 +1,15 @@
+cluster_id = "us-west-2.testing.example.com"
+
+kube_config_path = "/.kube/config"
+
+admin_iam_role_arn = "arn:aws:iam::000000000000:role/KubernetesAdmin"
+
+admin_k8s_username = "kubernetes-admin"
+
+admin_k8s_groups = ["system:masters"]
+
+readonly_iam_role_arn = "arn:aws:iam::000000000000:role/KubernetesReadonly"
+
+readonly_k8s_username = "kubernetes-readonly"
+
+readonly_k8s_groups = ["system:authenticated"]
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -0,0 +1,39 @@
+variable "cluster_id" {
+  type        = "string"
+  description = "A unique-per-cluster identifier to prevent replay attacks. Good choices are a random token or a domain name that will be unique to your cluster"
+}
+
+variable "kube_config_path" {
+  type        = "string"
+  description = "Path to the kube config file. Can be sourced from `KUBE_CONFIG` or `KUBECONFIG`"
+}
+
+variable "admin_iam_role_arn" {
+  type        = "string"
+  description = "IAM Role with admin permissions to map to `admin_k8s_username`"
+}
+
+variable "admin_k8s_username" {
+  type        = "string"
+  description = "Kubernetes admin username to be mapped to `admin_iam_role_arn`"
+}
+
+variable "admin_k8s_groups" {
+  type        = "list"
+  description = "List of Kubernetes groups to be mapped to `admin_iam_role_arn`"
+}
+
+variable "readonly_iam_role_arn" {
+  type        = "string"
+  description = "IAM Role with readonly permissions to map to `readonly_k8s_username`"
+}
+
+variable "readonly_k8s_username" {
+  type        = "string"
+  description = "Kubernetes readonly username to be mapped to `readonly_iam_role_arn`"
+}
+
+variable "readonly_k8s_groups" {
+  type        = "list"
+  description = "List of Kubernetes groups to be mapped to `readonly_iam_role_arn`"
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,37 @@
+data "template_file" "config" {
+  template = "${file("${path.module}/config.tpl")}"
+
+  vars {
+    cluster_id            = "${var.cluster_id}"
+    admin_iam_role_arn    = "${var.admin_iam_role_arn}"
+    admin_k8s_username    = "${var.admin_k8s_username}"
+    admin_k8s_groups      = "${jsonencode(var.admin_k8s_groups)}"
+    readonly_iam_role_arn = "${var.readonly_iam_role_arn}"
+    readonly_k8s_username = "${var.readonly_k8s_username}"
+    readonly_k8s_groups   = "${jsonencode(var.readonly_k8s_groups)}"
+  }
+}
+
+# https://www.terraform.io/docs/providers/kubernetes/guides/getting-started.html
+# https://www.terraform.io/docs/providers/kubernetes/index.html
+provider "kubernetes" {
+  config_path      = "${var.kube_config_path}"
+  load_config_file = true
+}
+
+# https://github.com/kubernetes/kops/blob/master/docs/authentication.md
+# https://github.com/kubernetes-sigs/aws-iam-authenticator
+resource "kubernetes_config_map" "aws_iam_authenticator" {
+  metadata {
+    name      = "aws-iam-authenticator"
+    namespace = "kube-system"
+
+    labels = {
+      k8s-app = "aws-iam-authenticator"
+    }
+  }
+
+  data {
+    "config.yaml" = "${data.template_file.config.rendered}"
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "kubeconfig_path" {
+  description = "kubeconfig path"
+  value       = "${var.kube_config_path}"
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,43 @@
+variable "cluster_id" {
+  type        = "string"
+  description = "A unique-per-cluster identifier to prevent replay attacks. Good choices are a random token or a domain name that will be unique to your cluster"
+}
+
+variable "kube_config_path" {
+  type        = "string"
+  description = "Path to the kube config file. Can be sourced from `KUBE_CONFIG` or `KUBECONFIG`"
+}
+
+variable "admin_iam_role_arn" {
+  type        = "string"
+  description = "IAM Role with admin permissions to map to `admin_k8s_username`"
+}
+
+variable "admin_k8s_username" {
+  type        = "string"
+  description = "Kubernetes admin username to be mapped to `admin_iam_role_arn`"
+  default     = ""
+}
+
+variable "admin_k8s_groups" {
+  type        = "list"
+  description = "List of Kubernetes groups to be mapped to `admin_iam_role_arn`"
+  default     = []
+}
+
+variable "readonly_iam_role_arn" {
+  type        = "string"
+  description = "IAM Role with readonly permissions to map to `readonly_k8s_username`"
+}
+
+variable "readonly_k8s_username" {
+  type        = "string"
+  description = "Kubernetes readonly username to be mapped to `readonly_iam_role_arn`"
+  default     = ""
+}
+
+variable "readonly_k8s_groups" {
+  type        = "list"
+  description = "List of Kubernetes groups to be mapped to `readonly_iam_role_arn`"
+  default     = []
+}
