...

You can use the service-account-role module from Flightdeck to create the service account and an IAM role with the proper trust policy:

```hcl
module "pod_role" {
  source = "github.com/thoughtbot/flightdeck//aws/service-account-role?ref=v0.9.0"

  cluster_names    = ["example-sandbox-v1"]
  name             = "example-servicepods"

  # Your manifests must use a service account with the same name and namespace
  service_accounts = ["example:example-staging:example"]
}
```

You can then create IAM policies and attach them to the role:

```hcl
resource "aws_iam_policy" "reports_bucket" {
  name   = "example-bucket"
  # Policy document produced by a bucket module defined elsewhere
  policy = module.example_bucket.policy_json
}

resource "aws_iam_role_policy_attachment" "reports_bucket" {
  # Reference the policy resource declared above and the role created by the module
  policy_arn = aws_iam_policy.reports_bucket.arn
  role       = module.pod_role.name
}
```

You can pass this role to the Flightdeck application-config module to set up the proper service account and annotations to map pods to the role:

```hcl
module "staging_sandbox_v1" {
  source    = "github.com/thoughtbot/flightdeck//aws/application-config"

  # This must match the service account and namespace declared above
  namespace               = "example-staging"
  pod_service_account     = "example"

  pod_iam_role            = module.pod_role.arn
}
```
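The reason the service account name and namespace must match is that the role's trust policy only allows `sts:AssumeRoleWithWebIdentity` when the OIDC token's `sub` claim is exactly `system:serviceaccount:<namespace>:<name>`. The following Python script, added here as an illustration and not part of Flightdeck or this page, builds that trust policy from the `service_accounts` list in the format shown above (assumed to be `cluster:namespace:name`) and audits any web-identity trust policy for the two conditions a reviewer checks: the audience is pinned and the subject is exact rather than a wildcard. The audit applies equally to the GitHub Actions deploy role described below, since it uses the same `AssumeRoleWithWebIdentity` mechanism. The OIDC provider hostname and account ID are constructed placeholders.

```python
"""Build and audit web-identity (IRSA / GitHub OIDC) trust policies. Added example."""
import json

# Constructed placeholders, not a real cluster or account.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
ACCOUNT_ID = "123456789012"


def parse_service_account(spec: str) -> tuple[str, str, str]:
    """Split a 'cluster:namespace:name' entry (format assumed from the module input above)."""
    parts = spec.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected cluster:namespace:name, got {spec!r}")
    return parts[0], parts[1], parts[2]


def irsa_subjects(service_accounts: list[str]) -> list[str]:
    """The exact OIDC subjects the trust policy should accept."""
    return [f"system:serviceaccount:{ns}:{name}"
            for _, ns, name in map(parse_service_account, service_accounts)]


def irsa_trust_policy(service_accounts: list[str]) -> dict:
    """Trust policy that lets only the named service accounts assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                    f"{OIDC_PROVIDER}:sub": irsa_subjects(service_accounts),
                }
            },
        }],
    }


def audit_trust_policy(policy: dict) -> list[str]:
    """Findings for Allow statements on AssumeRoleWithWebIdentity that do not pin aud and sub.

    A missing :sub condition means any identity issued by the provider may assume the role;
    a StringLike wildcard on :sub means every service account (or repo/branch) matching it may.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals = {k.lower(): v for k, v in cond.get("StringEquals", {}).items()}
        like = {k.lower(): v for k, v in cond.get("StringLike", {}).items()}
        if not any(k.endswith(":aud") for k in equals):
            findings.append(f"statement {i}: audience (:aud) is not pinned with StringEquals")
        sub_equal = [k for k in equals if k.endswith(":sub")]
        sub_like = [k for k in like if k.endswith(":sub")]
        if not sub_equal and not sub_like:
            findings.append(f"statement {i}: no :sub condition; any identity from the provider may assume the role")
        for k in sub_like:
            values = like[k] if isinstance(like[k], list) else [like[k]]
            for v in values:
                if "*" in v or "?" in v:
                    findings.append(f"statement {i}: wildcard subject {v!r}")
    return findings


# Constructed example of a policy that is too broad: every service account in the namespace.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:example-staging:*"},
        },
    }],
}

if __name__ == "__main__":
    strict = irsa_trust_policy(["example:example-staging:example"])
    print(json.dumps(strict, indent=2))
    print("strict findings:", audit_trust_policy(strict))
    print("loose findings:", audit_trust_policy(LOOSE_POLICY))
```

Run it against the JSON from `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` to confirm a role created by the module, or by hand, is scoped to exactly the service accounts your manifests use.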

Deploy Role

If you’re using GitHub Actions, you can use the EKS deploy role module to create your deploy role:

...

You can then use Kubernetes role bindings to assign permissions to the role.

If you’re using the Flightdeck application-config module, you can include the deploy group as part of your configuration:

```hcl
module "staging_sandbox_v1" {
  providers = { kubernetes = kubernetes.sandbox_v1 }
  source    = "github.com/thoughtbot/flightdeck//aws/application-config"

  deploy_group = "example-staging-deploy"
}
```

Flightdeck also includes a module to provide write access to a single namespace if you’re configuring your deploy role separately:

```hcl
module "deploy_role_bindings" {
  source     = "github.com/thoughtbot/flightdeck//aws/deploy-role-bindings"

  group         = "example-deploy"
  name          = "deploy"
  namespace     = "example-staging"
}
```

Developer Role

You can use the SSO permission set roles module to assign permission sets to groups in your cluster. If you’re using the Flightdeck application-config module, you can include the developer group as part of your configuration:

```hcl
module "staging_sandbox_v1" {
  providers = { kubernetes = kubernetes.sandbox_v1 }
  source    = "github.com/thoughtbot/flightdeck//aws/application-config"

  developer_group = "example-staging-developer"
}
```

Flightdeck also includes a module to provide read access to a single namespace if you’re configuring your developer role separately:

```hcl
module "developer_role_bindings" {
  source     = "github.com/thoughtbot/flightdeck//aws/developer-role-bindings"

  enable_exec = false
  group       = "example-developer"
  name        = "developer"
  namespace   = "example-staging"
}
```
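Both role-bindings modules above stand for the same least-privilege pattern: a namespaced `Role` (write verbs for deploy, read verbs for developers, `pods/exec` only when `enable_exec` is on) bound to one group by a `RoleBinding` in that one namespace. The following Python audit, added as an illustration and not Flightdeck's own code, checks those properties on Role and RoleBinding manifests loaded as dictionaries (for example from `kubectl get role,rolebinding -n example-staging -o json`). The manifests embedded here are constructed samples, not the modules' real output.

```python
"""Audit namespaced RBAC for the deploy/developer pattern. Added example with constructed manifests."""
from copy import deepcopy

READ_VERBS = {"get", "list", "watch"}
EXEC_RESOURCES = {"pods/exec"}  # exec needs `create` on this subresource


def audit_role(role: dict, *, read_only: bool, allow_exec: bool) -> list[str]:
    """Findings for a Role that should be namespaced, wildcard-free and (optionally) read-only."""
    findings = []
    if role.get("kind") != "Role":
        findings.append(f"{role.get('kind')} is cluster-scoped; use a namespaced Role")
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"wildcard in rule on {sorted(resources) or rule.get('apiGroups')}")
        if not allow_exec and resources & EXEC_RESOURCES:
            findings.append("pods/exec granted although exec is disabled")
        # Exec rules are checked above; the rest of the rule must stay read-only if required.
        if read_only and (resources - EXEC_RESOURCES) and not verbs <= READ_VERBS:
            findings.append(f"write verbs {sorted(verbs - READ_VERBS)} on {sorted(resources)}")
    return findings


def audit_binding(binding: dict, role: dict, group: str, namespace: str) -> list[str]:
    """Findings for a RoleBinding that should bind exactly `group` to `role` in `namespace`."""
    findings = []
    if binding.get("kind") != "RoleBinding":
        findings.append(f"{binding.get('kind')} binds cluster-wide; use a RoleBinding")
    if binding.get("metadata", {}).get("namespace") != namespace:
        findings.append(f"binding is in {binding.get('metadata', {}).get('namespace')!r}, not {namespace!r}")
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "Role" or ref.get("name") != role.get("metadata", {}).get("name"):
        findings.append(f"roleRef {ref} does not point at the namespaced Role")
    groups = {s.get("name") for s in binding.get("subjects", []) if s.get("kind") == "Group"}
    others = [s for s in binding.get("subjects", []) if s.get("kind") != "Group"]
    if groups != {group} or others:
        findings.append(f"subjects are {groups | {s.get('name') for s in others}}, expected only group {group!r}")
    return findings


# Constructed sample manifests for the example-staging namespace.
DEVELOPER_ROLE = {
    "kind": "Role", "metadata": {"name": "developer", "namespace": "example-staging"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
    ],
}
DEVELOPER_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "developer", "namespace": "example-staging"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "developer"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "example-developer"}],
}
DEPLOY_ROLE = {
    "kind": "Role", "metadata": {"name": "deploy", "namespace": "example-staging"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
# The same developer role with exec added, as produced when enable_exec is true.
DEVELOPER_ROLE_WITH_EXEC = deepcopy(DEVELOPER_ROLE)
DEVELOPER_ROLE_WITH_EXEC["rules"].append(
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]})

if __name__ == "__main__":
    print("developer:", audit_role(DEVELOPER_ROLE, read_only=True, allow_exec=False))
    print("developer+exec, exec disabled:", audit_role(DEVELOPER_ROLE_WITH_EXEC, read_only=True, allow_exec=False))
    print("deploy:", audit_role(DEPLOY_ROLE, read_only=False, allow_exec=False))
    print("binding:", audit_binding(DEVELOPER_BINDING, DEVELOPER_ROLE, "example-developer", "example-staging"))
```

The developer checks run with `read_only=True, allow_exec=False`, mirroring `enable_exec = false` above; flipping `allow_exec` to `True` is what lets the exec rule pass without also relaxing the read-only requirement on everything else.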

...

```hcl
module "platform" {
  source = "github.com/thoughtbot/flightdeck//aws/platform?ref=v0.9.0"

  # Other config

  custom_roles = {
    example-developer = module.sso_roles.by_name_without_path.DeveloperAccess
  }
}

module "sso_roles" {
  source = "github.com/thoughtbot/terraform-aws-sso-permission-set-roles?ref=v0.2.0"
}
```
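The `by_name_without_path` output matters because the roles IAM Identity Center creates for permission sets carry a path (`/aws-reserved/sso.amazonaws.com/...`), and EKS authentication mappings of the `aws-auth` `mapRoles` kind match on the role ARN with that path removed. The following Python helper, added here as an illustration and not Flightdeck's own implementation, strips the path from a role ARN, refuses ARNs that are not IAM roles, and renders the `custom_roles` map above as `mapRoles` entries. The account ID, permission-set suffix and `username` template are constructed placeholders.

```python
"""Map SSO permission-set roles to cluster groups without the IAM path. Added example."""
import re

# arn:aws:iam::<account>:role/<optional/path/segments/><name>
ROLE_ARN = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$")


def role_arn_without_path(arn: str) -> str:
    """Return the role ARN with any path removed, as EKS mapRoles expects."""
    m = ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return f"arn:aws:iam::{m.group('account')}:role/{m.group('name')}"


def map_roles_entries(custom_roles: dict[str, str]) -> list[dict]:
    """Turn {cluster_group: role_arn} into aws-auth mapRoles entries, one group per role."""
    entries = []
    for group, arn in sorted(custom_roles.items()):
        entries.append({
            "rolearn": role_arn_without_path(arn),
            # Constructed username template; pick whatever your audit logs should show.
            "username": f"{group}:{{{{SessionName}}}}",
            "groups": [group],
        })
    return entries


def render_map_roles(entries: list[dict]) -> str:
    """Render entries as the YAML list stored in the aws-auth ConfigMap's mapRoles key."""
    lines = []
    for e in entries:
        lines.append(f"- rolearn: {e['rolearn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


# Constructed sample: the ARN shape Identity Center produces, with path and random suffix.
SSO_DEVELOPER_ARN = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                     "us-east-1/AWSReservedSSO_DeveloperAccess_0123456789abcdef")

if __name__ == "__main__":
    print(render_map_roles(map_roles_entries({"example-developer": SSO_DEVELOPER_ARN})))
```

The rendered list is what `kubectl get configmap aws-auth -n kube-system -o yaml` should show under `mapRoles` once the platform module has applied `custom_roles`; a mismatch in the ARN (path still present, or a stale permission-set suffix after the set was recreated) is the usual reason an SSO user is denied despite a correct RoleBinding.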