...
You can use the service-account-role module from Flightdeck to create an IAM role for the service account, with the proper trust policy:

```hcl
module "pod_role" {
  source        = "github.com/thoughtbot/flightdeck//aws/service-account-role?ref=v0.9.0"
  cluster_names = ["example-sandbox-v1"]
  name          = "example-pods"

  # Your manifests must use a service account with the same name and namespace
  service_accounts = ["example:example-staging:example"]
}
```
You can then create IAM policies and attach them to the role:
```hcl
resource "aws_iam_policy" "reports_bucket" {
  name   = "example-bucket"
  policy = module.example_bucket.policy_json
}

resource "aws_iam_role_policy_attachment" "reports_bucket" {
  policy_arn = aws_iam_policy.reports_bucket.arn
  role       = module.pod_role.name
}
```
You can pass this role to the Flightdeck application-config module to set up the proper service account and annotations to map pods to the role:
```hcl
module "staging_sandbox_v1" {
  source = "github.com/thoughtbot/flightdeck//aws/application-config"

  # This must match the service account and namespace declared above
  namespace           = "example-staging"
  pod_service_account = "example"
  pod_iam_role        = module.pod_role.arn
}
```
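A role like the one above only works, and is only as narrow as intended, if its trust policy names exactly the namespace and service account the manifests use. The following Python is an added audit check written for this page (not Flightdeck code): it walks an IRSA trust policy, lists the `namespace:name` subjects allowed to assume the role, and flags conditions that admit more than one service account. The account id and OIDC issuer in the sample policy are constructed placeholders.

```python
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"
SA_PREFIX = "system:serviceaccount:"

# Constructed sample: the shape an IRSA trust policy takes for the
# example-staging/example service account (account id and issuer are placeholders).
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEISSUERID"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ASSUME_ACTION,
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:example-staging:example",
        }},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return (subjects, findings): subjects is the set of 'namespace:name' service
    accounts that may assume the role; findings lists conditions that admit more."""
    subjects, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(stmt.get("Action", [])):
            continue
        subs = []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if not key.endswith(":sub"):
                    continue
                if operator != "StringEquals":  # StringLike and friends allow pattern matches
                    findings.append(f"{operator} used on {key}; expected StringEquals")
                subs.extend(_as_list(value))
        if not subs:
            findings.append("no :sub condition; any pod in the cluster could assume the role")
        for sub in subs:
            if "*" in sub or not sub.startswith(SA_PREFIX):
                findings.append(f"overly broad subject {sub!r}")
            else:
                subjects.add(sub[len(SA_PREFIX):])
    return subjects, findings


def pod_can_assume(policy, namespace, service_account):
    """True when a pod running as namespace/service_account is admitted by the policy."""
    subjects, _ = audit_trust_policy(policy)
    return f"{namespace}:{service_account}" in subjects
```

To audit a live role, feed it the `AssumeRolePolicyDocument` from `aws iam get-role` instead of the sample.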
Deploy Role
If you’re using GitHub Actions, you can use the EKS deploy role module to create your deploy role:
...
You can then use Kubernetes role bindings to assign permissions to the role.
If you’re using the Flightdeck application-config module, you can include the deploy group as part of your configuration:
```hcl
module "staging_sandbox_v1" {
  providers = {
    kubernetes = kubernetes.sandbox_v1
  }

  source       = "github.com/thoughtbot/flightdeck//aws/application-config"
  deploy_group = "example-staging-deploy"
}
```
Flightdeck also includes a module to provide write access to a single namespace if you’re configuring your deploy role separately:
```hcl
module "deploy_role_bindings" {
  source    = "github.com/thoughtbot/flightdeck//aws/deploy-role-bindings"
  group     = "example-deploy"
  name      = "deploy"
  namespace = "example-staging"
}
```
Developer Role
You can use the SSO permission set roles module to assign permission sets to groups in your cluster, and the developer group module to map it to a role. If you’re using the Flightdeck application-config module, you can include the developer group as part of your configuration:

```hcl
module "staging_sandbox_v1" {
  providers = {
    kubernetes = kubernetes.sandbox_v1
  }

  source          = "github.com/thoughtbot/flightdeck//aws/application-config"
  developer_group = "example-staging-developer"
}
```
Flightdeck also includes a module to provide read access to a single namespace if you’re configuring your developer role separately:
```hcl
module "developer_role_bindings" {
  source      = "github.com/thoughtbot/flightdeck//aws/developer-role-bindings"
  enable_exec = false
  group       = "example-developer"
  name        = "developer"
  namespace   = "example-staging"
}
```
...
```hcl
module "platform" {
  source = "github.com/thoughtbot/flightdeck//aws/platform?ref=v0.9.0"

  # Other config

  custom_roles = {
    example-developer = module.sso_roles.by_name_without_path.DeveloperAccess
  }
}

module "sso_roles" {
  source = "github.com/thoughtbot/terraform-aws-sso-permission-set-roles?ref=v0.2.0"
}
```