aws-ia/terraform-aws-eks-blueprints-teams

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Amazon EKS Blueprints Teams Terraform module

Terraform module which creates multi-tenancy resources on Amazon EKS.

Usage

See the `tests` directory for working examples to reference:

Standalone - Admin Team

module "admin_team" {
  source = "aws-ia/eks-blueprints-teams/aws"

  # Common name used across the resources created unless a more specific name is provided
  name = "admin-team"

  # ARN of the EKS cluster this team is granted access to
  cluster_arn = "arn:aws:eks:us-west-2:111122223333:cluster/my-cluster"

  # IAM principals (user and/or role ARNs) allowed to assume the IAM role created for this team
  users = ["arn:aws:iam::111122223333:role/my-admin-role"]

  # Creates an IAM role policy granting admin access to the Kubernetes cluster;
  # keep the `users` list above limited to principals that genuinely need cluster-wide admin
  enable_admin = true

  tags = {
    Environment = "dev"
  }
}

Standalone - Developer Team

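module "development_team" {
  source = "aws-ia/eks-blueprints-teams/aws"

  # Common name used across the resources created unless a more specific name is provided
  name = "development-team"

  # IAM principals (user and/or role ARNs) allowed to assume the IAM role created for this team
  users             = ["arn:aws:iam::012345678901:role/my-developer"]
  cluster_arn       = "arn:aws:eks:us-west-2:012345678901:cluster/my-cluster"
  oidc_provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"

  # Labels applied to all Kubernetes resources
  # More specific labels can be applied to individual resources under `namespaces` below
  labels = {
    team = "development"
  }

  # Annotations applied to all Kubernetes resources
  # More specific annotations can be applied to individual resources under `namespaces` below
  annotations = {
    team = "development"
  }

  namespaces = {
    default = {
      # Provides access to an existing namespace (the namespace itself is not created by the module)
      create = false
    }

    development = {
      labels = {
        projectName = "project-awesome",
      }

      # Caps the aggregate resources of the namespace; pods without explicit requests/limits
      # pick up the defaults from the `limit_range` below
      resource_quota = {
        hard = {
          "requests.cpu"    = "1000m",
          "requests.memory" = "4Gi",
          "limits.cpu"      = "2000m",
          "limits.memory"   = "8Gi",
          "pods"            = "10",
          "secrets"         = "10",
          "services"        = "10"
        }
      }

      limit_range = {
        limit = [
          {
            type = "Pod"
            max = {
              cpu    = "200m"
              memory = "1Gi"
            }
          },
          {
            type = "PersistentVolumeClaim"
            min = {
              storage = "24M"
            }
          },
          {
            type = "Container"
            default = {
              cpu    = "50m"
              memory = "24Mi"
            }
          }
        ]
      }

      network_policy = {
        # Only pods matching this selector are subject to the policy
        pod_selector = {
          match_expressions = [{
            key      = "name"
            operator = "In"
            values   = ["webfront", "api"]
          }]
        }

        ingress = [{
          ports = [
            {
              port     = "http"
              protocol = "TCP"
            },
            {
              port     = "53"
              protocol = "TCP"
            },
            {
              port     = "53"
              protocol = "UDP"
            }
          ]

          from = [
            {
              namespace_selector = {
                match_labels = {
                  name = "default"
                }
              }
            },
            {
              # Allow the private range but carve out two subnets from it
              ip_block = {
                cidr = "10.0.0.0/8"
                except = [
                  "10.0.0.0/24",
                  "10.0.1.0/24",
                ]
              }
            }
          ]
        }]

        # No egress rules are listed here. In Kubernetes, a NetworkPolicy whose
        # `policyTypes` includes "Egress" but carries no egress rules denies ALL
        # egress from the selected pods (DNS included); a *single empty rule*
        # is what allows all egress. If this empty list is rendered by the module
        # as no egress blocks, the comment below the old example ("allow all
        # egress") does not hold -- use `egress = [{}]` for the allow-all intent
        # and confirm against the module's kubernetes_network_policy_v1 resource.
        egress = []

        policy_types = ["Ingress", "Egress"]
      }
    }
  }

  tags = {
    Environment = "dev"
  }
}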

Multiple Teams

You can use a module-level `for_each` to create multiple teams with the same configuration, and even make some of those values defaults that can be overridden.

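module "development_team" {
  source = "aws-ia/eks-blueprints-teams/aws"

  # One module instance per map key; each instance becomes its own team
  for_each = {
    one = {
      # Add any additional per-team values here and reference them as `each.value.<name>` below
      users = ["arn:aws:iam::012345678901:role/developers-one"]
    }
    two = {
      users = ["arn:aws:iam::012345678901:role/developers-two"]
    }
    three = {
      users = ["arn:aws:iam::012345678901:role/developers-three"]
    }
  }

  name = "${each.key}-team"

  # IAM principals (user and/or role ARNs) allowed to assume the IAM role created for this team
  users             = each.value.users
  cluster_arn       = "arn:aws:eks:us-west-2:012345678901:cluster/my-cluster"
  oidc_provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"

  # Labels applied to all Kubernetes resources
  # More specific labels can be applied to individual resources under `namespaces` below
  labels = {
    team = each.key
  }

  # Annotations applied to all Kubernetes resources
  # More specific annotations can be applied to individual resources under `namespaces` below
  annotations = {
    team = each.key
  }

  namespaces = {
    # Parentheses make the key the *value* of `each.key` rather than the literal string "each.key"
    (each.key) = {
      labels = {
        projectName = "project-awesome",
      }

      # Caps the aggregate resources of the namespace; pods without explicit requests/limits
      # pick up the defaults from the `limit_range` below
      resource_quota = {
        hard = {
          "requests.cpu"    = "1000m",
          "requests.memory" = "4Gi",
          "limits.cpu"      = "2000m",
          "limits.memory"   = "8Gi",
          "pods"            = "10",
          "secrets"         = "10",
          "services"        = "10"
        }
      }

      limit_range = {
        limit = [
          {
            type = "Pod"
            max = {
              cpu    = "200m"
              memory = "1Gi"
            }
          },
          {
            type = "PersistentVolumeClaim"
            min = {
              storage = "24M"
            }
          },
          {
            type = "Container"
            default = {
              cpu    = "50m"
              memory = "24Mi"
            }
          }
        ]
      }
    }
  }

  tags = {
    Environment = "dev"
  }
}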

Support & Feedback

Important

EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service, and support is provided on a best-effort basis by the EKS Blueprints community. To provide feedback, please use the issue templates provided. If you are interested in contributing to EKS Blueprints, see the Contribution guide.

Requirements

Name Version
terraform >= 1.0
aws >= 4.47
kubernetes >= 2.17

Providers

Name Version
aws >= 4.47
kubernetes >= 2.17

Modules

No modules.

Resources

Name Type
aws_iam_policy.admin resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.admin resource
aws_iam_role_policy_attachment.this resource
kubernetes_cluster_role_binding_v1.this resource
kubernetes_cluster_role_v1.this resource
kubernetes_limit_range_v1.this resource
kubernetes_namespace_v1.this resource
kubernetes_network_policy_v1.this resource
kubernetes_resource_quota_v1.this resource
kubernetes_role_binding_v1.this resource
kubernetes_secret_v1.service_account_token resource
kubernetes_service_account_v1.this resource
aws_iam_policy_document.admin data source
aws_iam_policy_document.this data source

Inputs

Name Description Type Default Required
admin_policy_name Name to use on admin IAM policy created string "" no
annotations A map of Kubernetes annotations to add to all resources map(string) {} no
cluster_arn The Amazon Resource Name (ARN) of the cluster string "" no
cluster_role_name Name to use on Kubernetes cluster role created string "" no
create_cluster_role Determines whether a Kubernetes cluster role is created bool true no
create_iam_role Determines whether an IAM role is created or to use an existing IAM role bool true no
create_role Determines whether a Kubernetes role is created. Note: the role created is a cluster role, but it is bound only through namespaced role bindings bool true no
enable_admin Determines whether an IAM role policy is created to grant admin access to the Kubernetes cluster bool false no
iam_role_arn Existing IAM role ARN for the node group. Required if create_iam_role is set to false string null no
iam_role_description Description of the role string null no
iam_role_max_session_duration Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours number null no
iam_role_name Name to use on IAM role created string null no
iam_role_path IAM role path string null no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
iam_role_policies IAM policies to be added to the IAM role created map(string) {} no
iam_role_use_name_prefix Determines whether the IAM role name (iam_role_name) is used as a prefix bool true no
labels A map of Kubernetes labels to add to all resources map(string) {} no
name A common name used across resources created unless a more specific resource name is provided string "" no
namespaces A map of Kubernetes namespace definitions to create any {} no
oidc_provider_arn ARN of the OIDC provider created by the EKS cluster string "" no
principal_arns A list of IAM principal ARNs, to support passing wildcards for AWS Identity Center (SSO) roles. Reference list(string) [] no
role_name Name to use on Kubernetes role created string "" no
tags A map of tags to add to all AWS resources map(string) {} no
users A list of IAM user and/or role ARNs that can assume the IAM role created list(string) [] no

Outputs

Name Description
aws_auth_configmap_role Dictionary containing the necessary details for adding the role created to the aws-auth configmap
iam_role_arn The Amazon Resource Name (ARN) specifying the IAM role
iam_role_name The name of the IAM role
iam_role_unique_id Stable and unique string identifying the IAM role
namespaces Map of Kubernetes namespaces created and their attributes
rbac_group The name of the Kubernetes RBAC group

License

Apache-2.0 Licensed. See LICENSE