From 00dad40b467cb4f86b0b26a4e188b6fccfeed8be Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 12 Jun 2024 16:07:33 +0000
Subject: [PATCH 1/3] IAM policy and role
Signed-off-by: Jacob Woffenden
---
 .../iam-policies.tf | 21 +++++++++++++++++++
 .../analytical-platform-compute/iam-roles.tf | 18 ++++++++++++++++
 2 files changed, 39 insertions(+)
diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf
index a4415e889fc..7e431bcff29 100644
--- a/terraform/environments/analytical-platform-compute/iam-policies.tf
+++ b/terraform/environments/analytical-platform-compute/iam-policies.tf
@@ -120,3 +120,24 @@ module "mlflow_iam_policy" {
 policy = data.aws_iam_policy_document.mlflow.json
 }
 
+
+data "aws_iam_policy_document" "gha_mojas_airflow" {
+ statement {
+ sid = "EKSAccess"
+ effect = "Allow"
+ actions = ["eks:DescribeCluster"]
+ resources = [module.eks.cluster_arn]
+ }
+}
+
+module "gha_mojas_airflow_iam_policy" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "5.39.1"
+
+ name_prefix = "github-actions-mojas-airflow"
+
+ policy = data.aws_iam_policy_document.gha_mojas_airflow.json
+}
diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf
index 51330e607dd..1ae3d446a58 100644
--- a/terraform/environments/analytical-platform-compute/iam-roles.tf
+++ b/terraform/environments/analytical-platform-compute/iam-roles.tf
@@ -192,3 +192,21 @@ module "mlflow_iam_role" {
 tags = local.tags
 }
 
+
+module "gha_mojas_airflow_iam_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.39.1"
+
+ name = "github-actions-mojas-airflow"
+
+ policies = {
+ GHAMoJASAirflow = module.gha_mojas_airflow_iam_policy.arn
+ }
+
+ subjects = ["moj-analytical-services/airflow:*"]
+
+ tags = local.tags
+}
From 265266a2c3c08fd5dfce25d4ff4ca2821b6867ac Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 12 Jun 2024 16:40:24 +0000
Subject: [PATCH 2/3] Add role, rolebinding and cluster access entry mapping
Signed-off-by: Jacob Woffenden
---
 .../analytical-platform-compute/eks-cluster.tf | 6 ++++++
 .../kubernetes-role-bindings.tf | 17 +++++++++++++++++
 .../kubernetes-roles.tf | 17 +++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/terraform/environments/analytical-platform-compute/eks-cluster.tf b/terraform/environments/analytical-platform-compute/eks-cluster.tf
index 3f2ee2ae364..558ec9446b4 100644
--- a/terraform/environments/analytical-platform-compute/eks-cluster.tf
+++ b/terraform/environments/analytical-platform-compute/eks-cluster.tf
@@ -151,6 +151,12 @@ module "eks" {
 username = "data-engineering-airflow"
 kubernetes_groups = ["airflow"]
 }
+ github-actions-mojas-airflow = {
+ # principal_arn doesn't use the module output because they reference each other
+ principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/github-actions-mojas-airflow"
+ username = "github-actions-mojas-airflow"
+ kubernetes_groups = ["airflow-serviceaccount-management"]
+ }
 }
 
 tags = local.tags
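Review bot: The wildcard in `subjects = ["moj-analytical-services/airflow:*"]` lets every workflow run in that repository — any branch, tag, pull request or environment — assume a role that the next patch in this series maps into the cluster's `airflow` namespace, so anyone who can push a branch to the repo gets that cluster access. Unless every ref genuinely needs it, pin the subject to the deploying ref or a protected environment, e.g. `subjects = ["moj-analytical-services/airflow:ref:refs/heads/main"]` or `subjects = ["moj-analytical-services/airflow:environment:production"]`. The module appears to prepend the `repo:` claim prefix itself (worth confirming against the 5.39.1 docs), so the same shape applies either way. A one-line comment above `subjects` recording why the chosen scope is acceptable would save the next reviewer the same question.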
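Review bot: The hard-coded `principal_arn` on the `github-actions-mojas-airflow` access entry duplicates the role name from `module.gha_mojas_airflow_iam_role` and assumes the role has no IAM path, so a later rename or `path` on the module would leave this entry pointing at a principal that no longer exists without anything in Terraform flagging the drift. Prefer a single `local.gha_mojas_airflow_role_name = "github-actions-mojas-airflow"` consumed by both iam-roles.tf and this entry, e.g. `principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.gha_mojas_airflow_role_name}"`. The existing comment could also name the cycle it is avoiding: `# spelled out rather than module.gha_mojas_airflow_iam_role.arn: that role's policy references module.eks.cluster_arn, which would be a dependency cycle`. The enclosing `module "eks"` block starts before this hunk.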
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-role-bindings.tf b/terraform/environments/analytical-platform-compute/kubernetes-role-bindings.tf
index bf1e3b21833..26e694454d3 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-role-bindings.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-role-bindings.tf
@@ -14,3 +14,20 @@ resource "kubernetes_role_binding" "airflow_execution" {
 name = "airflow"
 }
 }
+
+resource "kubernetes_role_binding" "airflow_serviceaccount_management" {
+ metadata {
+ name = "airflow-serviceaccount-management"
+ namespace = kubernetes_namespace.airflow.metadata[0].name
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "Role"
+ name = kubernetes_role.airflow_serviceaccount_management.metadata[0].name
+ }
+ subject {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "Group"
+ name = "airflow-serviceaccount-management"
+ }
+}
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-roles.tf b/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
index b8e84430b78..d5af3410560 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
@@ -32,3 +32,20 @@ resource "kubernetes_role" "airflow_execution" {
 ]
 }
 }
+
+resource "kubernetes_role" "airflow_serviceaccount_management" {
+ metadata {
+ name = "airflow-serviceaccount-management"
+ namespace = kubernetes_namespace.airflow.metadata[0].name
+ }
+ rule {
+ api_groups = [""]
+ resources = ["serviceaccounts"]
+ verbs = [
+ "create",
+ "delete",
+ "get",
+ "update"
+ ]
+ }
+}
From be0e6218cbd35a951d610c367ba7d5602c097cce Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 12 Jun 2024 16:55:36 +0000
Subject: [PATCH 3/3] Update verbs
Signed-off-by: Jacob Woffenden
---
 .../environments/analytical-platform-compute/kubernetes-roles.tf | 1 +
 1 file changed, 1 insertion(+)
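Review bot: The subject `name = "airflow-serviceaccount-management"` is a bare string that must match the `kubernetes_groups` value on the access entry in eks-cluster.tf; if either side drifts the binding silently grants nothing and the failure only surfaces as a 403 in the GitHub Actions run. Consider hoisting the group name into a local (e.g. `local.airflow_serviceaccount_management_group`) referenced from both files, or at least adding `# must match kubernetes_groups on the github-actions-mojas-airflow access entry in eks-cluster.tf` above the `subject` block.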
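Review bot: Granting `update` and `delete` on all `serviceaccounts` in the `airflow` namespace lets this principal rewrite annotations (including any IRSA or Pod Identity role bindings, if such roles exist) on service accounts that other workloads in the namespace already run as, not only the ones the GitHub workflow creates. Kubernetes cannot scope `create` with `resource_names` because the name is unknown at authorization time, but the mutating verbs could live in a second `rule` block with `resource_names` once the workflow-owned account names are known. At minimum record the decision: `# NOTE: update/delete apply to every service account in the namespace; whoever can assume the mapped IAM role can change their annotations`. It is good that `serviceaccounts/token` is not granted, so the role cannot mint tokens for those accounts.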
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-roles.tf b/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
index d5af3410560..6b939284e1a 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-roles.tf
@@ -45,6 +45,7 @@ resource "kubernetes_role" "airflow_serviceaccount_management" {
 "create",
 "delete",
 "get",
+ "list",
 "update"
 ]
 }
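Review bot: With `create`, `get`, `list`, `update` and `delete` but no `patch`, a workflow that manages these service accounts through `kubectl apply` or Helm will fail on the second run, because updates to an existing object go through PATCH rather than PUT; if that is how the airflow repo applies its manifests, add `"patch",` alongside `"list",`. If the workflow instead uses explicit create/replace calls, a short comment such as `# no patch: manifests are applied with create/replace, not kubectl apply` would stop the next reviewer from adding it back. I cannot see the consuming workflow in this diff, so treat this as a question rather than a confirmed defect.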