feat: consolidate to use runner_install_role (#11)

nuonco · Jun 20, 2024 · 82c730f · 82c730f
1 parent 77f042c
commit 82c730f
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 114 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/dns.tf b/dns.tf
@@ -15,13 +15,13 @@ resource "aws_route53_zone" "public" {
 
 resource "aws_route53_record" "caa" {
   zone_id = aws_route53_zone.public.zone_id
-  name = var.public_root_domain
-  type = "CAA"
-  ttl = 300
+  name    = var.public_root_domain
+  type    = "CAA"
+  ttl     = 300
   records = [
-  "0 issue \"letsencrypt.org\"",
-  "0 issue \"amazon.com\"",
-  "0 issue \"amazonaws.com\"",
-  "0 issue \"amazontrust.com\"",
+    "0 issue \"letsencrypt.org\"",
+    "0 issue \"amazon.com\"",
+    "0 issue \"amazonaws.com\"",
+    "0 issue \"amazontrust.com\"",
   ]
 }
diff --git a/eks.tf b/eks.tf
@@ -9,33 +9,15 @@ locals {
 
   # allow installing the runner in the cluster
   aws_auth_role_install_access = {
-    rolearn  = var.external_access_role_arns[0],
+    rolearn  = var.runner_install_role,
     username = "install:{{SessionName}}"
     groups = [
       "system:masters",
     ]
   }
-  # Allow for updates via terraform
-  aws_auth_role_terraform_access = {
-    rolearn  = var.assume_role_arn
-    username = "terraform:{{SessionName}}"
-    groups = [
-      "system:masters",
-    ]
-  }
-  # give vendor admin access to cluster
-  aws_auth_role_admin_access = {
-    rolearn  = var.admin_access_role_arn
-    username = "terraform:{{SessionName}}"
-    groups = [
-      "system:masters",
-    ]
-  }
+
   # only add admin access role if variable was set
-  aws_auth_roles = (var.admin_access_role_arn == "" ?
-    [local.aws_auth_role_install_access, local.aws_auth_role_terraform_access] :
-    [local.aws_auth_role_install_access, local.aws_auth_role_terraform_access, local.aws_auth_role_admin_access]
-  )
+  aws_auth_roles = [local.aws_auth_role_install_access]
 }
 
 resource "aws_kms_key" "eks" {

diff --git a/variables.tf b/variables.tf
@@ -50,12 +50,6 @@ variable "default_instance_type" {
   description = "The EC2 instance type to use for the EKS cluster's default node group."
 }
 
-variable "admin_access_role_arn" {
-  description = "Optional role to provide admin access to the cluster."
-  type        = string
-  default     = ""
-}
-
 variable "additional_tags" {
   type        = map(any)
   description = "Extra tags to append to the default tags that will be added to install resources."
@@ -74,16 +68,6 @@ variable "region" {
   description = "The region to launch the cluster in"
 }
 
-variable "assume_role_arn" {
-  type        = string
-  description = "The role arn to assume during provisioning of this sandbox."
-}
-
-variable "external_access_role_arns" {
-  type        = list(string)
-  description = "Roles for external access to the cluster."
-}
-
 variable "waypoint_odr_namespace" {
   type        = string
   description = "Namespace in which the ODR IAM Role's service account presides."
@@ -115,3 +99,8 @@ variable "enable_nginx_ingress_controller" {
   default     = "true"
   description = "Toggle the nginx-ingress controller in the EKS cluster."
 }
+
+variable "runner_install_role" {
+  type        = string
+  description = "The role that is used to install the runner, and should be granted access."
+}
diff --git a/vpc.tf b/vpc.tf
@@ -40,12 +40,12 @@ module "vpc" {
   public_subnet_tags = {
     "kubernetes.io/cluster/${var.nuon_id}" = "shared"
     "kubernetes.io/role/elb"               = 1
-    "visibility" = "public"
+    "visibility"                           = "public"
   }
 
   private_subnet_tags = {
     "kubernetes.io/cluster/${var.nuon_id}" = "shared"
     "kubernetes.io/role/internal-elb"      = 1
-    "visibility" = "private"
+    "visibility"                           = "private"
   }
 }