feat: create iam role for pipeline visualizer

Signed-off-by: ankitm123 <[email protected]>
jenkins-x · Dec 15, 2020 · d8d3131 · d8d3131
1 parent 2377334
commit d8d3131
Show file tree

Hide file tree

Showing 9 changed files with 68 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -161,6 +161,7 @@ The following sections provide a full list of configuration in- and output varia
 | create\_ctrlb\_role | Flag to control controller build iam role creation | `bool` | `true` | no |
 | create\_eks | Controls if EKS cluster and associated resources should be created or not. If you have an existing eks cluster for jx, set it to false | `bool` | `true` | no |
 | create\_exdns\_role | Flag to control external dns iam role creation | `bool` | `true` | no |
+| create\_pipeline\_vis\_role | Flag to control pipeline visualizer role | `bool` | `true` | no |
 | create\_tekton\_role | Flag to control tekton iam role creation | `bool` | `true` | no |
 | create\_velero\_role | Flag to control velero iam role creation | `bool` | `true` | no |
 | create\_vpc | Controls if VPC and related resources should be created. If you have an existing vpc for jx, set it to false | `bool` | `true` | no |
@@ -241,13 +242,14 @@ The following sections provide a full list of configuration in- and output varia
 | lts\_logs\_bucket | The bucket where logs from builds will be stored |
 | lts\_reports\_bucket | The bucket where test reports will be stored |
 | lts\_repository\_bucket | The bucket that will serve as artifacts repository |
+| pipeline\_viz\_iam\_role | The IAM Role that the pipeline visualizer pod will assume to authenticate |
 | subdomain\_nameservers | ---------------------------------------------------------------------------- DNS ---------------------------------------------------------------------------- |
 | tekton\_bot\_iam\_role | The IAM Role that the build pods will assume to authenticate |
 | vault\_dynamodb\_table | The Vault DynamoDB table |
 | vault\_kms\_unseal | The Vault KMS Key for encryption |
 | vault\_unseal\_bucket | The Vault storage bucket |
 | vault\_user\_id | The Vault IAM user id |
-| vault\_user\_secret | The Vault IAM user secret 
+| vault\_user\_secret | The Vault IAM user secret |
 
 ### Cluster Autoscaling
 

diff --git a/examples/jx3/outputs.tf b/examples/jx3/outputs.tf
@@ -77,6 +77,11 @@ output "cluster_autoscaler_iam_role" {
   description = "The IAM Role that the Jenkins X UI pod will assume to authenticate"
 }
 
+output "pipeline_viz_iam_role" {
+  value       = module.eks-jx.pipeline_viz_iam_role
+  description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
+
 // Cluster specific output
 output "cluster_name" {
   value       = module.eks-jx.cluster_name

diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
@@ -315,3 +315,34 @@ data "aws_iam_policy_document" "cluster_autoscaler" {
     }
   }
 }
+
+// Pipeline visualizer
+data "aws_iam_policy_document" "pipelines-visualizer-policy" {
+  count = var.create_pipeline_vis_role ? 1 : 0
+  statement {
+    sid    = "JxPipelineVisualizerPolicy"
+    effect = "Allow"
+    actions = [
+      "s3:Get*",
+      "s3:List*",
+    ]
+    resources = [aws_s3_bucket.logs_jenkins_x.*.arn[0]]
+  }
+}
+
+resource "aws_iam_policy" "pipeline-visualizer" {
+  count       = var.create_pipeline_vis_role ? 1 : 0
+  name_prefix = "jx-pipelines-visualizer"
+  description = "JenkinsX pipline visualizer policy for cluster ${var.cluster_name}"
+  policy      = data.aws_iam_policy_document.pipelines-visualizer-policy[count.index].json
+}
+
+module "iam_assumable_role_pipeline_visualizer" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "~> v2.13.0"
+  create_role                   = var.create_pipeline_vis_role
+  role_name                     = "${local.cluster_trunc}-jx-pipelines-visualizer"
+  provider_url                  = local.oidc_provider_url
+  role_policy_arns              = [aws_iam_policy.pipeline-visualizer[0].arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:jx-pipelines-visualizer"]
+}
diff --git a/modules/cluster/local.tf b/modules/cluster/local.tf
@@ -10,6 +10,6 @@ locals {
   generated_seed         = random_string.suffix.result
   oidc_provider_url      = replace(var.create_eks ? module.eks.cluster_oidc_issuer_url : data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
   jenkins-x-namespace    = "jx"
-  cluster_trunc          = substr(var.cluster_name, 0, 40)
+  cluster_trunc          = substr(var.cluster_name, 0, 35)
   cert-manager-namespace = "cert-manager"
 }
diff --git a/modules/cluster/outputs.tf b/modules/cluster/outputs.tf
@@ -58,3 +58,8 @@ output "cluster_autoscaler_iam_role" {
   value       = module.iam_assumable_role_cluster_autoscaler.this_iam_role_name
   description = "The IAM Role that the Cluster Autoscaler pod will assume to authenticate"
 }
+
+output "pipeline_viz_iam_role" {
+  value       = module.iam_assumable_role_pipeline_visualizer.this_iam_role_name
+  description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
@@ -337,3 +337,9 @@ variable "create_autoscaler_role" {
   type        = bool
   default     = true
 }
+
+variable "create_pipeline_vis_role" {
+  description = "Flag to control pipeline visualizer role"
+  type        = bool
+  default     = true
+}
diff --git a/outputs.tf b/outputs.tf
@@ -76,6 +76,11 @@ output "cluster_autoscaler_iam_role" {
   description = "The IAM Role that the Jenkins X UI pod will assume to authenticate"
 }
 
+output "pipeline_viz_iam_role" {
+  value       = module.cluster.pipeline_viz_iam_role
+  description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
+
 // ----------------------------------------------------------------------------
 // Vault Resources
 // ----------------------------------------------------------------------------

diff --git a/test/terraform_eks_test.go b/test/terraform_eks_test.go
@@ -91,6 +91,12 @@ func TestTerraformEksJX(t *testing.T) {
 	})
 	assert.NoError(t, err)
 
+	pVizRole := terraform.Output(t, tfOptions, "pipeline_viz_iam_role")
+	_, err = iamClient.GetRole(&iam.GetRoleInput{
+		RoleName: aws.String(pVizRole),
+	})
+	assert.NoError(t, err)
+
 	// Vault
 	vaultBucket := terraform.Output(t, tfOptions, "vault_unseal_bucket")
 	aws2.AssertS3BucketExists(t, region, vaultBucket)

diff --git a/variables.tf b/variables.tf
@@ -505,3 +505,9 @@ variable "manage_subdomain" {
   default     = true
   type        = bool
 }
+
+variable "create_pipeline_vis_role" {
+  description = "Flag to control pipeline visualizer role"
+  type        = bool
+  default     = true
+}