From d8d3131d19bf7f2469b6f225a28e95ecc1c50ed8 Mon Sep 17 00:00:00 2001
From: ankitm123
Date: Mon, 14 Dec 2020 19:44:08 -0500
Subject: [PATCH] feat: create iam role for pipeline visualizer

Signed-off-by: ankitm123
---
 README.md | 4 +++-
 examples/jx3/outputs.tf | 5 +++++
 modules/cluster/irsa.tf | 31 +++++++++++++++++++++++++++++++
 modules/cluster/local.tf | 2 +-
 modules/cluster/outputs.tf | 5 +++++
 modules/cluster/variables.tf | 6 ++++++
 outputs.tf | 5 +++++
 test/terraform_eks_test.go | 6 ++++++
 variables.tf | 6 ++++++
 9 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1c5dedd..c64a13f 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,7 @@ The following sections provide a full list of configuration in- and output varia
 | create\_ctrlb\_role | Flag to control controller build iam role creation | `bool` | `true` | no |
 | create\_eks | Controls if EKS cluster and associated resources should be created or not. If you have an existing eks cluster for jx, set it to false | `bool` | `true` | no |
 | create\_exdns\_role | Flag to control external dns iam role creation | `bool` | `true` | no |
+| create\_pipeline\_vis\_role | Flag to control pipeline visualizer role | `bool` | `true` | no |
 | create\_tekton\_role | Flag to control tekton iam role creation | `bool` | `true` | no |
 | create\_velero\_role | Flag to control velero iam role creation | `bool` | `true` | no |
 | create\_vpc | Controls if VPC and related resources should be created. If you have an existing vpc for jx, set it to false | `bool` | `true` | no |
@@ -241,13 +242,14 @@ The following sections provide a full list of configuration in- and output varia
 | lts\_logs\_bucket | The bucket where logs from builds will be stored |
 | lts\_reports\_bucket | The bucket where test reports will be stored |
 | lts\_repository\_bucket | The bucket that will serve as artifacts repository |
+| pipeline\_viz\_iam\_role | The IAM Role that the pipeline visualizer pod will assume to authenticate |
 | subdomain\_nameservers | ---------------------------------------------------------------------------- DNS ---------------------------------------------------------------------------- |
 | tekton\_bot\_iam\_role | The IAM Role that the build pods will assume to authenticate |
 | vault\_dynamodb\_table | The Vault DynamoDB table |
 | vault\_kms\_unseal | The Vault KMS Key for encryption |
 | vault\_unseal\_bucket | The Vault storage bucket |
 | vault\_user\_id | The Vault IAM user id |
-| vault\_user\_secret | The Vault IAM user secret
+| vault\_user\_secret | The Vault IAM user secret |
 
 ### Cluster Autoscaling
 
diff --git a/examples/jx3/outputs.tf b/examples/jx3/outputs.tf
index ea02695..2c2a034 100644
--- a/examples/jx3/outputs.tf
+++ b/examples/jx3/outputs.tf
@@ -77,6 +77,11 @@ output "cluster_autoscaler_iam_role" {
 description = "The IAM Role that the Jenkins X UI pod will assume to authenticate"
 }
 
+output "pipeline_viz_iam_role" {
+value = module.eks-jx.pipeline_viz_iam_role
+description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
+
 // Cluster specific output
 output "cluster_name" {
 value = module.eks-jx.cluster_name
diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
index ce4600d..ecda1de 100644
--- a/modules/cluster/irsa.tf
+++ b/modules/cluster/irsa.tf
@@ -315,3 +315,34 @@ data "aws_iam_policy_document" "cluster_autoscaler" {
 }
 }
 }
+
+// Pipeline visualizer
+data "aws_iam_policy_document" "pipelines-visualizer-policy" {
+count = var.create_pipeline_vis_role ? 1 : 0
+statement {
+sid = "JxPipelineVisualizerPolicy"
+effect = "Allow"
+actions = [
+"s3:Get*",
+"s3:List*",
+]
+resources = [aws_s3_bucket.logs_jenkins_x.*.arn[0]]
+}
+}
+
+resource "aws_iam_policy" "pipeline-visualizer" {
+count = var.create_pipeline_vis_role ? 1 : 0
+name_prefix = "jx-pipelines-visualizer"
+description = "JenkinsX pipline visualizer policy for cluster ${var.cluster_name}"
+policy = data.aws_iam_policy_document.pipelines-visualizer-policy[count.index].json
+}
+
+module "iam_assumable_role_pipeline_visualizer" {
+source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+version = "~> v2.13.0"
+create_role = var.create_pipeline_vis_role
+role_name = "${local.cluster_trunc}-jx-pipelines-visualizer"
+provider_url = local.oidc_provider_url
+role_policy_arns = [aws_iam_policy.pipeline-visualizer[0].arn]
+oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:jx-pipelines-visualizer"]
+}
diff --git a/modules/cluster/local.tf b/modules/cluster/local.tf
index 5ae165f..032258b 100644
--- a/modules/cluster/local.tf
+++ b/modules/cluster/local.tf
@@ -10,6 +10,6 @@ locals {
 generated_seed = random_string.suffix.result
 oidc_provider_url = replace(var.create_eks ? module.eks.cluster_oidc_issuer_url : data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 jenkins-x-namespace = "jx"
-cluster_trunc = substr(var.cluster_name, 0, 40)
+cluster_trunc = substr(var.cluster_name, 0, 35)
 cert-manager-namespace = "cert-manager"
 }
diff --git a/modules/cluster/outputs.tf b/modules/cluster/outputs.tf
index cdbbd48..966e22e 100644
--- a/modules/cluster/outputs.tf
+++ b/modules/cluster/outputs.tf
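Review bot: The new policy statement grants `s3:Get*`/`s3:List*` on the bucket ARN only (`aws_s3_bucket.logs_jenkins_x.*.arn[0]`), so object-level reads such as s3:GetObject, whose resource is the object ARN, do not match and the visualizer can list the logs bucket but not fetch log objects, while the wildcards still cover bucket-configuration reads it does not need. Narrow the actions and add the object ARN: `actions = ["s3:GetObject", "s3:ListBucket"]` and `resources = [aws_s3_bucket.logs_jenkins_x.*.arn[0], "${aws_s3_bucket.logs_jenkins_x.*.arn[0]}/*"]`. In the module block, `role_policy_arns = [aws_iam_policy.pipeline-visualizer[0].arn]` indexes a count-0 resource whenever create_pipeline_vis_role is false, which fails at plan time even though create_role is false; the splat `aws_iam_policy.pipeline-visualizer.*.arn` yields an empty list in that case. The bucket reference presumably assumes the logs bucket is always created; if that bucket is count-controlled elsewhere, the same index error applies when its flag is off. The aws_iam_policy description also has a typo ("pipline").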
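Review bot: The truncation length in `cluster_trunc` drops from 40 to 35 with no comment saying why; presumably it is because `${local.cluster_trunc}-jx-pipelines-visualizer` appends 24 characters and IAM role names are limited to 64, so record that next to the value, e.g. `# 35 + longest role-name suffix ("-jx-pipelines-visualizer", 24 chars) stays within the 64-char IAM role-name limit`. This also changes cluster_trunc for every existing cluster whose name is longer than 35 characters, so every role name derived from it will be replaced on the next apply; that migration impact should be called out in the README/changelog. Whether other roles built from cluster_trunc use longer suffixes cannot be seen from this hunk.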
@@ -58,3 +58,8 @@ output "cluster_autoscaler_iam_role" {
 value = module.iam_assumable_role_cluster_autoscaler.this_iam_role_name
 description = "The IAM Role that the Cluster Autoscaler pod will assume to authenticate"
 }
+
+output "pipeline_viz_iam_role" {
+value = module.iam_assumable_role_pipeline_visualizer.this_iam_role_name
+description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
index e5380c1..1c8bcbd 100644
--- a/modules/cluster/variables.tf
+++ b/modules/cluster/variables.tf
@@ -337,3 +337,9 @@ variable "create_autoscaler_role" {
 type = bool
 default = true
 }
+
+variable "create_pipeline_vis_role" {
+description = "Flag to control pipeline visualizer role"
+type = bool
+default = true
+}
diff --git a/outputs.tf b/outputs.tf
index e4a3a3f..b5638f0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -76,6 +76,11 @@ output "cluster_autoscaler_iam_role" {
 description = "The IAM Role that the Jenkins X UI pod will assume to authenticate"
 }
 
+output "pipeline_viz_iam_role" {
+value = module.cluster.pipeline_viz_iam_role
+description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
+}
+
 // ----------------------------------------------------------------------------
 // Vault Resources
 // ----------------------------------------------------------------------------
diff --git a/test/terraform_eks_test.go b/test/terraform_eks_test.go
index efdd63d..889a23a 100644
--- a/test/terraform_eks_test.go
+++ b/test/terraform_eks_test.go
@@ -91,6 +91,12 @@ func TestTerraformEksJX(t *testing.T) {
 })
 assert.NoError(t, err)
 
+pVizRole := terraform.Output(t, tfOptions, "pipeline_viz_iam_role")
+_, err = iamClient.GetRole(&iam.GetRoleInput{
+RoleName: aws.String(pVizRole),
+})
+assert.NoError(t, err)
+
 // Vault
 vaultBucket := terraform.Output(t, tfOptions, "vault_unseal_bucket")
 aws2.AssertS3BucketExists(t, region, vaultBucket)
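Review bot: The description of the new `create_pipeline_vis_role` variable, `"Flag to control pipeline visualizer role"`, is vaguer than the sibling flags in the README table ("… iam role creation") and does not say that the role's policy references the Jenkins X logs bucket; suggest `description = "Flag to control pipeline visualizer iam role creation (the role's policy references the jx logs bucket)"`. The same wording is repeated in the root variables.tf hunk and in the README row, so all three should be updated together.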
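Review bot: The new check only asserts that GetRole succeeds for `pipeline_viz_iam_role`, so a role with the wrong trust policy or with no attached policy would still pass; the attached policy can be asserted with iamClient.ListAttachedRolePolicies, and the AssumeRolePolicyDocument from the GetRole output checked for the jx-pipelines-visualizer service-account subject. Also `pVizRole` reads differently from the other output locals in this hunk (e.g. `vaultBucket`); `pipelineVizRole` would be consistent. TestTerraformEksJX continues outside the hunk.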
diff --git a/variables.tf b/variables.tf
index 3d65039..07a1c61 100644
--- a/variables.tf
+++ b/variables.tf
@@ -505,3 +505,9 @@ variable "manage_subdomain" {
 default = true
 type = bool
 }
+
+variable "create_pipeline_vis_role" {
+description = "Flag to control pipeline visualizer role"
+type = bool
+default = true
+}