gitadmin/gitops-ack-kro-argocd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit from kro/examples/aws/eks-cluster-mgmt

Browse Source
This commit is contained in:
joaogac
2026-04-21 09:55:53 -03:00
parent 0585444299
commit 7d11fd5889
66 changed files with 3667 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
terraform/hub/eks-capability-iam.tf
+153
View File
@@ -0,0 +1,153 @@
# IAM role for ACK controllers with assume role capability
resource "aws_iam_role" "ack_controller" {
name = "${local.name}-ack-controller"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Service = "capabilities.eks.amazonaws.com"
}
Action = [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
})
tags = local.tags
}
# IAM policy allowing the role to assume any role
resource "aws_iam_policy" "ack_assume_role" {
name = "${local.name}-ack-assume-role"
description = "Policy allowing ACK controller to assume any role"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"sts:AssumeRole",
"sts:TagSession"
]
Resource = "*"
}
]
})
tags = local.tags
}
# Attach the assume role policy to the ACK controller role
resource "aws_iam_role_policy_attachment" "ack_assume_role" {
role = aws_iam_role.ack_controller.name
policy_arn = aws_iam_policy.ack_assume_role.arn
}
# Grant ACK controller role admin access to EKS cluster
resource "aws_eks_access_entry" "ack_controller" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.ack_controller.arn
type = "STANDARD"
}
resource "aws_eks_access_policy_association" "ack_controller_admin" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.ack_controller.arn
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope {
type = "cluster"
}
depends_on = [aws_eks_access_entry.ack_controller]
}
# IAM role for kro capability
resource "aws_iam_role" "kro_controller" {
name = "${local.name}-kro-controller"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Service = "capabilities.eks.amazonaws.com"
}
Action = [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
})
tags = local.tags
}
# Grant kro controller role admin access to EKS cluster
resource "aws_eks_access_entry" "kro_controller" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.kro_controller.arn
type = "STANDARD"
}
resource "aws_eks_access_policy_association" "kro_controller_admin" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.kro_controller.arn
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope {
type = "cluster"
}
depends_on = [aws_eks_access_entry.kro_controller]
}
# IAM role for argocd capability
resource "aws_iam_role" "argocd_controller" {
name = "${local.name}-argocd-controller"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Service = "capabilities.eks.amazonaws.com"
}
Action = [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
})
tags = local.tags
}
# Grant argocd controller role admin access to EKS cluster
resource "aws_eks_access_entry" "argocd_controller" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.argocd_controller.arn
type = "STANDARD"
}
resource "aws_eks_access_policy_association" "argocd_controller_admin" {
cluster_name = module.eks.cluster_name
principal_arn = aws_iam_role.argocd_controller.arn
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope {
type = "cluster"
}
depends_on = [aws_eks_access_entry.argocd_controller]
}