c12s-kubespray/contrib/terraform/aws/modules/iam/main.tf

#Add AWS Roles for Kubernetes

resource "aws_iam_role" "kube_control_plane" {
  name = "kubernetes-${var.aws_cluster_name}-master"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
      }
  ]
}
EOF
}

resource "aws_iam_role" "kube-worker" {
  name = "kubernetes-${var.aws_cluster_name}-node"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
      }
  ]
}
EOF
}

#Add AWS Policies for Kubernetes

resource "aws_iam_role_policy" "kube_control_plane" {
  name = "kubernetes-${var.aws_cluster_name}-master"
  role = aws_iam_role.kube_control_plane.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kubernetes-*"
      ]
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "kube-worker" {
  name = "kubernetes-${var.aws_cluster_name}-node"
  role = aws_iam_role.kube-worker.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::kubernetes-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:AttachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:DetachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["route53:*"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:BatchGetImage"
          ],
          "Resource": "*"
        }
      ]
}
EOF
}

#Create AWS Instance Profiles

resource "aws_iam_instance_profile" "kube_control_plane" {
  name = "kube_${var.aws_cluster_name}_master_profile"
  role = aws_iam_role.kube_control_plane.name
}

resource "aws_iam_instance_profile" "kube-worker" {
  name = "kube_${var.aws_cluster_name}_node_profile"
  role = aws_iam_role.kube-worker.name
}
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`#Add AWS Roles for Kubernetes`

Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation 2021-03-24 00:26:05 +00:00			`resource "aws_iam_role" "kube_control_plane" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kubernetes-${var.aws_cluster_name}-master"`

			`assume_role_policy = <<EOF`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "sts:AssumeRole",`
			`"Principal": {`
			`"Service": "ec2.amazonaws.com"`
			`}`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`resource "aws_iam_role" "kube-worker" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kubernetes-${var.aws_cluster_name}-node"`

			`assume_role_policy = <<EOF`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "sts:AssumeRole",`
			`"Principal": {`
			`"Service": "ec2.amazonaws.com"`
			`}`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`#Add AWS Policies for Kubernetes`

Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation 2021-03-24 00:26:05 +00:00			`resource "aws_iam_role_policy" "kube_control_plane" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kubernetes-${var.aws_cluster_name}-master"`
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation 2021-03-24 00:26:05 +00:00			`role = aws_iam_role.kube_control_plane.id`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00
			`policy = <<EOF`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": ["ec2:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["elasticloadbalancing:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["route53:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:*",`
			`"Resource": [`
			`"arn:aws:s3:::kubernetes-*"`
			`]`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`resource "aws_iam_role_policy" "kube-worker" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kubernetes-${var.aws_cluster_name}-node"`
Terraform quoted references are now deprecated (#6203) 2020-06-05 07:05:43 +00:00			`role = aws_iam_role.kube-worker.id`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00
			`policy = <<EOF`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:*",`
			`"Resource": [`
			`"arn:aws:s3:::kubernetes-*"`
			`]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:Describe*",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:AttachVolume",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:DetachVolume",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["route53:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"ecr:GetAuthorizationToken",`
			`"ecr:BatchCheckLayerAvailability",`
			`"ecr:GetDownloadUrlForLayer",`
			`"ecr:GetRepositoryPolicy",`
			`"ecr:DescribeRepositories",`
			`"ecr:ListImages",`
			`"ecr:BatchGetImage"`
			`],`
			`"Resource": "*"`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`#Create AWS Instance Profiles`

Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation 2021-03-24 00:26:05 +00:00			`resource "aws_iam_instance_profile" "kube_control_plane" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kube_${var.aws_cluster_name}_master_profile"`
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation 2021-03-24 00:26:05 +00:00			`role = aws_iam_role.kube_control_plane.name`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`}`

			`resource "aws_iam_instance_profile" "kube-worker" {`
Run terraform fmt and add step to CI (#4405) * Run terraform fmt * Add terraform fmt to .terraform-validate CI step * Add tf-validate-aws CI step * Revert "Add tf-validate-aws CI step" This reverts commit e007225fac831d263613ae9ab2998d11c3e8673d. 2019-04-08 09:22:24 +00:00			`name = "kube_${var.aws_cluster_name}_node_profile"`
Terraform quoted references are now deprecated (#6203) 2020-06-05 07:05:43 +00:00			`role = aws_iam_role.kube-worker.name`
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`}`