c12s-kubespray/contrib/terraform/aws/modules/iam/main.tf

#Add AWS Roles for Kubernetes

resource "aws_iam_role" "kube-master" {
    name = "kubernetes-${var.aws_cluster_name}-master"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
      }
  ]
}
EOF
}

resource "aws_iam_role" "kube-worker" {
    name = "kubernetes-${var.aws_cluster_name}-node"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
      }
  ]
}
EOF
}

#Add AWS Policies for Kubernetes

resource "aws_iam_role_policy" "kube-master" {
    name = "kubernetes-${var.aws_cluster_name}-master"
    role = "${aws_iam_role.kube-master.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kubernetes-*"
      ]
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "kube-worker" {
    name = "kubernetes-${var.aws_cluster_name}-node"
    role = "${aws_iam_role.kube-worker.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::kubernetes-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:AttachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:DetachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["route53:*"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:BatchGetImage"
          ],
          "Resource": "*"
        }
      ]
}
EOF
}


#Create AWS Instance Profiles

resource "aws_iam_instance_profile" "kube-master" {
    name = "kube_${var.aws_cluster_name}_master_profile"
    roles = ["${aws_iam_role.kube-master.name}"]
}

resource "aws_iam_instance_profile" "kube-worker" {
    name = "kube_${var.aws_cluster_name}_node_profile"
    roles = ["${aws_iam_role.kube-worker.name}"]
}
Rewrote AWS Terraform for Kargo Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README 2017-03-01 17:25:58 +00:00			`#Add AWS Roles for Kubernetes`

			`resource "aws_iam_role" "kube-master" {`
			`name = "kubernetes-${var.aws_cluster_name}-master"`
			`assume_role_policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "sts:AssumeRole",`
			`"Principal": {`
			`"Service": "ec2.amazonaws.com"`
			`}`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`resource "aws_iam_role" "kube-worker" {`
			`name = "kubernetes-${var.aws_cluster_name}-node"`
			`assume_role_policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "sts:AssumeRole",`
			`"Principal": {`
			`"Service": "ec2.amazonaws.com"`
			`}`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`#Add AWS Policies for Kubernetes`

			`resource "aws_iam_role_policy" "kube-master" {`
			`name = "kubernetes-${var.aws_cluster_name}-master"`
			`role = "${aws_iam_role.kube-master.id}"`
			`policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": ["ec2:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["elasticloadbalancing:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["route53:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:*",`
			`"Resource": [`
			`"arn:aws:s3:::kubernetes-*"`
			`]`
			`}`
			`]`
			`}`
			`EOF`
			`}`

			`resource "aws_iam_role_policy" "kube-worker" {`
			`name = "kubernetes-${var.aws_cluster_name}-node"`
			`role = "${aws_iam_role.kube-worker.id}"`
			`policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:*",`
			`"Resource": [`
			`"arn:aws:s3:::kubernetes-*"`
			`]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:Describe*",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:AttachVolume",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:DetachVolume",`
			`"Resource": "*"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": ["route53:*"],`
			`"Resource": ["*"]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"ecr:GetAuthorizationToken",`
			`"ecr:BatchCheckLayerAvailability",`
			`"ecr:GetDownloadUrlForLayer",`
			`"ecr:GetRepositoryPolicy",`
			`"ecr:DescribeRepositories",`
			`"ecr:ListImages",`
			`"ecr:BatchGetImage"`
			`],`
			`"Resource": "*"`
			`}`
			`]`
			`}`
			`EOF`
			`}`


			`#Create AWS Instance Profiles`

			`resource "aws_iam_instance_profile" "kube-master" {`
			`name = "kube_${var.aws_cluster_name}_master_profile"`
			`roles = ["${aws_iam_role.kube-master.name}"]`
			`}`

			`resource "aws_iam_instance_profile" "kube-worker" {`
			`name = "kube_${var.aws_cluster_name}_node_profile"`
			`roles = ["${aws_iam_role.kube-worker.name}"]`
			`}`