18298bfeb7
Rewrote the AWS Terraform deployment for AWS Kargo. It now supports multiple Availability Zones, an AWS load balancer for the Kubernetes API, a bastion host, ... For more information see the README.
# Add AWS IAM roles for Kubernetes
resource "aws_iam_role" "kube-master" {
  # IAM role for the Kubernetes control-plane (master) instances. It carries
  # no permissions by itself; they are attached by aws_iam_role_policy.kube-master.
  name = "kubernetes-${var.aws_cluster_name}-master"

  # Trust policy: only the EC2 service principal may assume this role, so the
  # credentials are only obtainable through an instance profile on an EC2
  # instance (via the instance metadata service), never by an IAM user directly.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
EOF
}
resource "aws_iam_role" "kube-worker" {
  # IAM role for the Kubernetes worker (node) instances. Permissions are
  # attached separately by aws_iam_role_policy.kube-worker.
  name = "kubernetes-${var.aws_cluster_name}-node"

  # Trust policy: identical to the master role - only ec2.amazonaws.com may
  # assume it, so it is reachable only through the node's instance profile.
  # NOTE(review): every pod that can reach the instance metadata endpoint on a
  # node can obtain these credentials; restricting pod access to the metadata
  # service is the usual mitigation - confirm the deployment covers this.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
EOF
}
# Add AWS IAM policies for Kubernetes
resource "aws_iam_role_policy" "kube-master" {
  # Inline permission policy attached to the master role.
  name = "kubernetes-${var.aws_cluster_name}-master"
  role = "${aws_iam_role.kube-master.id}"

  # The EC2, ELB and Route53 statements grant every action of those services
  # on every resource in the account ("*"), not just this cluster's resources.
  # NOTE(review): presumably this is what the Kubernetes AWS cloud provider
  # needs for volumes, load balancers and DNS - confirm which actions are
  # actually used and consider scoping by resource tags (e.g. the cluster name)
  # so that a compromised master cannot manage unrelated infrastructure.
  # The S3 statement is narrower, but "arn:aws:s3:::kubernetes-*" matches every
  # bucket in the account whose name starts with "kubernetes-" (and their
  # objects), not only the bucket(s) of this cluster.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kubernetes-*"
      ]
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "kube-worker" {
  # Inline permission policy attached to the worker (node) role.
  name = "kubernetes-${var.aws_cluster_name}-node"
  role = "${aws_iam_role.kube-worker.id}"

  # Statement overview:
  #  - s3:*            on buckets named "kubernetes-*" (all such buckets in the
  #                    account, not only this cluster's)
  #  - ec2:Describe*   read-only discovery on all EC2 resources
  #  - ec2:AttachVolume / ec2:DetachVolume on "*": a node may attach or detach
  #                    ANY volume in the account, not just volumes of this
  #                    cluster - NOTE(review): consider a tag-based condition
  #  - route53:*       full DNS control over every hosted zone in the account
  #                    from every node - NOTE(review): verify nodes need this;
  #                    the master role already holds the same grant
  #  - ecr:*           the listed actions are read/pull-only (token, layer and
  #                    image retrieval, repository listing); no push rights
  # Any workload on a node that can reach the instance metadata service
  # inherits all of the above.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kubernetes-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:AttachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DetachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
# Create AWS instance profiles
resource "aws_iam_instance_profile" "kube-master" {
  # Instance profile that hands the master role to the control-plane EC2
  # instances; the role is referenced by name, the profile by its own name.
  # NOTE(review): `roles` is the legacy list form; newer AWS provider versions
  # prefer the singular `role` argument - confirm the provider version in use
  # before switching.
  roles = ["${aws_iam_role.kube-master.name}"]
  name  = "kube_${var.aws_cluster_name}_master_profile"
}
resource "aws_iam_instance_profile" "kube-worker" {
  # Instance profile that hands the worker role to the node EC2 instances.
  # NOTE(review): as with the master profile, `roles` is the legacy list form;
  # check whether the provider in use prefers the singular `role` argument.
  roles = ["${aws_iam_role.kube-worker.name}"]
  name  = "kube_${var.aws_cluster_name}_node_profile"
}