SandboxProd SSO access to EKS (#7172)

* SandboxProd SSO access to EKS * Sandbox docker platform = linux/amd64 * Shorten SSO role ARN for EKS
2026-05-24 09:28:54 +00:00 · 2022-08-16 13:16:48 -05:00 · 2022-08-16 13:16:48 -05:00 · 69c8eb088e
commit 69c8eb088e
parent 953d03ef4f
5 changed files with 18 additions and 6 deletions
--- a/infrastructure/sandbox/JITProvisioner/deprovisioner.tf
+++ b/infrastructure/sandbox/JITProvisioner/deprovisioner.tf
@ -258,6 +258,7 @@ resource "docker_registry_image" "deprovisioner" {
  build {
    context     = "${path.module}/deprovisioner/"
    pull_parent = true
+    platform    = "linux/amd64"
  }

  depends_on = [
--- a/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf
+++ b/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf
@ -171,6 +171,7 @@ resource "docker_registry_image" "jitprovisioner" {
  build {
    context     = "${path.module}/lambda/"
    pull_parent = true
+    platform    = "linux/amd64"
  }
  depends_on = [
    local_file.standard-query-library
--- a/infrastructure/sandbox/Monitoring/main.tf
+++ b/infrastructure/sandbox/Monitoring/main.tf
@ -146,6 +146,7 @@ resource "docker_registry_image" "lifecycle-lambda" {
  build {
    context     = "${path.module}/lambda/"
    pull_parent = true
+    platform    = "linux/amd64"
  }
 }

--- a/infrastructure/sandbox/PreProvisioner/main.tf
+++ b/infrastructure/sandbox/PreProvisioner/main.tf
@ -369,6 +369,7 @@ resource "docker_registry_image" "main" {
  build {
    context     = "${path.module}/lambda/"
    pull_parent = true
+    platform    = "linux/amd64"
  }

  depends_on = [
--- a/infrastructure/sandbox/SharedInfrastructure/eks.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/eks.tf
@ -25,6 +25,16 @@ provider "kubectl" {

 locals {
  cluster_version = "1.21"
+  account_role_mapping = {
+    # Add nonprod or other deployed accounts here
+    411315989055 = "AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0"
+  }
+  # Role Generated by SSO but needs admin to EKS
+  # This hack is needed because "aws_iam_role" returns an unsusable ARN for EKS on SSO roles.
+  sandbox_sso_role = {
+    id  = local.account_role_mapping[data.aws_caller_identity.current.account_id]
+    arn = join("", ["arn:aws:iam::", data.aws_caller_identity.current.account_id, ":role/", local.account_role_mapping[data.aws_caller_identity.current.account_id]])
+  }
 }

 output "eks_cluster" {
@ -44,6 +54,8 @@ terraform {
  }
 }

+data "aws_caller_identity" "current" {}
+
 data "aws_iam_role" "admin" {
  name = "admin"
 }
@ -68,15 +80,11 @@ module "aws-eks-accelerator-for-terraform" {
    }
  }

-  map_roles = concat([for i in var.eks_allowed_roles : {
+  map_roles = [for i in concat(var.eks_allowed_roles, [data.aws_iam_role.admin, local.sandbox_sso_role]) : {
    rolearn  = i.arn
    username = i.id
    groups   = ["system:masters"]
-    }], [{
-    rolearn  = data.aws_iam_role.admin.arn
-    username = data.aws_iam_role.admin.id
-    groups   = ["system:masters"]
-  }])
+    }]

  fargate_profiles = {
    default = {