From 69c8eb088ef3671f899898bf77e4848a53376221 Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Tue, 16 Aug 2022 13:16:48 -0500
Subject: [PATCH] SandboxProd SSO access to EKS (#7172)

* SandboxProd SSO access to EKS

* Sandbox docker platform = linux/amd64

* Shorten SSO role ARN for EKS
---
 .../sandbox/JITProvisioner/deprovisioner.tf   | 1 +
 .../sandbox/JITProvisioner/jitprovisioner.tf  | 1 +
 infrastructure/sandbox/Monitoring/main.tf     | 1 +
 infrastructure/sandbox/PreProvisioner/main.tf | 1 +
 .../sandbox/SharedInfrastructure/eks.tf       | 20 +++++++++++++------
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/infrastructure/sandbox/JITProvisioner/deprovisioner.tf b/infrastructure/sandbox/JITProvisioner/deprovisioner.tf
index b1e415faaa..4cbdc85ecd 100644
--- a/infrastructure/sandbox/JITProvisioner/deprovisioner.tf
+++ b/infrastructure/sandbox/JITProvisioner/deprovisioner.tf
@@ -258,6 +258,7 @@ resource "docker_registry_image" "deprovisioner" {
   build {
     context     = "${path.module}/deprovisioner/"
     pull_parent = true
+    platform    = "linux/amd64"
   }
   depends_on = [
diff --git a/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf b/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf
index ddd46e0e9e..13e4132d97 100644
--- a/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf
+++ b/infrastructure/sandbox/JITProvisioner/jitprovisioner.tf
@@ -171,6 +171,7 @@ resource "docker_registry_image" "jitprovisioner" {
   build {
     context     = "${path.module}/lambda/"
     pull_parent = true
+    platform    = "linux/amd64"
   }
   depends_on = [
     local_file.standard-query-library
diff --git a/infrastructure/sandbox/Monitoring/main.tf b/infrastructure/sandbox/Monitoring/main.tf
index 33baa6ae4e..cb29525b8b 100644
--- a/infrastructure/sandbox/Monitoring/main.tf
+++ b/infrastructure/sandbox/Monitoring/main.tf
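Review bot: The build platform `"linux/amd64"` is pinned as a bare literal with no comment saying why, here and in the matching hunks of jitprovisioner.tf, Monitoring/main.tf and PreProvisioner/main.tf. The commit message only says "Sandbox docker platform = linux/amd64"; presumably builds from a host of another architecture produced images the target runtime could not run, but that is inferred from the change, not visible here. A one-line comment above each `platform` line recording the actual reason, e.g. `# Build for the target runtime architecture regardless of the build host`, or one shared local consumed by all four build blocks, would make the intent explicit and keep the four pins in step. The enclosing `docker_registry_image` resource starts before the hunk and continues past it.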
@@ -146,6 +146,7 @@ resource "docker_registry_image" "lifecycle-lambda" {
   build {
     context     = "${path.module}/lambda/"
     pull_parent = true
+    platform    = "linux/amd64"
   }
 }
diff --git a/infrastructure/sandbox/PreProvisioner/main.tf b/infrastructure/sandbox/PreProvisioner/main.tf
index 5a9b58cde2..846e7da5f4 100644
--- a/infrastructure/sandbox/PreProvisioner/main.tf
+++ b/infrastructure/sandbox/PreProvisioner/main.tf
@@ -369,6 +369,7 @@ resource "docker_registry_image" "main" {
   build {
     context     = "${path.module}/lambda/"
     pull_parent = true
+    platform    = "linux/amd64"
   }
   depends_on = [
diff --git a/infrastructure/sandbox/SharedInfrastructure/eks.tf b/infrastructure/sandbox/SharedInfrastructure/eks.tf
index c49cde8601..f0ba52b8e3 100644
--- a/infrastructure/sandbox/SharedInfrastructure/eks.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/eks.tf
@@ -25,6 +25,16 @@ provider "kubectl" {
 locals {
   cluster_version = "1.21"
+  account_role_mapping = {
+    # Add nonprod or other deployed accounts here
+    411315989055 = "AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0"
+  }
+  # Role Generated by SSO but needs admin to EKS
+  # This hack is needed because "aws_iam_role" returns an unsusable ARN for EKS on SSO roles.
+  sandbox_sso_role = {
+    id  = local.account_role_mapping[data.aws_caller_identity.current.account_id]
+    arn = join("", ["arn:aws:iam::", data.aws_caller_identity.current.account_id, ":role/", local.account_role_mapping[data.aws_caller_identity.current.account_id]])
+  }
 }
 output "eks_cluster" {
@@ -44,6 +54,8 @@ terraform {
   }
 }
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_role" "admin" {
   name = "admin"
 }
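Review bot: `local.account_role_mapping[data.aws_caller_identity.current.account_id]` in `sandbox_sso_role` is an unguarded map index, so applying this module from any account not listed in `account_role_mapping` fails with a generic "Invalid index" error instead of a message naming the missing mapping, and the comment `# Add nonprod or other deployed accounts here` shows more accounts are expected. A guarded lookup makes the failure self-describing, e.g. `id = lookup(local.account_role_mapping, data.aws_caller_identity.current.account_id, null)` paired with a check that the result is non-null (a `precondition` if the Terraform version in use supports it, otherwise a `validation` block on an input variable that carries the mapping). The value `AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0` ends in an identifier that IAM Identity Center generates when the permission set is provisioned, so re-creating the permission set changes the role name and this mapping silently stops matching; a comment above the map stating that, and that every role named here is granted `system:masters` through `map_roles` further down, would help whoever edits it next. The comment's "unsusable" is a typo for "unusable".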
@@ -68,15 +80,11 @@ module "aws-eks-accelerator-for-terraform" {
     }
   }
-  map_roles = concat([for i in var.eks_allowed_roles : {
+  map_roles = [for i in concat(var.eks_allowed_roles, [data.aws_iam_role.admin, local.sandbox_sso_role]) : {
     rolearn = i.arn
     username = i.id
     groups = ["system:masters"]
-  }], [{
-    rolearn = data.aws_iam_role.admin.arn
-    username = data.aws_iam_role.admin.id
-    groups = ["system:masters"]
-  }])
+  }]
   fargate_profiles = {
     default = {
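Review bot: The rewritten `map_roles` comprehension gives every entry of `var.eks_allowed_roles`, the `admin` role and the SSO role the same `groups = ["system:masters"]`, so there is no way to map a role with narrower cluster RBAC even though this list is now the single place all of that access is granted. Reading the group from the element with a fallback, `groups = try(i.groups, ["system:masters"])`, keeps the current result for every existing entry while letting a future entry carry its own group list. The objects being concatenated also have different shapes (`data.aws_iam_role.admin` is a full data-source object, `local.sandbox_sso_role` has only `id` and `arn`); the comprehension reads just `.arn` and `.id`, which both provide, but a one-line comment stating that contract, `# every element must expose .arn and .id`, would stop someone adding an element that lacks one. The `module "aws-eks-accelerator-for-terraform"` block starts before the hunk and ends after it.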