# Resolves AWS SSO permission sets to the IAM roles they create; the
# `locals` block below reads `module.sso_roles.by_name[...]` to turn the
# `*_permission_sets` variables into role ARNs for the principal lists.
# The source is pinned to a git tag (`ref=v0.2.0`). Tags are mutable
# refs; pinning to a commit SHA would give a stronger supply-chain
# guarantee for this remotely fetched module.
module "sso_roles" {
  source = "github.com/thoughtbot/terraform-aws-sso-permission-set-roles?ref=v0.2.0"
}
# IAM role assumed by this instance's pods. Its ARN is granted read-only
# data access (`local.read_principals`) and secret read access
# (`local.secret_read_principals`) further down; it is deliberately absent
# from the readwrite and secret-write principal lists.
module "pod_role" {
  source = "github.com/thoughtbot/flightdeck//aws/service-account-role?ref=v0.9.0"

  # Clusters whose OIDC providers may assume this role.
  cluster_names = var.cluster_names
  name          = "${local.instance_name}-pods"

  # Single "<instance_name>:<service_account_name>" entry; presumably the
  # module interprets this as namespace:serviceaccount when building the
  # role's trust policy — TODO confirm against the flightdeck module.
  service_accounts = ["${local.instance_name}:${local.service_account_name}"]
}
# Attaches the S3 bucket policy document(s) to the pod role, but only when
# S3 is enabled for this instance (`count` is 0 otherwise, so no policy is
# created and the pod role keeps no S3 permissions).
module "pod_policy" {
  count  = var.s3_enabled ? 1 : 0
  source = "github.com/thoughtbot/flightdeck//aws/service-account-policy?ref=v0.9.0"

  name = "${local.instance_name}-pods"

  # `module.s3_bucket` is defined outside this file; the splat yields an
  # empty list when that module has count 0. NOTE(review): both `count`
  # expressions are expected to agree on `var.s3_enabled` — verify.
  policy_documents = module.s3_bucket[*].policy_json
  role_names       = [module.pod_role.name]
}
# Cluster metadata lookup. Only the first cluster in `var.cluster_names` is
# consulted here; the index expression fails at plan time if the list is
# empty.
module "cluster" {
  source = "github.com/thoughtbot/flightdeck//aws/cluster-name?ref=v0.9.0"

  name = var.cluster_names[0]
}
# Discovers network resources (VPC/subnets) by the shared tags of the
# cluster resolved above, rather than by hard-coded IDs.
module "network" {
  source = "github.com/thoughtbot/flightdeck//aws/network-data?ref=v0.9.0"

  tags = module.cluster.shared_tags
}
# Principal lists consumed by the data stores and secrets managed
# elsewhere in this module. Access tiers, from least to most privileged:
#   read       : execution roles + read permission sets + pod role
#   readwrite  : execution roles + readwrite permission sets (no pod role)
#   secret read: secret-write principals + pod role
#   secret write: execution roles + secret permission sets (no pod role)
# The pod role therefore never receives write access through these lists.
locals {
  # Execution roles may be supplied either directly as ARNs or by name;
  # named roles are resolved through `data.aws_iam_role.execution`.
  execution_role_arns = concat(var.execution_role_arns, values(data.aws_iam_role.execution)[*].arn)

  instance_name        = "${var.name}-${var.stage}"
  service_account_name = coalesce(var.service_account_name, var.name)

  # Permission-set names are resolved via `module.sso_roles.by_name`; an
  # unknown name fails the lookup at plan time instead of silently
  # granting nothing.
  read_permission_set_roles = [
    for name in var.read_permission_sets :
    module.sso_roles.by_name[name]
  ]

  read_principals = concat(
    local.execution_role_arns,
    local.read_permission_set_roles,
    [module.pod_role.arn],
  )

  readwrite_permission_set_roles = [
    for name in var.readwrite_permission_sets :
    module.sso_roles.by_name[name]
  ]

  readwrite_principals = concat(
    local.execution_role_arns,
    local.readwrite_permission_set_roles
  )

  secret_permission_set_roles = [
    for name in var.secret_permission_sets :
    module.sso_roles.by_name[name]
  ]

  secret_write_principals = concat(
    local.execution_role_arns,
    local.secret_permission_set_roles
  )

  # Readers are a superset of writers plus the pod role.
  secret_read_principals = concat(
    local.secret_write_principals,
    [module.pod_role.arn]
  )

  # All managed secrets (each optional module contributes zero or one
  # entry via its splat). The referenced modules are defined outside this
  # file. NOTE(review): `module.opensearch[0][*]` differs from the sibling
  # `[*]` splats; if `module.opensearch` uses `count` and can be 0, the
  # `[0]` index would error at plan time — verify against its definition.
  secrets = concat(
    module.postgres_admin_login[*],
    module.redis_token[*],
    module.secret_key[*],
    module.opensearch[0][*],
    values(module.developer_managed_secrets),
  )
}
# Looks up each execution role named in `var.execution_role_names` so its
# ARN can be added to `local.execution_role_arns`. A name that does not
# exist in the account fails the plan rather than being skipped.
data "aws_iam_role" "execution" {
  for_each = toset(var.execution_role_names)

  name = each.value
}