diff --git a/infra/aws/terraform/.gitignore b/infra/aws/terraform/.gitignore
index dc704e0db7c..153bde343f5 100644
--- a/infra/aws/terraform/.gitignore
+++ b/infra/aws/terraform/.gitignore
@@ -13,12 +13,6 @@ plan.out
 # Crash log files
 crash.log
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
diff --git a/infra/aws/terraform/artifacts.k8s.io/atlantis.config b/infra/aws/terraform/artifacts.k8s.io/atlantis.config
new file mode 100644
index 00000000000..318387c7561
--- /dev/null
+++ b/infra/aws/terraform/artifacts.k8s.io/atlantis.config
@@ -0,0 +1,3 @@
+assume_role = {
+ role_arn = "arn:aws:iam::354561287328:role/OrganizationAccountAccessRole"
+}
diff --git a/infra/aws/terraform/artifacts.k8s.io/atlantis.tfvars b/infra/aws/terraform/artifacts.k8s.io/atlantis.tfvars
new file mode 100644
index 00000000000..429a8434c99
--- /dev/null
+++ b/infra/aws/terraform/artifacts.k8s.io/atlantis.tfvars
@@ -0,0 +1 @@
+atlantis_role_arn = "arn:aws:iam::354561287328:role/OrganizationAccountAccessRole"
diff --git a/infra/aws/terraform/artifacts.k8s.io/main.tf b/infra/aws/terraform/artifacts.k8s.io/main.tf
index b1fb6b0c1c6..1091de45705 100644
--- a/infra/aws/terraform/artifacts.k8s.io/main.tf
+++ b/infra/aws/terraform/artifacts.k8s.io/main.tf
@@ -20,7 +20,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 }
 }
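Review bot: Deleting the `*.tfvars` rule un-ignores every tfvars file under infra/aws/terraform, not only the new atlantis.tfvars, so any per-environment tfvars that does carry credentials will now appear in `git status` and can be committed by mistake; the commit only needs one file tracked. Keeping the rule and negating the single known-safe file, `*.tfvars` followed by `!artifacts.k8s.io/atlantis.tfvars`, tracks what this change needs while the broad protection stays in place. The file being added holds only a role ARN, which is not a secret, so the exception is justified on its own.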
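Review bot: The role Atlantis is pointed at in the target account is OrganizationAccountAccessRole, the role AWS Organizations creates in member accounts with administrator permissions by default, so a compromise of the Atlantis service account yields full control of account 354561287328 rather than the permissions the artifacts.k8s.io stack needs. A dedicated role for this stack, trusting only the `atlantis` role in the management account and carrying only what the stack manages, would bound that. The same ARN is repeated in atlantis.tfvars in the next hunk, so two files must be kept in sync when the role changes; if both the config-level assumption and the provider-level one in main.tf take effect, the provider call is a second assumption (role chaining), whose session AWS caps at one hour, which is worth confirming against how atlantis.config is consumed.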
@@ -34,90 +34,144 @@ terraform { # Provider for AWS non-region-specific operations provider "aws" { region = "us-east-2" + assume_role { + role_arn = var.atlantis_role_arn + } } # Per-region providers provider "aws" { alias = "ap-northeast-1" region = "ap-northeast-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ap-northeast-2" region = "ap-northeast-2" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ap-northeast-3" region = "ap-northeast-3" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ap-south-1" region = "ap-south-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ap-southeast-1" region = "ap-southeast-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ap-southeast-2" region = "ap-southeast-2" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "ca-central-1" region = "ca-central-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "eu-central-1" region = "eu-central-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "eu-north-1" region = "eu-north-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "eu-west-1" region = "eu-west-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "eu-west-2" region = "eu-west-2" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "eu-west-3" region = "eu-west-3" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "sa-east-1" region = "sa-east-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "us-east-1" region = "us-east-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "us-east-2" region = "us-east-2" + assume_role { + role_arn = var.atlantis_role_arn + } } 
provider "aws" { alias = "us-west-1" region = "us-west-1" + assume_role { + role_arn = var.atlantis_role_arn + } } provider "aws" { alias = "us-west-2" region = "us-west-2" + assume_role { + role_arn = var.atlantis_role_arn + } } diff --git a/infra/aws/terraform/artifacts.k8s.io/s3/versions.tf b/infra/aws/terraform/artifacts.k8s.io/s3/versions.tf index 68b4cda9f71..8ce57c6db9f 100644 --- a/infra/aws/terraform/artifacts.k8s.io/s3/versions.tf +++ b/infra/aws/terraform/artifacts.k8s.io/s3/versions.tf @@ -19,8 +19,7 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" - version = "~> 4.0" + source = "hashicorp/aws" } } } diff --git a/infra/aws/terraform/artifacts.k8s.io/variables.tf b/infra/aws/terraform/artifacts.k8s.io/variables.tf index c83f5f0d6c8..ef6a8513f54 100644 --- a/infra/aws/terraform/artifacts.k8s.io/variables.tf +++ b/infra/aws/terraform/artifacts.k8s.io/variables.tf @@ -17,10 +17,15 @@ limitations under the License. variable "prefix" { description = "Prefix for every resource so that the resources can be created without using the same names. Useful for testing and staging" type = string - default = "test-" + default = "prod-" validation { condition = can(regex(".*-$|^$", var.prefix)) error_message = "The string must end with a hyphen or be empty." } } + +variable "atlantis_role_arn" { + description = "The ARN of the Atlantis IAM role" + default = null +} diff --git a/infra/aws/terraform/management-account/iam-bentheelder.tf b/infra/aws/terraform/management-account/iam-bentheelder.tf deleted file mode 100644 index 129ab00edb9..00000000000 --- a/infra/aws/terraform/management-account/iam-bentheelder.tf +++ /dev/null 
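Review bot: Each of the eighteen new `assume_role` blocks carries only `role_arn`, so every STS session Atlantis opens shows up in CloudTrail under the provider's generated session name and cannot be distinguished from any other consumer of OrganizationAccountAccessRole; adding `session_name = "atlantis"` next to `role_arn` in each block gives the assumed-role session a stable, searchable identity for detection and incident response. Because `var.atlantis_role_arn` defaults to null the block is still present in every provider, and the v5 provider appears to treat a null `role_arn` as "do not assume" (confirm against the provider docs), so a local run without the tfvars silently falls back to the caller's own credentials rather than failing; a short comment above the first provider stating that this fallback is intended would save the next reader the same check. This hunk begins on the previous line of the diff.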
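Review bot: Dropping `version` from the s3 module's `required_providers` leaves the module with no statement of which provider majors it supports, so it is now implicitly whatever the calling root pins and will break without warning when that pin moves again. A child module conventionally declares a floor rather than nothing, `version = ">= 5.0"`, which documents the requirement without conflicting with the root module's `~> 5.0`.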
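Review bot: `variable "atlantis_role_arn"` is declared without `type`, so Terraform infers it from whatever the tfvars supplies and a malformed value is only caught when the provider tries to assume the role; adding `type = string` and extending the description to say that null means the provider uses its own credentials makes the contract explicit. Changing the `prefix` default from `test-` to `prod-` also inverts the safe default: an apply that forgets to set the variable now names production resources, which should be stated in the description so the risk is visible to whoever runs this outside Atlantis.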
@@ -1,28 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-resource "aws_iam_user" "bentheelder" {
- name = "bentheelder"
-}
-resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
- user = aws_iam_user.bentheelder.name
- policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
-}
-resource "aws_iam_user_login_profile" "bentheelder_login" {
- user = aws_iam_user.bentheelder.name
- password_reset_required = false
-}
diff --git a/infra/aws/terraform/management-account/iam-roles.tf b/infra/aws/terraform/management-account/iam-roles.tf
deleted file mode 100644
index a879a6e5009..00000000000
--- a/infra/aws/terraform/management-account/iam-roles.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-resource "aws_iam_service_linked_role" "access_analyzer" {
- aws_service_name = "access-analyzer.amazonaws.com"
-}
diff --git a/infra/aws/terraform/management-account/iam.tf b/infra/aws/terraform/management-account/iam.tf
new file mode 100644
index 00000000000..5e13a1baa53
--- /dev/null
+++ b/infra/aws/terraform/management-account/iam.tf
@@ -0,0 +1,62 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Service Linked Roles
+resource "aws_iam_service_linked_role" "access_analyzer" {
+ aws_service_name = "access-analyzer.amazonaws.com"
+}
+
+
+// Atlantis
+
+resource "aws_iam_openid_connect_provider" "utility_cluster" {
+ url = "https://container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility"
+ client_id_list = ["sts.amazonaws.com"]
+ thumbprint_list = ["08745487e891c19e3078c1f2a07e452950ef36f6"]
+}
+
+resource "aws_iam_role" "atlantis" {
+ name = "atlantis"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : aws_iam_openid_connect_provider.utility_cluster.arn
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringEquals" : {
+ "container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility:sub" : "system:serviceaccount:atlantis:atlantis"
+ }
+ }
+ }
+ ]
+ })
+
+ max_session_duration = 43200
+
+ tags = {
+ service = "atlantis"
+ }
+}
+
+
+resource "aws_iam_role_policy_attachment" "atlantis" {
+ role = aws_iam_role.atlantis.name
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
diff --git a/infra/aws/terraform/management-account/provider.tf b/infra/aws/terraform/management-account/provider.tf
index 88caa3d06ca..37c706770c4 100644
--- a/infra/aws/terraform/management-account/provider.tf
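Review bot: The trust policy on `aws_iam_role.atlantis` conditions only on the token's `:sub`, so any token the cluster issuer mints for `system:serviceaccount:atlantis:atlantis` is accepted whatever audience it was issued for; add the audience that `client_id_list` already declares, `"container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility:aud" : "sts.amazonaws.com"`, as a second key in the same `StringEquals` block. That role then holds `AdministratorAccess` in the organization's management account with a 12-hour `max_session_duration`; from the rest of this commit its job appears to be assuming OrganizationAccountAccessRole in member accounts, so an inline policy allowing `sts:AssumeRole` on those role ARNs plus whatever this management-account stack itself manages would bound the blast radius of a compromised Atlantis pod, and the default one-hour session (unless long applies have been shown to need more) limits how long a leaked token stays usable. The `thumbprint_list` value is a pinned certificate fingerprint that may need updating when the issuer's chain rotates; a comment recording where and when it was obtained would help the next maintainer. Minor style: the policy object mixes bare HCL keys (`Version =`, `Statement =`) with quoted JSON-style keys (`"Effect" :`); one form throughout reads more consistently.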
+++ b/infra/aws/terraform/management-account/provider.tf
@@ -30,7 +30,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 5.93.0"
+ version = "~> 6.17.0"
 }
 }
 }