mozilla · amitchell-moz · Dec 3, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/aws_gke_oidc_config/.terraform.lock.hcl b/aws_gke_oidc_config/.terraform.lock.hcl
diff --git a/aws_gke_oidc_config/README.md b/aws_gke_oidc_config/README.md
@@ -0,0 +1,45 @@
+<!-- BEGIN_TF_DOCS -->
+# AWS-GKE OIDC Config
+This module will create an AWS OIDC config that creates a trust relationship between a GKE cluster & AWS account.
+
+Once this module has been invoked for a given account + GKE cluster, the `aws_gke_oidc_role` module can be used
+to create any number of roles to be used by GKE workloads.
+
+See the `aws_gke_oidc_role` for complete usage instructions
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.37 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.76.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.6 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.gke_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [tls_certificate.gke_oidc](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | ID of the GKE cluster's project | `string` | n/a | yes |
+| <a name="input_gcp_region"></a> [gcp\_region](#input\_gcp\_region) | GKE cluster's GCP region | `string` | n/a | yes |
+| <a name="input_gke_cluster_name"></a> [gke\_cluster\_name](#input\_gke\_cluster\_name) | GKE cluster name | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/aws_gke_oidc_config/examples/main.tf b/aws_gke_oidc_config/examples/main.tf
@@ -0,0 +1,10 @@
+/*
+ * Creates an OIDC trust relationship between the global-platform-admin-mgmt cluster & the authenticated AWS account.
+ */
+
+module "oidc_config" {
+  source           = "../."
+  gcp_region       = "us-west1"
+  gcp_project_id   = "moz-fx-platform-mgmt-global"
+  gke_cluster_name = "global-platform-admin-mgmt"
+}
diff --git a/aws_gke_oidc_config/main.tf b/aws_gke_oidc_config/main.tf
@@ -0,0 +1,25 @@
+/* 
+ * # AWS-GKE OIDC Config 
+ * This module will create an AWS OIDC config that creates a trust relationship between a GKE cluster & AWS account.
+ *
+ * Once this module has been invoked for a given account + GKE cluster, the `aws_gke_oidc_role` module can be used
+ * to create any number of roles to be used by GKE workloads.
+ *
+ * See the `aws_gke_oidc_role` for complete usage instructions
+*/
+
+resource "aws_iam_openid_connect_provider" "gke_oidc" {
+  url = "https://container.googleapis.com/v1/projects/${var.gcp_project_id}/locations/${var.gcp_region}/clusters/${var.gke_cluster_name}"
+
+  client_id_list = [
+    "sts.amazonaws.com"
+  ]
+
+  thumbprint_list = [
+    data.tls_certificate.gke_oidc.certificates.0.sha1_fingerprint
+  ]
+}
+
+data "tls_certificate" "gke_oidc" {
+  url = "https://container.googleapis.com/v1/projects/${var.gcp_project_id}/locations/${var.gcp_region}/clusters/${var.gke_cluster_name}"
+}
diff --git a/aws_gke_oidc_config/variables.tf b/aws_gke_oidc_config/variables.tf
@@ -0,0 +1,16 @@
+### Required 
+
+variable "gcp_region" {
+  description = "GKE cluster's GCP region"
+  type        = string
+}
+
+variable "gcp_project_id" {
+  description = "ID of the GKE cluster's project"
+  type        = string
+}
+
+variable "gke_cluster_name" {
+  description = "GKE cluster name"
+  type        = string
+}
diff --git a/aws_gke_oidc_config/versions.tf b/aws_gke_oidc_config/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.37"
+    }
+  }
+  required_version = "~> 1.0"
+}
diff --git a/aws_gke_oidc_role/README.md b/aws_gke_oidc_role/README.md
@@ -0,0 +1,80 @@
+<!-- BEGIN_TF_DOCS -->
+# AWS-GKE OIDC Role
+This module will create an AWS role that will allow a specified GKE service account to assume it.
+
+Requires that `../aws_gke_oidc_config` has been applied for a given AWS account + GKE cluster combination
+if you get an error about the `aws_iam_openid_connect_provider` data source being missing, apply that module.
+
+After creating these resources, add the following environment variables, volumes, and volume mounts to your pod definition:
+* env:
+```
+- name: AWS_REGION
+  value: <YOUR_AWS_REGION_HERE>
+- name: AWS_ROLE_ARN
+  value: <ROLE_ARN FROM OUTPUT HERE>
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+- name: AWS_STS_REGIONAL_ENDPOINTS
+  value: regional
+```
+* volumes:
+```
+- name: aws-token
+  projected:
+    defaultMode: 420
+    sources:
+    - serviceAccountToken:
+        audience: sts.amazonaws.com
+        expirationSeconds: 86400
+        path: token
+```
+* volumeMounts:
+```
+- mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount/
+  name: aws-token
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.37 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.37 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_assumable_role_for_oidc"></a> [iam\_assumable\_role\_for\_oidc](#module\_iam\_assumable\_role\_for\_oidc) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v5.9 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.gke_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region | `string` | n/a | yes |
+| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | GKE cluster's project ID | `string` | n/a | yes |
+| <a name="input_gcp_region"></a> [gcp\_region](#input\_gcp\_region) | GKE cluster's GCP region | `string` | n/a | yes |
+| <a name="input_gke_cluster_name"></a> [gke\_cluster\_name](#input\_gke\_cluster\_name) | GKE cluster name | `string` | n/a | yes |
+| <a name="input_gke_namespace"></a> [gke\_namespace](#input\_gke\_namespace) | Namespace for GKE workload | `string` | n/a | yes |
+| <a name="input_gke_service_account"></a> [gke\_service\_account](#input\_gke\_service\_account) | GKE service account to grant role assumption privilleges | `string` | n/a | yes |
+| <a name="input_iam_policy_arns"></a> [iam\_policy\_arns](#input\_iam\_policy\_arns) | One or more policy arns to attach to created AWS role | `list(string)` | n/a | yes |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name to give the AWS role | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to the AWS role | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN for the GKE-AWS connector role |
+<!-- END_TF_DOCS -->
diff --git a/aws_gke_oidc_role/examples/.terraform.lock.hcl b/aws_gke_oidc_role/examples/.terraform.lock.hcl
diff --git a/aws_gke_oidc_role/examples/role_and_config/.terraform.lock.hcl b/aws_gke_oidc_role/examples/role_and_config/.terraform.lock.hcl
diff --git a/aws_gke_oidc_role/examples/role_and_config/main.tf b/aws_gke_oidc_role/examples/role_and_config/main.tf
@@ -0,0 +1,23 @@
+/*
+* Example of creating both an OIDC config & role to utilize it
+*/
+
+module "oidc_config" {
+  source           = "../../../aws_gke_oidc_config/"
+  gcp_region       = "us-west1"
+  gcp_project_id   = "moz-fx-platform-mgmt-global"
+  gke_cluster_name = "global-platform-admin-mgmt"
+}
+
+module "oidc_role" {
+  depends_on          = [module.oidc_config]
+  source              = "../.././"
+  role_name           = "opst-1509-oidc-test"
+  aws_region          = "us-west-1"
+  gcp_region          = "us-west1"
+  gke_cluster_name    = "global-platform-admin-mgmt"
+  gcp_project_id      = "moz-fx-platform-mgmt-global"
+  gke_namespace       = "atlantis-sandbox"
+  gke_service_account = "atlantis-sandbox"
+  iam_policy_arns     = []
+}
diff --git a/aws_gke_oidc_role/examples/role_and_config/providers.tf b/aws_gke_oidc_role/examples/role_and_config/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# Configure the AWS Provider
+provider "aws" {
+  region = "us-west-2"
+}
diff --git a/aws_gke_oidc_role/examples/role_with_policy/.terraform.lock.hcl b/aws_gke_oidc_role/examples/role_with_policy/.terraform.lock.hcl