import * as pulumi from "@pulumi/pulumi"; | |
import * as aws from "@pulumi/aws"; | |
import * as util from "./util"; | |
import * as iam from "./lib"; | |
// Baseline IAM from the local library (./lib): opt into the default EKS-admins and
// Route53-admins groups. The other members referenced further down (useExistingIamRoles
// group and policy) are presumably created by BaselineIam unconditionally — verify in ./lib.
const baselineGroupOptions = {
    defineEksAdminsGroup: true,
    defineRoute53AdminsGroup: true,
};
const baseline = new iam.BaselineIam("baselineIam", { groups: baselineGroupOptions });
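//
// EKS management user. Deploys EKS, passes AWS IAM Role ARNs to EKS, so that workloads can be
// correlated to AWS IAM.
//
// NOTE(review): this is a long-lived static credential (an IAM user access key) for CI. It
// carries EKS admin rights plus the pass-role policy, so a leak of this key is effectively
// cluster takeover plus the ability to hand IAM roles to workloads. Prefer short-lived
// credentials (role assumption / OIDC federation) where the CI system supports it, and rotate
// the key on a schedule.
const eksAdminCiUser = new util.BotUser("eksAdminCiUser", {
    groupMembership: {
        groups: [
            baseline.groups.eksAdmins!.name,
            // To pass role ARNs to k8s RoleBindings. Presumably grants iam:PassRole — confirm
            // the policy's Resource list is limited to the intended roles, not "*".
            baseline.groups.useExistingIamRoles!.name,
        ],
    },
});
const eksAdminCiUserKey = eksAdminCiUser.createAccessKey("eksAdminCiUser");
// Stack output. The secret is wrapped in pulumi.secret() so it is encrypted in the state
// checkpoint and redacted from `pulumi stack output` (unless --show-secrets) regardless of
// whether the installed provider version already marks AccessKey.secret as secret.
// The export name ("eksUserCiUser…") does not match the user name; it is kept as-is because
// downstream stacks may reference it via StackReference.
export const eksUserCiUserAccessKey = {
    id: eksAdminCiUserKey.id,
    secret: pulumi.secret(eksAdminCiUserKey.secret),
};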
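// Route53 management user (DNS automation). Long-lived static credential — see the note on the
// EKS CI user above about rotation and preferring short-lived credentials.
// NOTE(review): the resource name "router53User" is a typo for "route53User". It is left
// unchanged on purpose: renaming a Pulumi resource replaces it, which would delete this IAM
// user and invalidate the access key currently in use. Fix it with a coordinated key rotation
// (or a resource alias) rather than an in-place edit.
const route53User = new util.BotUser("router53User", {
    groupMembership: {
        groups: [
            baseline.groups.route53Admins!.name,
        ],
    },
});
const route53UserKey = route53User.createAccessKey("route53User");
// Stack output. The secret is wrapped in pulumi.secret() so it is encrypted in the state
// checkpoint and redacted from `pulumi stack output` (unless --show-secrets) regardless of
// whether the installed provider version already marks AccessKey.secret as secret.
export const route53UserAccessKey = {
    id: route53UserKey.id,
    secret: pulumi.secret(route53UserKey.secret),
};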
// Role for the EKS CI user: trust policy is built from that user's ARN, so it is the only
// principal that can assume it. Attached policies: ECR push/pull plus the baseline pass-role
// policy, so the role can hand existing IAM roles to Kubernetes workloads.
const kubeAppRoleArgs = {
    description: "Infrastructure management role for CI users",
    // util.assumeRolePolicy is not visible here; presumably a single sts:AssumeRole statement
    // for the given principal ARN — verify in ./util that it does not widen the principal.
    assumeRolePolicy: eksAdminCiUser.user.arn.apply(util.assumeRolePolicy),
};
const kubeAppRolePolicies = {
    // AWS managed policy: ECR read/write ("PowerUser").
    ecrPowerUser: aws.iam.AmazonEC2ContainerRegistryPowerUser,
    // Customer policy from the baseline; presumably grants iam:PassRole — confirm its
    // Resource scope is limited to the intended roles.
    passRole: baseline.policies.useExistingIamRoles!.arn,
};
const kubeAppRole = util.newRoleWithPolicies("kubeAppRole", kubeAppRoleArgs, kubeAppRolePolicies);
export const kubeAppRoleArn = kubeAppRole.arn;