import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as util from "./util";
import * as iam from "./lib";
// Baseline IAM: the shared groups (and policies) that the bot users below are
// placed in. Both admin groups are switched on here. `useExistingIamRoles` is
// also referenced later via a `!` assertion, so BaselineIam presumably defines
// it unconditionally — confirm in ./lib.
const baselineGroupOptions = {
  defineEksAdminsGroup: true, // default EKS admins group
  defineRoute53AdminsGroup: true, // Route 53 admins group
};
const baseline = new iam.BaselineIam("baselineIam", {
  groups: baselineGroupOptions,
});
//
// EKS management user. Deploys EKS and passes AWS IAM Role ARNs to EKS so that
// workloads can be correlated to AWS IAM.
//
const eksAdminCiGroups = [
  baseline.groups.eksAdmins!.name,
  // Membership here is what lets the user pass role ARNs into k8s RoleBindings.
  baseline.groups.useExistingIamRoles!.name,
];
const eksAdminCiUser = new util.BotUser("eksAdminCiUser", {
  groupMembership: { groups: eksAdminCiGroups },
});
// Long-lived programmatic credential for the CI user. Anything holding this
// key has the combined permissions of both groups above, so treat the exported
// secret accordingly (rotation / secret storage are outside this file).
const eksAdminCiUserKey = eksAdminCiUser.createAccessKey("eksAdminCiUser");
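// Stack output carrying the EKS CI user's access key.
//
// The secret component is wrapped with pulumi.secret so it is encrypted in the
// stack state and masked in `pulumi stack output` instead of being persisted
// and displayed in plaintext. The output name is kept unchanged (note the
// "eksUser" vs "eksAdmin" mismatch) because renaming it changes the stack
// output key that consumers read.
export const eksUserCiUserAccessKey = {
  id: eksAdminCiUserKey.id,
  secret: pulumi.secret(eksAdminCiUserKey.secret),
};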
//
// Route 53 management user: a member of the baseline Route 53 admins group only.
//
// NOTE: the Pulumi resource name is "router53User" (sic) while the variable and
// the access-key name say "route53User". It is left as-is on purpose — changing
// a resource name makes Pulumi replace the IAM user (or requires an alias).
const route53Groups = [baseline.groups.route53Admins!.name];
const route53User = new util.BotUser("router53User", {
  groupMembership: { groups: route53Groups },
});
// Long-lived programmatic credential for the Route 53 user.
const route53UserKey = route53User.createAccessKey("route53User");
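// Stack output carrying the Route 53 user's access key.
//
// The secret component is wrapped with pulumi.secret so it is encrypted in the
// stack state and masked in `pulumi stack output` instead of being persisted
// and displayed in plaintext. Output name unchanged so consumers keep working.
export const route53UserAccessKey = {
  id: route53UserKey.id,
  secret: pulumi.secret(route53UserKey.secret),
};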
//
// Role for CI-driven infrastructure management. Its trust policy is generated
// from the EKS CI user's ARN by util.assumeRolePolicy (helper in ./util, not
// visible here), so the CI user's access key exported above is what ultimately
// unlocks this role.
//
const kubeAppRolePolicies = {
  // AWS managed policy: ECR power user.
  ecrPowerUser: aws.iam.AmazonEC2ContainerRegistryPowerUser,
  // Baseline policy "useExistingIamRoles" (contents defined in ./lib).
  passRole: baseline.policies.useExistingIamRoles!.arn,
};
const kubeAppRole = util.newRoleWithPolicies(
  "kubeAppRole",
  {
    description: "Infrastructure management role for CI users",
    assumeRolePolicy: eksAdminCiUser.user.arn.apply(util.assumeRolePolicy),
  },
  kubeAppRolePolicies,
);
// Role ARN as a stack output (not sensitive, unlike the access-key secrets).
export const kubeAppRoleArn = kubeAppRole.arn;