@moolen
Last active November 5, 2023 21:58
---
# Observe-only imports of AWS objects that already exist: Crossplane reads
# their state into status.atProvider but never creates, updates or deletes
# them. Other managed resources in this gist resolve them by name
# (clusterNameRef, subnetIdRefs, nodeRoleArnRef).
apiVersion: eks.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  name: mj-eso
  # NOTE(review): managed resources are cluster-scoped, so this namespace is
  # presumably dropped on apply — confirm before relying on it.
  namespace: default
  annotations:
    # The external name is the name of the real EKS cluster being observed.
    crossplane.io/external-name: mj-eso
spec:
  forProvider:
    region: eu-central-1
  managementPolicies:
    - Observe
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
  name: subnet-1
  annotations:
    # Existing subnet id to observe; never modified by Crossplane.
    crossplane.io/external-name: subnet-0cf3034a523ce87ab
spec:
  forProvider:
    region: eu-central-1
  managementPolicies:
    - Observe
---
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
  name: node-role
  annotations:
    # Existing node-group role, referenced by the NodeGroup via nodeRoleArnRef.
    crossplane.io/external-name: example-eks-node-group-20231105213352012800000007
spec:
  # Nothing to configure: Observe mode only reads the role.
  forProvider: {}
  managementPolicies:
    - Observe
# Composition functions used by the irsa Composition (mode: Pipeline):
# go-templating renders the Role, patch-and-transform copies its id back to
# the composite, auto-ready derives readiness.
# NOTE(review): each package is pinned by a mutable tag; for a reproducible,
# tamper-evident install pin by digest instead
# (xpkg.upbound.io/<org>/<package>@sha256:<digest-placeholder>) — confirm
# against your registry policy.
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-patch-and-transform
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.2.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-go-templating
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.2.2
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-auto-ready
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
---
# Inventory of the container images this bootstrap pulls: Crossplane core,
# the AWS family providers and the three composition functions.
# NOTE(review): the same key is repeated on every line, so this is not a
# single YAML mapping (most loaders would keep only the last entry); it is
# presumably consumed line by line, e.g. for pre-pulling or mirroring —
# confirm with the consumer before reformatting.
image: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
image: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.2.2
image: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.2.1
image: xpkg.upbound.io/crossplane/crossplane:v1.14.0
image: xpkg.upbound.io/upbound/provider-aws-ec2:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-eks:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-iam:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0
image: xpkg.upbound.io/upbound/provider-family-aws:v0.43.1
# also see awslabs IRSA implementation:
# https://github.com/awslabs/crossplane-on-eks/tree/main/compositions/upbound-aws-provider/irsa
#
# Composition for the IRSA composite (iam.foo.tech/v1alpha1). It renders one
# IAM Role whose trust policy lets the referenced Kubernetes service account
# call sts:AssumeRoleWithWebIdentity through the cluster's OIDC provider, and
# attaches the caller-supplied policy document inline.
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: irsa
spec:
  compositeTypeRef:
    apiVersion: iam.foo.tech/v1alpha1
    kind: IRSA
  mode: Pipeline
  pipeline:
    # Step 1: render the Role from the composite's spec with a Go template.
    - step: create-role
      functionRef:
        name: function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          # The rendered output is parsed as YAML, so indentation inside the
          # template is significant.
          template: |
            apiVersion: iam.aws.upbound.io/v1beta1
            kind: Role
            metadata:
              # NOTE(review): a fixed name presumably makes every IRSA
              # composite render the same Role object; if more than one IRSA
              # is expected, derive the name from the composite — confirm.
              name: irsa-role
              annotations:
                # Ties the rendered object to the "irsarole" entry patched in step 2.
                gotemplating.fn.crossplane.io/composition-resource-name: "irsarole"
                # Reports the composed resource as ready unconditionally.
                gotemplating.fn.crossplane.io/ready: "True"
            spec:
              {{- $resource := .observed.composite.resource }}
              {{- $spec := $resource.spec }}
              forProvider:
                description: "IAM Role for IRSA"
                # Trust policy. accountID, oidcProvider and serviceAccountRef
                # are interpolated verbatim into this JSON: a double quote or
                # backslash in any of them breaks or reshapes the document,
                # and nothing ties serviceAccountRef.namespace to the
                # namespace a claim was created in, so a claimant can name a
                # service account in any namespace. The XRD is the only place
                # these values are validated; tightening it with pattern
                # constraints, or deriving the namespace from
                # spec.claimRef.namespace, would close both gaps — confirm
                # which tenants may create claims before relying on this.
                assumeRolePolicy: |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Allow",
                        "Principal": {
                          "Federated": "arn:aws:iam::{{ $spec.accountID }}:oidc-provider/{{ $spec.oidcProvider }}"
                        },
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Condition": {
                          "StringEquals": {
                            "{{ $spec.oidcProvider }}:sub": "system:serviceaccount:{{ $spec.serviceAccountRef.namespace }}:{{ $spec.serviceAccountRef.name }}",
                            "{{ $spec.oidcProvider }}:aud": "sts.amazonaws.com"
                          }
                        }
                      }
                    ]
                  }
                # The entire policy document is caller-supplied: whoever may
                # create an IRSA (or IRSAClaim) can grant this role any
                # permission the provider's own credentials are able to attach.
                inlinePolicy:
                  - name: "irsa-{{ $resource.metadata.name }}"
                    # %#v emits a Go-quoted string literal; Go's escapes
                    # largely overlap YAML's double-quoted escapes, so a
                    # policy containing unusual control characters is the
                    # case to check — TODO confirm.
                    policy: {{ printf "%#v" $spec.policy }}
              providerConfigRef:
                name: "{{ $spec.providerConfigRef }}"
    # Step 2: copy the created role's id back into the composite status.
    - step: patch-and-transform
      functionRef:
        name: function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        resources:
          - name: irsarole
            patches:
              # NOTE(review): consumers that annotate a ServiceAccount with
              # the role ARN presumably need status.atProvider.arn rather
              # than id — confirm what reads status.roleId.
              - type: ToCompositeFieldPath
                fromFieldPath: "status.atProvider.id"
                toFieldPath: "status.roleId"
    # Step 3: derive composite readiness from the composed resources.
    - step: automatically-detect-readiness
      functionRef:
        name: function-auto-ready
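# Example IRSA composite: a role that the service account default/my-irsa can
# assume through the cluster's OIDC provider, limited to reading objects from
# one bucket. The XXXX values are redacted placeholders — substitute the real
# AWS account id and OIDC provider host/path.
apiVersion: iam.foo.tech/v1alpha1
kind: IRSA
metadata:
  name: my-irsa-role
  # NOTE(review): IRSA is the cluster-scoped composite, so this namespace is
  # presumably dropped on apply; the namespaced, tenant-facing form is the
  # IRSAClaim kind declared in the XRD — confirm which one is intended.
  namespace: "default"
spec:
  # Quoted on purpose: an all-digit account id would otherwise parse as an int.
  accountID: "XXXXXXXXXXXXXX"
  # Host/path of the cluster's OIDC issuer, without a scheme; the Composition
  # builds the oidc-provider ARN and the condition keys from it.
  oidcProvider: "oidc.eks.eu-central-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXX"
  providerConfigRef: "default"
  # Only this service account (namespace + name) may assume the role.
  serviceAccountRef:
    name: "my-irsa"
    namespace: "default"
  # Inline IAM policy attached to the role. s3:GetObject is an object-level
  # action, so the resource must be the object ARN (bucket/*); the bare bucket
  # ARN matches no object and the grant was a silent no-op.
  policy: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my-pod-secrets-bucket/*"
        }
      ]
    }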
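# CompositeResourceDefinition for the IRSA composite (cluster-scoped) and its
# namespaced IRSAClaim. Every spec field is interpolated verbatim into the
# Role rendered by the irsa Composition, so the schema is the only input
# validation the trust policy gets: the patterns below keep quotes,
# backslashes and whitespace out of the JSON it is spliced into.
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: irsas.iam.foo.tech
spec:
  group: iam.foo.tech
  names:
    kind: IRSA
    plural: irsas
  claimNames:
    kind: IRSAClaim
    plural: irsasclaim
  versions:
    - name: v1alpha1
      served: true
      referenceable: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                # Not read by the irsa Composition; kept for compatibility.
                debug:
                  type: string
                accountID:
                  description: AWS account id that owns the OIDC provider. A string, so leading zeros survive.
                  type: string
                  # AWS account ids are exactly twelve digits.
                  pattern: '^[0-9]{12}$'
                oidcProvider:
                  description: OIDC issuer host/path of the EKS cluster, without scheme. Becomes the federated principal and the condition-key prefix of the trust policy.
                  type: string
                  # No quotes, backslashes or whitespace: the value is spliced into JSON keys and strings.
                  pattern: '^[^"\\\s]+$'
                providerConfigRef:
                  description: Name of the aws.upbound.io ProviderConfig used to create the role.
                  type: string
                serviceAccountRef:
                  description: Kubernetes service account allowed to assume the role.
                  type: object
                  properties:
                    name:
                      type: string
                      # DNS subdomain, as Kubernetes requires for ServiceAccount names.
                      pattern: '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$'
                    namespace:
                      type: string
                      # DNS label, as Kubernetes requires for Namespace names.
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                  # namespace is interpolated into the trust policy subject
                  # system:serviceaccount:<namespace>:<name>; leaving it unset
                  # rendered an unusable subject, so it is required now.
                  required:
                    - name
                    - namespace
                policy:
                  description: Inline IAM policy document (JSON) attached to the role.
                  type: string
              required:
                - accountID
                - oidcProvider
                - serviceAccountRef
                - policy
            status:
              type: object
              properties:
                roleId:
                  description: Copied by the Composition from the composed Role's status.atProvider.id.
                  type: string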
# Managed node group joined to the observed cluster mj-eso. The subnet and the
# node IAM role are resolved by name from the Observe-only resources rather
# than created here.
apiVersion: eks.aws.upbound.io/v1beta1
kind: NodeGroup
metadata:
  name: new-ng
spec:
  forProvider:
    region: eu-central-1
    # References to Observe-only managed resources (name = Kubernetes object name).
    clusterNameRef:
      name: mj-eso
    nodeRoleArnRef:
      name: node-role
    subnetIdRefs:
      - name: subnet-1
    # Node shape.
    amiType: AL2_x86_64
    instanceTypes:
      - t3.medium
    diskSize: 100
    # Fixed-size group of one node.
    scalingConfig:
      - desiredSize: 1
        maxSize: 1
        minSize: 1
    # Kubernetes labels applied to the group's nodes.
    labels:
      foo: bar
# AWS provider packages.
# NOTE(review): provider-aws is the monolithic package and ships the same
# CRDs (ec2, eks, iam, ...) as the family providers listed after it;
# installing both is likely to make Crossplane refuse a second owner for
# each CRD — confirm, and keep only the family providers if that is what is
# in use (the image inventory in this gist lists only the family packages).
# All packages are pinned by mutable tag; pin by digest
# (…@sha256:<digest-placeholder>) for a reproducible install.
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: xpkg.upbound.io/upbound/provider-aws:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-eks
spec:
  package: xpkg.upbound.io/upbound/provider-aws-eks:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-ec2
spec:
  package: xpkg.upbound.io/upbound/provider-aws-ec2:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-iam
spec:
  package: xpkg.upbound.io/upbound/provider-aws-iam:v0.43.1
---
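#!/usr/bin/env bash
# Bootstraps Crossplane, the Upbound AWS S3 provider and a default
# ProviderConfig backed by static credentials read from ./aws-credentials.txt
# (AWS shared-credentials format). The file is loaded into the aws-secret
# Secret in crossplane-system; keep it out of version control.
set -euo pipefail

# Override with CREDS_FILE=/path/to/creds ./bootstrap.sh
CREDS_FILE="${CREDS_FILE:-./aws-credentials.txt}"

# --force-update keeps the repo add idempotent under set -e (a plain add
# fails when the repo already exists).
helm repo add --force-update \
  crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm upgrade --install crossplane \
  crossplane-stable/crossplane \
  --namespace crossplane-system \
  --create-namespace \
  --set "args={--enable-environment-configs}"

# Render the Secret client-side and apply it, so re-runs update it in place.
# The previous `create ... || true` hid every failure — including a missing
# credentials file — behind the "already exists" case.
kubectl create secret \
  generic aws-secret \
  -n crossplane-system \
  --from-file=creds="${CREDS_FILE}" \
  --dry-run=client -o yaml | kubectl apply -f -

cat <<'EOF' | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0
EOF

# The ProviderConfig CRD (aws.upbound.io/v1beta1) is delivered by the provider
# package, so applying the ProviderConfig before the provider is healthy
# fails with "no matches for kind ProviderConfig".
kubectl wait provider.pkg.crossplane.io/provider-aws-s3 \
  --for=condition=Healthy --timeout=300s

# Static keys from a Secret. The provider also supports workload-identity
# credential sources (e.g. credentials.source: IRSA) that avoid long-lived
# keys in the cluster — preferable when the control plane itself runs on EKS.
cat <<'EOF' | kubectl apply -f -
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-secret
      key: creds
EOF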