AWS EKS Namespace

Use this module to quickly bootstrap an environment for a project running on an EKS cluster.

This module creates:

  • a Kubernetes namespace
  • IAM user groups (for administrators and developers)
  • an optional CI role
  • bindings between the IAM roles and Kubernetes RBAC roles
  • a set of ECR, S3 and EKS permissions for the IAM roles
  • a set of RBAC permissions for the RBAC roles

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.0, < 5.0 |
| kubernetes | >= 2.0, < 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.0, < 5.0 |
| kubernetes | >= 2.0, < 3.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| administrators | ../aws-eks-iam-role-group | n/a |
| aws_namespace | ./aws | n/a |
| developers | ../aws-eks-iam-role-group | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_user.ci | resource |
| kubernetes_namespace.namespace | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_admin_role_principals | List of additional role principal ARNs. These principals are able to assume the admin role directly. | `list(string)` | `[]` | no |
| additional_developer_role_principals | List of additional role principal ARNs. These principals are able to assume the developer role directly. | `list(string)` | `[]` | no |
| admin_kubernetes_role_rules | Standard set of Kubernetes role rules to add to the admin group. If not changed, it contains safe, namespace-scoped defaults fitting most use cases. | `list(object({ resources = list(string), api_groups = list(string), verbs = list(string) }))` | `null` | no |
| admin_kubernetes_role_rules_extra | Additional Kubernetes role rules to add to the admin group. | `list(object({ resources = list(string), api_groups = list(string), verbs = list(string) }))` | `[]` | no |
| administrators | List of IAM user names that will be added to the administrators group. | `list(string)` | `[]` | no |
| administrators_iam_policies | `{ name: arn }` map of policies to attach to the administrators group. | `map(string)` | `{}` | no |
| create_ci_iam_user | Whether to create a dedicated IAM user for CI. | `bool` | `false` | no |
| developer_kubernetes_role_rules | Standard set of Kubernetes role rules to add to the developer group. If not changed, it contains safe defaults fitting most use cases. | `list(object({ resources = list(string), api_groups = list(string), verbs = list(string) }))` | `null` | no |
| developer_kubernetes_role_rules_extra | Additional Kubernetes role rules to add to the developer group. | `list(object({ resources = list(string), api_groups = list(string), verbs = list(string) }))` | `[]` | no |
| developers | List of IAM user names that will be added to the developers group. | `list(string)` | `[]` | no |
| developers_iam_policies | `{ name: arn }` map of policies to attach to the developers group. | `map(string)` | `{}` | no |
| ecr_arn_list | List of ECR repository ARNs. If not provided, an ECR repository with the same name as the namespace is created. | `list(string)` | `[]` | no |
| iam_path | AWS IAM base path for all resources created for the namespace. | `string` | `null` | no |
| labels | Labels that are going to be attached to the namespace. | `map(string)` | `{}` | no |
| namespace | The name of the namespace to be created on the cluster. | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| administrator_role | AWS IAM role ID with all necessary permissions for managing Kubernetes, assumable by the administrators group. |
| administrators_aws_auth_entry | An IAM-Kubernetes binding for the administrators group that has to be put into the 'aws-auth' ConfigMap. |
| administrators_group | AWS IAM group name for the administrators group. |
| administrators_iam_policies | All AWS IAM policies assigned to the administrators group. |
| administrators_kubernetes_group | Kubernetes group for the administrators IAM group. Can be used in the 'aws-auth' ConfigMap as an element of the 'groups' entry. |
| administrators_kubernetes_role | Kubernetes role for the administrators IAM group. Can be used in the 'aws-auth' ConfigMap as the 'username' entry. |
| ci_user | n/a |
| ci_user_arn | n/a |
| developer_role | AWS IAM role ID with all necessary permissions for monitoring Kubernetes, assumable by the developers group. |
| developers_aws_auth_entry | An IAM-Kubernetes binding for the developers group that has to be put into the 'aws-auth' ConfigMap. |
| developers_group | AWS IAM group name for the developers group. |
| developers_iam_policies | All AWS IAM policies assigned to the developers group. |
| developers_kubernetes_group | Kubernetes group for the developers IAM group. Can be used in the 'aws-auth' ConfigMap as an element of the 'groups' entry. |
| developers_kubernetes_role | Kubernetes role for the developers IAM group. Can be used in the 'aws-auth' ConfigMap as the 'username' entry. |
| namespace | n/a |
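A worked usage example, added here and not part of the module's own code, that wires the inputs above to the outputs that must land in the 'aws-auth' ConfigMap. It assumes the module lives at `./modules/aws-eks-namespace`, that the `*_aws_auth_entry` outputs are objects with `rolearn`, `username` and `groups` keys, and a kubernetes provider version that has `kubernetes_config_map_v1_data` (2.10 or later); the node role ARN is a placeholder.

```hcl
module "payments_namespace" {
  source    = "./modules/aws-eks-namespace" # assumed path to this module
  namespace = "payments"
  labels    = { team = "payments" }
  iam_path  = "/eks/payments/"

  administrators = ["alice"]
  developers     = ["bob", "carol"]

  # Keep the module's namespace-scoped defaults for both groups; only extend
  # the developer role with read access to batch Jobs in this namespace.
  developer_kubernetes_role_rules_extra = [
    {
      api_groups = ["batch"]
      resources  = ["jobs"]
      verbs      = ["get", "list", "watch"]
    }
  ]

  # Left at the default: a dedicated CI IAM user means long-lived access keys.
  create_ci_iam_user = false
}

# The worker-node role entry already in aws-auth must be preserved, otherwise
# nodes lose cluster access. Placeholder ARN: substitute the real node role.
locals {
  node_role_entry = {
    rolearn  = "arn:aws:iam::111122223333:role/NODE_ROLE_PLACEHOLDER"
    username = "system:node:{{EC2PrivateDNSName}}"
    groups   = ["system:bootstrappers", "system:nodes"]
  }
}

# Both group bindings go into mapRoles; without them the IAM roles the module
# creates cannot authenticate to the cluster at all (assumed entry shape).
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = yamlencode(concat([local.node_role_entry], [
      module.payments_namespace.administrators_aws_auth_entry,
      module.payments_namespace.developers_aws_auth_entry,
    ]))
  }
  force = true # aws-auth is usually created by EKS; take over the mapRoles field
}
```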