Add IRSA to airflow dev environment (#4455)

* Add IRSA to airflow dev environment * fixed s3 arns and removed hard-coding * update policy statements, split out namespaces --------- Co-authored-by: julialawrence <98329494+julialawrence@users.noreply.github.com> Co-authored-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
ministryofjustice · Jun 4, 2024 · eb999b3 · eb999b3
1 parent 62f79dd
commit eb999b3
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 58 deletions.
diff --git a/terraform/aws/analytical-platform-data-production/airflow/eks.tf b/terraform/aws/analytical-platform-data-production/airflow/eks.tf
@@ -145,19 +145,6 @@ resource "aws_eks_node_group" "dev_node_group_high_memory" {
   }
 }
 
-resource "kubernetes_namespace" "dev_kube2iam" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "terraform"
-    }
-    name = "kube2iam-system"
-  }
-  timeouts {}
-}
 
 resource "kubernetes_config_map" "dev_aws_auth_configmap" {
   provider = kubernetes.dev-airflow-cluster
@@ -175,51 +162,6 @@ resource "kubernetes_config_map" "dev_aws_auth_configmap" {
 
 }
 
-resource "kubernetes_namespace" "dev_airflow" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-
-    name = "airflow"
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-resource "kubernetes_namespace" "kyverno_dev" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    name = "kyverno"
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-resource "kubernetes_namespace" "cluster_autoscaler_system" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    name = "cluster-autoscaler-system"
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-moved {
-  from = kubernetes_namespace.cluster-autoscaler-system
-  to   = kubernetes_namespace.cluster_autoscaler_system
-}
-
 ######################################
 ########### EKS PRODUCTION ###########
 ######################################

diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf
@@ -261,6 +261,50 @@ data "aws_iam_policy_document" "airflow_dev_eks_assume_role_policy" {
 
 }
 
+##### Airflow Dev IRSA
+data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" {
+  statement {
+    sid = "readwrite"
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:GetObjectVersion",
+      "s3:GetObjectTagging",
+      "s3:DeleteObject",
+      "s3:DeleteObjectVersion",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:PutObjectTagging",
+      "s3:RestoreObject"
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*"]
+  }
+
+  statement {
+    sid = "list"
+    actions = [
+      "s3:ListBucket",
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::airflow-monitoring/"]
+  }
+}
+
+module "airflow_dev_monitoring_iam_policy" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "5.39.1"
+
+  name = "airflow_dev_monitoring"
+
+  policy = data.aws_iam_policy_document.airflow_dev_monitoring_inline_role_policy.json
+}
+
+
 ############################ AIRFLOW PRODUCTION INFRASTRUCTURE
 
 data "aws_iam_policy_document" "airflow_prod_execution_assume_role_policy" {

diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf
@@ -86,6 +86,29 @@ resource "aws_iam_role" "airflow_dev_eks_role" {
   ]
 }
 
+#### Airflow Dev IRSA
+module "airflow_dev_monitoring_iam_role" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.1"
+
+  create_role = true
+
+  role_name = "airflow-monitoring-dev"
+
+  role_policy_arns = {
+    policy = module.airflow_dev_monitoring_iam_policy.arn
+  }
+
+  oidc_providers = {
+    one = {
+      provider_arn               = resource.aws_iam_openid_connect_provider.analytical_platform_development.arn
+      namespace_service_accounts = ["airflow:airflow"]
+    }
+  }
+}
+
 ####################################################################################
 ######################### AIRFLOW PRODUCTION INFRASTRUCTURE ########################
 ####################################################################################

diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf
@@ -0,0 +1,58 @@
+resource "kubernetes_namespace" "dev_kube2iam" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform"
+    }
+    name = "kube2iam-system"
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "dev_airflow" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+
+    name = "airflow"
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "kyverno_dev" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    name = "kyverno"
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "cluster_autoscaler_system" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    name = "cluster-autoscaler-system"
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+moved {
+  from = kubernetes_namespace.cluster-autoscaler-system
+  to   = kubernetes_namespace.cluster_autoscaler_system
+}
diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf
@@ -0,0 +1,9 @@
+resource "kubernetes_service_account" "airflow" {
+  metadata {
+    namespace = kubernetes_namespace.dev_airflow.metadata[0].name
+    name      = "airflow"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = module.airflow_dev_monitoring_iam_role.iam_role_arn
+    }
+  }
+}