diff --git a/terraform/aws/analytical-platform-data-production/airflow/eks.tf b/terraform/aws/analytical-platform-data-production/airflow/eks.tf
index 96624596aa..7bfa3010f0 100644
--- a/terraform/aws/analytical-platform-data-production/airflow/eks.tf
+++ b/terraform/aws/analytical-platform-data-production/airflow/eks.tf
@@ -145,19 +145,6 @@ resource "aws_eks_node_group" "dev_node_group_high_memory" {
 }
 }
-resource "kubernetes_namespace" "dev_kube2iam" {
- provider = kubernetes.dev-airflow-cluster
- metadata {
- annotations = {
- "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
- }
- labels = {
- "app.kubernetes.io/managed-by" = "terraform"
- }
- name = "kube2iam-system"
- }
- timeouts {}
-}
 resource "kubernetes_config_map" "dev_aws_auth_configmap" {
 provider = kubernetes.dev-airflow-cluster
@@ -175,51 +162,6 @@ resource "kubernetes_config_map" "dev_aws_auth_configmap" {
 }
-resource "kubernetes_namespace" "dev_airflow" {
- provider = kubernetes.dev-airflow-cluster
- metadata {
-
- name = "airflow"
- annotations = {
- "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
- }
- labels = {
- "app.kubernetes.io/managed-by" = "Terraform"
- }
- }
- timeouts {}
-}
-
-resource "kubernetes_namespace" "kyverno_dev" {
- provider = kubernetes.dev-airflow-cluster
- metadata {
- name = "kyverno"
- labels = {
- "app.kubernetes.io/managed-by" = "Terraform"
- }
- }
- timeouts {}
-}
-
-resource "kubernetes_namespace" "cluster_autoscaler_system" {
- provider = kubernetes.dev-airflow-cluster
- metadata {
- name = "cluster-autoscaler-system"
- annotations = {
- "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
- }
- labels = {
- "app.kubernetes.io/managed-by" = "Terraform"
- }
- }
- timeouts {}
-}
-
-moved {
- from = kubernetes_namespace.cluster-autoscaler-system
- to = kubernetes_namespace.cluster_autoscaler_system
-}
-
 ######################################
 ########### EKS PRODUCTION ###########
 ######################################
diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf
index 8c85a537ae..45de78072d 100644
--- a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf
+++ b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf
@@ -261,6 +261,50 @@ data "aws_iam_policy_document" "airflow_dev_eks_assume_role_policy" {
 }
+##### Airflow Dev IRSA
+data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" {
+ statement {
+ sid = "readwrite"
+ actions = [
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectVersion",
+ "s3:GetObjectTagging",
+ "s3:DeleteObject",
+ "s3:DeleteObjectVersion",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging",
+ "s3:RestoreObject"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*"]
+ }
+
+ statement {
+ sid = "list"
+ actions = [
+ "s3:ListBucket",
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:s3:::airflow-monitoring/"]
+ }
+}
+
+module "airflow_dev_monitoring_iam_policy" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "5.39.1"
+
+ name = "airflow_dev_monitoring"
+
+ policy = data.aws_iam_policy_document.airflow_dev_monitoring_inline_role_policy.json
+}
+
+
 ############################ AIRFLOW PRODUCTION INFRASTRUCTURE
 data "aws_iam_policy_document" "airflow_prod_execution_assume_role_policy" {
diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf
index a0fb5b855a..7bc4bc4eb2 100644
--- a/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf
+++ b/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf
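Review bot: The `list` statement's resource `arn:aws:s3:::airflow-monitoring/` has a trailing slash, which does not match the bucket ARN that `s3:ListBucket` and `s3:GetBucketLocation` are evaluated against, so those calls will be denied at runtime; it should read `resources = ["arn:aws:s3:::airflow-monitoring"]`. `s3:ListAllMyBuckets` is account-scoped and only takes effect against `resources = ["*"]`, so on a bucket ARN it is dead policy — either drop it or give it its own statement. Because the object statement is limited to the `airflow-scheduling-testing/` prefix, the listing grant should be narrowed the same way with `condition { test = "StringLike"; variable = "s3:prefix"; values = ["airflow-scheduling-testing/*"] }`, otherwise the role can enumerate every key in the bucket. `s3:PutObjectAcl`/`s3:GetObjectAcl` are broader than a write-only monitoring sink usually needs; worth confirming they are actually required before they ship.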
@@ -86,6 +86,29 @@ resource "aws_iam_role" "airflow_dev_eks_role" {
 ]
 }
+#### Airflow Dev IRSA
+module "airflow_dev_monitoring_iam_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "5.39.1"
+
+ create_role = true
+
+ role_name = "airflow-monitoring-dev"
+
+ role_policy_arns = {
+ policy = module.airflow_dev_monitoring_iam_policy.arn
+ }
+
+ oidc_providers = {
+ one = {
+ provider_arn = resource.aws_iam_openid_connect_provider.analytical_platform_development.arn
+ namespace_service_accounts = ["airflow:airflow"]
+ }
+ }
+}
+
 ####################################################################################
 ######################### AIRFLOW PRODUCTION INFRASTRUCTURE ########################
 ####################################################################################
diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf
new file mode 100644
index 0000000000..83082520d3
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf
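Review bot: The trust policy binds this role to the OIDC provider `analytical_platform_development` plus `airflow:airflow`, while every Kubernetes resource in this stack is created through `kubernetes.dev-airflow-cluster`; please confirm that provider is the issuer of the dev Airflow cluster, because if it is not, the projected token is rejected — and conversely any other cluster registered under that provider with an `airflow` service account in an `airflow` namespace can assume this role. The `airflow` namespace keeps its kube2iam `allowed-roles = ["airflow_dev*"]` annotation, so pods there now have two credential paths (IRSA via this role, kube2iam via the annotation); a comment such as `# IRSA role for the airflow service account; kube2iam roles matching airflow_dev* remain reachable in this namespace` would record that this overlap is intended. A `role_description` on the module would also make the role's purpose visible outside this repo.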
@@ -0,0 +1,58 @@
+resource "kubernetes_namespace" "dev_kube2iam" {
+ provider = kubernetes.dev-airflow-cluster
+ metadata {
+ annotations = {
+ "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
+ }
+ labels = {
+ "app.kubernetes.io/managed-by" = "terraform"
+ }
+ name = "kube2iam-system"
+ }
+ timeouts {}
+}
+
+resource "kubernetes_namespace" "dev_airflow" {
+ provider = kubernetes.dev-airflow-cluster
+ metadata {
+
+ name = "airflow"
+ annotations = {
+ "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
+ }
+ labels = {
+ "app.kubernetes.io/managed-by" = "Terraform"
+ }
+ }
+ timeouts {}
+}
+
+resource "kubernetes_namespace" "kyverno_dev" {
+ provider = kubernetes.dev-airflow-cluster
+ metadata {
+ name = "kyverno"
+ labels = {
+ "app.kubernetes.io/managed-by" = "Terraform"
+ }
+ }
+ timeouts {}
+}
+
+resource "kubernetes_namespace" "cluster_autoscaler_system" {
+ provider = kubernetes.dev-airflow-cluster
+ metadata {
+ name = "cluster-autoscaler-system"
+ annotations = {
+ "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
+ }
+ labels = {
+ "app.kubernetes.io/managed-by" = "Terraform"
+ }
+ }
+ timeouts {}
+}
+
+moved {
+ from = kubernetes_namespace.cluster-autoscaler-system
+ to = kubernetes_namespace.cluster_autoscaler_system
+}
diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf
new file mode 100644
index 0000000000..aef4adb283
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf
@@ -0,0 +1,9 @@
+resource "kubernetes_service_account" "airflow" {
+ metadata {
+ namespace = kubernetes_namespace.dev_airflow.metadata[0].name
+ name = "airflow"
+ annotations = {
+ "eks.amazonaws.com/role-arn" = module.airflow_dev_monitoring_iam_role.iam_role_arn
+ }
+ }
+}
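Review bot: `kubernetes_service_account.airflow` sets no `provider`, so it is created through the default `kubernetes` provider rather than `kubernetes.dev-airflow-cluster`, which the `dev_airflow` namespace it references (and every other namespace in this change) explicitly uses; if the default provider points at another cluster — this stack also manages a production cluster — the account either lands in the wrong cluster or the apply fails because no `airflow` namespace exists there, so add `provider = kubernetes.dev-airflow-cluster` as the first line of the resource. For parity with the namespaces, add `labels = { "app.kubernetes.io/managed-by" = "Terraform" }` under `metadata`. If the Airflow Helm release in this namespace also creates a service account named `airflow`, the two will fight over the same object on every reconcile; either set the chart's `serviceAccount.create` to false or move the `eks.amazonaws.com/role-arn` annotation into the chart values — worth confirming which one owns it before merge.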