Merge pull request #43 from provectus/jenkins-iam-role

Added IAM roles for Jenkins master and agents

Author: usbulat

example/README.md

@@ -63,3 +63,7 @@ Refresh tfstate
 
 Recreate resources
 `terraform taint module.system.null_resource.helm_init`
+
+If `terraform destroy` command fails, run
+`destroy_fix.sh`
+and try `terraform destroy` again

example/destroy_fix.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+terraform show | grep -e "module.*helm" | tr -d '# :' | xargs terraform state rm
+terraform show | grep -e "module.*route53" | tr -d '# :' | xargs terraform state rm
+
+terraform state rm module.nginx.kubernetes_namespace.ingress-system
+terraform state rm module.system.kubernetes_namespace.cert-manager

example/example.tfvars

@@ -64,6 +64,37 @@ elasticDataSize = "30Gi"
 
 #Jenkins
 jenkins_password = "password"
+# Uncomment to attach S3 readonly policy for Jenkins master and agent IAM roles, or customize to add needed policies
+//agent_policy = <<EOF
+//{
+//  "Version": "2012-10-17",
+//  "Statement": [
+//    {
+//      "Effect": "Allow",
+//      "Action": [
+//        "s3:Get*",
+//        "s3:List*"
+//      ],
+//      "Resource": "*"
+//    }
+//  ]
+//}
+//EOF
+//master_policy = <<EOF
+//{
+//  "Version": "2012-10-17",
+//  "Statement": [
+//    {
+//      "Effect": "Allow",
+//      "Action": [
+//        "s3:Get*",
+//        "s3:List*"
+//      ],
+//      "Resource": "*"
+//    }
+//  ]
+//}
+//EOF
 
 #Grafana
 grafana_password = "password"

example/modules.tf

@@ -134,5 +134,14 @@ module "jenkins" {
   domains          = var.domains
   jenkins_password = var.jenkins_password
 
+  environment        = var.environment
+  project            = var.project
+  cluster_name       = var.cluster_name
+  cluster_oidc_url   = module.kubernetes.cluster_oidc_url
+  cluster_oidc_arn   = module.system.oidc_arn
+
+  master_policy      = var.master_policy
+  agent_policy       = var.agent_policy
+
   config_path = "${path.module}/kubeconfig_${var.cluster_name}"
 }

example/variables.tf

@@ -168,6 +168,16 @@ variable "jenkins_password" {
   default     = "password"
 }
 
+variable "agent_policy" {
+  description = "Policy attached to Jenkins agents IAM role"
+  default = ""
+}
+
+variable "master_policy" {
+  description = "Policy attached to Jenkins master IAM role"
+  default = ""
+}
+
 #Grafana
 variable "grafana_password" {
   description = "Password for grafana admin"

modules/cicd/jenkins/main.tf

@@ -25,6 +25,35 @@ resource "helm_release" "jenkins" {
     value = "true"
   }
 
+  set {
+    name  = "serviceAccountAgent.name"
+    value = "jenkins-agent"
+  }
+
+  set {
+    name  = "serviceAccountAgent.create"
+    value = true
+  }
+
+  set_string {
+    name  = "serviceAccountAgent.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.jenkins_agent.arn
+  }
+
+  set {
+    name  = "serviceAccount.name"
+    value = "jenkins-master"
+  }
+
+  set {
+    name  = "serviceAccount.create"
+    value = true
+  }
+
+  set_string {
+    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.jenkins_master.arn
+  }
 
 //TODO: fix it for multi domains
   set {
@@ -51,3 +80,112 @@ resource "helm_release" "jenkins" {
     file("${path.module}/values.yml")
   ]
 }
+
+# Enabling IAM Roles for Service Accounts
+data "aws_iam_policy_document" "jenkins_agent_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.cluster_oidc_url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:jenkins:jenkins-agent"]
+    }
+
+    principals {
+      identifiers = [var.cluster_oidc_arn]
+      type        = "Federated"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "jenkins_master_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.cluster_oidc_url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:jenkins:jenkins-master"]
+    }
+
+    principals {
+      identifiers = [var.cluster_oidc_arn]
+      type        = "Federated"
+    }
+  }
+}
+
+# Create role for jenkins agents
+resource "aws_iam_role" "jenkins_agent" {
+  depends_on = [
+    var.module_depends_on
+  ]
+  assume_role_policy = data.aws_iam_policy_document.jenkins_agent_assume_role_policy.json
+  name               = "${var.cluster_name}_jenkins_agent"
+
+  tags = {
+    Environment = var.environment
+    Project     = var.project
+  }
+}
+
+# Create role for jenkins master
+resource "aws_iam_role" "jenkins_master" {
+  depends_on = [
+    var.module_depends_on
+  ]
+  assume_role_policy = data.aws_iam_policy_document.jenkins_master_assume_role_policy.json
+  name               = "${var.cluster_name}_jenkins_master"
+
+  tags = {
+    Environment = var.environment
+    Project     = var.project
+  }
+}
+
+# Creating agent policy
+resource "aws_iam_policy" "agent_policy" {
+  count = var.agent_policy == "" ? 0 : 1
+  depends_on = [
+    var.module_depends_on
+  ]
+  name   = "${var.cluster_name}_agent_policy"
+  policy = var.agent_policy
+}
+
+# Creating master policy
+resource "aws_iam_policy" "master_policy" {
+  count = var.master_policy == "" ? 0 : 1
+  depends_on = [
+    var.module_depends_on
+  ]
+  name   = "${var.cluster_name}_master_policy"
+  policy = var.master_policy
+}
+
+# Attaching agent_policy policy to role jenkins_agent
+resource "aws_iam_role_policy_attachment" "jenkins_agent" {
+  count = var.agent_policy == "" ? 0 : 1
+  depends_on = [
+    var.module_depends_on,
+    aws_iam_role.jenkins_agent,
+    aws_iam_policy.agent_policy
+  ]
+  role       = aws_iam_role.jenkins_agent.name
+  policy_arn = aws_iam_policy.agent_policy[count.index].arn
+}
+
+# Attaching master_policy policy to role jenkins_master
+resource "aws_iam_role_policy_attachment" "jenkins_master" {
+  count = var.master_policy == "" ? 0 : 1
+  depends_on = [
+    var.module_depends_on,
+    aws_iam_role.jenkins_master,
+    aws_iam_policy.master_policy
+  ]
+  role       = aws_iam_role.jenkins_master.name
+  policy_arn = aws_iam_policy.master_policy[count.index].arn
+}

modules/cicd/jenkins/values.yml

@@ -491,11 +491,11 @@ agent:
   # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods.
   # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates
   # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-  yamlTemplate: ""
-  # yamlTemplate: |-
-  #   apiVersion: v1
-  #   kind: Pod
-  #   spec:
+  yamlTemplate: |-
+    apiVersion: v1
+    kind: Pod
+    spec:
+      serviceAccountName: jenkins-agent
   #     tolerations:
   #     - key: "key"
   #       operator: "Equal"

modules/cicd/jenkins/variables.tf

@@ -16,3 +16,40 @@ variable "config_path" {
   description = "location of the kubeconfig file"
   default     = "~/.kube/config"
 }
+
+#Deploy environment name
+variable "environment" {
+  type        = string
+  description = "Environment Use in tags and annotations for identify EKS cluster"
+}
+
+variable "project" {
+  type        = string
+  description = "Project Use in tags and annotations for identify EKS cluster"
+}
+
+variable "cluster_name" {
+  description = "Name of the kubernetes cluster"
+}
+
+variable "cluster_oidc_arn" {
+  type        = string
+  description = "OIDC EKS cluster arn"
+  default     = ""
+}
+
+variable "cluster_oidc_url" {
+  type        = string
+  description = "OIDC EKS cluster endpoint"
+  default     = ""
+}
+
+variable "agent_policy" {
+  description = "Policy attached to Jenkins agents IAM role"
+  default = ""
+}
+
+variable "master_policy" {
+  description = "Policy attached to Jenkins master IAM role"
+  default = ""
+}

modules/system/output.tf

@@ -5,3 +5,7 @@ output "kubernetes_service_account" {
 output "cert-manager" {
   value = "${helm_release.cert-manager}"
 }
+
+output "oidc_arn" {
+  value = "${aws_iam_openid_connect_provider.cluster.arn}"
+}