Channels
#golang
Title
r
ripe-shampoo-80285
06/04/2021, 2:58 AMAny Pulumi golang based example for setting AWS EKS IRSA?
b
bored-table-20691
06/04/2021, 3:13 AMI just did this yesterday. I’ll share it when I’m at a computer in a little bit - probably 30-60 minutes.
Creating the IRSA resources:
Copy code
func (tenant *Tenant) CreateIRSA() error {
ctx := tenant.pulumiCtx
oidcUrlRef := tenant.infraStack.GetStringOutput(pulumi.String("eks-oidc-url"))
oidcArnRef := tenant.infraStack.GetStringOutput(pulumi.String("eks-oidc-arn"))
serviceAccountName := fmt.Sprintf("tenant-%s-s3-sa", tenant.name)
roleName := fmt.Sprintf("tenant-%s-s3-role", tenant.name)
policyName := fmt.Sprintf("tenant-%s-s3-policy", tenant.name)
allow := "Allow"
assumeRolePolicy := pulumi.All(tenant.namespace.Metadata.Name(), oidcUrlRef, oidcArnRef).ApplyT(func(args []interface{}) (string, error) {
namespaceName := args[0].(*string)
oidcUrl := args[1].(string)
oidcArn := args[2].(string)
source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Actions: []string{
"sts:AssumeRoleWithWebIdentity",
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
{
Test: "StringEquals",
Values: []string{fmt.Sprintf("system:serviceaccount:%s:%s", *namespaceName, serviceAccountName)},
Variable: fmt.Sprintf("%s:sub", strings.TrimPrefix(oidcUrl, "https://")),
},
},
Effect: &allow,
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Identifiers: []string{oidcArn},
Type: "Federated",
},
},
},
},
}, nil)
if err != nil {
return "", err
}
return source.Json, nil
})
serviceRole, err := iam.NewRole(ctx, roleName, &iam.RoleArgs{
AssumeRolePolicy: assumeRolePolicy,
})
if err != nil {
return err
}
infraBucket := tenant.infraStack.GetStringOutput(pulumi.String("bucket"))
s3PolicyDoc := pulumi.All(infraBucket).ApplyT(func(args []interface{}) (string, error) {
bucket := args[0].(string)
bucketArn := fmt.Sprintf("arn:aws:s3:::%s", bucket)
auditLogPrefix := fmt.Sprintf("tenants/logs/audit/tenant=%s", tenant.name)
analyticsLogPrefix := fmt.Sprintf("tenants/logs/analytics/tenant=%s", tenant.name)
fsAuditLogPrefix := fmt.Sprintf("tenants/logs/fs-audit/tenant=%s", tenant.name)
operationaLogPrefix := fmt.Sprintf("tenants/logs/operational/tenant=%s", tenant.name)
source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
// Some base bucket policies
{
Actions: []string{
"s3:HeadBucket",
},
Resources: []string{
bucketArn,
},
Effect: &allow,
},
// Allowing listing the log dirs
{
Actions: []string{
"s3:ListBucket",
},
Resources: []string{
bucketArn,
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
{
Test: "StringLike",
Values: []string{
fmt.Sprintf("%s", auditLogPrefix),
fmt.Sprintf("%s/*", auditLogPrefix),
fmt.Sprintf("%s", analyticsLogPrefix),
fmt.Sprintf("%s/*", analyticsLogPrefix),
fmt.Sprintf("%s", fsAuditLogPrefix),
fmt.Sprintf("%s/*", fsAuditLogPrefix),
fmt.Sprintf("%s", operationaLogPrefix),
fmt.Sprintf("%s/*", operationaLogPrefix),
},
Variable: "s3:prefix",
},
},
Effect: &allow,
},
// Allow read/write/delete on the logging buckets
{
Actions: []string{
"s3:DeleteObject",
"s3:GetEncryptionConfiguration",
"s3:GetObject",
"s3:GetObjectTagging",
"s3:PutObject",
},
Resources: []string{
fmt.Sprintf("%s/%s", bucketArn, auditLogPrefix),
fmt.Sprintf("%s/%s/*", bucketArn, auditLogPrefix),
fmt.Sprintf("%s/%s", bucketArn, analyticsLogPrefix),
fmt.Sprintf("%s/%s/*", bucketArn, analyticsLogPrefix),
fmt.Sprintf("%s/%s", bucketArn, fsAuditLogPrefix),
fmt.Sprintf("%s/%s/*", bucketArn, fsAuditLogPrefix),
fmt.Sprintf("%s/%s", bucketArn, operationaLogPrefix),
fmt.Sprintf("%s/%s/*", bucketArn, operationaLogPrefix),
},
Effect: &allow,
},
// Only allow reading the lake bucket
{
Actions: []string{
"s3:GetObject",
"s3:GetObjectTagging",
"s3:HeadBucket",
"s3:ListBucket",
},
Resources: []string{
"arn:aws:s3:::okera-lake",
"arn:aws:s3:::okera-lake/*",
},
Effect: &allow,
},
},
}, nil)
if err != nil {
return "", err
}
return source.Json, nil
})
s3Policy, err := iam.NewPolicy(ctx, policyName, &iam.PolicyArgs{
Description: pulumi.Sprintf("S3 permissions for tenant %s", tenant.name),
Policy: s3PolicyDoc,
Tags: pulumi.StringMap{
"tenant": pulumi.String(tenant.name),
},
})
if err != nil {
return err
}
_, err = iam.NewRolePolicyAttachment(ctx, fmt.Sprintf("%s-attachment", policyName), &iam.RolePolicyAttachmentArgs{
PolicyArn: s3Policy.Arn,
Role: serviceRole,
})
if err != nil {
return err
}
serviceAccount, err := corev1.NewServiceAccount(ctx, serviceAccountName, &corev1.ServiceAccountArgs{
Metadata: &metav1.ObjectMetaArgs{
Namespace: tenant.namespace.Metadata.Name(),
Name: pulumi.String(serviceAccountName),
Annotations: pulumi.StringMap{
"<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>": serviceRole.Arn,
},
},
})
if err != nil {
return err
}
tenant.serviceAccount = serviceAccount
return nil
} Copy code
...
Spec: &corev1.PodSpecArgs{
ServiceAccountName: tenant.serviceAccount.Metadata.Name(),
...tenant.infraStackStackReferencer
ripe-shampoo-80285
06/04/2021, 12:51 PM@bored-table-20691 Thank you very much for sharing the example!
How do you export oidc provier url? I can do this:
ctx.Export("ekd-oidc-url", cluster.Core.OidcProvider()), but url is an output in OidcProvider which itself is an output. How do I flatten the nested output?
b
bored-table-20691
06/04/2021, 6:16 PMYou’re using
pulumi-eksYou should be able to just reference the URL member of
OidcProvider()iam.OpenIdConnectProviderIn my case I’m not using
pulumi-eks Copy code
eksCluster, err := eks.LookupCluster(ctx, &eks.LookupClusterArgs{
Name: okeraCfg.Require("eks"),
})
if err != nil {
return err
}
awsAccount := okeraCfg.Require("aws-account")
oidcUrl := eksCluster.Identities[0].Oidcs[0].Issuer
oidcArn := fmt.Sprintf("arn:aws:iam::%s:oidc-provider/%s", awsAccount, strings.TrimPrefix(oidcUrl, "https://"))
kubeconfig := kube.GenerateKubeconfig(
eksCluster.Endpoint,
eksCluster.CertificateAuthority.Data,
eksCluster.Name)
ctx.Export("kubeconfig", pulumi.ToSecret(kubeconfig))
ctx.Export("eks-oidc-url", pulumi.String(oidcUrl))
ctx.Export("eks-oidc-arn", pulumi.String(oidcArn))r
ripe-shampoo-80285
06/04/2021, 6:52 PM@bored-table-20691 yes, I'm using pulumi-eks. The OidcProvider() returns iam.OpenIdConnectProviderOutput rather than iam.OpenIdConnectProvider. Hence Url is a nested Output. We would need a way to flatten the nested Output. Much like I used to do this in Scala to flatten Future[Future[]].
Let me see if I can use your approach as a workaround. Again, much appreciated for the help.
b
bored-table-20691
06/04/2021, 6:58 PM@ripe-shampoo-80285 is there an issue with Url being a nested output?
r
ripe-shampoo-80285
06/04/2021, 7:03 PMYeah, not sure how to export Url in this case. For example,
I cannot access Url like this: cluster.Core.OidcProvider().Url
I tried to do the following and it doesn't work either (no error, but no eks-oidc-url in the outputs either).
cluster.Core.OidcProvider().ApplyT(func(p *iam.OpenIdConnectProvider) *iam.OpenIdConnectProvider {
ctx.Export("eks-oidc-url", p.Url)
ctx.Export("eks-oidc-arn", p.Arn)
return p
})
b
bored-table-20691
06/04/2021, 10:19 PMYeah I’d have to try, but I don’t have an example with
pulumi-eksr
ripe-shampoo-80285
06/05/2021, 2:35 AMThanks Itay, you have been super helpful. Really appreciate! I am using your approach as workaround for the time being, it works!
b
bored-table-20691
06/05/2021, 4:30 AMNo problem, glad it works. It’s been a process to piece out these examples - a combination of finding Go examples, converting TypeScript ones to go, and then just auto-complete 🙂
b
bright-sandwich-93783
07/06/2021, 9:49 PM@bored-table-20691 sorry to resurrect this thread. EKS reccomends you to annotate the
aws-nodekube-systemb
bored-table-20691
07/06/2021, 11:25 PM@bright-sandwich-93783 no worries at all. I unfortunately (or maybe fortunately?) have never had to do that. What’s the link to the AWS docs for this?
3 Views