Creating user for DNS updates from K8s cluster
This commit is contained in:
parent
f60c5b9a35
commit
b71182d910
66
infra/vultr-kubernetes/dns.tf
Normal file
66
infra/vultr-kubernetes/dns.tf
Normal file
@ -0,0 +1,66 @@
|
||||
# Policy to allow VKE to mess with our DNS stuff
|
||||
################################################
|
||||
data aws_iam_policy_document vke {
|
||||
version = "2012-10-17"
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"route53:ChangeResourceRecordSets"
|
||||
]
|
||||
resources = [
|
||||
"arn:aws:route53:::hostedzone/*"
|
||||
]
|
||||
}
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"route53:ListHostedZones",
|
||||
"route53:ListResourceRecordSets",
|
||||
"route53:ListTagsForResource"
|
||||
]
|
||||
resources = [ "*" ]
|
||||
}
|
||||
}
|
||||
resource aws_iam_policy vke {
|
||||
name = "vke-dns-pol"
|
||||
policy = data.aws_iam_policy_document.vke.json
|
||||
}
|
||||
|
||||
# Here we have the assume (required) for the role to assume a principal
|
||||
#######################################################################
|
||||
data aws_iam_policy_document assume {
|
||||
statement {
|
||||
actions = [ "sts:AssumeRole" ]
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = [ "ec2.amazonaws.com" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource aws_iam_role vke {
|
||||
name = "vke-dns-role"
|
||||
assume_role_policy = data.aws_iam_policy_document.assume.json
|
||||
}
|
||||
|
||||
# Finally we attach the role and policy together
|
||||
resource aws_iam_role_policy_attachment vke {
|
||||
role = aws_iam_role.vke.name
|
||||
policy_arn = aws_iam_policy.vke.arn
|
||||
}
|
||||
|
||||
# Next we create a user with these permissions
|
||||
|
||||
resource aws_iam_user vke {
|
||||
name = "vke-dns-user"
|
||||
path = "/"
|
||||
tags = {
|
||||
Name = "vke-dns-user"
|
||||
Description = "For VKE to update DNS records"
|
||||
}
|
||||
}
|
||||
|
||||
resource aws_iam_access_key vke {
|
||||
user = aws_iam_user.vke.name
|
||||
}
|
||||
|
||||
11
infra/vultr-kubernetes/output.tf
Normal file
11
infra/vultr-kubernetes/output.tf
Normal file
@ -0,0 +1,11 @@
|
||||
# Need to get access to those creds for the vke user
|
||||
|
||||
output vke_secret_id {
|
||||
value = aws_iam_access_key.vke.id
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
output vke_secret_key {
|
||||
value = aws_iam_access_key.vke.secret
|
||||
sensitive = true
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user