diff --git a/infra/vultr-kubernetes/dns.tf b/infra/vultr-kubernetes/dns.tf new file mode 100644 index 0000000..39ec409 --- /dev/null +++ b/infra/vultr-kubernetes/dns.tf @@ -0,0 +1,66 @@ +# Policy to allow VKE to mess with our DNS stuff +################################################ +data aws_iam_policy_document vke { + version = "2012-10-17" + statement { + effect = "Allow" + actions = [ + "route53:ChangeResourceRecordSets" + ] + resources = [ + "arn:aws:route53:::hostedzone/*" + ] + } + statement { + effect = "Allow" + actions = [ + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource" + ] + resources = [ "*" ] + } +} +resource aws_iam_policy vke { + name = "vke-dns-pol" + policy = data.aws_iam_policy_document.vke.json +} + +# Here we have the assume (required) for the role to assume a principal +####################################################################### +data aws_iam_policy_document assume { + statement { + actions = [ "sts:AssumeRole" ] + principals { + type = "Service" + identifiers = [ "ec2.amazonaws.com" ] + } + } +} + +resource aws_iam_role vke { + name = "vke-dns-role" + assume_role_policy = data.aws_iam_policy_document.assume.json +} + +# Finally we attach the role and policy together +resource aws_iam_role_policy_attachment vke { + role = aws_iam_role.vke.name + policy_arn = aws_iam_policy.vke.arn +} + +# Next we create a user with these permissions + +resource aws_iam_user vke { + name = "vke-dns-user" + path = "/" + tags = { + Name = "vke-dns-user" + Description = "For VKE to update DNS records" + } +} + +resource aws_iam_access_key vke { + user = aws_iam_user.vke.name +} + diff --git a/infra/vultr-kubernetes/output.tf b/infra/vultr-kubernetes/output.tf new file mode 100644 index 0000000..d45b410 --- /dev/null +++ b/infra/vultr-kubernetes/output.tf @@ -0,0 +1,11 @@ +# Need to get access to those creds for the vke user + +output vke_secret_id { + value = aws_iam_access_key.vke.id + sensitive = true +} + +output vke_secret_key { + value = aws_iam_access_key.vke.secret + sensitive = true +}