From b71182d910fbd2e22d632c3595f7e980cc459c2e Mon Sep 17 00:00:00 2001
From: shockrah
Date: Sun, 4 Feb 2024 21:09:15 -0800
Subject: [PATCH] Creating user for DNS updates from K8s cluster

---
 infra/vultr-kubernetes/dns.tf | 66 ++++++++++++++++++++++++++++++++
 infra/vultr-kubernetes/output.tf | 11 ++++++
 2 files changed, 77 insertions(+)
 create mode 100644 infra/vultr-kubernetes/dns.tf
 create mode 100644 infra/vultr-kubernetes/output.tf

diff --git a/infra/vultr-kubernetes/dns.tf b/infra/vultr-kubernetes/dns.tf
new file mode 100644
index 0000000..39ec409
--- /dev/null
+++ b/infra/vultr-kubernetes/dns.tf
@@ -0,0 +1,66 @@
+# Policy to allow VKE to mess with our DNS stuff
+################################################
+data aws_iam_policy_document vke {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "route53:ChangeResourceRecordSets"
+ ]
+ resources = [
+ "arn:aws:route53:::hostedzone/*"
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ "route53:ListTagsForResource"
+ ]
+ resources = [ "*" ]
+ }
+}
+resource aws_iam_policy vke {
+ name = "vke-dns-pol"
+ policy = data.aws_iam_policy_document.vke.json
+}
+
+# Here we have the assume (required) for the role to assume a principal
+#######################################################################
+data aws_iam_policy_document assume {
+ statement {
+ actions = [ "sts:AssumeRole" ]
+ principals {
+ type = "Service"
+ identifiers = [ "ec2.amazonaws.com" ]
+ }
+ }
+}
+
+resource aws_iam_role vke {
+ name = "vke-dns-role"
+ assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+# Finally we attach the role and policy together
+resource aws_iam_role_policy_attachment vke {
+ role = aws_iam_role.vke.name
+ policy_arn = aws_iam_policy.vke.arn
+}
+
+# Next we create a user with these permissions
+
+resource aws_iam_user vke {
+ name = "vke-dns-user"
+ path = "/"
+ tags = {
+ Name = "vke-dns-user"
+ Description = "For VKE to update DNS records"
+ }
+}
+
+resource aws_iam_access_key vke {
+ user = aws_iam_user.vke.name
+}
+
diff --git a/infra/vultr-kubernetes/output.tf b/infra/vultr-kubernetes/output.tf
new file mode 100644
index 0000000..d45b410
--- /dev/null
+++ b/infra/vultr-kubernetes/output.tf
@@ -0,0 +1,11 @@
+# Need to get access to those creds for the vke user
+
+output vke_secret_id {
+ value = aws_iam_access_key.vke.id
+ sensitive = true
+}
+
+output vke_secret_key {
+ value = aws_iam_access_key.vke.secret
+ sensitive = true
+}
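Review bot: The user `vke-dns-user` created near the end of the hunk never receives the `vke-dns-pol` policy: `aws_iam_role_policy_attachment vke` binds the policy to `vke-dns-role`, whose trust policy only admits `ec2.amazonaws.com`, and nothing in this hunk attaches any policy to `aws_iam_user.vke`, so the access key minted for it carries no Route 53 permissions (unless an attachment exists elsewhere in the module) even though the comment `# Next we create a user with these permissions` says otherwise. Since the consumer is an external VKE cluster that cannot assume an EC2-service role, the role and its attachment appear unused; attach the managed policy directly to the user (below) or drop the role so the file does not suggest a trust boundary that is not in effect. While here, `"arn:aws:route53:::hostedzone/*"` lets this long-lived user key change records in every zone in the account — scoping it to the one zone the cluster manages, e.g. `resources = [ "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>" ]` (placeholder), keeps it to least privilege.
```hcl
# Attach the Route 53 policy to the user that VKE will actually authenticate as
resource aws_iam_user_policy_attachment vke {
  user       = aws_iam_user.vke.name
  policy_arn = aws_iam_policy.vke.arn
}
```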
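Review bot: `sensitive = true` on `output vke_secret_id` and `output vke_secret_key` only redacts the values in plan/apply output; `aws_iam_access_key.vke.secret` is still stored in plaintext in the Terraform state and is printed by `terraform output -raw`, so whoever can read the state holds a long-lived IAM credential. If the state is in a remote backend, its read access needs to be at least as restricted as the credential itself; otherwise set `pgp_key` on `aws_iam_access_key.vke` in dns.tf and export `encrypted_secret` instead of `secret`, so the state never holds the usable key. As a naming point, `vke_secret_id` holds `aws_iam_access_key.vke.id`, which is the non-secret access key ID, so `vke_access_key_id` would describe it more accurately.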