feat: add Kubernetes IAM policy and update role attachment logic base… (#27)

* feat: add Kubernetes IAM policy and update role attachment logic based on deploy type

* fix: remove unnecessary S3 ListBucket action from IAM policy template

* feat: add IAM roles and policies for AutoMQ BYOC node deployment in Kubernetes

* feat: add documentation links for IAM role policies in aws.tf

Author: Gezi-lzq

aws.tf

@@ -233,7 +233,81 @@ resource "aws_iam_role" "automq_byoc_role" {
   }
 }
 
+resource "aws_iam_role" "automq_byoc_node_role" {
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  name = "automq-byoc-node-role-${var.automq_byoc_env_id}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  tags = {
+    automqVendor        = "automq"
+    automqEnvironmentID = var.automq_byoc_env_id
+  }
+}
+
+# https://docs.aws.amazon.com/zh_cn/eks/latest/userguide/create-node-role.html
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKSWorkerNodePolicy" {  
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"  
+  role       = aws_iam_role.automq_byoc_node_role[0].name  
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKS_CNI_Policy" {  
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"  
+  role       = aws_iam_role.automq_byoc_node_role[0].name  
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEC2ContainerRegistryReadOnly" {  
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"  
+  role       = aws_iam_role.automq_byoc_node_role[0].name  
+}
+
+# https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/installation/#option-b-attach-iam-policies-to-nodes
+resource "aws_iam_role_policy" "aws_load-balancer_policy" {
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  name = "aws-load-balancer-controller-service-policy-${var.automq_byoc_env_id}"
+  role = aws_iam_role.automq_byoc_node_role[0].name
+
+  policy = file("${path.module}/tpls/aws_load_balancer_controller_service_policy.json.tpl")
+}
+
+# https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
+resource "aws_iam_role_policy" "aws_cluster_auto_scaler_policy" {
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  name = "aws-cluster-auto-scaler-policy-${var.automq_byoc_env_id}"
+  role = aws_iam_role.automq_byoc_node_role[0].name
+
+  policy = file("${path.module}/tpls/aws_cluster_auto_scaler_policy.json.tpl")
+}
+
+resource "aws_iam_role_policy" "automq_s3_policy" {
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  name = "automq-s3-policy-${var.automq_byoc_env_id}"
+  role = aws_iam_role.automq_byoc_node_role[0].name
+
+  policy = templatefile("${path.module}/tpls/automq_node_s3_policy.json.tpl", {
+    automq_data_bucket = local.automq_data_bucket
+    automq_ops_bucket  = local.automq_ops_bucket
+  })
+}
+
+
 resource "aws_iam_policy" "automq_byoc_policy" {
+  count = var.automq_byoc_default_deploy_type == "vm" ? 1 : 0
   name        = "automq-byoc-service-policy-${var.automq_byoc_env_id}"
   description = "Custom policy for automq_byoc service"
 
@@ -248,9 +322,25 @@ resource "aws_iam_policy" "automq_byoc_policy" {
   }
 }
 
+resource "aws_iam_policy" "automq_byoc_k8s_policy" {
+  count = var.automq_byoc_default_deploy_type == "k8s" ? 1 : 0
+  name        = "automq-byoc-service-k8s-policy-${var.automq_byoc_env_id}"
+  description = "Custom policy for automq_byoc service"
+
+  policy = templatefile("${path.module}/tpls/automq_byoc_role_k8s_policy.json.tpl", {
+    automq_data_bucket = local.automq_data_bucket
+    automq_ops_bucket  = local.automq_ops_bucket
+  })
+
+  tags = {
+    automqVendor        = "automq"
+    automqEnvironmentID = var.automq_byoc_env_id
+  }
+}
+
 resource "aws_iam_role_policy_attachment" "automq_byoc_role_attachment" {
   role       = aws_iam_role.automq_byoc_role.name
-  policy_arn = aws_iam_policy.automq_byoc_policy.arn
+  policy_arn = var.automq_byoc_default_deploy_type == "k8s" ? aws_iam_policy.automq_byoc_k8s_policy[0].arn : aws_iam_policy.automq_byoc_policy[0].arn
 }
 
 resource "aws_iam_instance_profile" "automq_byoc_instance_profile" {

outputs.tf

@@ -28,6 +28,16 @@ output "automq_byoc_instance_id" {
   value = aws_instance.automq_byoc_console.id
 }
 
+output "automq_byoc_console_role_arn" {
+  description = "AutoMQ BYOC is bound to the role arn of the Console."
+  value = aws_iam_role.automq_byoc_role.arn
+}
+
+output "automq_byoc_eks_node_role_arn" {
+  description = "AutoMQ BYOC requires this role to be bound to the EKS Node group."
+  value = aws_iam_role.automq_byoc_role.arn
+}
+
 /*
 output "automq_byoc_data_bucket_name" {
   description = "The object storage bucket for that used to store message data generated by applications. The message data Bucket must be separate from the Ops Bucket."

tpls/automq_byoc_role_k8s_policy.json.tpl

@@ -0,0 +1,77 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "EC2InstanceProfileManagement",
+      "Effect": "Allow",
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "iam:PassedToService": "ec2.amazonaws.com*"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeVolumes",
+        "ec2:DescribeVolumes"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricData",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeTags",
+        "route53:CreateHostedZone",
+        "route53:GetHostedZone",
+        "route53:ChangeResourceRecordSets",
+        "route53:ListHostedZonesByName",
+        "route53:ListResourceRecordSets",
+        "route53:DeleteHostedZone"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetLifecycleConfiguration",
+        "s3:PutLifecycleConfiguration",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${automq_data_bucket}",
+        "arn:aws:s3:::${automq_ops_bucket}"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:AbortMultipartUpload",
+        "s3:PutObjectTagging",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${automq_data_bucket}/*",
+        "arn:aws:s3:::${automq_ops_bucket}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "eks:DescribeCluster",
+        "eks:ListNodegroups",
+        "eks:DescribeNodegroup"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

tpls/automq_byoc_role_policy.json.tpl

@@ -83,15 +83,6 @@
       ],
       "Resource": "*"
     },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:GetLifecycleConfiguration",
-        "s3:PutLifecycleConfiguration",
-        "s3:ListBucket"
-      ],
-      "Resource": "*"
-    },
     {
       "Effect": "Allow",
       "Action": [

tpls/automq_node_s3_policy.json.tpl

@@ -0,0 +1,30 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:AbortMultipartUpload",
+                "s3:PutObjectTagging",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${automq_data_bucket}/*",
+                "arn:aws:s3:::${automq_ops_bucket}/*"
+            ]
+        },
+        {
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${automq_data_bucket}",
+                "arn:aws:s3:::${automq_ops_bucket}"
+            ],
+            "Effect": "Allow"
+        }
+    ]
+}

tpls/aws_cluster_auto_scaler_policy.json.tpl

@@ -0,0 +1,32 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:DescribeAutoScalingGroups",
+                "autoscaling:DescribeAutoScalingInstances",
+                "autoscaling:DescribeLaunchConfigurations",
+                "autoscaling:DescribeScalingActivities",
+                "ec2:DescribeImages",
+                "ec2:DescribeInstanceTypes",
+                "ec2:DescribeLaunchTemplateVersions",
+                "ec2:GetInstanceTypesFromInstanceRequirements",
+                "eks:DescribeNodegroup"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:SetDesiredCapacity",
+                "autoscaling:TerminateInstanceInAutoScalingGroup"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}