update

chrisp018 · Jun 10, 2023 · b765d70 · b765d70
1 parent d6951cc
commit b765d70
Show file tree

Hide file tree

Showing 4 changed files with 355 additions and 36 deletions.
diff --git a/request-simulate/wc_dataset_processed_short.csv b/request-simulate/wc_dataset_processed_short.csv
@@ -9482,17 +9482,17 @@ event_time,event_count,sum_bytes,num_match_event
 1998-06-17 16:14:00,60165,183936621,0
 1998-06-17 16:15:00,61070,175950451,20000
 1998-06-17 16:16:00,62538,184423352,20000
-1998-06-17 16:17:00,61120,166090530,20000
-1998-06-17 16:18:00,62188,176754105,20000
-1998-06-17 16:19:00,62788,196932680,20000
-1998-06-17 16:20:00,63824,186096317,20000
-1998-06-17 16:21:00,62559,182614264,20000
+1998-06-17 16:17:00,63120,166090530,20000
+1998-06-17 16:18:00,65188,176754105,20000
+1998-06-17 16:19:00,66788,196932680,20000
+1998-06-17 16:20:00,67824,196096317,20000
+1998-06-17 16:21:00,66559,182614264,20000
 1998-06-17 16:22:00,62571,183386448,20000
 1998-06-17 16:23:00,64782,182536024,20000
 1998-06-17 16:24:00,61149,178634709,20000
 1998-06-17 16:25:00,61789,201943982,20000
-1998-06-17 16:26:00,60391,194125081,20000
-1998-06-17 16:27:00,60490,194541517,20000
+1998-06-17 16:26:00,66391,194125081,20000
+1998-06-17 16:27:00,67490,194541517,20000
 1998-06-17 16:28:00,60348,168995233,20000
 1998-06-17 16:29:00,57698,174294256,20000
 1998-06-17 16:30:00,55121,179821335,20000

diff --git a/system/infra/modules/skeleton-infra/irsa-alb.tf b/system/infra/modules/skeleton-infra/irsa-alb.tf
@@ -0,0 +1,275 @@
+data "aws_iam_policy_document" "aws_lb_controller_assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "oidc.eks.ap-southeast-1.amazonaws.com/id/C9346C22EF38640E5C465F9128A3DCE0:sub"
+      values   = ["system:serviceaccount:aws-lb-controller:aws-lb-controller-role"]
+    }
+
+    principals {
+      identifiers = ["arn:aws:iam::832438989008:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/C9346C22EF38640E5C465F9128A3DCE0"]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "aws_lb_controller" {
+  assume_role_policy = data.aws_iam_policy_document.aws_lb_controller_assume_role.json
+  name               = "system-opspace-aws-lb-controller-role"
+}
+
+resource "aws_iam_role_policy" "aws_lb_controller" {
+  name = "system-opspace-aws-lb-controller-policy"
+  role = aws_iam_role.aws_lb_controller.name
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "iam:CreateServiceLinkedRole",
+        "Resource" : "*",
+        "Condition" : {
+          "StringEquals" : {
+            "iam:AWSServiceName" : "elasticloadbalancing.amazonaws.com"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:DescribeAccountAttributes",
+          "ec2:DescribeAddresses",
+          "ec2:DescribeAvailabilityZones",
+          "ec2:DescribeInternetGateways",
+          "ec2:DescribeVpcs",
+          "ec2:DescribeVpcPeeringConnections",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeInstances",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DescribeTags",
+          "ec2:GetCoipPoolUsage",
+          "ec2:DescribeCoipPools",
+          "elasticloadbalancing:DescribeLoadBalancers",
+          "elasticloadbalancing:DescribeLoadBalancerAttributes",
+          "elasticloadbalancing:DescribeListeners",
+          "elasticloadbalancing:DescribeListenerCertificates",
+          "elasticloadbalancing:DescribeSSLPolicies",
+          "elasticloadbalancing:DescribeRules",
+          "elasticloadbalancing:DescribeTargetGroups",
+          "elasticloadbalancing:DescribeTargetGroupAttributes",
+          "elasticloadbalancing:DescribeTargetHealth",
+          "elasticloadbalancing:DescribeTags"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "cognito-idp:DescribeUserPoolClient",
+          "acm:ListCertificates",
+          "acm:DescribeCertificate",
+          "iam:ListServerCertificates",
+          "iam:GetServerCertificate",
+          "waf-regional:GetWebACL",
+          "waf-regional:GetWebACLForResource",
+          "waf-regional:AssociateWebACL",
+          "waf-regional:DisassociateWebACL",
+          "wafv2:GetWebACL",
+          "wafv2:GetWebACLForResource",
+          "wafv2:AssociateWebACL",
+          "wafv2:DisassociateWebACL",
+          "shield:GetSubscriptionState",
+          "shield:DescribeProtection",
+          "shield:CreateProtection",
+          "shield:DeleteProtection"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:RevokeSecurityGroupIngress"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateSecurityGroup"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateTags"
+        ],
+        "Resource" : "arn:aws:ec2:*:*:security-group/*",
+        "Condition" : {
+          "StringEquals" : {
+            "ec2:CreateAction" : "CreateSecurityGroup"
+          },
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ],
+        "Resource" : "arn:aws:ec2:*:*:security-group/*",
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:RevokeSecurityGroupIngress",
+          "ec2:DeleteSecurityGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:CreateLoadBalancer",
+          "elasticloadbalancing:CreateTargetGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:CreateListener",
+          "elasticloadbalancing:DeleteListener",
+          "elasticloadbalancing:CreateRule",
+          "elasticloadbalancing:DeleteRule"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:AddTags",
+          "elasticloadbalancing:RemoveTags"
+        ],
+        "Resource" : [
+          "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+        ],
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:AddTags",
+          "elasticloadbalancing:RemoveTags"
+        ],
+        "Resource" : [
+          "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+        ]
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:ModifyLoadBalancerAttributes",
+          "elasticloadbalancing:SetIpAddressType",
+          "elasticloadbalancing:SetSecurityGroups",
+          "elasticloadbalancing:SetSubnets",
+          "elasticloadbalancing:DeleteLoadBalancer",
+          "elasticloadbalancing:ModifyTargetGroup",
+          "elasticloadbalancing:ModifyTargetGroupAttributes",
+          "elasticloadbalancing:DeleteTargetGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:RegisterTargets",
+          "elasticloadbalancing:DeregisterTargets"
+        ],
+        "Resource" : "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:SetWebAcl",
+          "elasticloadbalancing:ModifyListener",
+          "elasticloadbalancing:AddListenerCertificates",
+          "elasticloadbalancing:RemoveListenerCertificates",
+          "elasticloadbalancing:ModifyRule"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ],
+        "Resource" : "arn:aws:ec2:*:*:security-group/*",
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/ingress.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:AddTags",
+          "elasticloadbalancing:RemoveTags",
+          "elasticloadbalancing:DeleteTargetGroup"
+        ],
+        "Resource" : [
+          "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+        ],
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/ingress.k8s.aws/cluster" : "false"
+          }
+        }
+      }
+    ]
+  })
+}
diff --git a/system/infra/modules/skeleton-infra/irsa-argocd.tf b/system/infra/modules/skeleton-infra/irsa-argocd.tf
@@ -0,0 +1,44 @@
+data "aws_caller_identity" "current" {}
+data "aws_iam_policy_document" "argo_cd_assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "oidc.eks.ap-southeast-1.amazonaws.com/id/C9346C22EF38640E5C465F9128A3DCE0:sub"  #"${replace(var.eks-auth-oidc-url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:argo:argo-role"]
+    }
+
+    principals { 
+      identifiers = ["arn:aws:iam::832438989008:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/C9346C22EF38640E5C465F9128A3DCE0"] #[var.eks-auth-oidc-arn]
+      type        = "Federated"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "argo_cd_secret" {
+  statement {
+    sid = "SecretsManager"
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds",
+      "secretsmanager:ListSecrets"
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:devops-gh/argo/*"]
+  }
+}
+
+resource "aws_iam_role" "argo_cd_secret" {
+  assume_role_policy = data.aws_iam_policy_document.argo_cd_assume_role.json
+  name               = "system-opspace-argo-cd-worker-role"
+}
+
+resource "aws_iam_role_policy" "argo_cd_secret" {
+  name   = "system-opspace-argo-cd-manager-policy"
+  role   = aws_iam_role.argo_cd_secret.name
+  policy = data.aws_iam_policy_document.argo_cd_secret.json
+}