From 6025a0ffe12862e8267992583ecdfe7e5201dc58 Mon Sep 17 00:00:00 2001
From: Bill Monkman
Date: Fri, 24 Apr 2020 17:33:04 -0700
Subject: [PATCH] Make sure circle user has access to ECR and EKS
---
 terraform/modules/eks/main.tf | 25 +++++++++++++++++++++++++
 terraform/modules/environment/main.tf | 22 +++++++++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/terraform/modules/eks/main.tf b/terraform/modules/eks/main.tf
index 54a6141..ecf306c 100644
--- a/terraform/modules/eks/main.tf
+++ b/terraform/modules/eks/main.tf
@@ -21,6 +21,31 @@ resource "aws_iam_role" "kubernetes_admin_role" {
 description = "Kubernetes administrator role (for AWS IAM Authenticator)"
 }
+# Allow kube admin to list and describe EKS clusters (through assumed role)
+data "aws_iam_policy_document" "eks_list_and_describe" {
+ statement {
+ actions = [
+ "eks:ListUpdates",
+ "eks:ListClusters",
+ "eks:DescribeUpdate",
+ "eks:DescribeCluster",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "eks_list_and_describe_policy" {
+ name = "eks_list_and_describe"
+ policy = data.aws_iam_policy_document.eks_list_and_describe.json
+}
+
+resource "aws_iam_role_policy_attachment" "kube_admin_eks_access" {
+ role = aws_iam_role.kubernetes_admin_role.id
+ policy_arn = aws_iam_policy.eks_list_and_describe_policy.arn
+}
+
+
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "10.0.0"
diff --git a/terraform/modules/environment/main.tf b/terraform/modules/environment/main.tf
index 804a389..84187de 100644
--- a/terraform/modules/environment/main.tf
+++ b/terraform/modules/environment/main.tf
@@ -4,6 +4,10 @@ locals {
 kubernetes_cluster_name = "${var.project}-${var.environment}-${var.region}"
 }
+data "aws_iam_user" "ci_user" {
+ user_name = "${var.project}-ci-user" # Should have been created in the bootstrap process
+}
+
 module "vpc" {
 source = "../../modules/vpc"
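Review bot: The `aws_iam_policy` added in this hunk carries the fixed name `eks_list_and_describe`, and customer-managed policy names are unique per account, so a second instance of this module in the same account (another environment or region) would fail on apply with an EntityAlreadyExists error; `name_prefix = "eks-list-and-describe-"`, or a prefix built the same way the admin role's name is, avoids the collision. Only `eks:ListClusters` needs `resources = ["*"]`; `eks:DescribeCluster`, `eks:DescribeUpdate` and `eks:ListUpdates` accept a cluster ARN, so they could go in a second statement scoped to the cluster this module creates (the upstream module's cluster ARN output, if it is exposed at this version), which keeps the admin role from reading every cluster in the account. A `description` on the policy resource, e.g. `description = "Read-only EKS cluster and update listing for the Kubernetes admin role"`, would carry the header comment into the console where the policy is actually inspected.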
@@ -26,6 +30,21 @@ data "aws_iam_policy_document" "assumerole_root_policy" {
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
 }
+
+ # Allow the CI user to assume this role
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_iam_user.ci_user.arn]
+ }
+ }
+}
+
+resource "aws_iam_user_policy_attachment" "circleci_ecr_access" {
+ user = data.aws_iam_user.ci_user.user_name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
 }
 #
@@ -50,9 +69,6 @@ module "eks" {
 worker_ami = var.eks_worker_ami # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
 }
-data "aws_iam_user" "ci_user" {
- user_name = "${var.project}-ci-user" # Should have been created in the bootstrap process
-}
 module "wildcard_domain" {
 source = "../../modules/certificate"
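Review bot: `AmazonEC2ContainerRegistryPowerUser`, attached to the CI user in the new `aws_iam_user_policy_attachment`, allows push, pull and repository enumeration on every ECR repository in the account, so if this project's repositories are managed in Terraform a customer-managed policy scoped to their ARNs (with `ecr:GetAuthorizationToken` on `*`, which has no resource-level scope) would keep the long-lived CI credential to least privilege. The new trust statement names the user ARN directly, which is sufficient for `sts:AssumeRole` without an identity-based policy on the user, but if that user is ever deleted and recreated AWS rewrites the principal to the deleted user's unique ID and the assumption silently stops working until this document is re-applied; a comment such as `# NOTE: re-apply if the CI user is recreated - the trust entry is bound to the user's unique ID` records that. The enclosing `data "aws_iam_policy_document" "assumerole_root_policy"` block starts before this hunk, and the `data.aws_iam_user.ci_user` it references is defined in the file's first hunk.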