Commit

doc(self-managed): eks upgrade module doc
leiicamundi committed Jul 1, 2024
1 parent 4d80835 commit 29dc91a
Showing 3 changed files with 139 additions and 59 deletions.
90 changes: 71 additions & 19 deletions docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
Expand Up @@ -117,7 +117,7 @@ The [Camunda provided module](https://github.com/camunda/camunda-tf-eks-module)

```hcl
module "eks_cluster" {
source = "github.com/camunda/camunda-tf-eks-module/modules/eks-cluster"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/eks-cluster?ref=v2.0.0"
region = "eu-central-1" # change to your AWS region
name = "cluster-name" # change to name of your choosing
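Review bot: `?ref=v2.0.0` on the `eks_cluster` source does not match the tag this same page links to further down (`releases/tag/2.0.0`, no `v` prefix), nor the `?ref=2.0.0` used for the identical change in the other two copies of this page in this commit; only one spelling can resolve to a real tag, so check which one exists on the repository and use it everywhere. Pinning the source is the right direction, since the previous unpinned `github.com/...` form tracked the default branch; a tag can still be moved, so for a stronger supply-chain guarantee consider pinning to a commit SHA (`?ref=<sha>`) and noting in the text which release it corresponds to.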
Expand All @@ -142,7 +142,7 @@ We separated the cluster and PostgreSQL modules from each other to allow more cu

```hcl
module "postgresql" {
source = "github.com/camunda/camunda-tf-eks-module/modules/aurora"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/aurora?ref=v2.0.0"
engine_version = "15.4"
auto_minor_version_upgrade = false
cluster_name = "cluster-name-postgresql" # change "cluster-name" to your name
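Review bot: same `?ref=v2.0.0` versus `?ref=2.0.0` inconsistency as on the `eks_cluster` source, and the other two copies of this page use `2.0.0` here. Since both modules now come from the same repository at the same version, a sentence saying the two `ref` values must be bumped together would prevent a reader from upgrading only `eks_cluster` and ending up with a mixed-version setup.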
Expand Down Expand Up @@ -226,29 +226,81 @@ Users can generate access to the Amazon EKS cluster via the `AWS CLI`.
aws eks --region <region> update-kubeconfig --name <clusterName>
```

### Terraform AWS IAM permissions
### Terraform AWS IAM Permissions

The user creating the Amazon EKS cluster has admin access. To allow other users to access this cluster as well, adjust the `aws-auth` configmap.
The user creating the Amazon EKS cluster has admin access by default.
To manage user access use the `access_entries` configuration introduced in module version [2.0.0](https://github.com/camunda/camunda-tf-eks-module/releases/tag/2.0.0):

With Terraform, you can create an AWS IAM user to Kubernetes role mapping via the following variable:
```hcl
access_entries = {
example = {
kubernetes_groups = []
principal_arn = "<arn>"
policy_associations = {
example = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
access_scope = {
namespaces = ["default"]
type = "namespace"
}
}
}
}
}
```

In this updated configuration:

- `principal_arn` should be replaced with the ARN of the IAM user or role.
- `policy_associations` allow you to associate policies for fine-grained access control.

For a list of policies, please visit the [AWS EKS Access Policies documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html).

:::info

Please note that the version 2.x.x of this module no longer supports direct mappings via `aws_auth_roles` and `aws_auth_users`. If you are upgrading from version [1.x.x](https://github.com/camunda/camunda-tf-eks-module/releases/tag/1.0.3), fork the module repository and follow the official AWS instructions for managing the `aws-auth` ConfigMap.
For more details, refer to the [official upgrade guide](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md).

:::

### Terraform AWS IAM Permissions

The user creating the Amazon EKS cluster has admin access by default.
To manage user access use the `access_entries` configuration introduced in module version [2.0.0](https://github.com/camunda/camunda-tf-eks-module/releases/tag/2.0.0):

```hcl
# AWS IAM roles mapping
aws_auth_roles = [{
rolearn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
# AWS IAM users mapping
aws_auth_users = [{
userarn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
access_entries = {
example = {
kubernetes_groups = []
principal_arn = "<arn>"
policy_associations = {
example = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
access_scope = {
namespaces = ["default"]
type = "namespace"
}
}
}
}
}
```

Where `arn` is the `arn` of your user or the role. The `group` is the Kubernetes rule, where `system:masters` is equivalent to an admin role. Lastly, `username` is either the username itself or the role name, which is used for logs.
In this updated configuration:

- `principal_arn` should be replaced with the ARN of the IAM user or role.
- `policy_associations` allow you to associate policies for fine-grained access control.

For a list of policies, please visit the [AWS EKS Access Policies documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html).

:::info

Please note that the version 2.x.x of this module no longer supports direct mappings via `aws_auth_roles` and `aws_auth_users`. If you are upgrading from version [1.x.x](https://github.com/camunda/camunda-tf-eks-module/releases/tag/1.0.3), fork the module repository and follow the official AWS instructions for managing the `aws-auth` ConfigMap.
For more details, refer to the [official upgrade guide](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md).

:::

## Outputs

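Review bot: this hunk inserts the rewritten section twice. The heading `### Terraform AWS IAM Permissions`, the two introductory sentences, the `access_entries` example, the bullet list and the `:::info` admonition are added once directly after the old heading and then a second time after the old `aws_auth_roles`/`aws_auth_users` block; the hunk grows from 29 to 81 lines, which matches the 71 additions reported for this file, whereas the same hunk in the other two files grows only to 43 lines. The rendered page will show the whole section back to back; drop one copy so this file matches the other two.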
Expand Up @@ -117,7 +117,7 @@ The [Camunda provided module](https://github.com/camunda/camunda-tf-eks-module)

```hcl
module "eks_cluster" {
source = "github.com/camunda/camunda-tf-eks-module/modules/eks-cluster"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/eks-cluster?ref=2.0.0"
region = "eu-central-1" # change to your AWS region
name = "cluster-name" # change to name of your choosing
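Review bot: `?ref=2.0.0` here, but the first file in this commit uses `?ref=v2.0.0` for the same source line; pick the tag name that actually exists on the repository and use it consistently across all three copies of the page.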
Expand All @@ -142,7 +142,7 @@ We separated the cluster and PostgreSQL modules from each other to allow more cu

```hcl
module "postgresql" {
source = "github.com/camunda/camunda-tf-eks-module/modules/aurora"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/aurora?ref=2.0.0"
engine_version = "15.4"
auto_minor_version_upgrade = false
cluster_name = "cluster-name-postgresql" # change "cluster-name" to your name
Expand Down Expand Up @@ -226,29 +226,43 @@ Users can generate access to the Amazon EKS cluster via the `AWS CLI`.
aws eks --region <region> update-kubeconfig --name <clusterName>
```

### Terraform AWS IAM permissions
### Terraform AWS IAM Permissions

The user creating the Amazon EKS cluster has admin access. To allow other users to access this cluster as well, adjust the `aws-auth` configmap.

With Terraform, you can create an AWS IAM user to Kubernetes role mapping via the following variable:
The user creating the Amazon EKS cluster has admin access by default.
To manage user access use the `access_entries` configuration introduced in module version [2.0.0](https://github.com/camunda/camunda-tf-eks-module/releases/tag/2.0.0):

```hcl
# AWS IAM roles mapping
aws_auth_roles = [{
rolearn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
# AWS IAM users mapping
aws_auth_users = [{
userarn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
access_entries = {
example = {
kubernetes_groups = []
principal_arn = "<arn>"
policy_associations = {
example = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
access_scope = {
namespaces = ["default"]
type = "namespace"
}
}
}
}
}
```

Where `arn` is the `arn` of your user or the role. The `group` is the Kubernetes rule, where `system:masters` is equivalent to an admin role. Lastly, `username` is either the username itself or the role name, which is used for logs.
In this updated configuration:

- `principal_arn` should be replaced with the ARN of the IAM user or role.
- `policy_associations` allow you to associate policies for fine-grained access control.

For a list of policies, please visit the [AWS EKS Access Policies documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html).

:::info

Please note that the version 2.x.x of this module no longer supports direct mappings via `aws_auth_roles` and `aws_auth_users`. If you are upgrading from version [1.x.x](https://github.com/camunda/camunda-tf-eks-module/releases/tag/1.0.3), fork the module repository and follow the official AWS instructions for managing the `aws-auth` ConfigMap.
For more details, refer to the [official upgrade guide](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md).

:::

## Outputs

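Review bot: the `:::info` admonition leaves the operational question open. It says 1.x `aws_auth_roles`/`aws_auth_users` are no longer supported, but not what happens to principals currently mapped through the `aws-auth` ConfigMap when a 1.x cluster is moved to 2.x (whether they keep their access until migrated to `access_entries`, or lose it at apply time), which is what a reader needs to know before upgrading a cluster that other people use. The linked `UPGRADE-20.0.md` belongs to the upstream `terraform-aws-modules/terraform-aws-eks` project rather than to `camunda-tf-eks-module`; say so, and "fork the module repository" is a surprising instruction for a documentation page, so either explain why a fork is needed or replace it with the concrete steps.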
Expand Up @@ -117,7 +117,7 @@ The [Camunda provided module](https://github.com/camunda/camunda-tf-eks-module)

```hcl
module "eks_cluster" {
source = "github.com/camunda/camunda-tf-eks-module/modules/eks-cluster"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/eks-cluster?ref=2.0.0"
region = "eu-central-1" # change to your AWS region
name = "cluster-name" # change to name of your choosing
Expand All @@ -142,7 +142,7 @@ We separated the cluster and PostgreSQL modules from each other to allow more cu

```hcl
module "postgresql" {
source = "github.com/camunda/camunda-tf-eks-module/modules/aurora"
source = "git::github.com/camunda/camunda-tf-eks-module/modules/aurora?ref=2.0.0"
engine_version = "15.4"
auto_minor_version_upgrade = false
cluster_name = "cluster-name-postgresql" # change "cluster-name" to your name
Expand Down Expand Up @@ -226,29 +226,43 @@ Users can generate access to the Amazon EKS cluster via the `AWS CLI`.
aws eks --region <region> update-kubeconfig --name <clusterName>
```

### Terraform AWS IAM permissions
### Terraform AWS IAM Permissions

The user creating the Amazon EKS cluster has admin access. To allow other users to access this cluster as well, adjust the `aws-auth` configmap.

With Terraform, you can create an AWS IAM user to Kubernetes role mapping via the following variable:
The user creating the Amazon EKS cluster has admin access by default.
To manage user access use the `access_entries` configuration introduced in module version [2.0.0](https://github.com/camunda/camunda-tf-eks-module/releases/tag/2.0.0):

```hcl
# AWS IAM roles mapping
aws_auth_roles = [{
rolearn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
# AWS IAM users mapping
aws_auth_users = [{
userarn = "<arn>"
username = "<username>"
groups = ["system:masters"]
}]
access_entries = {
example = {
kubernetes_groups = []
principal_arn = "<arn>"
policy_associations = {
example = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
access_scope = {
namespaces = ["default"]
type = "namespace"
}
}
}
}
}
```

Where `arn` is the `arn` of your user or the role. The `group` is the Kubernetes rule, where `system:masters` is equivalent to an admin role. Lastly, `username` is either the username itself or the role name, which is used for logs.
In this updated configuration:

- `principal_arn` should be replaced with the ARN of the IAM user or role.
- `policy_associations` allow you to associate policies for fine-grained access control.

For a list of policies, please visit the [AWS EKS Access Policies documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html).

:::info

Please note that the version 2.x.x of this module no longer supports direct mappings via `aws_auth_roles` and `aws_auth_users`. If you are upgrading from version [1.x.x](https://github.com/camunda/camunda-tf-eks-module/releases/tag/1.0.3), fork the module repository and follow the official AWS instructions for managing the `aws-auth` ConfigMap.
For more details, refer to the [official upgrade guide](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md).

:::

## Outputs

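Review bot: the new example is explained less fully than the block it replaces. The removed paragraph told the reader what `<arn>`, `username` and `groups` meant and that `system:masters` is an admin role; the new bullet list covers only `principal_arn` and `policy_associations`, leaving `kubernetes_groups = []` and `access_scope` (`type = "namespace"` with `namespaces = ["default"]`, as opposed to a cluster-wide scope) undocumented, and it never says that `AmazonEKSViewPolicy` is a read-only policy, so the reader may not realise the example is deliberately much narrower than the old `system:masters` mapping. "In this updated configuration:" also reads as commit-speak: on the rendered page there is nothing it is updated from, so "In this configuration:" is enough. The heading case changed from "permissions" to "Permissions"; check it matches the other `###` headings on the page.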