configure artifacts.k8s.io to use atlantis + atlantis IAM changes in management account (#8686)

Author: upodroid

infra/aws/terraform/.gitignore

@@ -13,12 +13,6 @@ plan.out
 # Crash log files
 crash.log
 
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf

infra/aws/terraform/artifacts.k8s.io/atlantis.config

@@ -0,0 +1,3 @@
+assume_role = {
+  role_arn = "arn:aws:iam::354561287328:role/OrganizationAccountAccessRole"
+}

infra/aws/terraform/artifacts.k8s.io/atlantis.tfvars

@@ -0,0 +1 @@
+atlantis_role_arn = "arn:aws:iam::354561287328:role/OrganizationAccountAccessRole"

infra/aws/terraform/artifacts.k8s.io/main.tf

@@ -20,7 +20,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 
@@ -34,90 +34,144 @@ terraform {
 # Provider for AWS non-region-specific operations
 provider "aws" {
   region = "us-east-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 # Per-region providers
 provider "aws" {
   alias  = "ap-northeast-1"
   region = "ap-northeast-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ap-northeast-2"
   region = "ap-northeast-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ap-northeast-3"
   region = "ap-northeast-3"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ap-south-1"
   region = "ap-south-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ap-southeast-1"
   region = "ap-southeast-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ap-southeast-2"
   region = "ap-southeast-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "ca-central-1"
   region = "ca-central-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "eu-central-1"
   region = "eu-central-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "eu-north-1"
   region = "eu-north-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "eu-west-1"
   region = "eu-west-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "eu-west-2"
   region = "eu-west-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "eu-west-3"
   region = "eu-west-3"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "sa-east-1"
   region = "sa-east-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "us-east-1"
   region = "us-east-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "us-east-2"
   region = "us-east-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "us-west-1"
   region = "us-west-1"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }
 
 provider "aws" {
   alias  = "us-west-2"
   region = "us-west-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
 }

infra/aws/terraform/artifacts.k8s.io/s3/versions.tf

@@ -19,8 +19,7 @@ terraform {
 
   required_providers {
     aws = {
-      source  = "hashicorp/aws"
-      version = "~> 4.0"
+      source = "hashicorp/aws"
     }
   }
 }

infra/aws/terraform/artifacts.k8s.io/variables.tf

@@ -17,10 +17,15 @@ limitations under the License.
 variable "prefix" {
   description = "Prefix for every resource so that the resources can be created without using the same names. Useful for testing and staging"
   type        = string
-  default     = "test-"
+  default     = "prod-"
 
   validation {
     condition     = can(regex(".*-$|^$", var.prefix))
     error_message = "The string must end with a hyphen or be empty."
   }
 }
+
+variable "atlantis_role_arn" {
+  description = "The ARN of the Atlantis IAM role"
+  default     = null
+}

infra/aws/terraform/management-account/iam-bentheelder.tf

@@ -0,0 +1,62 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Service Linked Roles
+resource "aws_iam_service_linked_role" "access_analyzer" {
+  aws_service_name = "access-analyzer.amazonaws.com"
+}
+
+
+// Atlantis
+
+resource "aws_iam_openid_connect_provider" "utility_cluster" {
+  url             = "https://container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility"
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = ["08745487e891c19e3078c1f2a07e452950ef36f6"]
+}
+
+resource "aws_iam_role" "atlantis" {
+  name = "atlantis"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : aws_iam_openid_connect_provider.utility_cluster.arn
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringEquals" : {
+            "container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility:sub" : "system:serviceaccount:atlantis:atlantis"
+          }
+        }
+      }
+    ]
+  })
+
+  max_session_duration = 43200
+
+  tags = {
+    service = "atlantis"
+  }
+}
+
+
+resource "aws_iam_role_policy_attachment" "atlantis" {
+  role       = aws_iam_role.atlantis.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}

infra/aws/terraform/management-account/iam-roles.tf

@@ -30,7 +30,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.93.0"
+      version = "~> 6.17.0"
     }
   }
 }