Merge pull request #8536 from ameukam/aws-kops-ci-user

k8s-ci-robot · web-flow · commit 426e4ec4600f · 2025-09-22T05:50:22.000-07:00
AWS: setup a IAM user for kOps CI
diff --git a/infra/aws/terraform/kops-infra-ci/eks.tf b/infra/aws/terraform/kops-infra-ci/eks.tf
@@ -44,9 +44,6 @@ module "eks" {
   cloudwatch_log_group_retention_in_days = 30
 
   cluster_addons = {
-    amazon-cloudwatch-observability = {
-      most_recent = true
-    }
     coredns = {
       most_recent = true
     }
diff --git a/infra/aws/terraform/kops-infra-ci/iam.tf b/infra/aws/terraform/kops-infra-ci/iam.tf
@@ -87,3 +87,33 @@ resource "aws_iam_role_policy_attachment" "eks_pod_identity_policy" {
   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
   role       = aws_iam_role.eks_pod_identity_role.name
 }
+
+module "ci_iam_group" {
+  providers = { aws = aws.kops-infra-ci }
+  source    = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
+  version   = "~> 5.60"
+  name      = "ci-admins"
+
+  group_users = [
+    module.kops_ci_user.iam_user_name,
+  ]
+  custom_group_policy_arns = [
+    "arn:aws:iam::aws:policy/AdministratorAccess",
+  ]
+
+  tags = var.tags
+}
+
+module "kops_ci_user" {
+  providers = { aws = aws.kops-infra-ci }
+  source    = "terraform-aws-modules/iam/aws//modules/iam-user"
+  version   = "~> 5.60"
+
+  name                          = "kops-ci-user"
+  create_iam_user_login_profile = false
+
+  force_destroy           = true
+  password_reset_required = false
+
+  tags = var.tags
+}
diff --git a/infra/aws/terraform/kops-infra-ci/pod-identity.tf b/infra/aws/terraform/kops-infra-ci/pod-identity.tf

Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,6 @@ module "eks" {`
`44`	`44`	`cloudwatch_log_group_retention_in_days = 30`
`45`	`45`
`46`	`46`	`cluster_addons = {`
`47`		`- amazon-cloudwatch-observability = {`
`48`		`- most_recent = true`
`49`		`- }`
`50`	`47`	`coredns = {`
`51`	`48`	`most_recent = true`
`52`	`49`	`}`