updating access policy for audit role

CHANGELOG.md

@@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## 16.0.0
 * upgrade to EKS module 20.8.5
-* introducing eks access entries
+* introducing eks access entries and making updates
 * updating delete_ebs_role dependency
 
 ## 15.0.0

README.md

@@ -36,9 +36,9 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
-| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | ~> 1.14.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.48.0 |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | 1.14.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
 
 ## Modules
 
@@ -56,8 +56,10 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_autoscaling_attachment.eks_managed_node_groups_proxy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_attachment) | resource |
 | [aws_autoscaling_attachment.eks_managed_node_groups_shared_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_attachment) | resource |
 | [aws_eks_access_entry.cluster_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
+| [aws_eks_access_entry.cluster_admin_readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
 | [aws_eks_access_entry.delete_ebs_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
 | [aws_eks_access_policy_association.cluster_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource |
+| [aws_eks_access_policy_association.cluster_admin_readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource |
 | [aws_eks_access_policy_association.delete_ebs_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource |
 | [aws_iam_policy.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.node_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -139,6 +141,7 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|-------------|------|---------|:--------:|
 | <a name="input_acm_cert_base_domain"></a> [acm\_cert\_base\_domain](#input\_acm\_cert\_base\_domain) | Base domain of the certificate used for the ALB Proxy | `string` | `""` | no |
 | <a name="input_admin_principal_arns"></a> [admin\_principal\_arns](#input\_admin\_principal\_arns) | List of principal\_arns that require admin access to the cluster | `list(string)` | `[]` | no |
+| <a name="input_admin_readonly_principal_arns"></a> [admin\_readonly\_principal\_arns](#input\_admin\_readonly\_principal\_arns) | List of principal\_arns that require admin readonly access to the cluster | `list(string)` | `[]` | no |
 | <a name="input_alb_deletion_protection"></a> [alb\_deletion\_protection](#input\_alb\_deletion\_protection) | Enable/Disable ALB deletion protection for both ALBs | `bool` | `false` | no |
 | <a name="input_alb_drop_invalid_header_fields"></a> [alb\_drop\_invalid\_header\_fields](#input\_alb\_drop\_invalid\_header\_fields) | Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type application | `bool` | `true` | no |
 | <a name="input_alb_idle_timeout"></a> [alb\_idle\_timeout](#input\_alb\_idle\_timeout) | Default idle request timeout for the ALB | `string` | `"60"` | no |

eks-access-entries.tf

@@ -2,7 +2,7 @@
 #################################################################################
 # Access Entry for Cluster access
 #################################################################################
-## The resources  access entry and policy association is targeting roles that require cluster admins
+## The resources  access entry and policy association is targeting roles that require cluster admins permissions
 ## it can be repeated for roles that require different cluster policy
 resource "aws_eks_access_entry" "cluster_admin" {
   for_each = toset(var.admin_principal_arns)
@@ -36,6 +36,39 @@ resource "aws_eks_access_policy_association" "cluster_admin" {
   ]
 }
 
+## The resources  access entry and policy association is targeting roles that require cluster Admin ReadOnly Permissions
+resource "aws_eks_access_entry" "cluster_admin_readonly" {
+  for_each = toset(var.admin_readonly_principal_arns)
+
+  cluster_name      = local.name
+  kubernetes_groups = []
+  principal_arn     = each.value
+  type              = "STANDARD"
+  user_name         = try(each.value.user_name, null)
+
+  depends_on = [
+    module.eks_managed_node_groups,
+  ]
+}
+
+resource "aws_eks_access_policy_association" "cluster_admin_readonly" {
+  for_each = toset(var.admin_readonly_principal_arns)
+
+  access_scope {
+    namespaces = []
+    type       = "cluster"
+  }
+
+  cluster_name = local.name
+
+  policy_arn    = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"
+  principal_arn = each.value
+
+  depends_on = [
+    aws_eks_access_entry.cluster_admin_readonly,
+  ]
+}
+
 ## Creating access entry for delete_ebs_volumes_lambda with namespaced adminpolicy
 resource "aws_eks_access_entry" "delete_ebs_volume" {
   count             = var.delete_ebs_volume_role_arn != "" ? 1 : 0

variables.tf

@@ -368,6 +368,11 @@ variable "admin_principal_arns" {
   type        = list(string)
 }
 
+variable "admin_readonly_principal_arns" {
+  description = "List of principal_arns that require admin readonly access to the cluster"
+  default     = []
+  type        = list(string)
+}
 
 variable "delete_ebs_volume_role_arn" {
   description = "principal_arn for delete ebs volume role"