server-1658 | Added AWS IRSA example (#140)

* server-1658 | Added AWS IRSA exmaple

* server-1658 | update AWS IRSA exmaple in ReadMe

Co-authored-by: Atul Singh <atul@circleci.com>

nomad-aws/README.md

@@ -25,7 +25,7 @@ provider "aws" {
 
 module "nomad_clients" {
   # We strongly recommend pinning the version using ref=<<release tag>> as is done here
-  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.2.0"
+  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.4.0"
 
   # Number of nomad clients to run
   nodes = 4
@@ -44,22 +44,22 @@ module "nomad_clients" {
     "vendor" = "circleci"
     "team"   = "sre"
   }
-}
-
-output "nomad_server_cert" {
-  value = module.nomad_clients.nomad_server_cert
-}
+  nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
 
-output "nomad_server_key" {
-  value = module.nomad_clients.nomad_server_key
+  # enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
+  # for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
+  enable_irsa = {}
 }
 
-output "nomad_ca" {
-  value = module.nomad_clients.nomad_tls_ca
+output "nomad" {
+  value = module.nomad_clients
 }
 ```
 
-There are more examples in the `examples` directory.
+There are more examples in the [examples](./examples/) directory.
+- [Basic example](./examples/basic/main.tf)
+- [IRSA example](./examples/irsa/main.tf)
+
 
 ## Inputs
 
@@ -82,6 +82,7 @@ There are more examples in the `examples` directory.
 | subnet | Subnet ID | `string` | `""` | yes* |
 | subnets | Subnet IDs | `list(string)` | `[""]` | yes* |
 | vpc\_id | VPC ID of VPC used for Nomad resources | `string` | n/a | yes |
+| enable_irsa | Enable IAM Roles for K8s service account | `map` | `{}` | no |
 
 * Note: `subnet` or `subnets` is required, but not both. The use of `subnet` will supersede `subnets`.
 

nomad-aws/examples/basic/main.tf

@@ -54,3 +54,7 @@ module "nomad-aws" {
   nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server. The keys will be available in terraform's output
   max_nodes         = 5     # the max number of clients to scale to. Must be greater than our equal to the nodes set above.
 }
+
+output "nomad_module" {
+  value = module.nomad-aws
+}

nomad-aws/examples/irsa/main.tf

@@ -0,0 +1,72 @@
+terraform {
+  required_version = ">=0.15.2"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# An example VPC for demonstration. This might already exist if you deployed
+# server in a preexisting VPC and want your nomad clients to run there,
+# In that case, you should make the appropriate changes in this file.
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name                 = "nomad-vpc"
+  cidr                 = "10.0.0.0/16"
+  azs                  = ["us-east-1a"]
+  public_subnets       = ["10.0.0.0/24"]
+  private_subnets      = ["10.0.1.0/24"]
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+}
+
+module "nomad-aws" {
+  source = "../.."
+
+  # prefix to add in AWS resources name
+  basename = "cci"
+
+  # Number of nomad clients to run
+  nodes = 4
+
+  subnet = module.vpc.public_subnets[0]
+  vpc_id = module.vpc.vpc_id
+
+  # Location of your Nomad server endpoint. This should be exposed from your
+  # server installation via a load balancer service.
+  server_endpoint = "example.com:4647"
+
+  # AWS DNS Server runs on the third IP address of the VPC block. We define it
+  # here to allow access to if from the Nomad clients.
+  dns_server = "10.0.0.2"
+
+  blocked_cidrs = [
+    # Block access to private subnet. You may which to do this if you
+    # Kubernetes cluster is some other resource you don't want your CI jobs to
+    # access is running there.
+    module.vpc.private_subnets[0]
+  ]
+
+  nomad_auto_scaler = true # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
+  max_nodes         = 5    # the max number of clients to scale to. Must be greater than our equal to the nodes set above.
+
+  # enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
+  # for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
+  enable_irsa = {
+    oidc_principal_id   = "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
+    oidc_eks_variable   = "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub"
+    k8s_service_account = "system:serviceaccount:<K8S_NAMESPACE>:nomad-autoscaler"
+  }
+}
+
+output "nomad_module" {
+  value = module.nomad-aws
+}