Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add aws iam-bentheelder.tf #5044

Merged
merged 3 commits into from
Mar 28, 2023
Merged

Add aws iam-bentheelder.tf #5044

merged 3 commits into from
Mar 28, 2023

Conversation

hh
Copy link
Member

@hh hh commented Mar 28, 2023
edited
Loading

Request / Issue

#5043

Steps for running #sig-k8s-infra terraform for AWS

  • Check out the main or appropriate branch
  • Ensure aws cli authentication
  • Ensure terraform version is 1.3.9
  • Ensure terraform init
  • Inspect terraform state
  • Inspect terraform plan
  • Possibly paste plan to issue / ticket?
  • Upon inspection and approval of plan: `terraform apply`

Check out k8s.io/infra/aws/terraform

git checkout https://github.com/kubernetes/k8s.io/
cd k8s.io/aws/terraform/management-account

Ensure AWS cli authentication

Ensure you are using the right profile and organization

export AWS_PROFILE=hh@kubernetes
aws organizations describe-organization
{
    "Organization": {
        "Id": "o-kz4vlkihvy",
        "Arn": "arn:aws:organizations::348685125169:organization/o-kz4vlkihvy",
        "FeatureSet": "ALL",
        "MasterAccountArn": "arn:aws:organizations::348685125169:account/o-kz4vlkihvy/348685125169",
        "MasterAccountId": "348685125169",
        "MasterAccountEmail": "[email protected]",
        "AvailablePolicyTypes": [
            {
                "Type": "SERVICE_CONTROL_POLICY",
                "Status": "ENABLED"
            }
        ]
    }
}

Appropriate Account level

This is probably too high level of an account to run this, we should choose an account focused on running terraform. I’ll run it this once, but we need a better plan.

Ensure terraform version is 1.3.9

I am noting that terraform has a newer version at 1.4.2!

Documentation available from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

export TF_VERSION=1.3.9
tfswitch
Reading required version from terraform file
Reading required version from constraint: ~> 1.3.0
Matched version: 1.3.9
Switched terraform to version "1.3.9"

terraform version
Terraform v1.3.9
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.52.0

Your version of Terraform is out of date! The latest version
is 1.4.2. You can update by downloading from https://www.terraform.io/downloads.html

Ensure Terraform init

terraform state S3 shared configuration

https://developer.hashicorp.com/terraform/language/settings/backends/s3#data-source-configuration

terraform init

export AWS_PROFILE=hh@kubernetes
terraform init
Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v4.52.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

terraform state inspection

export AWS_PROFILE=hh@kubernetes
terraform state list
data.aws_caller_identity.current
data.aws_iam_policy_document.cur_reports_integration_athena_s3_bucket
data.aws_iam_policy_document.cur_reports_s3_bucket
aws_budgets_budget.everything
aws_cur_report_definition.athena_integration
aws_cur_report_definition.no_integrations
aws_iam_service_linked_role.access_analyzer
aws_organizations_delegated_administrator.access_analyzer
aws_organizations_delegated_administrator.cloudtrail
aws_organizations_delegated_administrator.config
aws_organizations_delegated_administrator.config_multiaccount
aws_organizations_delegated_administrator.detective
aws_organizations_delegated_administrator.fms
aws_organizations_delegated_administrator.guardduty
aws_organizations_delegated_administrator.identity_center
aws_organizations_delegated_administrator.securityhub
aws_organizations_delegated_administrator.storage_lens
aws_organizations_organization.default
aws_organizations_organizational_unit.boskos
aws_organizations_organizational_unit.infrastructure
aws_organizations_organizational_unit.non_production
aws_organizations_organizational_unit.policy_staging
aws_organizations_organizational_unit.production
aws_organizations_organizational_unit.security
aws_organizations_organizational_unit.workloads
module.artifacts-k8s-io.aws_organizations_account.this
module.aws-playground-01.aws_organizations_account.this
module.cur_reports_integration_athena_s3_bucket.data.aws_caller_identity.current
module.cur_reports_integration_athena_s3_bucket.data.aws_canonical_user_id.this
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.combined[0]
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]
module.cur_reports_integration_athena_s3_bucket.data.aws_region.current
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_policy.this[0]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_versioning.this[0]
module.cur_reports_s3_bucket.data.aws_caller_identity.current
module.cur_reports_s3_bucket.data.aws_canonical_user_id.this
module.cur_reports_s3_bucket.data.aws_iam_policy_document.combined[0]
module.cur_reports_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]
module.cur_reports_s3_bucket.data.aws_region.current
module.cur_reports_s3_bucket.aws_s3_bucket.this[0]
module.cur_reports_s3_bucket.aws_s3_bucket_policy.this[0]
module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0]
module.cur_reports_s3_bucket.aws_s3_bucket_versioning.this[0]
module.infra_network.aws_organizations_account.this
module.infra_shared_services.aws_organizations_account.this
module.k8s-infra-sandbox-capa.aws_organizations_account.this
module.k8s_infra_e2e_boskos_001.aws_organizations_account.this
module.k8s_infra_e2e_boskos_002.aws_organizations_account.this
module.k8s_infra_e2e_boskos_003.aws_organizations_account.this
module.policy_staging_account_1.aws_organizations_account.this
module.registry-k8s-io.aws_organizations_account.this
module.security_audit.aws_organizations_account.this
module.security_engineering.aws_organizations_account.this
module.security_incident_response.aws_organizations_account.this
module.security_logs.aws_organizations_account.this

List of Current IAM Users (Not really accounts)

export AWS_PROFILE=hh@kubernetes
aws iam list-users --output=table --query 'Users[*].[UserName,Arn]'
-----------------------------------------------------
|                     ListUsers                     |
+--------+------------------------------------------+
|  arnaud|  arn:aws:iam::348685125169:user/arnaud   |
|  dims  |  arn:aws:iam::348685125169:user/dims     |
|  hh    |  arn:aws:iam::348685125169:user/hh       |
|  jeefy |  arn:aws:iam::348685125169:user/jeefy    |
+--------+------------------------------------------+

S3 Related Policies sorted by arn

We have other options, but I’m assuming “arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess”

export AWS_PROFILE=hh@kubernetes
aws iam list-policies --output=table --query 'Policies[*].[Arn] | sort_by(@, &[0])' | grep -i s3
|  arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup                                              |
|  arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore                                             |
|  arn:aws:iam::aws:policy/AmazonS3FullAccess                                                                 |
|  arn:aws:iam::aws:policy/AmazonS3OutpostsFullAccess                                                         |
|  arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess                                                     |
|  arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess                                                             |
|  arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3                                                     |
|  arn:aws:iam::aws:policy/aws-service-role/S3StorageLensServiceRolePolicy                                    |
|  arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role                                               |
|  arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy                               |
|  arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly               |

List of Policies sorted by arn

We have other options, but I’m assuming “arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess”

export AWS_PROFILE=hh@kubernetes
aws iam list-policies --output=table --query 'Policies[*].[Arn] | sort_by(@, &[0])' | head -20
---------------------------------------------------------------------------------------------------------------
|                                                ListPolicies                                                 |
+-------------------------------------------------------------------------------------------------------------+
|  arn:aws:iam::348685125169:policy/AssumeRoleAccountMigrated                                                 |
|  arn:aws:iam::aws:policy/AWSAccountActivityAccess                                                           |
|  arn:aws:iam::aws:policy/AWSAccountManagementFullAccess                                                     |
|  arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess                                                 |
|  arn:aws:iam::aws:policy/AWSAccountUsageReportAccess                                                        |
|  arn:aws:iam::aws:policy/AWSAgentlessDiscoveryService                                                       |
|  arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess                                                              |
|  arn:aws:iam::aws:policy/AWSAppMeshFullAccess                                                               |
|  arn:aws:iam::aws:policy/AWSAppMeshPreviewEnvoyAccess                                                       |
|  arn:aws:iam::aws:policy/AWSAppMeshReadOnly                                                                 |
|  arn:aws:iam::aws:policy/AWSAppRunnerFullAccess                                                             |
|  arn:aws:iam::aws:policy/AWSAppRunnerReadOnlyAccess                                                         |
|  arn:aws:iam::aws:policy/AWSAppSyncAdministrator                                                            |
|  arn:aws:iam::aws:policy/AWSAppSyncInvokeFullAccess                                                         |
|  arn:aws:iam::aws:policy/AWSAppSyncSchemaAuthor                                                             |
|  arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess                                                 |
|  arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentlessCollectorAccess                                    |
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>
BrokenPipeError: [Errno 32] Broken pipe

Ben IAM User Terrafrom Code

Boilerplate code / Copyright is required at the top of the file.

awsiamuser ben

/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


resource "aws_iam_user" "bentheelder" {
  name = "bentheelder"
}
resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
  user       = aws_iam_user.bentheelder.name
  policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
}
resource "aws_iam_user_login_profile" "bentheelder_login" {
  user    = aws_iam_user.bentheelder.name
  password_reset_required = true
}

terraform plan

export AWS_PROFILE=hh@kubernetes
terraform plan -out terraform.newplan
aws_iam_service_linked_role.access_analyzer: Refreshing state... [id=arn:aws:iam::348685125169:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer]
data.aws_caller_identity.current: Reading...
module.cur_reports_s3_bucket.data.aws_canonical_user_id.this: Reading...
module.cur_reports_s3_bucket.data.aws_region.current: Reading...
module.cur_reports_integration_athena_s3_bucket.data.aws_region.current: Reading...
module.cur_reports_s3_bucket.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.cur_reports_integration_athena_s3_bucket.data.aws_canonical_user_id.this: Reading...
module.cur_reports_integration_athena_s3_bucket.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.cur_reports_integration_athena_s3_bucket.data.aws_caller_identity.current: Reading...
module.cur_reports_s3_bucket.aws_s3_bucket.this[0]: Refreshing state... [id=k8s-infra-cur-reports-bucket]
module.cur_reports_s3_bucket.data.aws_caller_identity.current: Reading...
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0]: Refreshing state... [id=k8s-infra-cur-reports-athena-bucket]
aws_organizations_organization.default: Refreshing state... [id=o-kz4vlkihvy]
module.cur_reports_integration_athena_s3_bucket.data.aws_caller_identity.current: Read complete after 1s [id=348685125169]
module.cur_reports_s3_bucket.data.aws_caller_identity.current: Read complete after 1s [id=348685125169]
module.cur_reports_integration_athena_s3_bucket.data.aws_canonical_user_id.this: Read complete after 1s [id=eb1b4e99537971cc04f7eb30651c5473710354b068266143cf78ae59f8de3ff5]
module.cur_reports_s3_bucket.data.aws_canonical_user_id.this: Read complete after 1s [id=eb1b4e99537971cc04f7eb30651c5473710354b068266143cf78ae59f8de3ff5]
data.aws_caller_identity.current: Read complete after 1s [id=348685125169]
aws_budgets_budget.everything: Refreshing state... [id=348685125169:k8s-infra-monthly]
aws_organizations_organizational_unit.policy_staging: Refreshing state... [id=ou-unv1-pxzbpu89]
aws_organizations_organizational_unit.infrastructure: Refreshing state... [id=ou-unv1-pvh1fjp7]
aws_organizations_organizational_unit.security: Refreshing state... [id=ou-unv1-7712vgib]
aws_organizations_organizational_unit.workloads: Refreshing state... [id=ou-unv1-ylnwmrk0]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_versioning.this[0]: Refreshing state... [id=k8s-infra-cur-reports-athena-bucket]
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Reading...
data.aws_iam_policy_document.cur_reports_integration_athena_s3_bucket: Reading...
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Read complete after 0s [id=1931211801]
module.cur_reports_s3_bucket.aws_s3_bucket_versioning.this[0]: Refreshing state... [id=k8s-infra-cur-reports-bucket]
module.cur_reports_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Reading...
data.aws_iam_policy_document.cur_reports_integration_athena_s3_bucket: Read complete after 0s [id=1361119985]
data.aws_iam_policy_document.cur_reports_s3_bucket: Reading...
module.cur_reports_s3_bucket.data.aws_iam_policy_document.deny_insecure_transport[0]: Read complete after 0s [id=214081987]
data.aws_iam_policy_document.cur_reports_s3_bucket: Read complete after 0s [id=1354078299]
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.combined[0]: Reading...
module.cur_reports_integration_athena_s3_bucket.data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=2704809721]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_policy.this[0]: Refreshing state... [id=k8s-infra-cur-reports-athena-bucket]
module.cur_reports_s3_bucket.data.aws_iam_policy_document.combined[0]: Reading...
module.cur_reports_s3_bucket.data.aws_iam_policy_document.combined[0]: Read complete after 0s [id=1714115231]
module.cur_reports_s3_bucket.aws_s3_bucket_policy.this[0]: Refreshing state... [id=k8s-infra-cur-reports-bucket]
module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0]: Refreshing state... [id=k8s-infra-cur-reports-athena-bucket]
module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0]: Refreshing state... [id=k8s-infra-cur-reports-bucket]
aws_cur_report_definition.athena_integration: Refreshing state... [id=k8s-infra-cur-athena-definition]
aws_cur_report_definition.no_integrations: Refreshing state... [id=k8s-infra-cur-definition]
module.infra_shared_services.aws_organizations_account.this: Refreshing state... [id=678544613731]
module.infra_network.aws_organizations_account.this: Refreshing state... [id=203865341587]
aws_organizations_organizational_unit.boskos: Refreshing state... [id=ou-unv1-6ib3rho6]
aws_organizations_organizational_unit.non_production: Refreshing state... [id=ou-unv1-0h3hebxm]
aws_organizations_organizational_unit.production: Refreshing state... [id=ou-unv1-l9ebvb3s]
module.policy_staging_account_1.aws_organizations_account.this: Refreshing state... [id=581954596586]
aws_organizations_delegated_administrator.identity_center: Refreshing state... [id=678544613731/sso.amazonaws.com]
module.security_incident_response.aws_organizations_account.this: Refreshing state... [id=573772537124]
module.security_logs.aws_organizations_account.this: Refreshing state... [id=759415916157]
module.security_engineering.aws_organizations_account.this: Refreshing state... [id=580784499913]
module.security_audit.aws_organizations_account.this: Refreshing state... [id=128476729677]
module.aws-playground-01.aws_organizations_account.this: Refreshing state... [id=855606814420]
aws_organizations_delegated_administrator.fms: Refreshing state... [id=128476729677/fms.amazonaws.com]
aws_organizations_delegated_administrator.access_analyzer: Refreshing state... [id=128476729677/access-analyzer.amazonaws.com]
aws_organizations_delegated_administrator.storage_lens: Refreshing state... [id=128476729677/storage-lens.s3.amazonaws.com]
module.k8s_infra_e2e_boskos_003.aws_organizations_account.this: Refreshing state... [id=336527747262]
module.k8s_infra_e2e_boskos_002.aws_organizations_account.this: Refreshing state... [id=867921711297]
module.k8s_infra_e2e_boskos_001.aws_organizations_account.this: Refreshing state... [id=144171684817]
aws_organizations_delegated_administrator.securityhub: Refreshing state... [id=580784499913/securityhub.amazonaws.com]
aws_organizations_delegated_administrator.config_multiaccount: Refreshing state... [id=580784499913/config-multiaccountsetup.amazonaws.com]
aws_organizations_delegated_administrator.cloudtrail: Refreshing state... [id=580784499913/cloudtrail.amazonaws.com]
aws_organizations_delegated_administrator.detective: Refreshing state... [id=580784499913/detective.amazonaws.com]
aws_organizations_delegated_administrator.config: Refreshing state... [id=580784499913/config.amazonaws.com]
aws_organizations_delegated_administrator.guardduty: Refreshing state... [id=580784499913/guardduty.amazonaws.com]
module.k8s-infra-sandbox-capa.aws_organizations_account.this: Refreshing state... [id=027487054958]
module.registry-k8s-io.aws_organizations_account.this: Refreshing state... [id=468027687836]
module.artifacts-k8s-io.aws_organizations_account.this: Refreshing state... [id=354561287328]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_user.bentheelder will be created
  + resource "aws_iam_user" "bentheelder" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "bentheelder"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

  # aws_iam_user_login_profile.bentheelder_login will be created
  + resource "aws_iam_user_login_profile" "bentheelder_login" {
      + encrypted_password      = (known after apply)
      + id                      = (known after apply)
      + key_fingerprint         = (known after apply)
      + password                = (known after apply)
      + password_length         = 20
      + password_reset_required = true
      + user                    = "bentheelder"
    }

  # aws_iam_user_policy_attachment.bentheelder_billing will be created
  + resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
      + user       = "bentheelder"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: terraform.newplan

To perform exactly these actions, run the following command to apply:
    terraform apply "terraform.newplan"

TODO: Figure out how to get password / console access via iam + tf

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile

paste to issue or ticket (private hackmd for now)

terraform apply

With permission, I will run the following:

export AWS_PROFILE=hh@kubernetes
terraform apply terraform.newplan
aws_iam_user.bentheelder: Creating...
aws_iam_user.bentheelder: Creation complete after 1s [id=bentheelder]
aws_iam_user_policy_attachment.bentheelder_billing: Creating...
aws_iam_user_login_profile.bentheelder_login: Creating...
aws_iam_user_login_profile.bentheelder_login: Creation complete after 1s [id=bentheelder]
aws_iam_user_policy_attachment.bentheelder_billing: Creation complete after 1s [id=bentheelder-20230328164714983500000001]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Retrieve bentheelder inital password

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile#password

I shared this directly via slack, but also putting into the PR/Issue the steps necessary.

export AWS_PROFILE=hh@kubernetes
terraform state show aws_iam_user_login_profile.bentheelder_login
# aws_iam_user_login_profile.bentheelder_login:
resource "aws_iam_user_login_profile" "bentheelder_login" {
    id                      = "bentheelder"
    password                = "XXXXXXXXXXXXXXXXX"
    password_length         = 20
    password_reset_required = true
    user                    = "bentheelder"
}

Final Steps

Visit https://console.aws.amazon.com/console/home

  • Select the IAM User Radio dial

  • Use `kubernetes-public` as the Account ID Alias

  • Initially, use the password provided, but reset it upon login

  • Try to do what it is you need to, identify missing polices from # List of Policy ARNs are here https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/policies

  • You can add more policies to iam-bentheelder.tf by attaching policyarn from this list:

      aws iam list-policies --output=table --query 'Policies[*].[Arn] | sort_by(@, &[0])' | grep -i s3
resource "aws_iam_user_policy_attachment" "bentheelder_s3" {
  user       = aws_iam_user.bentheelder.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 28, 2023
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Mar 28, 2023
@hh
Copy link
Member Author

hh commented Mar 28, 2023

In response to #5043

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 28, 2023
TerryHowe
TerryHowe approved these changes Mar 28, 2023
View reviewed changes
Copy link
Member

@TerryHowe TerryHowe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot
Copy link
Contributor

@TerryHowe: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

hh
hh commented Mar 28, 2023
View reviewed changes
infra/aws/terraform/management-account/iam-bentheelder.tf
}
resource "aws_iam_user_login_profile" "bentheelder_login" {
user = aws_iam_user.bentheelder.name
password_reset_required = true
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will provide you with an initial password @BenTheElder
You will then be required to change it upon login.

BenTheElder
BenTheElder reviewed Mar 28, 2023
View reviewed changes
infra/aws/terraform/management-account/iam-bentheelder.tf
}
resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
user = aws_iam_user.bentheelder.name
policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a role for S3 metrics?

Copy link
Member Author

@hh hh Mar 28, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

aws iam list-policies --output=table --query 'Policies[*].[Arn] | sort_by(@, &[0])' | grep -I s3

|  arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore                                             |
|  arn:aws:iam::aws:policy/AmazonS3FullAccess                                                                 |
|  arn:aws:iam::aws:policy/AmazonS3OutpostsFullAccess                                                         |
|  arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess                                                     |
|  arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess                                                             |
|  arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3                                                     |
|  arn:aws:iam::aws:policy/aws-service-role/S3StorageLensServiceRolePolicy                                    |
|  arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role                                               |
|  arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy                               |
|  arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly               |

pkprzekwas
pkprzekwas reviewed Mar 28, 2023
View reviewed changes
infra/aws/terraform/management-account/iam-bentheelder.tf
policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
}
resource "aws_iam_user_login_profile" "bentheelder_login" {
user = aws_iam_user.bentheelder.name
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Do you mind running terraform fmt to adjust alignment here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could do this as a follow up. we could also add update/verify scripts to ensure that this the terraform fmt is run automatically and shows up as a failure instead of manual inspection (as without it, things will still creep in)

@dims
Copy link
Member

dims commented Mar 28, 2023

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 28, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, hh, TerryHowe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 28, 2023
@k8s-ci-robot k8s-ci-robot merged commit cb8b9c7 into kubernetes:main Mar 28, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone Mar 28, 2023
@BobyMCbobs BobyMCbobs mentioned this pull request Nov 29, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pkprzekwas pkprzekwas pkprzekwas left review comments

@BenTheElder BenTheElder BenTheElder left review comments

@TerryHowe TerryHowe TerryHowe approved these changes

@dims dims Awaiting requested review from dims

@thockin thockin Awaiting requested review from thockin

Assignees

@dims dims

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.28
Development

Successfully merging this pull request may close these issues.
6 participants
@hh @k8s-ci-robot @dims @TerryHowe @BenTheElder @pkprzekwas