From 31a9a4ce928cc6653e510b47812ea1056f070ac2 Mon Sep 17 00:00:00 2001
From: David Landry
Date: Wed, 5 Mar 2025 13:02:36 -0500
Subject: [PATCH] chore(work): add Crossplane examples
---
 .../cognito.test.yaml | 41 ++++++
 .../composite-resources/composition.yaml | 118 ++++++++++++++++++
 .../composite-resources/definition.yaml | 47 +++++++
 .../composite-resources/example-claim.yaml | 8 ++
 .../example-managed-resources/s3.test.yaml | 17 +++
 .../iam-examples/CognitoManagement-README.md | 23 ++++
 .../iam-examples/CognitoManagement-role.json | 18 +++
 .../iam-examples/CrossplaneServiceRole.json | 24 ++++
 .../iam-examples/S3Manage-policy.json | 61 +++++++++
 .../iam-examples/S3Manage-role.json | 18 +++
 10 files changed, 375 insertions(+)
 create mode 100644 bootstrap/crossplane/example-managed-resources/cognito.test.yaml
 create mode 100644 bootstrap/crossplane/example-managed-resources/composite-resources/composition.yaml
 create mode 100644 bootstrap/crossplane/example-managed-resources/composite-resources/definition.yaml
 create mode 100644 bootstrap/crossplane/example-managed-resources/composite-resources/example-claim.yaml
 create mode 100644 bootstrap/crossplane/example-managed-resources/s3.test.yaml
 create mode 100644 bootstrap/crossplane/iam-examples/CognitoManagement-README.md
 create mode 100644 bootstrap/crossplane/iam-examples/CognitoManagement-role.json
 create mode 100644 bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json
 create mode 100644 bootstrap/crossplane/iam-examples/S3Manage-policy.json
 create mode 100644 bootstrap/crossplane/iam-examples/S3Manage-role.json
diff --git a/bootstrap/crossplane/example-managed-resources/cognito.test.yaml b/bootstrap/crossplane/example-managed-resources/cognito.test.yaml
new file mode 100644
index 0000000..3735cc5
--- /dev/null
+++ b/bootstrap/crossplane/example-managed-resources/cognito.test.yaml
@@ -0,0 +1,41 @@
+apiVersion: cognitoidp.aws.upbound.io/v1beta2
+kind: UserPool
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cognitoidp/v1beta1/useringroup
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ name: example
+ region: us-east-1
+ # userPoolTier: LITE
+ providerConfigRef:
+ name: cognito
+
+---
+apiVersion: cognitoidp.aws.upbound.io/v1beta1
+kind: UserGroup
+metadata:
+ annotations:
+ meta.upbound.io/example-id: cognitoidp/v1beta1/usergroup
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ name: example
+ precedence: 42
+ region: us-east-1
+ # roleArnSelector:
+ # matchLabels:
+ # testing.upbound.io/example-name: group_role
+ userPoolIdSelector:
+ matchLabels:
+ testing.upbound.io/example-name: example
+ providerConfigRef:
+ name: cognito
+
+
+
diff --git a/bootstrap/crossplane/example-managed-resources/composite-resources/composition.yaml b/bootstrap/crossplane/example-managed-resources/composite-resources/composition.yaml
new file mode 100644
index 0000000..0a04e11
--- /dev/null
+++ b/bootstrap/crossplane/example-managed-resources/composite-resources/composition.yaml
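Review bot: The `UserPool`'s `meta.upbound.io/example-id` annotation reads `cognitoidp/v1beta1/useringroup` while the resource is a `UserPool` at `v1beta2` (the `UserGroup` below correctly says `cognitoidp/v1beta1/usergroup`); it should be `meta.upbound.io/example-id: cognitoidp/v1beta2/userpool`. The pool also leaves `deletionProtection` unset, whereas the composition in the same patch sets it explicitly to `INACTIVE`; a fixture that other files will be modelled on should state the intended value, and for a pool that stores user credentials that is `ACTIVE` unless easy teardown is the point of the test. Pinning `mfaConfiguration` and `passwordPolicy` explicitly as well would keep the test pool from depending on provider defaults that may change between provider versions.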
@@ -0,0 +1,118 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: xexamples.aws.k8s.masos.dev
+ labels:
+ provider: aws
+spec:
+ writeConnectionSecretsToNamespace: crossplane-system
+ compositeTypeRef:
+ apiVersion: k8s.masos.dev/v1alpha1
+ kind: XExample
+
+ patchSets:
+ - name: example-id
+ patches:
+ - type: CombineFromComposite
+ combine:
+ variables:
+ - fromFieldPath: spec.name
+ - fromFieldPath: spec.tenant
+ strategy: string
+ string:
+ fmt: "%s-%s"
+ fromFieldPath: spec.id
+ toFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+ - type: ToCompositeFieldPath
+ fromFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+ toFieldPath: status.masos.id
+ - type: ToCompositeFieldPath
+ fromFieldPath: metadata.labels[aws.k8s.masos.dev/example-id]
+ toFieldPath: status.masos-id
+
+
+
+ resources:
+ - base:
+ apiVersion: cognitoidp.aws.upbound.io/v1beta2
+ kind: UserPool
+ spec:
+ forProvider:
+ region: us-east-1
+ deletionProtection: INACTIVE
+ name: auth-backend
+ patches:
+ - type: PatchSet
+ patchSetName: example-id
+ - type: CombineFromComposite
+ combine:
+ variables:
+ - fromFieldPath: spec.name
+ - fromFieldPath: spec.tenant
+ strategy: string
+ string:
+ fmt: "%s-%s"
+ fromFieldPath: spec.id
+ toFieldPath: spec.forProvider.name
+
+ - name: group-admin
+ base:
+ apiVersion: cognitoidp.aws.upbound.io/v1beta1
+ kind: UserGroup
+ spec:
+ providerConfigRef:
+ name: cognito
+ forProvider:
+ name: admin
+ precedence: 10
+ region: us-east-1
+ # roleArnSelector:
+ # matchLabels:
+ # testing.upbound.io/example-name: group_role
+ userPoolIdSelector:
+ matchLabels:
+ aws.k8s.masos.dev/example-id: unset
+ patches:
+ - type: PatchSet
+ patchSetName: example-id
+ - type: CombineFromComposite
+ combine:
+ variables:
+ - fromFieldPath: spec.name
+ - fromFieldPath: spec.tenant
+ strategy: string
+ string:
+ fmt: "%s-%s"
+ fromFieldPath: spec.id
+ toFieldPath: 
spec.forProvider.userPoolIdSelector.matchLabels['aws.k8s.masos.dev/example-id']
+
+ - name: example-bucket
+ base:
+ apiVersion: cognitoidp.aws.upbound.io/v1beta1
+ kind: UserGroup
+ spec:
+ providerConfigRef:
+ name: s3
+ forProvider:
+ name: admin
+ precedence: 10
+ region: us-east-1
+ # roleArnSelector:
+ # matchLabels:
+ # testing.upbound.io/example-name: group_role
+ userPoolIdSelector:
+ matchLabels:
+ aws.k8s.masos.dev/example-id: unset
+ patches:
+ - type: PatchSet
+ patchSetName: example-id
+ - type: CombineFromComposite
+ combine:
+ variables:
+ - fromFieldPath: spec.name
+ - fromFieldPath: spec.tenant
+ strategy: string
+ string:
+ fmt: "%s-%s"
+ fromFieldPath: spec.id
+ toFieldPath: spec.forProvider.userPoolIdSelector.matchLabels['aws.k8s.masos.dev/example-id']
diff --git a/bootstrap/crossplane/example-managed-resources/composite-resources/definition.yaml b/bootstrap/crossplane/example-managed-resources/composite-resources/definition.yaml
new file mode 100644
index 0000000..b0ee8cb
--- /dev/null
+++ b/bootstrap/crossplane/example-managed-resources/composite-resources/definition.yaml
@@ -0,0 +1,47 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xexamples.k8s.masos.dev
+spec:
+ group: k8s.masos.dev
+ names:
+ kind: XExample
+ plural: xexamples
+ claimNames:
+ kind: Example
+ plural: examples
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ name:
+ type: string
+ description: ID of this resource that other objects will use to refer to it.
+ tenant:
+ type: string
+ description: Tenant using this resource
+ providerConfigRef:
+ type: object
+ properties:
+ name:
+ type: string
+
+ required:
+ - name
+ - tenant
+
+ status:
+ type: object
+ properties:
+ masos:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ masos-id:
+ type: string
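Review bot: The third resource, `example-bucket`, is a copy of `group-admin` with only `providerConfigRef.name` changed to `s3`: it is still a `cognitoidp.aws.upbound.io/v1beta1` `UserGroup` named `admin` with precedence 10 selecting the same pool, so it would attempt a duplicate group through a provider config that is presumably wired to S3 credentials, and its name suggests it was meant to be an `s3.aws.upbound.io/v1beta2` `Bucket` like the one in `s3.test.yaml`. Separately, the `UserPool` base carries no `providerConfigRef`, so it reconciles through the `default` ProviderConfig while the groups use `cognito`, and `deletionProtection: INACTIVE` on a pool that will hold tenant identities is worth either flipping to `ACTIVE` or surfacing as a claim field. The claim schema's `spec.providerConfigRef` is never patched through to any base here either. A minimal replacement for the third resource follows; the rest of the file is unchanged.
```yaml
# … unchanged: patchSets, UserPool and group-admin resources …
  - name: example-bucket
    base:
      apiVersion: s3.aws.upbound.io/v1beta2
      kind: Bucket
      spec:
        providerConfigRef:
          name: s3
        forProvider:
          region: us-east-1
    patches:
      - type: PatchSet
        patchSetName: example-id
```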
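Review bot: `name` and `tenant` are concatenated by the accompanying composition into the label value `aws.k8s.masos.dev/example-id` and into the Cognito pool name, yet the schema gives them only `type: string`; a Kubernetes label value is limited to 63 characters drawn from `[A-Za-z0-9._-]`, so a claim with a space or an overlong tenant string is admitted and then fails at reconcile time. Adding `maxLength: 31` and `pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'` to both properties rejects such input at admission instead. `spec.providerConfigRef` is accepted on the claim but nothing in the composition forwards it, and `status.masos.id` and `status.masos-id` receive the same value, which looks like one of them is a leftover that should be dropped.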
diff --git a/bootstrap/crossplane/example-managed-resources/composite-resources/example-claim.yaml b/bootstrap/crossplane/example-managed-resources/composite-resources/example-claim.yaml
new file mode 100644
index 0000000..d98e2ea
--- /dev/null
+++ b/bootstrap/crossplane/example-managed-resources/composite-resources/example-claim.yaml
@@ -0,0 +1,8 @@
+apiVersion: k8s.masos.dev/v1alpha1
+kind: Example
+metadata:
+ name: this-is-an-example
+ namespace: default
+spec:
+ name: alice
+ tenant: wonderland
diff --git a/bootstrap/crossplane/example-managed-resources/s3.test.yaml b/bootstrap/crossplane/example-managed-resources/s3.test.yaml
new file mode 100644
index 0000000..b0845cc
--- /dev/null
+++ b/bootstrap/crossplane/example-managed-resources/s3.test.yaml
@@ -0,0 +1,17 @@
+apiVersion: s3.aws.upbound.io/v1beta2
+kind: Bucket
+metadata:
+ annotations:
+ meta.upbound.io/example-id: s3/v1beta2/bucket
+ labels:
+ testing.upbound.io/example-name: s3
+ name: masos-crossplane-test
+spec:
+ forProvider:
+ objectLockEnabled: true
+ region: us-east-1
+ tags:
+ example-tag: some-value
+
+ providerConfigRef:
+ name: s3
diff --git a/bootstrap/crossplane/iam-examples/CognitoManagement-README.md b/bootstrap/crossplane/iam-examples/CognitoManagement-README.md
new file mode 100644
index 0000000..1969afc
--- /dev/null
+++ b/bootstrap/crossplane/iam-examples/CognitoManagement-README.md
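Review bot: `objectLockEnabled: true` on a fixture named `masos-crossplane-test` is a one-way setting — Object Lock can only be enabled at bucket creation, cannot be turned off afterwards, and forces versioning on — so any object written with a retention period will block deleting the bucket when the test is torn down; unless the test is specifically about Object Lock, drop the field or add `# Object Lock is intentional: this fixture is expected to persist` above it. The `S3Manage-policy.json` in this patch scopes the role to `arn:aws:s3:::masos-XXXXXXX-*`, and whether `masos-crossplane-test` falls under that prefix depends on what the placeholder stands for, so a comment naming the expected bucket prefix would save a confusing AccessDenied. As the example others will copy, pairing the `Bucket` with a `BucketPublicAccessBlock` resource would make the safe default explicit rather than implied.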
@@ -0,0 +1,23 @@
+I'm not sure what permissions are needed to create a UserPool. There is
+no AWS managed policies for creating/updating/deleting a UserPool. In the
+description of one of the managed Cognito policies, it says:
+
+> You will need AWS account admin privileges to create new Cognito resources.
+
+For my testing, I used the AdministratorAccess managed policy.
+
+To follow the principle of least privilege, it's not clear which actions
+Crossplane needs access to it. Here is a list of some areas that it might
+touch:
+
+* cognito-identity
+* cognito-ip
+* cognito-sync
+* iam
+* kinesis
+* lambda
+* sns
+* ses
+* mobiletargeting
+* acm
+* sms-voice
diff --git a/bootstrap/crossplane/iam-examples/CognitoManagement-role.json b/bootstrap/crossplane/iam-examples/CognitoManagement-role.json
new file mode 100644
index 0000000..2ae70d7
--- /dev/null
+++ b/bootstrap/crossplane/iam-examples/CognitoManagement-role.json
@@ -0,0 +1,18 @@
+{
+ "Role": {
+ "Path": "/",
+ "RoleName": "CognitoManagementRole",
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ }
+}
diff --git a/bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json b/bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json
new file mode 100644
index 0000000..570232d
--- /dev/null
+++ b/bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json
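Review bot: `CognitoManagement-role.json` (and `S3Manage-role.json` at the end of this patch) is written in the shape `aws iam get-role` prints — a `Role` wrapper holding `Path`, `RoleName` and the trust document — so it cannot be passed as-is to `aws iam create-role --assume-role-policy-document`, and neither the file nor the README says how it is meant to be applied. The trust statement lets `CrossplaneServiceRole` assume this role with no `Condition`, which is reasonable for a same-account hop, but the permissions policy attached to `CognitoManagementRole` is not in the patch while the README says testing was done with `AdministratorAccess`, so a reader cannot tell what this role effectively grants. A line in the README such as `These JSON files are trust documents only; the permissions policy on CognitoManagementRole is currently AdministratorAccess and still needs to be scoped down` would at least record the current state.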
@@ -0,0 +1,24 @@
+{
+ "Role": {
+ "Path": "/",
+ "RoleName": "CrossplaneServiceRole",
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:sub": "system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME",
+ "oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:aud": "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/bootstrap/crossplane/iam-examples/S3Manage-policy.json b/bootstrap/crossplane/iam-examples/S3Manage-policy.json
new file mode 100644
index 0000000..5b87ef4
--- /dev/null
+++ b/bootstrap/crossplane/iam-examples/S3Manage-policy.json
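Review bot: The trust policy pins both the `:sub` and `:aud` claims, which is the right IRSA shape, but the other half of the chain is missing from the patch: `CognitoManagement-role.json` and `S3Manage-role.json` both trust `role/CrossplaneServiceRole`, which only works if this role's own permissions policy allows `sts:AssumeRole` on exactly those two role ARNs, and that policy is not included. The YAML fixtures reference ProviderConfigs named `cognito` and `s3`, and nothing here records that those are expected to carry the corresponding assume-role configuration pointing at `CognitoManagementRole` and `S3Manage`. A short README section listing the three roles, the `sts:AssumeRole` grant from this role to the other two, and which ProviderConfig targets which role would make the examples reproducible without guessing.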
@@ -0,0 +1,61 @@
+{
+ "RoleName": "S3Manage",
+ "PolicyName": "s3-readwrite-masos-buckets",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersion",
+ "s3:GetObjectVersionTagging",
+ "s3:RestoreObject",
+ "s3:PutObjectVersionTagging",
+ "s3:DeleteObjectVersionTagging",
+ "s3:GetObjectVersionAttributes",
+ "s3:GetObjectVersionTorrent",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectTorrent",
+ "s3:GetObjectTagging",
+ "s3:PutObjectTagging",
+ "s3:DeleteObject",
+ "s3:GetObjectVersion"
+ ],
+ "Resource": "arn:aws:s3:::masos-XXXXXXX-*/*"
+ },{
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetLifecycleConfiguration",
+ "s3:GetBucketTagging",
+ "s3:GetBucketWebsite",
+ "s3:GetBucketLogging",
+ "s3:CreateBucket",
+ "s3:ListBucket",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketVersioning",
+ "s3:PutBucketCORS",
+ "s3:GetBucketAcl",
+ "s3:DeleteBucketPolicy",
+ "s3:GetBucketPolicy",
+ "s3:GetReplicationConfiguration",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetEncryptionConfiguration",
+ "s3:PutBucketTagging",
+ "s3:GetBucketRequestPayment",
+ "s3:GetBucketCORS",
+ "s3:PutBucketAcl",
+ "s3:PutBucketPolicy",
+ "s3:PutBucketObjectLockConfiguration",
+ "s3:GetBucketLocation",
+ "s3:DeleteBucket",
+ "s3:PutBucketVersioning"
+ ],
+ "Resource": "arn:aws:s3:::masos-XXXXXXX-*"
+ }
+ ]
+ }
+}
diff --git a/bootstrap/crossplane/iam-examples/S3Manage-role.json b/bootstrap/crossplane/iam-examples/S3Manage-role.json
new file mode 100644
index 0000000..3282d96
--- /dev/null
+++ b/bootstrap/crossplane/iam-examples/S3Manage-role.json
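Review bot: Statement `VisualEditor0` grants object-data actions (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, `s3:RestoreObject` and their version and tagging variants) on `masos-XXXXXXX-*/*`, but a Crossplane role that manages `Bucket` resources configures buckets rather than reading or writing their contents; dropping that statement keeps a compromised controller service account from becoming a path to whatever tenants later store in those buckets. In `VisualEditor1`, `s3:PutBucketAcl`, `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy` are the actions that can expose a bucket publicly, so if bucket lifecycle is all that is needed they can go too, and the console-generated `Sid` values should be renamed to say what each statement is for, e.g. `"Sid": "ManageMasosBucketConfiguration"`. It is also possible that the provider's observe step reads attributes not listed here (public access block, ownership controls), which would surface as reconcile errors rather than at policy review; confirm against the provider logs before treating this list as complete.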
@@ -0,0 +1,18 @@
+{
+ "Role": {
+ "Path": "/",
+ "RoleName": "S3Manage",
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ }
+}