From 76ec3d0c541ce13784db35c9554819cc076e45e3 Mon Sep 17 00:00:00 2001
From: David Landry
Date: Sat, 1 Mar 2025 13:56:49 -0500
Subject: [PATCH] chore(crossplane): split providerconfigs and use a chain of AssumeRoles
---
 bootstrap/crossplane/kustomization.yaml | 4 +++-
 ...config.yaml => providerconfig.default.yaml} | 7 +++----
 .../crossplane/providerconfig.route53.yaml | 18 ++++++++++++++++++
 bootstrap/crossplane/providerconfig.s3.yaml | 18 ++++++++++++++++++
 4 files changed, 42 insertions(+), 5 deletions(-)
 rename bootstrap/crossplane/{providerconfig.yaml => providerconfig.default.yaml} (79%)
 create mode 100644 bootstrap/crossplane/providerconfig.route53.yaml
 create mode 100644 bootstrap/crossplane/providerconfig.s3.yaml
diff --git a/bootstrap/crossplane/kustomization.yaml b/bootstrap/crossplane/kustomization.yaml
index 7bb9678..3f78f1c 100644
--- a/bootstrap/crossplane/kustomization.yaml
+++ b/bootstrap/crossplane/kustomization.yaml
@@ -11,7 +11,9 @@ helmCharts:
 resources:
 - ns.yaml
- - providerconfig.yaml
+ - providerconfig.default.yaml
+ - providerconfig.route53.yaml
+ - providerconfig.s3.yaml
 generators:
 - secret-generator.yaml
diff --git a/bootstrap/crossplane/providerconfig.yaml b/bootstrap/crossplane/providerconfig.default.yaml
similarity index 79%
rename from bootstrap/crossplane/providerconfig.yaml
rename to bootstrap/crossplane/providerconfig.default.yaml
index af5b011..c975762 100644
--- a/bootstrap/crossplane/providerconfig.yaml
+++ b/bootstrap/crossplane/providerconfig.default.yaml
@@ -6,13 +6,12 @@ metadata:
 argocd.argoproj.io/hook: PostSync
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
+ assumeRoleChain:
+ - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+
 credentials:
 source: Secret
 secretRef:
 namespace: crossplane-system
 name: aws-secret
 key: creds
-
- assumeRole:
- roleARN: "arn:aws:iam::000654387266:role/crossplane"
-
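Review bot: The `default` ProviderConfig now stops at the `CrossplaneServiceRole` hop, and every managed resource that omits `providerConfigRef` still resolves to `default`, so the least-privilege value of this split rests on that role carrying little more than sts:AssumeRole onto the per-service roles — its IAM policy is outside this patch, so that is an assumption to confirm. The new `assumeRoleChain` entry sets only `roleARN`; in this API version a chain entry also accepts `sessionName`, and leaving it unset means CloudTrail shows the same anonymous session for work done through this config and through the route53 and s3 configs in the following hunks, which all start from the same static key in `aws-secret`. A one-line comment above `assumeRoleChain:` would explain the design to the next reader: `# aws-secret holds a static key that should only be able to assume CrossplaneServiceRole; per-service ProviderConfigs chain a second hop from that role.`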
diff --git a/bootstrap/crossplane/providerconfig.route53.yaml b/bootstrap/crossplane/providerconfig.route53.yaml
new file mode 100644
index 0000000..f1a0153
--- /dev/null
+++ b/bootstrap/crossplane/providerconfig.route53.yaml
@@ -0,0 +1,18 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: route53
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ assumeRoleChain:
+ - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+ - roleARN: "arn:aws:iam::000654387266:role/Route53ManagementRole"
+
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: aws-secret
+ key: creds
diff --git a/bootstrap/crossplane/providerconfig.s3.yaml b/bootstrap/crossplane/providerconfig.s3.yaml
new file mode 100644
index 0000000..15d47f0
--- /dev/null
+++ b/bootstrap/crossplane/providerconfig.s3.yaml
@@ -0,0 +1,18 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: s3
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ assumeRoleChain:
+ - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+ - roleARN: "arn:aws:iam::000654387266:role/S3ManageHomelab"
+
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: aws-secret
+ key: creds
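Review bot: The second hop in this file and in providerconfig.s3.yaml carries no `externalID`, so the trust policy on `Route53ManagementRole` / `S3ManageHomelab` can only gate on the calling role's ARN; adding `externalID: <placeholder-per-service-id>` to the second chain entry lets each target role's trust policy require that value, which is the usual way to keep one intermediate role from being usable as a path to every service role. Both files also repeat the first hop `roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"` and the account id verbatim alongside the default config, so a rename of that role means editing three files in lockstep; a shared base with a per-service patch would keep it in one place. The two target roles follow different naming conventions (`Route53ManagementRole` versus `S3ManageHomelab`), which is cheapest to align while both are new. The blank line splitting `assumeRoleChain` from `credentials` inside `spec:` reads as a separate stanza; either drop it or put a short comment there, e.g. `# second hop: service-scoped role reached via CrossplaneServiceRole`.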