From e90384e88f60c90663ed2f8df590d2a8897e69de Mon Sep 17 00:00:00 2001
From: Dmitry Dunaev
Date: Fri, 28 May 2021 15:31:05 +0300
Subject: [PATCH] [TOOLS-137] Add: helm values for wlan-onboard and AWS user with access to EKS
---
 helm-values/aws-wlan-onboard.yaml | 27 ++++++++++++
 .../wifi-289708231103/cloudsdk_cicd/eks.tf | 5 +++
 .../wifi-289708231103/cloudsdk_cicd/kms.tf | 2 +
 .../wifi-289708231103/cloudsdk_cicd/users.tf | 44 ++++++++++---------
 4 files changed, 58 insertions(+), 20 deletions(-)
 create mode 100644 helm-values/aws-wlan-onboard.yaml
diff --git a/helm-values/aws-wlan-onboard.yaml b/helm-values/aws-wlan-onboard.yaml
new file mode 100644
index 0000000..46c2426
--- /dev/null
+++ b/helm-values/aws-wlan-onboard.yaml
@@ -0,0 +1,27 @@
+images:
+ onboard:
+ repository: tip-tip-wlan-test-bss-docker-repo.jfrog.io/wlan-onboard
+ tag: latest
+ pullPolicy: IfNotPresent
+ regcred: eyJhdXRocyI6IHsidGlwLXRpcC13bGFuLWNsb3VkLWRvY2tlci1yZXBvLmpmcm9nLmlvIjogeyJhdXRoIjogImRHbHdMWEpsWVdRNmRHbHdMWEpsWVdRPSJ9fX0=
+
+services:
+ onboard:
+ type: NodePort
+
+ingresses:
+ default:
+ annotations:
+ kubernetes.io/ingress.class: alb
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/group.name: test-bss-load-testing
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+ external-dns.alpha.kubernetes.io/hostname: onboard.cicd.lab.wlan.tip.build
+ hosts:
+ - onboard.cicd.lab.wlan.tip.build
+ paths:
+ - path: /*
+ serviceName: onboard
+ servicePort: http
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf b/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
index 048056b..cd1c1c6 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
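Review bot: `regcred` on the new side is a base64-encoded Docker `config.json` carrying an `auth` entry for a jfrog registry, so this commits a registry credential to the repository; base64 is an encoding, not encryption, and anyone with read access to the repo recovers it. Move the pull secret out of the values file (a Kubernetes Secret created from CI or a secrets manager, with only its name referenced here) and treat the embedded credential as exposed and rotate it. The registry hostname inside the decoded blob also appears to be `tip-tip-wlan-cloud-docker-repo.jfrog.io` while `repository` pulls from `tip-tip-wlan-test-bss-docker-repo.jfrog.io`; confirm the pull secret actually covers the repository used, otherwise the pull fails once the image is not already cached on the node. Separately, the `actions.ssl-redirect` annotation is never referenced by a path (the ALB controller only applies an action when a path's backend is `serviceName: ssl-redirect` with `servicePort: use-annotation`), so port 80 is served over plain HTTP rather than redirected. `tag: latest` with `pullPolicy: IfNotPresent` also makes deployments non-reproducible; pin a tag or digest.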
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
@@ -126,6 +126,11 @@ locals {
 userarn = aws_iam_user.quali-poc.arn
 username = aws_iam_user.quali-poc.name
 groups = ["system:masters"]
+ },
+ {
+ userarn = aws_iam_user.gh-actions-wlan-test-bss.arn
+ username = aws_iam_user.gh-actions-wlan-test-bss.name
+ groups = ["system:masters"]
 }
 ]
 admin_roles = [for role in var.eks_admin_roles : {
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf b/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
index 0f8c281..886d3ed 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/kms.tf
@@ -35,6 +35,7 @@ data "aws_iam_policy_document" "kms" {
 identifiers = [
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5b24211378e8344f",
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SystemAdministrator_622371b0ceece6f8",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/atlantis-ecs_task_execution",
 ]
 }
 }
@@ -55,6 +56,7 @@ data "aws_iam_policy_document" "kms" {
 identifiers = [
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5b24211378e8344f",
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SystemAdministrator_622371b0ceece6f8",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/atlantis-ecs_task_execution",
 ]
 }
 }
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/users.tf b/terraform/wifi-289708231103/cloudsdk_cicd/users.tf
index 06431bb..dbd16ab 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/users.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/users.tf
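Review bot: The new `aws-auth` entry maps the CI user `gh-actions-wlan-test-bss` to `system:masters`, i.e. unrestricted cluster-admin, while the IAM policy attached to the same user in users.tf is deliberately minimal (`eks:DescribeCluster`/`eks:ListClusters`); the least-privilege intent on the IAM side is undone on the Kubernetes side. A pipeline that deploys one workload should map to a dedicated group, e.g. `groups = ["wlan-test-bss-deployers"]`, bound via RBAC to a Role scoped to the namespace it deploys into, rather than copying the `quali-poc` entry. If a long-lived access key is created for this user elsewhere in the repo, an IAM role assumed through GitHub's OIDC provider would remove the static credential entirely. The enclosing `locals` block starts before this hunk.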
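Review bot: Both kms.tf hunks (the statements at old lines 35 and 55) add `atlantis-ecs_task_execution` to principal lists that otherwise hold only the SSO AdministratorAccess and SystemAdministrator roles; the statements' `actions` are outside the hunks, so whether this grants a CI role key-administration rights cannot be confirmed here, but grouping it with the admin principals suggests it may. An ECS task execution role is the identity the ECS agent uses to pull the image and inject secrets at container start, not the identity the container process (Atlantis/terraform) runs as, so if the intent is for Atlantis itself to use the key, the task role is the correct principal, and if the intent is only to decrypt secrets at startup, a separate statement limited to `kms:Decrypt` (optionally with a `kms:ViaService` condition) is enough. Whichever it is, a one-line comment next to the new entry, e.g. `# ECS agent decrypts Atlantis task secrets at startup`, would record the reason the role was added to a key policy.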
@@ -1,3 +1,15 @@
+data "aws_iam_policy_document" "gh-actions-policy" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "eks:DescribeCluster",
+ "eks:ListClusters",
+ ]
+ resources = ["*"]
+ }
+}
+
+# gh-actions-user
 resource "aws_iam_user" "gh-actions-user" {
 name = "gh-actions-user"
 path = "/"
@@ -10,17 +22,7 @@ resource "aws_iam_user_policy" "lb_ro" {
 policy = data.aws_iam_policy_document.gh-actions-policy.json
 }
 
-data "aws_iam_policy_document" "gh-actions-policy" {
- statement {
- effect = "Allow"
- actions = [
- "eks:DescribeCluster",
- "eks:ListClusters",
- ]
- resources = ["*"]
- }
-}
-
+# quali-poc
 resource "aws_iam_user" "quali-poc" {
 name = "quali-poc"
 path = "/"
@@ -33,13 +35,15 @@ resource "aws_iam_user_policy" "lb_ro_quali" {
 policy = data.aws_iam_policy_document.gh-actions-policy.json
 }
 
-data "aws_iam_policy_document" "quali-poc-policy" {
- statement {
- effect = "Allow"
- actions = [
- "eks:DescribeCluster",
- "eks:ListClusters",
- ]
- resources = ["*"]
- }
+# gh-actions-wlan-test-bss
+resource "aws_iam_user" "gh-actions-wlan-test-bss" {
+ name = "gh-actions-wlan-test-bss"
+ path = "/"
+ tags = local.common_tags
+}
+
+resource "aws_iam_user_policy" "lb_ro_gh_wlan_test_bss" {
+ name = "eks-list-access"
+ user = aws_iam_user.gh-actions-wlan-test-bss.name
+ policy = data.aws_iam_policy_document.gh-actions-policy.json
 }
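Review bot: The shared `gh-actions-policy` document (moved to the top of the file in the first hunk and attached to the new `gh-actions-wlan-test-bss` user in the third) uses `resources = ["*"]` for both actions, which is broader than needed: `eks:ListClusters` has no resource-level permissions and genuinely needs `*`, but `eks:DescribeCluster` accepts a cluster ARN, so it belongs in its own statement scoped to the cluster(s) these CI users work with, as sketched below. This document is the only IAM policy these users carry, so their effective access is decided by the `aws-auth` mapping in eks.tf, and the two files should be reviewed together. As a point of naming, `lb_ro_gh_wlan_test_bss` inherits the `lb_ro` prefix of its siblings although nothing in it concerns a load balancer or read-only access; `eks_access_gh_wlan_test_bss` would say what the policy does. The second hunk is only the removal of the moved block plus a section comment and raises nothing on its own.
```hcl
data "aws_iam_policy_document" "gh-actions-policy" {
  # eks:ListClusters has no resource-level permissions, so "*" is unavoidable here.
  statement {
    effect    = "Allow"
    actions   = ["eks:ListClusters"]
    resources = ["*"]
  }

  # eks:DescribeCluster does support a cluster ARN; restrict it to the CI cluster(s).
  statement {
    effect    = "Allow"
    actions   = ["eks:DescribeCluster"]
    resources = ["<EKS_CLUSTER_ARN placeholder: reference the cluster defined in eks.tf>"]
  }
}
```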