⚙️ Add EKS prep scripts

prepare-eks/10_create_cluster.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+eksctl create cluster \
+    --node-type=t3.large \
+    --nodes-max=10 \
+    --alb-ingress-access \
+    --asg-access \
+    --ssh-access \
+    --with-oidc \
+    #
+

prepare-eks/20_create_users.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "Getting list of existing users ..."
+aws iam list-users --output json | jq -r .Users[].UserName > users.tmp
+
+for U in $(cat users.txt); do
+    if ! grep -qw $U users.tmp; then
+        echo "Creating user $U..."
+        aws iam create-user --user-name=$U \
+            --tags=Key=container.training,Value=1
+    fi
+    if ! grep -qw $U users.keys; then
+        echo "Listing keys for user $U..."
+        KEYS=$(aws iam list-access-keys --user=$U | jq -r .AccessKeyMetadata[].AccessKeyId)
+        for KEY in $KEYS; do
+            echo "Deleting key $KEY for user $U..."
+            aws iam delete-access-key --user=$U --access-key-id=$KEY
+        done
+        echo "Creating access key for user $U..."
+        aws iam create-access-key --user=$U --output json \
+          | jq -r '.AccessKey | [ .UserName, .AccessKeyId, .SecretAccessKey ] | @tsv' \
+          >> users.keys
+    fi
+done

prepare-eks/30_create_or_update_policy.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+JSON='{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "eks:DescribeCluster"
+            ],
+            "Resource": "arn:aws:eks:*",
+            "Effect": "Allow"
+        }
+    ]
+}'
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+#aws iam create-policy --policy-name user.container.training --policy-document "$JSON"
+aws iam create-policy-version --policy-arn arn:aws:iam::$ACCOUNT:policy/user.container.training --policy-document "$JSON" --set-as-default
+
+# Uncomment this to check which users have the policy
+#aws iam list-entities-for-policy --policy-arn arn:aws:iam::$ACCOUNT:policy/user.container.training

prepare-eks/40_attach_policy.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+for U in $(cat users.txt); do
+  echo "Attaching policy to user $U ..."
+  aws iam attach-user-policy --user-name $U --policy-arn arn:aws:iam::$ACCOUNT:policy/user.container.training
+done

prepare-eks/50_aws_auth.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+rm -f users.map
+for U in ada.lovelace also.lol; do
+echo "\
+- userarn: arn:aws:iam::$ACCOUNT:user/$U
+  username: $U
+  groups: [ container.training ]\
+" >> users.map
+done
+
+kubectl create --namespace=kube-system configmap aws-auth --dry-run=client --from-file=mapUsers=users.map -o yaml | kubectl apply -f-
+

prepare-eks/60_setup_rbac_and_ns.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+kubectl create rolebinding --namespace default container.training --group=container.training --clusterrole=view
+kubectl create clusterrole view-nodes --verb=get,list,watch --resource=node
+kubectl create clusterrolebinding view-nodes --group=container.training --clusterrole=view-nodes
+kubectl create clusterrole view-namespaces --verb=get,list,watch --resource=namespace
+kubectl create clusterrolebinding view-namespaces --group=container.training --clusterrole=view-namespaces
+
+kubectl create namespace container-training
+kubectl create rolebinding --namespace container-training edit --group=container.training --clusterrole=edit
+
+for U in $(cat users.txt); do
+  NS=$(echo $U | tr . -)
+  cat <<EOF
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: $NS
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: admin
+  namespace: $NS
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: $U
+EOF
+done | kubectl create -f-
+

prepare-eks/99_cleanup_old_policy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+for VERSION in $(aws iam list-policy-versions --policy-arn arn:aws:iam::$ACCOUNT:policy/user.container.training | jq -r '.Versions[].VersionId'); do
+  aws iam delete-policy-version --policy-arn arn:aws:iam::$ACCOUNT:policy/user.container.training --version-id "$VERSION"
+done

prepare-eks/users.txt

@@ -0,0 +1,50 @@
+ada.lovelace
+adele.goldstine
+amanda.jones
+anita.borg
+ann.kiessling
+barbara.mcclintock
+beatrice.worsley
+bessie.blount
+betty.holberton
+beulah.henry
+carleen.hutchins
+caroline.herschel
+dona.bailey
+dorothy.hodgkin
+ellen.ochoa
+edith.clarke
+elisha.collier
+elizabeth.feinler
+emily.davenport
+erna.hoover
+frances.spence
+gertrude.blanch
+grace.hopper
+grete.hermann
+giuliana.tesoro
+harriet.tubman
+hedy.lamarr
+irma.wyman
+jane.goodall
+jean.bartik
+joy.mangano
+josephine.cochrane
+katherine.blodgett
+kathleen.antonelli
+lynn.conway
+margaret.hamilton
+maria.beasley
+marie.curie
+marjorie.joyner
+marlyn.meltzer
+mary.kies
+melitta.bentz
+milly.koss
+radia.perlman
+rosalind.franklin
+ruth.teitelbaum
+sarah.mather
+sophie.wilson
+stephanie.kwolek
+yvonne.brill