feat: use pod identity

Author: johanneswuerbach

README.md

@@ -2,14 +2,14 @@
 
 > TL;DR
 >
-> Skip the theory? Go [here](README.md#how-to-spin-up-your-humanitec-aws-reference-architecture) to spin up your Humanitec AWS Reference Architecture Implementation. 
+> Skip the theory? Go [here](README.md#how-to-spin-up-your-humanitec-aws-reference-architecture) to spin up your Humanitec AWS Reference Architecture Implementation.
 >
 > [Follow this learning path to master your Internal Developer Platform](https://developer.humanitec.com/training/master-your-internal-developer-platform/introduction/).
 >
 
 Building an Internal Developer Platform (IDP) can come with many challenges. To give you a head start, we’ve created a set of [reference architectures](https://humanitec.com/reference-architectures) based on hundreds of real-world setups. These architectures described in code provide a starting point to build your own IDP within minutes, along with customization capabilities to ensure your platform meets the unique needs of your users (developers).
 
-The initial version of this reference architecture has been presented by Mike Gatto, Sr. DevOps Engineer, McKinsey and Stephan Schneider, Digital Expert Associate Partner, McKinsey at [PlartformCon 2023](https://www.youtube.com/watch?v=AimSwK8Mw-U). 
+The initial version of this reference architecture has been presented by Mike Gatto, Sr. DevOps Engineer, McKinsey and Stephan Schneider, Digital Expert Associate Partner, McKinsey at [PlartformCon 2023](https://www.youtube.com/watch?v=AimSwK8Mw-U).
 
 ## What is an Internal Developer Platform (IDP)?
 
@@ -21,36 +21,34 @@ When McKinsey originally [published the reference architecture](https://www.yout
 
 ![AWS reference architecture Humanitec](docs/images/AWS-reference-architecture-Humanitec.png)
 
-### Developer Control Plane 
+### Developer Control Plane
 
 This plane is the primary configuration layer and interaction point for the platform users. It harbors the following components:
 
-
-
 * A **Version Control System**. GitHub is a prominent example, but this can be any system that contains two types of repositories:
-    * Application Source Code
-    * Platform Source Code, e.g. using Terraform
+  * Application Source Code
+  * Platform Source Code, e.g. using Terraform
 * **Workload specifications**. The reference architecture uses [Score](https://developer.humanitec.com/score/overview/).
 * A **portal** for developers to interact with. It can be the Humanitec Portal, but you might also use [Backstage](https://backstage.io/) or any other portal on the market.
 
-
-### Integration and Delivery Plane 
+### Integration and Delivery Plane
 
 This plane is about building and storing the image, creating app and infra configs from the abstractions provided by the developers, and deploying the final state. It’s where the domains of developers and platform engineers meet.
 
 This plane usually contains four different tools:
+
 * A **CI pipeline**. It can be Github Actions or any CI tooling on the market.
 * The **image registry** holding your container images. Again, this can be any registry on the market.
 * An **orchestrator** which in our example, is the Humanitec Platform Orchestrator.
 * The **CD system**, which can be the Platform Orchestrator’s deployment pipeline capabilities — an external system triggered by the Orchestrator using a webhook, or a setup in tandem with GitOps operators like ArgoCD.
 
-### Monitoring and Logging Plane 
+### Monitoring and Logging Plane
 
 The integration of monitoring and logging systems varies greatly depending on the system. This plane however is not a focus of the reference architecture.
 
-### Security Plane 
+### Security Plane
 
-The security plane of the reference architecture is focused on the secrets management system. The secrets manager stores configuration information such as database passwords, API keys, or TLS certificates needed by an Application at runtime. It allows the Platform Orchestrator to reference the secrets and inject them into the Workloads dynamically. You can learn more about secrets management and integration with other secrets management [here](https://developer.humanitec.com/platform-orchestrator/security/overview). 
+The security plane of the reference architecture is focused on the secrets management system. The secrets manager stores configuration information such as database passwords, API keys, or TLS certificates needed by an Application at runtime. It allows the Platform Orchestrator to reference the secrets and inject them into the Workloads dynamically. You can learn more about secrets management and integration with other secrets management [here](https://developer.humanitec.com/platform-orchestrator/security/overview).
 
 The reference architecture sample implementations use the secrets store attached to the Humanitec SaaS system.
 
@@ -59,6 +57,7 @@ The reference architecture sample implementations use the secrets store attached
 This plane is where the actual infrastructure exists including clusters, databases, storage, or DNS services. The configuration of the Resources is managed by the Platform Orchestrator which dynamically creates app and infrastructure configurations with every deployment and creates, updates, or deletes dependent Resources as required.
 
 ## How to spin up your Humanitec AWS Reference Architecture
+
 This repo contains an implementation of part of the Humanitec Reference Architecture for an Internal Developer Platform.
 
 To install an implementation containing add-ons, follow the separate README. We currently feature these add-ons:
@@ -69,13 +68,13 @@ This repo covers the base layer of the implementation for AWS.
 
 By default, the following will be provisioned:
 
-- VPC
-- EKS Cluster
-- IAM User to access the cluster
-- Ingress NGINX in the cluster
-- Resource Definitions in Humanitec for:
-  - Kubernetes Cluster
-  - Logging
+* VPC
+* EKS Cluster
+* IAM User to access the cluster
+* Ingress NGINX in the cluster
+* Resource Definitions in Humanitec for:
+  * Kubernetes Cluster
+  * Logging
 
 ### Prerequisites
 
@@ -115,22 +114,12 @@ This reference architecture implementation uses Terraform. You will need to do t
    terraform apply
    ```
 
-   `terraform plan` and `apply` might output this message:
-   ```   
-   │ Warning: Argument is deprecated
-   │
-   │   with module.base.module.aws_eks.aws_eks_addon.this["aws-ebs-csi-driver"],
-   │   [...]
-   ```
-   This is due to an upstream issue with the Terraform AWS modules, and can be ignored.
-
 #### Required input variables
 
 Terraform reads variables by default from a file called `terraform.tfvars`. You can create your own file by renaming the `terraform.tfvars.example` file in the root of the repo and then filling in the missing values.
 
 You can see find a details about each of those variables and additional supported variables under [Inputs](#inputs).
 
-
 ### Verify your result
 
 Check for the existence of key elements of the reference architecture. This is a subset of all elements only. For a complete list of what was installed, review the Terraform code.
@@ -148,8 +137,9 @@ Check for the existence of key elements of the reference architecture. This is a
      --header "Authorization: Bearer ${HUMANITEC_TOKEN}" \
      | jq .id,.type
    ```
-   
+
    This should output:
+
    ```
    "ref-arch"
    "k8s-cluster"
@@ -160,9 +150,9 @@ Check for the existence of key elements of the reference architecture. This is a
    ```
    aws eks list-clusters --region <your-region>
    ```
-   
+
    This should output:
-   
+
    ```
    {
        "clusters": [
@@ -216,9 +206,7 @@ Once you are finished with the reference architecture, you can remove all provis
 
 ## Learn more
 
-Expand your knowledge by heading over to our learning path, and discover how to: 
-
-
+Expand your knowledge by heading over to our learning path, and discover how to:
 
 * Deploy the Humanitec reference architecture using a cloud provider of your choice
 * Deploy and manage Applications using the Humanitec Platform Orchestrator and Score
@@ -228,8 +216,6 @@ Expand your knowledge by heading over to our learning path, and discover how to:
 
 [Master your Internal Developer Platform](https://developer.humanitec.com/training/master-your-internal-developer-platform/introduction/)
 
-
-
 * [Introduction](https://developer.humanitec.com/training/master-your-internal-developer-platform/introduction/)
 * [Design principles](https://developer.humanitec.com/training/master-your-internal-developer-platform/design-principles/)
 * [Structure and integration points](https://developer.humanitec.com/training/master-your-internal-developer-platform/structure-and-integration-points/)

examples/with-backstage/backstage-humanitec.tf

@@ -153,9 +153,8 @@ module "backstage_iam_role_service_account" {
 
   policy_classes = ["default"]
 
-  oidc_provider     = module.base.eks_oidc_provider
-  oidc_provider_arn = module.base.eks_oidc_provider_arn
-  prefix            = local.res_def_prefix
+  cluster_name = module.base.eks_cluster_name
+  prefix       = local.res_def_prefix
 }
 
 resource "humanitec_resource_definition_criteria" "backstage_iam_role_service_account" {

modules/base/README.md

@@ -24,7 +24,7 @@ Module that provides the reference architecture.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_eks"></a> [aws\_eks](#module\_aws\_eks) | terraform-aws-modules/eks/aws | ~> 19.16 |
+| <a name="module_aws_eks"></a> [aws\_eks](#module\_aws\_eks) | terraform-aws-modules/eks/aws | ~> 20.2 |
 | <a name="module_aws_vpc"></a> [aws\_vpc](#module\_aws\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.1 |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.30 |
 

modules/base/main.tf

@@ -48,11 +48,6 @@ data "aws_caller_identity" "current" {}
 
 locals {
   default_aws_auth_users = [
-    {
-      userarn  = data.aws_caller_identity.current.arn
-      username = "creator"
-      groups   = ["system:masters"]
-    },
     {
       userarn  = aws_iam_user.humanitec_svc.arn
       username = aws_iam_user.humanitec_svc.name
@@ -81,7 +76,7 @@ module "ebs_csi_irsa_role" {
 
 module "aws_eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.16"
+  version = "~> 20.2"
 
   cluster_name    = var.cluster_name
   cluster_version = var.cluster_version
@@ -111,10 +106,29 @@ module "aws_eks" {
       most_recent              = true
       service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
     }
+    eks-pod-identity-agent = {
+      most_recent = true
+    }
   }
 
-  manage_aws_auth_configmap = true
-  aws_auth_users            = local.aws_auth_users
+  enable_cluster_creator_admin_permissions = true
+
+  access_entries = {
+    for s in local.aws_auth_users : s.username => {
+      kubernetes_groups = []
+      principal_arn     = s.userarn
+
+      policy_associations = {
+        cluster_admin = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            namespaces = []
+            type       = "cluster"
+          }
+        }
+      }
+    }
+  }
 
   # required for ingress-nginx see https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2513
   node_security_group_additional_rules = {