Setup Federation for SPC
Overview
This module provisions IAM resources for Kosmos to create and manage EKS clusters using OIDC authentication. It includes:
- An IAM Role for Kosmos with an associated Trust Policy to define who can assume the role.
- A Permissions Policy granting Kosmos the necessary permissions to create EKS clusters.
- An Attachment linking the permission policy to the IAM role.
- (Optional) Creation of an OIDC Provider entry in SPC for Kosmos.
Variables
Required Variables
The following variables are required, depending on your setup:
| Variable | Requirement | Description |
|---|---|---|
| `oidc_provider_arn` | Required if `oidc_client_id`, `oidc_thumbprint`, and `oidc_url` are not provided. | ARN of an existing OIDC provider instance in SPC. If specified, the module will not create a new OIDC provider. |
| `oidc_client_id` | Required if `oidc_provider_arn` is not specified. | Client ID for creating a new OIDC provider in SPC. Ensure it is registered in the OIDC provider. |
| `oidc_thumbprint` | Required if `oidc_provider_arn` is not specified. | Thumbprint of the OIDC provider's certificates. Can be obtained from the AWS Docs or via the SPC console. |
| `oidc_url` | Required if `oidc_provider_arn` is not specified. | Issuer URL of the OIDC provider, including the full path. |
| `fleet_name` | Always required | Name of the Kosmos fleet. Used as a resource identifier and for subject matching in tokens. |
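As an added illustration (not the module's own code), this is the shape of trust relationship that the Overview's "Trust Policy" and the `fleet_name` subject matching above imply: an OIDC provider entry for the Kosmos issuer, plus an assume-role policy that accepts `sts:AssumeRoleWithWebIdentity` only from that provider, with the token audience pinned to the client ID and the `sub` claim tied to the fleet. The provider URL, the `kosmos-operator` client ID and the `fleet_name` variable come from this page; the condition-key prefix follows the AWS convention of the issuer URL without its scheme; the `<fleet>:operator` subject layout is an assumption standing in for whatever the real Kosmos token carries.

```hcl
# Added illustration, not the kosmos-spc-identity module's own code.
# Assumed: the subject layout "<fleet_name>:operator". Take the real value
# from a decoded Kosmos token before using a policy like this.

variable "fleet_name" {
  type = string
}

variable "oidc_thumbprint" {
  type        = string
  description = "SHA-1 thumbprint of the Kosmos OIDC issuer certificate"
}

resource "aws_iam_openid_connect_provider" "kosmos" {
  url             = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  client_id_list  = ["kosmos-operator"]
  thumbprint_list = [var.oidc_thumbprint]
}

locals {
  # Condition keys are "<issuer host and path>:<claim>", i.e. the issuer URL without "https://".
  oidc_host = trimprefix(aws_iam_openid_connect_provider.kosmos.url, "https://")
}

data "aws_iam_policy_document" "kosmos_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.kosmos.arn]
    }

    # Only tokens minted for this client ID are accepted.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["kosmos-operator"]
    }

    # Only the subject belonging to this fleet may assume the role
    # (assumed subject layout; see the comment at the top).
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["${var.fleet_name}:operator"]
    }
  }
}

resource "aws_iam_role" "kosmos_operator" {
  # Matches the default kosmos_role_name_prefix documented below.
  name               = "kosmos-operator-${var.fleet_name}"
  assume_role_policy = data.aws_iam_policy_document.kosmos_trust.json
}
```

The `sub` condition is what makes `fleet_name` matter: with only the `aud` condition, any token the issuer mints for that client ID, for any fleet, could assume the role. Keeping both conditions means a token has to be for this client and this fleet before the permissions policy is ever consulted.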
Optional Variables
| Variable | Description | Default Value |
|---|---|---|
| `mks_role_name_prefix` | Prefix for the IAM role created for MKS clusters. | `mks-service-role` |
| `kosmos_role_name_prefix` | Prefix for the IAM role used by the Kosmos operator. | `kosmos-operator` |
Outputs
| Output Variable | Description |
|---|---|
| `kosmos_operator_role_arn` | ARN of the IAM Role for Kosmos to create EKS clusters. |
| `mks_role_arn` | ARN of the IAM Role for the MKS cluster. |
| `mks_service_role_name` | Name of the IAM Role for the MKS cluster. |
Example Usage
Note: the following data source fetches the Kosmos issuer certificate so its thumbprint can be read later via `local.kosmos_fingerprint`:
```hcl
data "tls_certificate" "kosmos" {
  url = "https://console.kosmos.spcplatform.com/kosmos-oidc"
}

locals {
  # Keep the SHA-1 fingerprint of the certificate whose subject is the Kosmos issuer.
  # element() fails at plan time if no certificate matches, so a changed or
  # unexpected chain is caught before anything is applied.
  kosmos_fingerprint = element([
    for cert in data.tls_certificate.kosmos.certificates :
    cert.sha1_fingerprint if cert.subject == "CN=https://console.kosmos.spcplatform.com/kosmos-oidc"
  ], 0)
}
```
1. Use an Existing OIDC Provider Entry
```hcl
module "kosmos-iam" {
  source            = "../<path-to-kosmos-spc-identity-unzipped>"
  oidc_provider_arn = "arn:aws:iam::<SPC Account ID>:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name        = var.fleet_name
}
```
2. Create a New OIDC Provider Entry
```hcl
module "kosmos-iam" {
  source          = "../<path-to-kosmos-spc-identity-unzipped>"
  oidc_client_id  = "kosmos-operator"
  # Locals are referenced as local.<name>, not locals.<name>.
  oidc_thumbprint = local.kosmos_fingerprint
  oidc_url        = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name      = var.fleet_name
}
```
3. Using HTTPS to Fetch the Module from an S3 Bucket
Note:
- The bucket is accessible only from within the Samsung/Joyent VPN or offices.
- When using S3 directly, the module is stored as a `.tar.gz` archive in the `srin-s3-terraform-modules` bucket in the `ap-southeast-1` region.
- For authentication details, refer to the Terraform Docs.
```hcl
module "kosmos-iam" {
  source            = "https://s3.ap-southeast-1.amazonaws.com/srin-s3-terraform-modules/kosmos-spc-identity-v1.0.1.tar.gz"
  oidc_provider_arn = "arn:aws:iam::<SPC Account ID>:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name        = var.fleet_name
}
```
The S3 source can also be combined with the `oidc_client_id`, `oidc_thumbprint`, and `oidc_url` arguments instead of `oidc_provider_arn`.
Download Resources
For complete examples and the latest updates, refer to:
Setup federation using CLI
For setting up federation with the CLI, please refer to the MKS Create and Import documentation.