Commit 9178327

docs: add aws diagram to readme (#17)
1 parent 0d51d53 commit 9178327

File tree

1 file changed

+58
-2
lines changed


README.md

Lines changed: 58 additions & 2 deletions
@@ -79,8 +79,8 @@ AWS_USER_ARN=$(aws iam list-users --query "Users[? UserName==\`${AWS_USER_NAME}\
7979
sed -i "s@^AWS_USER_ARN.*@AWS_USER_ARN = \"${AWS_USER_ARN}\"@" mise.local.toml
8080
```
8181

82-
The `aws-cli` user was created in the management AWS account and will be used to
83-
access all AWS accounts via the AWS CLI.
82+
The `aws-cli` user was created in the management AWS account. It will be used to
83+
access all AWS accounts via the AWS CLI by assuming the proper IAM Role.
8484

8585
##### Route35 Hosted Zone + GitHub Action IAM Role
8686

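Review bot: the reworded sentence now says the `aws-cli` user reaches the other accounts "by assuming the proper IAM Role" but never names that role or says where the trust relationship is defined, which is the part a reader setting this up needs. Since the diagram added later in this same commit calls the intermediate role `aws-mgmt-iam-role`, name it here and state that the tenant-account roles trust only that role's ARN (not the whole management account), so the paragraph documents the security boundary rather than just the mechanism. Also, the unchanged context heading `##### Route35 Hosted Zone + GitHub Action IAM Role` looks like a typo for Route 53; worth fixing while this paragraph is being edited.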
@@ -241,6 +241,62 @@ flowchart TB
241241
k8s.gcp.mylabs.dev --> k04.k8s.gcp.mylabs.dev
242242
```
243243
244+
### AWS diagram
245+
246+
Suppose you have three AWS accounts and want to provision one EKS cluster in each.
247+
The setup would look like this:
248+
249+
- **AWS Management Account** - centralized account responsible for provisioning
250+
and managing infrastructure, hosting two EKS clusters, and assuming IAM roles
251+
in tenant accounts
252+
- k01.k8s.aws.mylabs.dev
253+
- k02.k8s.aws.mylabs.dev
254+
- **AWS Tenant Account 01** – tenant account hosting two EKS clusters. These
255+
clusters are created using a local IAM role, which is assumed by the IAM role
256+
from the management account
257+
- k03.k8s.aws.mylabs.dev
258+
- k04.k8s.aws.mylabs.dev
259+
- **AWS Tenant Account 02** – tenant account hosting two EKS clusters. These
260+
clusters are created using a local IAM role, which is assumed by the IAM role
261+
from the management account
262+
- k05.k8s.aws.mylabs.dev
263+
- k06.k8s.aws.mylabs.dev
264+
265+
```mermaid
266+
flowchart TB
267+
268+
subgraph "AWS"
269+
subgraph "AWS Management Account"
270+
aws-cli@{ icon: "logos:panda", form: "rounded", label: "aws-cli", pos: "b", h: 60 }
271+
aws-mgmt-iam-role@{ icon: "logos:aws-iam", form: "square", label: "aws-mgmt-iam-role", pos: "b", h: 60 }
272+
aws-01-iam-role@{ icon: "logos:aws-iam", form: "square", label: "aws-01-iam-role", pos: "b", h: 60 }
273+
k01.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k01.k8s.aws.mylabs.dev", pos: "b", h: 60 }
274+
k02.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k02.k8s.aws.mylabs.dev", pos: "b", h: 60 }
275+
end
276+
subgraph "AWS Account 01"
277+
aws-02-iam-role@{ icon: "logos:aws-iam", form: "square", label: "aws-02-iam-role", pos: "b", h: 60 }
278+
k03.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k03.k8s.aws.mylabs.dev", pos: "b", h: 60 }
279+
k04.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k04.k8s.aws.mylabs.dev", pos: "b", h: 60 }
280+
end
281+
subgraph "AWS Account 02"
282+
aws-03-iam-role@{ icon: "logos:aws-iam", form: "square", label: "aws-03-iam-role", pos: "b", h: 60 }
283+
k05.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k05.k8s.aws.mylabs.dev", pos: "b", h: 60 }
284+
k06.k8s.aws.mylabs.dev@{ icon: "logos:aws-eks", form: "square", label: "k06.k8s.aws.mylabs.dev", pos: "b", h: 60 }
285+
end
286+
end
287+
288+
aws-cli -- "Assume Role (STS)" --> aws-mgmt-iam-role
289+
aws-mgmt-iam-role -- "Assume Role (STS)" --> aws-01-iam-role
290+
aws-01-iam-role --> k01.k8s.aws.mylabs.dev
291+
aws-01-iam-role --> k02.k8s.aws.mylabs.dev
292+
aws-mgmt-iam-role -- "Assume Role (STS)" --> aws-02-iam-role
293+
aws-02-iam-role --> k03.k8s.aws.mylabs.dev
294+
aws-02-iam-role --> k04.k8s.aws.mylabs.dev
295+
aws-mgmt-iam-role -- "Assume Role (STS)" --> aws-03-iam-role
296+
aws-03-iam-role --> k05.k8s.aws.mylabs.dev
297+
aws-03-iam-role --> k06.k8s.aws.mylabs.dev
298+
```
299+
244300
## Tests
245301

246302
```bash
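Review bot: the new prose and the mermaid diagram disagree on naming, which undermines the point of adding a diagram. The bullet list calls the tenant accounts **AWS Tenant Account 01** and **AWS Tenant Account 02**, while the subgraphs are titled `"AWS Account 01"` and `"AWS Account 02"`; and the role names are offset from the account names (`aws-01-iam-role` sits in the management account, `aws-02-iam-role` in Account 01, `aws-03-iam-role` in Account 02), so the `Assume Role (STS)` chain is hard to follow. Either name roles after the account they live in or state the account-to-role mapping in the bullet list. Two smaller points: the list mixes a plain hyphen (`- **AWS Management Account** - centralized ...`) with an en dash (`- **AWS Tenant Account 01** – tenant ...`) as the separator, and the bullets say tenant clusters are created via "a local IAM role, which is assumed by the IAM role from the management account" without saying that each tenant role's trust policy should name `aws-mgmt-iam-role` specifically; adding that one sentence would make the trust direction in the diagram explicit for readers who set this up themselves.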
