# platform-blueprints
Hi Team - I was wondering if someone has a solution for this or can direct me to the right documentation/blog or any other source available for the following scenario: I am working on automation to bring up Amazon EKS clusters (multi-tenant), and install all the necessary add-ons using the fully GitOps method. Currently, the tools I am considering, but open to any better ones:
• ArgoCD for CD - using ApplicationSet heavily and the app of apps pattern
• Cluster API for provisioning Amazon EKS clusters (was considering at one point using Crossplane), open to any.
Problem: I would like to know how you guys are managing IAM Roles for Service Accounts in that case? What are the common methods in industry to manage this? What are the best practices to integrate IRSA with add-ons to improve security, and achieve this in an automated way (GitOps)?


This talk could give some insight, in particular the discussion of what's done with Crossplane vs what's done with Argo:
Thanks @Kévin Sztern looking into it now.
@Kévin Sztern This was a great talk, thanks for pointing at this one.
I did a high-level talk on that:


It boils down to, in a first stage, setting up the bare minimum for EKS to function (we used Terraform) and then letting ArgoCD take care of the rest. In both cases the source of truth is Git, and any changes have to be made using commits (well, you could run Terraform locally if you wanted instead of using Atlantis).
This way you can also re-use the common AWS base for other (non-Kubernetes) things, and you prevent running too many Kubernetes resources outside of the controller manager.
Not sure if you've tried this already, but AWS EKS Blueprints may help. They have CDK and TF variants for doing what I think you are asking for: https://aws-quickstart.github.io/cdk-eks-blueprints/addons/argo-cd/
In the AWS EKS Blueprints, they use the concept of Teams to help with role management. Service accounts are created for the application(s), engineer(s) and operator(s) separately.
Thanks @John Keates, it was a great presentation. @Kevin Davis I am aware of EKS Blueprints, and it works with ArgoCD. However, there is no specific example or architecture pattern available, as per my understanding, to have a hub-and-spoke model with ArgoCD in a fully automated way. Another reason I am looking into Crossplane and Cluster API is to manage clusters in a GitOps way, and make lifecycle management easier. Although Cluster API is a ready-made solution, it doesn't have everything we need. So, Crossplane is the tool we have decided to use.