[#77] Argo: EKS prereqs

odahu · Apr 13, 2021 · bc83bf6 · bc83bf6
1 parent c4ac81e
commit bc83bf6
Show file tree

Hide file tree

Showing 3 changed files with 129 additions and 0 deletions.
diff --git a/terraform/modules/k8s/argo/prereqs/eks/main.tf b/terraform/modules/k8s/argo/prereqs/eks/main.tf
@@ -0,0 +1,69 @@
+locals {
+  argo_sa_name        = "${var.cluster_name}-argo"
+  workflows_namespace = var.workflows_namespace == "" ? var.namespace : var.workflows_namespace
+}
+
+data "aws_s3_bucket" "argo" {
+  bucket = var.bucket
+}
+
+data "aws_iam_policy_document" "argo_base" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.openid_connect_provider.url, "https://", "")}:sub"
+      values = [
+        "system:serviceaccount:${var.namespace}:argo-server",
+        "system:serviceaccount:${local.workflows_namespace}:argo-workflow"
+      ]
+    }
+
+    principals {
+      identifiers = [var.openid_connect_provider.arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "argo" {
+  assume_role_policy = data.aws_iam_policy_document.argo_base.json
+  name               = "${var.cluster_name}-argo"
+}
+
+data "aws_iam_policy_document" "argo" {
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket"
+    ]
+    effect    = "Allow"
+    resources = ["${data.aws_s3_bucket.argo.arn}*"]
+  }
+  statement {
+    actions   = ["ecr:*"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    effect    = "Allow"
+    resources = [var.kms_key_arn]
+  }
+}
+
+resource "aws_iam_policy" "argo" {
+  name   = local.argo_sa_name
+  policy = data.aws_iam_policy_document.argo.json
+}
+
+resource "aws_iam_role_policy_attachment" "argo" {
+  policy_arn = aws_iam_policy.argo.arn
+  role       = aws_iam_role.argo.name
+}
diff --git a/terraform/modules/k8s/argo/prereqs/eks/output.tf b/terraform/modules/k8s/argo/prereqs/eks/output.tf
@@ -0,0 +1,17 @@
+output "argo_sa_annotations" {
+  value = {
+    "eks.amazonaws.com/role-arn" = aws_iam_role.argo.arn
+  }
+}
+
+output "argo_artifact_repository_config" {
+  value = {
+    s3 = {
+      useSDKCreds = true,
+      region      = data.aws_s3_bucket.argo.region,
+      endpoint    = "s3.amazonaws.com",
+      bucket      = data.aws_s3_bucket.argo.bucket,
+      keyFormat   = "argo/{{workflow.namespace}}/{{workflow.name}}/"
+    }
+  }
+}
diff --git a/terraform/modules/k8s/argo/prereqs/eks/variables.tf b/terraform/modules/k8s/argo/prereqs/eks/variables.tf
@@ -0,0 +1,43 @@
+# Common
+variable "cluster_name" {
+  type        = string
+  default     = "odahuflow"
+  description = "ODAHU flow cluster name"
+}
+
+variable "bucket" {
+  type        = string
+  description = "Argo artifacts bucket name"
+}
+
+variable "region" {
+  type        = string
+  description = "DAGs bucket region"
+}
+
+variable "workflows_namespace" {
+  type        = string
+  description = "Namespace to run Argo Workflows"
+}
+
+variable "namespace" {
+  type        = string
+  description = "Namespace to run Argo server"
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use when creating the encrypted volume"
+}
+
+variable "openid_connect_provider" {
+  type = object({
+    url = string
+    arn = string
+  })
+  default = ({
+    url = ""
+    arn = ""
+  })
+  description = "OpenID connect provider for IRSA"
+}