From 0492955751c18f14acbd1b52444cfec14376f0c5 Mon Sep 17 00:00:00 2001 From: yutachaos <18604471+yutachaos@users.noreply.github.com> Date: Fri, 22 Apr 2022 20:50:37 +0900 Subject: [PATCH] feat: Added appmesh controller support to `iam-role-for-service-accounts-eks` (#231) Co-authored-by: Bryant Biggs Co-authored-by: Anton Babenko --- .../README.md | 2 + .../iam-role-for-service-accounts-eks/main.tf | 32 ++++ .../README.md | 9 + .../policies.tf | 155 ++++++++++++++++++ .../variables.tf | 14 ++ 5 files changed, 212 insertions(+) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index aa5279e1..c6a9f468 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -31,6 +31,8 @@ No providers. | Name | Source | Version | |------|--------|---------| | [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [appmesh\_controller\_irsa\_role](#module\_appmesh\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [appmesh\_envoy\_proxy\_irsa\_role](#module\_appmesh\_envoy\_proxy\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a | diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index 084993a8..03372b5d 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf 
@@ -213,6 +213,38 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" { tags = local.tags } +module "appmesh_controller_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "appmesh-controller" + attach_appmesh_controller_policy = true + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["appmesh-system:appmesh-controller"] + } + } + + tags = local.tags +} + +module "appmesh_envoy_proxy_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "appmesh-envoy-proxy" + attach_appmesh_envoy_proxy_policy = true + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["appmesh-system:appmesh-envoy-proxy"] + } + } + + tags = local.tags +} + module "amazon_managed_service_prometheus_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index b0026444..c6d78215 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md 
@@ -11,6 +11,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml) - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json) - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules) +- [Appmesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/config/iam/controller-iam-policy.json) - [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html) - [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods) - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) @@ -115,6 +116,8 @@ No modules. | Name | Type | |------|------| | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -129,6 +132,8 @@ No modules. | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -144,6 +149,8 @@ No modules. | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -166,6 +173,8 @@ No modules. | [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | +| [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no | +| [attach\_appmesh\_envoy\_proxy\_policy](#input\_attach\_appmesh\_envoy\_proxy\_policy) | Determines whether to attach the Appmesh envoy proxy policy to the role | `bool` | `false` | no | | [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no | | [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no | | [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index f7c96471..baab14f8 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -896,6 +896,161 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_ policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn } +################################################################################ +# Appmesh Controller +################################################################################ +# https://github.com/aws/eks-charts/tree/master/stable/appmesh-controller#prerequisites +# https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/controller-iam-policy.json +data "aws_iam_policy_document" "appmesh_controller" { + count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0 + + statement { + actions = [ + "appmesh:ListVirtualRouters", + "appmesh:ListVirtualServices", + "appmesh:ListRoutes", + "appmesh:ListGatewayRoutes", + "appmesh:ListMeshes", + "appmesh:ListVirtualNodes", + "appmesh:ListVirtualGateways", + "appmesh:DescribeMesh", + "appmesh:DescribeVirtualRouter", + "appmesh:DescribeRoute", + "appmesh:DescribeVirtualNode", + "appmesh:DescribeVirtualGateway", + "appmesh:DescribeGatewayRoute", + "appmesh:DescribeVirtualService", + "appmesh:CreateMesh", + "appmesh:CreateVirtualRouter", + "appmesh:CreateVirtualGateway", + "appmesh:CreateVirtualService", + "appmesh:CreateGatewayRoute", + "appmesh:CreateRoute", + "appmesh:CreateVirtualNode", + "appmesh:UpdateMesh", + "appmesh:UpdateRoute", + "appmesh:UpdateVirtualGateway", + "appmesh:UpdateVirtualRouter", + "appmesh:UpdateGatewayRoute", + "appmesh:UpdateVirtualService", + "appmesh:UpdateVirtualNode", + "appmesh:DeleteMesh", + "appmesh:DeleteRoute", + "appmesh:DeleteVirtualRouter", + "appmesh:DeleteGatewayRoute", + "appmesh:DeleteVirtualService", + "appmesh:DeleteVirtualNode", + "appmesh:DeleteVirtualGateway" + ] + resources = ["*"] + } + + statement { + actions = [ + "arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh" + ] + resources = ["*"] + 
condition { + test = "StringLike" + variable = "iam:AWSServiceName" + values = ["appmesh.${local.dns_suffix}"] + } + } + + statement { + actions = [ + "acm:ListCertificates", + "acm:DescribeCertificate", + "acm-pca:DescribeCertificateAuthority", + "acm-pca:ListCertificateAuthorities" + ] + resources = ["*"] + } + + statement { + actions = [ + "servicediscovery:CreateService", + "servicediscovery:DeleteService", + "servicediscovery:GetService", + "servicediscovery:GetInstance", + "servicediscovery:RegisterInstance", + "servicediscovery:DeregisterInstance", + "servicediscovery:ListInstances", + "servicediscovery:ListNamespaces", + "servicediscovery:ListServices", + "servicediscovery:GetInstancesHealthStatus", + "servicediscovery:UpdateInstanceCustomHealthStatus", + "servicediscovery:GetOperation", + "route53:GetHealthCheck", + "route53:CreateHealthCheck", + "route53:UpdateHealthCheck", + "route53:ChangeResourceRecordSets", + "route53:DeleteHealthCheck" + ] + resources = ["*"] + } +} + +resource "aws_iam_policy" "appmesh_controller" { + count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0 + + name_prefix = "AmazonEKS_Appmesh_Controller-" + path = var.role_path + description = "Provides permissions to for appmesh controller" + policy = data.aws_iam_policy_document.appmesh_controller[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "appmesh_controller" { + count = var.create_role && var.attach_appmesh_controller_policy ? 
1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.appmesh_controller[0].arn +} + +################################################################################ +# Appmesh envoy proxy +################################################################################ +# https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/f4a551399c4a4428d31692d0e6d944c2b78f2753/config/helm/appmesh-controller/README.md#with-irsa +# https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json +data "aws_iam_policy_document" "appmesh_envoy_proxy" { + count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0 + + statement { + actions = [ + "appmesh:StreamAggregatedResources" + ] + resources = ["*"] + } + + statement { + actions = [ + "acm:ExportCertificate", + "acm-pca:GetCertificateAuthorityCertificate" + ] + resources = ["*"] + } +} + +resource "aws_iam_policy" "appmesh_envoy_proxy" { + count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0 + + name_prefix = "AmazonEKS_Appmesh_Envoy_Proxy-" + path = var.role_path + description = "Provides permissions to for appmesh envoy proxy" + policy = data.aws_iam_policy_document.appmesh_envoy_proxy[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "appmesh_envoy_proxy" { + count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.appmesh_envoy_proxy[0].arn +} + ################################################################################ # Amazon Managed Service for Prometheus Policy ################################################################################ diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 65ccacdd..4eaf2a3b 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf 
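Review bot: The second statement of `data.aws_iam_policy_document.appmesh_controller` puts the service-linked-role ARN into `actions` and leaves `resources = ["*"]`, so it never grants `iam:CreateServiceLinkedRole`: IAM will most likely reject the rendered policy as malformed (actions must be `service:Operation`), and even if it were accepted the controller could not create `AWSServiceRoleForAppMesh` in an account where it does not yet exist. The upstream `controller-iam-policy.json` linked in the comment has `iam:CreateServiceLinkedRole` as the action with that ARN as the resource, so the fix is `actions = ["iam:CreateServiceLinkedRole"]` and `resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]`, keeping the `iam:AWSServiceName` condition as written. Separately, `acm:ExportCertificate` on `"*"` in the envoy proxy policy lets any pod bound to that role export the private key of every exportable ACM certificate in the account, and `route53:ChangeResourceRecordSets` on `"*"` in the controller policy can rewrite records in any hosted zone; both mirror upstream, but an ARN-list input like the existing `amazon_managed_service_prometheus_workspace_arns` would let operators scope them rather than inherit account-wide access. Finally, both `description` strings read "Provides permissions to for appmesh …"; drop the stray `to`.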
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf @@ -212,6 +212,20 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" { default = false } +# AWS Appmesh Controller +variable "attach_appmesh_controller_policy" { + description = "Determines whether to attach the Appmesh Controller policy to the role" + type = bool + default = false +} + +# AWS Appmesh envoy proxy +variable "attach_appmesh_envoy_proxy_policy" { + description = "Determines whether to attach the Appmesh envoy proxy policy to the role" + type = bool + default = false +} + # Amazon Managed Service for Prometheus variable "attach_amazon_managed_service_prometheus_policy" { description = "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role"