feat: Add conditional policy statement attachments for EKS IAM role module (#184)
bryantbiggs authored Feb 16, 2022
1 parent 9575b7e commit e29b94f
Showing 47 changed files with 1,467 additions and 191 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.62.3
rev: v1.64.0
hooks:
- id: terraform_fmt
- id: terraform_validate
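Review bot: the `rev` bump from v1.62.3 to v1.64.0 is unrelated to the EKS role feature named in the commit title; landing it as its own chore commit keeps the feature change reviewable and bisectable on its own. Since `rev` points at a git tag, which can be moved after the fact, pinning the hook to the tag's commit SHA would make the pre-commit tooling reproducible across checkouts.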
158 changes: 92 additions & 66 deletions README.md
@@ -3,7 +3,7 @@
## Features

1. **Cross-account access.** Define IAM roles using `iam_assumable_role` or `iam_assumable_roles` submodules in "resource AWS accounts (prod, staging, dev)" and IAM groups and users using `iam-group-with-assumable-roles-policy` submodule in "IAM AWS Account" to setup access controls between accounts. See [iam-group-with-assumable-roles-policy example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) for more details.
1. **Individual IAM resources (users, roles, policies).** See usage snippets and [examples](https://github.com/terraform-aws-modules/terraform-aws-iam#examples) listed below.
2. **Individual IAM resources (users, roles, policies).** See usage snippets and [examples](https://github.com/terraform-aws-modules/terraform-aws-iam#examples) listed below.

## Usage

@@ -134,63 +134,31 @@ module "iam_assumable_roles_with_saml" {
}
```

`iam-user`:
`iam-eks-role`:

```hcl
module "iam_user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
version = "~> 4"
name = "vasya.pupkin"
force_destroy = true
pgp_key = "keybase:test"
password_reset_required = false
}
```
module "iam_eks_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
version = "~> 4"
`iam-policy`:
role_name = "my-app"
```hcl
module "iam_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 4"
cluster_service_accounts = {
"cluster1" = ["default:my-app"]
"cluster2" = [
"default:my-app",
"canary:my-app",
]
}
name = "example"
path = "/"
description = "My example policy"
tags = {
Name = "eks-role"
}
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
]
}
EOF
}
```

`iam-read-only-policy`:

```hcl
module "iam_read_only_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"
version = "~> 4"
name = "example"
path = "/"
description = "My example read-only policy"
allowed_services = ["rds", "dynamo", "health"]
}
```

`iam-group-with-assumable-roles-policy`:
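Review bot: in the relocated `iam-eks-role` snippet, a role named `my-app` whose trust is scoped to the `default:my-app` and `canary:my-app` service accounts is handed `arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy`, the managed policy for the VPC CNI (`aws-node`), not for an application workload. Swapping in an application-scoped policy ARN, or adding a comment that the ARN is only illustrative, keeps the README from modelling an over-privileged role. The remaining lines in this hunk are the `iam-user`, `iam-policy` and `iam-read-only-policy` snippets being removed for re-insertion later in the file in alphabetical order, so it is worth checking the re-added copies line by line to confirm they were moved unchanged.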
@@ -242,30 +210,87 @@ module "iam_group_with_policies" {
}
```

`iam-eks-role`:
`iam-policy`:

```hcl
module "iam_eks_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
module "iam_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 4"
name = "example"
path = "/"
description = "My example policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
```

`iam-read-only-policy`:

```hcl
module "iam_read_only_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"
version = "~> 4"
name = "example"
path = "/"
description = "My example read-only policy"
allowed_services = ["rds", "dynamo", "health"]
}
```

`iam-role-for-service-accounts-eks`:

```hcl
module "vpc_cni_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "~> 4"
role_name = "my-app"
role_name = "vpc-cni"
cluster_service_accounts = {
"cluster1" = ["default:my-app"]
"cluster2" = [
"default:my-app",
"canary:my-app",
]
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
oidc_providers = {
main = {
provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
namespace_service_accounts = ["default:my-app", "canary:my-app"]
}
}
tags = {
Name = "eks-role"
Name = "vpc-cni-irsa"
}
}
```

role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
]
`iam-user`:

```hcl
module "iam_user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
version = "~> 4"
name = "vasya.pupkin"
force_destroy = true
pgp_key = "keybase:test"
password_reset_required = false
}
```

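Review bot: the new `iam-role-for-service-accounts-eks` snippet names the role `vpc-cni` and sets `attach_vpc_cni_policy = true` / `vpc_cni_enable_ipv4 = true`, yet its trust policy is scoped via `namespace_service_accounts = ["default:my-app", "canary:my-app"]`. The VPC CNI runs as `kube-system:aws-node`, so as written the role could not be assumed by the CNI and would instead be assumable by application service accounts that then carry CNI permissions. Either set `namespace_service_accounts = ["kube-system:aws-node"]` or rename the role and drop the CNI flags, so the snippet models one consistent, least-privilege use case. The `provider_arn` carries a placeholder account id and OIDC id, which is fine for a README, but a short comment saying so discourages copy-pasting the literal values.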
@@ -318,12 +343,13 @@ Use [iam-read-only-policy module](https://github.com/terraform-aws-modules/terra
- [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
- [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed by users with a SAML Identity Provider
- [iam-eks-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-eks-role) - Create an IAM role which can be assumed by one or more EKS `ServiceAccount`
- [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
- [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account
- [iam-group-with-policies](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-policies) - IAM group with users who are allowed specified IAM policies (eg, "manage their own IAM user")
- [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
- [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)
- [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create IAM policy
- [iam-read-only-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-read-only-policy) - Create IAM read-only policy
- [iam-role-for-service-accounts-eks](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts-eks) - Create IAM role for service accounts (IRSA) for use within EKS clusters
- [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)

## Authors

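Review bot: after this reorder the list carries both `iam-eks-role` ("an IAM role which can be assumed by one or more EKS `ServiceAccount`") and `iam-role-for-service-accounts-eks` ("IAM role for service accounts (IRSA) for use within EKS clusters"), which describe the same capability, and nothing tells a reader which to choose. One clause on the `iam-eks-role` entry stating how the two differ, or which one is preferred going forward, would save readers a trip into both example directories.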
5 changes: 4 additions & 1 deletion examples/iam-account/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
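Review bot: the `required_providers` object form with `source = "hashicorp/aws"` is rejected by Terraform 0.12.6 through 0.12.25, which the unchanged `required_version = ">= 0.12.6"` still admits; the object syntax is accepted from 0.12.26 (with `source` ignored) and honoured from 0.13 onward. Raising `required_version` to `>= 0.12.26`, or to `>= 0.13.1` as the new `iam-role-for-service-accounts-eks` example's README requires, makes the constraint truthful. The same point applies to each of the other eleven `examples/*/versions.tf` hunks in this commit, which make the identical change.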
5 changes: 4 additions & 1 deletion examples/iam-assumable-role-with-oidc/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-assumable-role-with-saml/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-assumable-role/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-assumable-roles-with-saml/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-assumable-roles/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-group-complete/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-group-with-assumable-roles-policy/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-group-with-policies/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-policy/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
5 changes: 4 additions & 1 deletion examples/iam-read-only-policy/versions.tf
@@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.12.6"

required_providers {
aws = ">= 2.23"
aws = {
source = "hashicorp/aws"
version = ">= 2.23"
}
}
}
61 changes: 61 additions & 0 deletions examples/iam-role-for-service-accounts-eks/README.md
@@ -0,0 +1,61 @@
# IAM Role for Service Accounts in EKS

Configuration in this directory creates IAM roles that can be assumed by multiple EKS `ServiceAccount`s for various tasks.

# Usage

To run this example you need to execute:

```bash
$ terraform init
$ terraform plan
$ terraform apply
```

Run `terraform destroy` when you don't need these resources.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
| <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_node_termination_handler_irsa_role"></a> [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
| <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc_cni_ipv6_irsa_role"></a> [vpc\_cni\_ipv6\_irsa\_role](#module\_vpc\_cni\_ipv6\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |

## Resources

No resources.

## Inputs

No inputs.

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of IAM role |
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role |
| <a name="output_iam_role_path"></a> [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
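Review bot: the heading levels in the new README are inconsistent: `# Usage` sits at the same level as the document title `# IAM Role for Service Accounts in EKS`, while the generated sections that follow are `##`; making it `## Usage` leaves a single H1. The `$` prompts inside the `bash` fence are copied along with the commands when readers paste the block; dropping them, or using a `console` fence, avoids that. The Outputs table surfaces a single `iam_role_*` set although the Modules table declares eleven IRSA modules, and the README does not say which module those outputs come from; a short note (or naming the outputs per module) would make the example's outputs self-explanatory.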
