
feat: Add support for AMP, cert-manager, and external-secrets to `iam…
…-role-for-service-accounts-eks` (#223)
bryantbiggs authored Apr 13, 2022
1 parent 912f29c commit f53d409
Showing 5 changed files with 531 additions and 195 deletions.
4 changes: 4 additions & 0 deletions examples/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -30,12 +30,16 @@ No providers.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_amazon_managed_service_prometheus_irsa_role"></a> [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cert_manager_irsa_role"></a> [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
| <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_external_secrets_irsa_role"></a> [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
117 changes: 91 additions & 26 deletions examples/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -47,34 +47,34 @@ module "irsa_role" {
tags = local.tags
}

module "cluster_autoscaler_irsa_role" {
module "cert_manager_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "cluster-autoscaler"
attach_cluster_autoscaler_policy = true
cluster_autoscaler_cluster_ids = [module.eks.cluster_id]
role_name = "cert-manager"
attach_external_dns_policy = true
cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
namespace_service_accounts = ["kube-system:cert-manager"]
}
}

tags = local.tags
}

module "external_dns_irsa_role" {
module "cluster_autoscaler_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "external-dns"
attach_external_dns_policy = true
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
role_name = "cluster-autoscaler"
attach_cluster_autoscaler_policy = true
cluster_autoscaler_cluster_ids = [module.eks.cluster_id]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["default:my-app", "canary:my-app"]
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
}
}

Expand Down Expand Up @@ -113,54 +113,53 @@ module "efs_csi_irsa_role" {
tags = local.tags
}

module "vpc_cni_ipv4_irsa_role" {
module "external_dns_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
role_name = "external-dns"
attach_external_dns_policy = true
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
namespace_service_accounts = ["kube-system:external-dns"]
}
}

tags = local.tags
}

module "vpc_cni_ipv6_irsa_role" {
module "external_secrets_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv6"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv6 = true
role_name = "external-secrets"
attach_external_secrets_policy = true
external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
namespace_service_accounts = ["default:kubernetes-external-secrets"]
}
}

tags = local.tags
}

module "node_termination_handler_irsa_role" {
module "fsx_lustre_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "node-termination-handler"
attach_node_termination_handler_policy = true
role_name = "fsx-lustre-csi"
attach_fsx_lustre_csi_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-node"]
namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"]
}
}

tags = local.tags
}

module "karpenter_controller_irsa_role" {
Expand Down Expand Up @@ -214,6 +213,72 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
tags = local.tags
}

module "amazon_managed_service_prometheus_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "amazon-managed-service-prometheus"
attach_amazon_managed_service_prometheus_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["prometheus:amp-ingest"]
}
}

tags = local.tags
}

module "node_termination_handler_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "node-termination-handler"
attach_node_termination_handler_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-node"]
}
}

tags = local.tags
}

module "vpc_cni_ipv4_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
}
}

tags = local.tags
}

module "vpc_cni_ipv6_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv6"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv6 = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
}
}

tags = local.tags
}

################################################################################
# Supporting Resources
################################################################################
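Review bot: The new `cert_manager_irsa_role` block sets `attach_external_dns_policy = true` alongside `cert_manager_hosted_zone_arns`, which breaks the `attach_<name>_policy` / `<name>_*` pairing every other block in this file follows and looks like a copy-paste leftover from the external-dns block above it. If the module resolves inputs the way the other blocks imply, the cert-manager role would receive external-dns's Route53 permissions (scoped by that policy's own defaults, since `external_dns_hosted_zone_arns` is not set here) while the `cert_manager_hosted_zone_arns` value is silently ignored; I would expect the line to read `attach_cert_manager_policy = true`, and a quick `terraform plan` on the example should show whether the resulting policy document references the intended hosted zone. Separately, the `external_secrets_irsa_role` example grants access via `arn:aws:ssm:*:*:parameter/foo` and `arn:aws:secretsmanager:*:*:secret:bar`; since the README is what users copy from, a one-line comment such as `# Example only: replace the region/account wildcards with your own account and region` above those two lines would steer readers toward least-privilege ARNs.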
