From cd0821644daf26926ead02a29e25b938f5f910cf Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Thu, 11 May 2023 16:52:20 -0400 Subject: [PATCH 1/2] feat: Add support for AWS Gateway API controller (VPC Lattice) to IRSA module --- .pre-commit-config.yaml | 2 +- .../README.md | 1 + .../iam-role-for-service-accounts-eks/main.tf | 16 ++++++++ .../README.md | 4 ++ .../policies.tf | 38 +++++++++++++++++++ .../variables.tf | 7 ++++ 6 files changed, 67 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 071427d7..4395e67e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.1 + rev: v1.79.1 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index c173e960..979ece7b 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -33,6 +33,7 @@ Run `terraform destroy` when you don't need these resources. | Name | Source | Version | |------|--------|---------| | [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [api\_gateway\_controller\_irsa\_role](#module\_api\_gateway\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [appmesh\_controller\_irsa\_role](#module\_appmesh\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [appmesh\_envoy\_proxy\_irsa\_role](#module\_appmesh\_envoy\_proxy\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | 
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index 9ebdf882..aeb0f300 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -47,6 +47,22 @@ module "irsa_role" { tags = local.tags } +module "api_gateway_controller_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "api-gateway-controller" + attach_api_gateway_controller_policy = true + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["aws-application-networking-system:gateway-api-controller"] + } + } + + tags = local.tags +} + module "cert_manager_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index 5161264d..c974902f 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -122,6 +122,7 @@ No modules. | Name | Type | |------|------| | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -139,6 +140,7 @@ No modules. | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -157,6 +159,7 @@ No modules. | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -184,6 +187,7 @@ No modules. | [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | +| [attach\_api\_gateway\_controller\_policy](#input\_attach\_api\_gateway\_controller\_policy) | Determines whether to attach the API Gateway Controller IAM policy to the role | `bool` | `false` | no | | [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no | | [attach\_appmesh\_envoy\_proxy\_policy](#input\_attach\_appmesh\_envoy\_proxy\_policy) | Determines whether to attach the Appmesh envoy proxy policy to the role | `bool` | `false` | no | | [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 79196728..9c3c0338 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -1,3 +1,41 @@ +################################################################################ +# API Gateway Controller Policy +################################################################################ + +data "aws_iam_policy_document" "api_gateway_controller" { + count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 + + # https://github.com/aws/aws-application-networking-k8s/blob/main/examples/recommended-inline-policy.json + statement { + actions = [ + "vpc-lattice:*", + "iam:CreateServiceLinkedRole", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + ] + resources = ["*"] + } +} + + +resource "aws_iam_policy" "api_gateway_controller" { + count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 + + name_prefix = "${var.policy_name_prefix}APIGatewayController-" + path = var.role_path + description = "Provides permissions for the API Gateway Controller" + policy = data.aws_iam_policy_document.api_gateway_controller[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "api_gateway_controller" { + count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.api_gateway_controller[0].arn +} + ################################################################################ # Cert Manager Policy ################################################################################ diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 2b5df935..17832d5c 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf 
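Review bot: The single statement grants `iam:CreateServiceLinkedRole` on `resources = ["*"]` with no `iam:AWSServiceName` condition, so the controller's role can create the service-linked role of any AWS service rather than only VPC Lattice's; `vpc-lattice:*` and the two `ec2:Describe*` calls realistically need `*`, but the SLR grant can be split out and scoped the way this module's FSx policy already scopes its `aws-service-role/...` ARNs. The linked recommended-inline-policy.json is presumably where the flat shape comes from, so this is a tightening applied on top of the upstream reference, not a deviation from it. The same statement is carried unchanged through the rename in the second patch (the policies.tf hunks following the `AWS Gateway Controller Policy` header), so one change covers both. The service principal `vpc-lattice.amazonaws.com` used below should be confirmed against the VPC Lattice service-linked-role documentation before merging.
```hcl
data "aws_iam_policy_document" "api_gateway_controller" {
  # … unchanged: count and upstream policy reference …

  statement {
    actions = [
      "vpc-lattice:*",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
    ]
    resources = ["*"]
  }

  # Service-linked-role creation limited to the VPC Lattice service
  statement {
    actions   = ["iam:CreateServiceLinkedRole"]
    resources = ["arn:${local.partition}:iam::${local.account_id}:role/aws-service-role/vpc-lattice.amazonaws.com/*"]

    condition {
      test     = "StringEquals"
      variable = "iam:AWSServiceName"
      values   = ["vpc-lattice.amazonaws.com"]
    }
  }
}
```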
@@ -86,6 +86,13 @@ variable "allow_self_assume_role" { # Policies ################################################################################ +# API Gateway Controller +variable "attach_api_gateway_controller_policy" { + description = "Determines whether to attach the API Gateway Controller IAM policy to the role" + type = bool + default = false +} + # Cert Manager variable "attach_cert_manager_policy" { description = "Determines whether to attach the Cert Manager IAM policy to the role" From 5ca15c6b85f6802b384d6ab9687d136c11ac7a5c Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 22 May 2023 14:49:57 -0400 Subject: [PATCH 2/2] fix: Update example after testing; add correct variable names to match EKS module output --- .../README.md | 7 +-- .../iam-role-for-service-accounts-eks/main.tf | 44 ++++++++++--------- .../README.md | 16 ++++--- .../iam-role-for-service-accounts-eks/main.tf | 2 +- .../policies.tf | 38 +++++++++------- .../variables.tf | 22 +++++++--- 6 files changed, 76 insertions(+), 53 deletions(-) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index 979ece7b..25fcda06 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md 
@@ -33,15 +33,15 @@ Run `terraform destroy` when you don't need these resources. | Name | Source | Version | |------|--------|---------| | [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | -| [api\_gateway\_controller\_irsa\_role](#module\_api\_gateway\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [appmesh\_controller\_irsa\_role](#module\_appmesh\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [appmesh\_envoy\_proxy\_irsa\_role](#module\_appmesh\_envoy\_proxy\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [aws\_gateway\_controller\_irsa\_role](#module\_aws\_gateway\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.21 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.14 | | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | 
@@ -53,7 +53,7 @@ Run `terraform destroy` when you don't need these resources. | [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [velero\_irsa\_role](#module\_velero\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | | [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_ipv6\_irsa\_role](#module\_vpc\_cni\_ipv6\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | @@ -62,6 +62,7 @@ Run `terraform destroy` when you don't need these resources. | Name | Type | |------|------| | [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index aeb0f300..a8eb1eca 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -2,10 +2,15 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-iam-eks-role" + name = "ex-irsa" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-iam" 
@@ -47,11 +52,11 @@ module "irsa_role" { tags = local.tags } -module "api_gateway_controller_irsa_role" { +module "aws_gateway_controller_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "api-gateway-controller" - attach_api_gateway_controller_policy = true + role_name = "aws-gateway-controller" + attach_aws_gateway_controller_policy = true oidc_providers = { ex = { @@ -85,7 +90,7 @@ module "cluster_autoscaler_irsa_role" { role_name = "cluster-autoscaler" attach_cluster_autoscaler_policy = true - cluster_autoscaler_cluster_ids = [module.eks.cluster_id] + cluster_autoscaler_cluster_names = [module.eks.cluster_name] oidc_providers = { ex = { @@ -185,7 +190,7 @@ module "karpenter_controller_irsa_role" { role_name = "karpenter-controller" attach_karpenter_controller_policy = true - karpenter_controller_cluster_id = module.eks.cluster_id + karpenter_controller_cluster_name = module.eks.cluster_name karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn] oidc_providers = { @@ -377,7 +382,7 @@ module "iam_eks_role" { role_name = "my-app" role_policy_arns = { - policy = "arn:aws:iam::012345678901:policy/myapp" + policy = module.iam_policy.arn } oidc_providers = { 
@@ -398,27 +403,24 @@ module "iam_eks_role" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 3.0" + version = "~> 4.0" name = local.name - cidr = "10.0.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] - enable_nat_gateway = true - single_nat_gateway = true - enable_dns_hostnames = true + enable_nat_gateway = true + single_nat_gateway = true public_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/elb" = 1 + "kubernetes.io/role/elb" = 1 } private_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/internal-elb" = 1 + "kubernetes.io/role/internal-elb" = 1 } tags = local.tags @@ -426,10 +428,10 @@ module "vpc" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 18.21" + version = "~> 19.14" cluster_name = local.name - cluster_version = "1.22" + cluster_version = "1.26" vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index c974902f..602ff55e 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -69,7 +69,7 @@ module "karpenter_irsa_role" { role_name = "karpenter_controller" attach_karpenter_controller_policy = true - karpenter_controller_cluster_id = module.eks.cluster_id + karpenter_controller_cluster_name = module.eks.cluster_name karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn] attach_vpc_cni_policy = true 
@@ -122,9 +122,9 @@ No modules. | Name | Type | |------|------| | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.aws_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -140,9 +140,9 @@ No modules. | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aws_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -159,9 +159,9 @@ No modules. | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.api_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.aws_gateway_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -187,9 +187,9 @@ No modules. | [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | -| [attach\_api\_gateway\_controller\_policy](#input\_attach\_api\_gateway\_controller\_policy) | Determines whether to attach the API Gateway Controller IAM policy to the role | `bool` | `false` | no | | [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no | | [attach\_appmesh\_envoy\_proxy\_policy](#input\_attach\_appmesh\_envoy\_proxy\_policy) | Determines whether to attach the Appmesh envoy proxy policy to the role | `bool` | `false` | no | +| [attach\_aws\_gateway\_controller\_policy](#input\_attach\_aws\_gateway\_controller\_policy) | Determines whether to attach the AWS Gateway Controller IAM policy to the role | `bool` | `false` | no | | [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no | | [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no | | [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no | 
@@ -204,7 +204,8 @@ No modules. | [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no | | [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no | | [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | -| [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | +| [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | [Deprecated - use `cluster_autoscaler_cluster_names`] List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | +| [cluster\_autoscaler\_cluster\_names](#input\_cluster\_autoscaler\_cluster\_names) | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no | | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no | | [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | @@ -213,7 +214,8 @@ No modules. | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | | [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` |
[
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no | -| [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | +| [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | [Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | +| [karpenter\_controller\_cluster\_name](#input\_karpenter\_controller\_cluster\_name) | The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | | [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no | | [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/aws/service/*"
]
| no | | [karpenter\_sqs\_queue\_arn](#input\_karpenter\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `null` | no | diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf index 6095f390..b24a8fff 100644 --- a/modules/iam-role-for-service-accounts-eks/main.tf +++ b/modules/iam-role-for-service-accounts-eks/main.tf @@ -7,7 +7,7 @@ locals { partition = data.aws_partition.current.partition dns_suffix = data.aws_partition.current.dns_suffix region = data.aws_region.current.name - role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*" + role_name_condition = try(coalesce(var.role_name, "${var.role_name_prefix}*"), null) } data "aws_iam_policy_document" "this" { diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 9c3c0338..44ce1473 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -1,11 +1,11 @@ ################################################################################ -# API Gateway Controller Policy +# AWS Gateway Controller Policy ################################################################################ -data "aws_iam_policy_document" "api_gateway_controller" { - count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 +data "aws_iam_policy_document" "aws_gateway_controller" { + count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0 - # https://github.com/aws/aws-application-networking-k8s/blob/main/examples/recommended-inline-policy.json + # https://github.com/aws/aws-application-networking-k8s/blob/v0.0.11/examples/recommended-inline-policy.json statement { actions = [ "vpc-lattice:*", 
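Review bot: `try(coalesce(var.role_name, "${var.role_name_prefix}*"), null)` evaluates the prefix template regardless of whether `var.role_name` is set, and a null `role_name_prefix` inside a string template is an error as far as I can tell, so in the common case of `role_name` set and no prefix the whole `coalesce` fails and `try` falls through to `null`, silently dropping the role-name value this local exists to provide; the previous ternary did not surface errors from the branch it did not take. Where `role_name_condition` is consumed is outside this hunk, so I cannot see whether a null there errors or widens the self-assume resource ARN — worth a plan with `role_name` set, `role_name_prefix` null and `allow_self_assume_role = true`. Suggest `role_name_condition = var.role_name != null ? var.role_name : (var.role_name_prefix != null ? "${var.role_name_prefix}*" : null)`, which keeps the null-safe outcome the commit is after without touching the `role_name` path. The enclosing `locals` block starts outside the hunk.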
@@ -18,22 +18,22 @@ data "aws_iam_policy_document" "api_gateway_controller" { } -resource "aws_iam_policy" "api_gateway_controller" { - count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 +resource "aws_iam_policy" "aws_gateway_controller" { + count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0 - name_prefix = "${var.policy_name_prefix}APIGatewayController-" + name_prefix = "${var.policy_name_prefix}AWSGatewayController-" path = var.role_path - description = "Provides permissions for the API Gateway Controller" - policy = data.aws_iam_policy_document.api_gateway_controller[0].json + description = "Provides permissions for the AWS Gateway Controller" + policy = data.aws_iam_policy_document.aws_gateway_controller[0].json tags = var.tags } -resource "aws_iam_role_policy_attachment" "api_gateway_controller" { - count = var.create_role && var.attach_api_gateway_controller_policy ? 1 : 0 +resource "aws_iam_role_policy_attachment" "aws_gateway_controller" { + count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0 role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.api_gateway_controller[0].arn + policy_arn = aws_iam_policy.aws_gateway_controller[0].arn } ################################################################################ @@ -108,7 +108,8 @@ data "aws_iam_policy_document" "cluster_autoscaler" { } dynamic "statement" { - for_each = toset(var.cluster_autoscaler_cluster_ids) + # TODO - remove *_ids at next breaking change + for_each = toset(coalescelist(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names)) content { actions = [ "autoscaling:SetDesiredCapacity", 
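Review bot: `coalescelist(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names)` fails when every argument is empty, which is the default for both variables, so `attach_cluster_autoscaler_policy = true` without either input now errors at plan time where the previous `toset(var.cluster_autoscaler_cluster_ids)` simply emitted no cluster-scoped statements; that fails closed rather than over-granting, but it is a breaking change the commit message does not mention. It also means the deprecated `_ids` input silently takes precedence when a caller sets both, which is the opposite of what the `[Deprecated - use cluster_autoscaler_cluster_names]` description implies. `for_each = toset(coalescelist(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names))` could become `for_each = toset(concat(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names))`, keeping the old empty-list behaviour and honouring both inputs for the deprecation window. The `dynamic "statement"` block and its enclosing data source continue outside the hunk.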
@@ -585,6 +586,11 @@ resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" { # Karpenter Controller Policy ################################################################################ +locals { + # TODO - remove this at next breaking change + karpenter_controller_cluster_name = var.karpenter_controller_cluster_name != "*" ? var.karpenter_controller_cluster_name : var.karpenter_controller_cluster_id +} + # https://github.com/aws/karpenter/blob/502d275cc330fb0f2435b124935c49632146d945/website/content/en/v0.19.0/getting-started/getting-started-with-eksctl/cloudformation.yaml#L34 data "aws_iam_policy_document" "karpenter_controller" { count = var.create_role && var.attach_karpenter_controller_policy ? 1 : 0 @@ -621,7 +627,7 @@ data "aws_iam_policy_document" "karpenter_controller" { condition { test = "StringEquals" variable = "ec2:ResourceTag/${var.karpenter_tag_key}" - values = [var.karpenter_controller_cluster_id] + values = [local.karpenter_controller_cluster_name] } } @@ -634,7 +640,7 @@ data "aws_iam_policy_document" "karpenter_controller" { condition { test = "StringEquals" variable = "ec2:ResourceTag/${var.karpenter_tag_key}" - values = [var.karpenter_controller_cluster_id] + values = [local.karpenter_controller_cluster_name] } } @@ -663,7 +669,7 @@ data "aws_iam_policy_document" "karpenter_controller" { statement { actions = ["eks:DescribeCluster"] - resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.karpenter_controller_cluster_id}"] + resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${local.karpenter_controller_cluster_name}"] } dynamic "statement" { diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 17832d5c..92c6b598 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf 
@@ -86,9 +86,9 @@ variable "allow_self_assume_role" { # Policies ################################################################################ -# API Gateway Controller -variable "attach_api_gateway_controller_policy" { - description = "Determines whether to attach the API Gateway Controller IAM policy to the role" +# AWS Gateway Controller +variable "attach_aws_gateway_controller_policy" { + description = "Determines whether to attach the AWS Gateway Controller IAM policy to the role" type = bool default = false } @@ -114,7 +114,13 @@ variable "attach_cluster_autoscaler_policy" { } variable "cluster_autoscaler_cluster_ids" { - description = "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy" + description = "[Deprecated - use `cluster_autoscaler_cluster_names`] List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy" + type = list(string) + default = [] +} + +variable "cluster_autoscaler_cluster_names" { + description = "List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy" type = list(string) default = [] } @@ -198,7 +204,13 @@ variable "attach_karpenter_controller_policy" { } variable "karpenter_controller_cluster_id" { - description = "Cluster ID where the Karpenter controller is provisioned/managing" + description = "[Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing" + type = string + default = "*" +} + +variable "karpenter_controller_cluster_name" { + description = "The name of the cluster where the Karpenter controller is provisioned/managing" type = string default = "*" }