-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
70 lines (60 loc) · 2.33 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
locals {
eks_oidc_issuer_url = replace(var.eks_oidc_provider_arn, "/^(.*provider/)/", "")
}
resource "kubernetes_namespace_v1" "irsa" {
count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0
metadata {
name = var.kubernetes_namespace
}
timeouts {
delete = "15m"
}
}
resource "kubernetes_service_account_v1" "irsa" {
count = var.create_kubernetes_service_account ? 1 : 0
metadata {
name = var.kubernetes_service_account
namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null
}
dynamic "image_pull_secret" {
for_each = var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : []
content {
name = image_pull_secret.value
}
}
automount_service_account_token = true
}
# NOTE: Don't change the condition from StringLike to StringEquals. We are using wild characters for service account hence StringLike is required.
resource "aws_iam_role" "irsa" {
count = var.irsa_iam_policies != null ? 1 : 0
name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}."
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Federated" : "${var.eks_oidc_provider_arn}"
},
"Action" : "sts:AssumeRoleWithWebIdentity",
"Condition" : {
"StringLike" : {
"${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}",
"${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
}
}
}
]
})
path = var.irsa_iam_role_path
force_detach_policies = true
permissions_boundary = var.irsa_iam_permissions_boundary
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "irsa" {
count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
policy_arn = var.irsa_iam_policies[count.index]
role = aws_iam_role.irsa[0].name
}