From d6ecfd31589857f1abfd819a059a7a61e19fddeb Mon Sep 17 00:00:00 2001
From: Annie Ku
Date: Tue, 3 Sep 2024 15:04:21 -0700
Subject: [PATCH] feat: create service account role module for EKS (#636)
* fix: create service account role for EKS
* don't need these variables
* finish my sentence
* apply jake's feedback/suggestions
Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
* remove unneeded stuff
---------
Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
---
 aws-iam-service-account-eks/README.md | 0
 aws-iam-service-account-eks/main.tf | 32 +++++++++++++++
 aws-iam-service-account-eks/module_test.go | 1 +
 aws-iam-service-account-eks/outputs.tf | 11 +++++
 aws-iam-service-account-eks/terraform.tf | 9 ++++
 aws-iam-service-account-eks/variables.tf | 48 ++++++++++++++++++++++
 6 files changed, 101 insertions(+)
 create mode 100644 aws-iam-service-account-eks/README.md
 create mode 100644 aws-iam-service-account-eks/main.tf
 create mode 100644 aws-iam-service-account-eks/module_test.go
 create mode 100644 aws-iam-service-account-eks/outputs.tf
 create mode 100644 aws-iam-service-account-eks/terraform.tf
 create mode 100644 aws-iam-service-account-eks/variables.tf
diff --git a/aws-iam-service-account-eks/README.md b/aws-iam-service-account-eks/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/aws-iam-service-account-eks/main.tf b/aws-iam-service-account-eks/main.tf
new file mode 100644
index 00000000..96d24b50
--- /dev/null
+++ b/aws-iam-service-account-eks/main.tf
@@ -0,0 +1,32 @@
+locals {
+ iam_path = coalesce(var.iam_path, "/${var.eks_cluster.cluster_id}/")
+ oidc_provider_url = replace(var.eks_cluster.cluster_oidc_issuer_url, "https://", "")
+ name = "${var.tags.service}-${var.tags.env}-${var.tags.project}"
+}
+
+data "aws_iam_policy_document" "assume-role" {
+ statement {
+ principals {
+ type = "Federated"
+ identifiers = [var.eks_cluster.oidc_provider_arn]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "${local.oidc_provider_url}:sub"
+ values = ["system:serviceaccount:${var.k8s_namespace}:${var.service_account_name}"]
+ }
+
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ }
+}
+
+resource "aws_iam_role" "role" {
+ name = local.name
+ description = "Service account role for ${local.name}"
+ assume_role_policy = data.aws_iam_policy_document.assume-role.json
+ path = local.iam_path
+ max_session_duration = var.max_session_duration
+ permissions_boundary = var.role_permissions_boundary_arn
+}
+
diff --git a/aws-iam-service-account-eks/module_test.go b/aws-iam-service-account-eks/module_test.go
new file mode 100644
index 00000000..56e54040
--- /dev/null
+++ b/aws-iam-service-account-eks/module_test.go
@@ -0,0 +1 @@
+package test
diff --git a/aws-iam-service-account-eks/outputs.tf b/aws-iam-service-account-eks/outputs.tf
new file mode 100644
index 00000000..56fcab11
--- /dev/null
+++ b/aws-iam-service-account-eks/outputs.tf
@@ -0,0 +1,11 @@
+output "iam_role_name_with_path" {
+ value = "${substr(local.iam_path, 1, -1)}${aws_iam_role.role.name}"
+}
+
+output "iam_role" {
+ value = aws_iam_role.role.name
+}
+
+output "iam_role_arn" {
+ value = aws_iam_role.role.arn
+}
diff --git a/aws-iam-service-account-eks/terraform.tf b/aws-iam-service-account-eks/terraform.tf
new file mode 100644
index 00000000..35670a72
--- /dev/null
+++ b/aws-iam-service-account-eks/terraform.tf
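Review bot: The trust policy built in `data "aws_iam_policy_document" "assume-role"` conditions only on `${local.oidc_provider_url}:sub`, so a web-identity token from this cluster's issuer is accepted whatever audience it was minted for; AWS's IRSA guidance pairs the subject check with a `StringEquals` on `${local.oidc_provider_url}:aud` equal to `sts.amazonaws.com`, and that second condition is missing here. The `StringLike` test also makes the subject value a glob, and with `service_account_name` defaulting to `"*"` (variables.tf in this same patch) the role by default trusts every service account in `var.k8s_namespace` — if that is intended, a comment on the condition saying so would help the next reader. Separately, `permissions_boundary = var.role_permissions_boundary_arn` passes the variable's empty-string default straight through; unless provider 5.x is confirmed to treat `""` as unset, `permissions_boundary = var.role_permissions_boundary_arn != "" ? var.role_permissions_boundary_arn : null` is the safer form.
```hcl
    # … unchanged: principals and the :sub condition …

    # Only accept tokens minted for STS; the :sub check alone does not bind the audience.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_provider_url}:aud"
      values   = ["sts.amazonaws.com"]
    }

    actions = ["sts:AssumeRoleWithWebIdentity"]
```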
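Review bot: None of the three outputs in outputs.tf carries a `description`, and `output "iam_role"` returns the role name, which its name does not say; add `description = "Name of the IAM role (without path)"` to it, `description = "Role name prefixed with its IAM path, leading slash removed"` to `iam_role_name_with_path`, and `description = "ARN of the IAM role"` to `iam_role_arn`. A one-line comment above the `substr(local.iam_path, 1, -1)` expression noting that it drops the first character of the path would also help, since that only yields the intended result when the path begins with `/` — true for the computed default, presumably the caller's responsibility for a supplied `iam_path`.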
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14"
+ }
+ }
+ required_version = ">= 1.3"
+}
\ No newline at end of file
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
new file mode 100644
index 00000000..9e3134b5
--- /dev/null
+++ b/aws-iam-service-account-eks/variables.tf
@@ -0,0 +1,48 @@
+variable "eks_cluster" {
+ type = object({
+ cluster_id : string,
+ cluster_arn : string,
+ cluster_endpoint : string,
+ cluster_ca : string,
+ cluster_oidc_issuer_url : string,
+ cluster_version : string,
+ worker_iam_role_name : string,
+ worker_security_group : string,
+ oidc_provider_arn : string,
+ })
+ description = "eks-cluster module output"
+}
+
+variable "k8s_namespace" {
+ description = "Kubernetes namespace that the service account is in"
+ type = string
+}
+
+variable "iam_path" {
+ type = string
+ default = ""
+ description = "IAM path for the role."
+}
+
+variable "role_permissions_boundary_arn" {
+ description = "Permissions boundary ARN to use for IAM role"
+ type = string
+ default = ""
+}
+
+variable "max_session_duration" {
+ description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+ type = number
+ default = 3600
+}
+
+variable "service_account_name" {
+ type = string
+ default = "*"
+ description = "Specified Service Account Name in case you want to customize it"
+}
+
+variable "tags" {
+ type = object({ project : string, env : string, service : string, owner : string, managedBy : string })
+ description = "Basic metadata about the service account"
+}
\ No newline at end of file
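Review bot: `variable "service_account_name"` defaults to `"*"`, which — because main.tf interpolates it into a `StringLike` subject condition — makes the role trust every service account in the namespace unless the caller overrides it, and the description ("in case you want to customize it") does not say so. Prefer requiring the value by dropping the `default = "*"` line, or at minimum reword it to something like `description = "Kubernetes service account allowed to assume the role; \"*\" (the default) trusts every service account in k8s_namespace"`. `max_session_duration` documents the 3600–43200 range but nothing enforces it at plan time, so an out-of-range value only fails at apply; a `validation` block catches it earlier. The `eks_cluster` object type also requires fields this module never reads (`cluster_endpoint`, `cluster_ca`, `worker_security_group`, …), so callers must supply all of them; `optional(string)` on the unused fields — available since Terraform 1.3, which terraform.tf already requires — would loosen that.
```hcl
variable "max_session_duration" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "max_session_duration must be between 3600 and 43200 seconds."
  }
}

variable "service_account_name" {
  type        = string
  # No default: a glob such as "*" widens the trust policy to every service account in k8s_namespace.
  description = "Kubernetes service account allowed to assume the role"
}
```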