From 82aeca33595db3ce214837cc3d7039810718181f Mon Sep 17 00:00:00 2001
From: kuannie1
Date: Tue, 3 Sep 2024 11:53:05 -0700
Subject: [PATCH 1/5] fix: create service account role for EKS
---
 aws-iam-service-account-eks/README.md | 0
 aws-iam-service-account-eks/main.tf | 43 ++++++++++++++++
 aws-iam-service-account-eks/module_test.go | 1 +
 aws-iam-service-account-eks/outputs.tf | 15 ++++++
 aws-iam-service-account-eks/terraform.tf | 13 +++++
 aws-iam-service-account-eks/variables.tf | 59 ++++++++++++++++++++++
 6 files changed, 131 insertions(+)
 create mode 100644 aws-iam-service-account-eks/README.md
 create mode 100644 aws-iam-service-account-eks/main.tf
 create mode 100644 aws-iam-service-account-eks/module_test.go
 create mode 100644 aws-iam-service-account-eks/outputs.tf
 create mode 100644 aws-iam-service-account-eks/terraform.tf
 create mode 100644 aws-iam-service-account-eks/variables.tf
diff --git a/aws-iam-service-account-eks/README.md b/aws-iam-service-account-eks/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/aws-iam-service-account-eks/main.tf b/aws-iam-service-account-eks/main.tf
new file mode 100644
index 00000000..d90a7644
--- /dev/null
+++ b/aws-iam-service-account-eks/main.tf
@@ -0,0 +1,43 @@
+locals {
+ iam_path = coalesce(var.iam_path, "/${var.eks_cluster.cluster_id}/")
+ oidc_provider_url = replace(var.eks_cluster.cluster_oidc_issuer_url, "https://", "")
+ service_account_name = coalesce(var.service_account_name, "*")
+ name = coalesce(var.service_account_name, "${var.tags.service}-${var.tags.env}-${var.tags.project}")
+}
+
+data "aws_iam_policy_document" "assume-role" {
+ statement {
+ principals {
+ type = "Federated"
+ identifiers = [var.eks_cluster.oidc_provider_arn]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "${local.oidc_provider_url}:sub"
+ values = ["system:serviceaccount:${var.k8s_namespace}:${local.service_account_name}"]
+ }
+
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ }
+}
+
+resource "aws_iam_role" "role" {
+ name = local.name
+ description = "Service account role for ${local.name}"
+ assume_role_policy = data.aws_iam_policy_document.assume-role.json
+ path = local.iam_path
+ max_session_duration = var.max_session_duration
+ permissions_boundary = var.role_permissions_boundary_arn
+}
+
+resource "kubernetes_service_account" "service_account" {
+ metadata {
+ name = local.name
+ namespace = var.k8s_namespace
+ annotations = {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn
+ }
+ }
+ automount_service_account_token = true
+}
diff --git a/aws-iam-service-account-eks/module_test.go b/aws-iam-service-account-eks/module_test.go
new file mode 100644
index 00000000..56e54040
--- /dev/null
+++ b/aws-iam-service-account-eks/module_test.go
@@ -0,0 +1 @@
+package test
diff --git a/aws-iam-service-account-eks/outputs.tf b/aws-iam-service-account-eks/outputs.tf
new file mode 100644
index 00000000..7bd6796b
--- /dev/null
+++ b/aws-iam-service-account-eks/outputs.tf
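Review bot: The assume-role document in this hunk constrains only the token's `:sub` claim; without an `:aud` condition the role will also accept web-identity tokens the cluster's OIDC provider issues for other audiences, so the statement should additionally require `"${local.oidc_provider_url}:aud"` to equal `sts.amazonaws.com`, the audience the EKS pod identity webhook requests by default. The `service_account_name` local also coalesces an empty input to `*`, so the default trust is `system:serviceaccount:<namespace>:*`, every service account in `var.k8s_namespace` rather than one; that consequence belongs in the variable description or the role description. Separately, `permissions_boundary` is fed `var.role_permissions_boundary_arn`, whose declared default is `""`; if the provider does not treat an empty string as unset this fails at apply, so `permissions_boundary = var.role_permissions_boundary_arn != "" ? var.role_permissions_boundary_arn : null` is the safer form (I have not confirmed the provider's handling of the empty string).
```hcl
    # … unchanged: principals block and the existing :sub condition …

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_provider_url}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # … unchanged: actions …
```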
@@ -0,0 +1,15 @@
+output "iam_role_name_with_path" {
+ value = "${substr(local.iam_path, 1, -1)}${aws_iam_role.role.name}"
+}
+
+output "iam_role" {
+ value = aws_iam_role.role.name
+}
+
+output "iam_role_arn" {
+ value = aws_iam_role.role.arn
+}
+
+output "service_account_name" {
+ value = kubernetes_service_account.service_account.metadata[0].name
+}
\ No newline at end of file
diff --git a/aws-iam-service-account-eks/terraform.tf b/aws-iam-service-account-eks/terraform.tf
new file mode 100644
index 00000000..8ba00ae7
--- /dev/null
+++ b/aws-iam-service-account-eks/terraform.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.16"
+ }
+ }
+ required_version = ">= 1.3"
+}
\ No newline at end of file
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
new file mode 100644
index 00000000..d287b876
--- /dev/null
+++ b/aws-iam-service-account-eks/variables.tf
@@ -0,0 +1,59 @@
+variable "eks_cluster" {
+ type = object({
+ cluster_id : string,
+ cluster_arn : string,
+ cluster_endpoint : string,
+ cluster_ca : string,
+ cluster_oidc_issuer_url : string,
+ cluster_version : string,
+ worker_iam_role_name : string,
+ worker_security_group : string,
+ oidc_provider_arn : string,
+ })
+ description = "eks-cluster module output"
+}
+
+variable "k8s_namespace" {
+ description = "Kubernetes namespace that the service account is in"
+ type = string
+}
+
+variable "iam_path" {
+ type = string
+ default = ""
+ description = "IAM path for the role."
+}
+
+variable "role_permissions_boundary_arn" {
+ description = "Permissions boundary ARN to use for IAM role"
+ type = string
+ default = ""
+}
+
+variable "max_session_duration" {
+ description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+ type = number
+ default = 3600
+}
+
+variable "aws_iam_policies_json" {
+ type = list(string)
+ description = "The additional AWS IAM policies to give to the pod. Backward compatibility with aws_iam_policy_json"
+ default = []
+}
+
+variable "aws_iam_policy_json" {
+ type = string
+ description = "The AWS IAM policy to give to the pod."
+}
+
+variable "service_account_name" {
+ type = string
+ default = ""
+ description = "Specified Service Account Name in case "
+}
+
+variable "tags" {
+ type = object({ project : string, env : string, service : string, owner : string, managedBy : string })
+ description = "Basic metadata about the service account"
+}
\ No newline at end of file
From c44d0451d4485481d4f5e0e7de2e387e81a46352 Mon Sep 17 00:00:00 2001
From: kuannie1
Date: Tue, 3 Sep 2024 12:02:03 -0700
Subject: [PATCH 2/5] don't need these variables
---
 aws-iam-service-account-eks/variables.tf | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
index d287b876..f9c008c8 100644
--- a/aws-iam-service-account-eks/variables.tf
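Review bot: `max_session_duration` documents a 3600–43200 range but nothing enforces it, so an out-of-range value only surfaces at apply time as an IAM API error; a `validation` block on the variable rejects it at plan. The `service_account_name` default of `""` is also not a neutral default: main.tf in the same patch coalesces it to `*`, so leaving the variable unset trusts every service account in the namespace, and the description should say so rather than presenting it as a cosmetic override. `role_permissions_boundary_arn` likewise defaults to `""` while being passed straight to `permissions_boundary`; if the provider rejects an empty ARN, a `null` default is the cleaner choice (unconfirmed from here).
```hcl
variable "max_session_duration" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "max_session_duration must be between 3600 and 43200 seconds."
  }
}
```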
+++ b/aws-iam-service-account-eks/variables.tf
@@ -36,17 +36,6 @@ variable "max_session_duration" {
 default = 3600
 }
 
-variable "aws_iam_policies_json" {
- type = list(string)
- description = "The additional AWS IAM policies to give to the pod. Backward compatibility with aws_iam_policy_json"
- default = []
-}
-
-variable "aws_iam_policy_json" {
- type = string
- description = "The AWS IAM policy to give to the pod."
-}
-
 variable "service_account_name" {
 type = string
 default = ""
From cd778a50a358b9335e9e4afd71930f2844f971a9 Mon Sep 17 00:00:00 2001
From: kuannie1
Date: Tue, 3 Sep 2024 13:25:41 -0700
Subject: [PATCH 3/5] finish my sentence
---
 aws-iam-service-account-eks/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
index f9c008c8..8f2e084f 100644
--- a/aws-iam-service-account-eks/variables.tf
+++ b/aws-iam-service-account-eks/variables.tf
@@ -39,7 +39,7 @@ variable "max_session_duration" {
 variable "service_account_name" {
 type = string
 default = ""
- description = "Specified Service Account Name in case "
+ description = "Specified Service Account Name in case you want to customize it"
 }
 
 variable "tags" {
From 7ea24213a4f25cd56fee5607ba50cd546af9cb55 Mon Sep 17 00:00:00 2001
From: Annie Ku
Date: Tue, 3 Sep 2024 14:03:08 -0700
Subject: [PATCH 4/5] apply jake's feedback/suggestions
Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
---
 aws-iam-service-account-eks/main.tf | 15 ++------------
 aws-iam-service-account-eks/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/aws-iam-service-account-eks/main.tf b/aws-iam-service-account-eks/main.tf
index d90a7644..96d24b50 100644
--- a/aws-iam-service-account-eks/main.tf
+++ b/aws-iam-service-account-eks/main.tf
@@ -1,8 +1,7 @@
 locals {
 iam_path = coalesce(var.iam_path, "/${var.eks_cluster.cluster_id}/")
 oidc_provider_url = replace(var.eks_cluster.cluster_oidc_issuer_url, "https://", "")
- service_account_name = coalesce(var.service_account_name, "*")
- name = coalesce(var.service_account_name, "${var.tags.service}-${var.tags.env}-${var.tags.project}")
+ name = "${var.tags.service}-${var.tags.env}-${var.tags.project}"
 }
 
 data "aws_iam_policy_document" "assume-role" {
@@ -15,7 +14,7 @@ data "aws_iam_policy_document" "assume-role" {
 condition {
 test = "StringLike"
 variable = "${local.oidc_provider_url}:sub"
- values = ["system:serviceaccount:${var.k8s_namespace}:${local.service_account_name}"]
+ values = ["system:serviceaccount:${var.k8s_namespace}:${var.service_account_name}"]
 }
 
 actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -31,13 +30,3 @@ resource "aws_iam_role" "role" {
 permissions_boundary = var.role_permissions_boundary_arn
 }
 
-resource "kubernetes_service_account" "service_account" {
- metadata {
- name = local.name
- namespace = var.k8s_namespace
- annotations = {
- "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn
- }
- }
- automount_service_account_token = true
-}
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
index 8f2e084f..9e3134b5 100644
--- a/aws-iam-service-account-eks/variables.tf
+++ b/aws-iam-service-account-eks/variables.tf
@@ -38,7 +38,7 @@ variable "max_session_duration" {
 
 variable "service_account_name" {
 type = string
- default = ""
+ default = "*"
 description = "Specified Service Account Name in case you want to customize it"
 }
 
From 6da645f0dae2aeaf6545beed0fb0175aab4ff36b Mon Sep 17 00:00:00 2001
From: kuannie1
Date: Tue, 3 Sep 2024 14:14:03 -0700
Subject: [PATCH 5/5] remove unneeded stuff
---
 aws-iam-service-account-eks/outputs.tf | 4 ----
 aws-iam-service-account-eks/terraform.tf | 4 ----
 2 files changed, 8 deletions(-)
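Review bot: Changing the default of `service_account_name` to `*` makes wildcard trust the module's out-of-the-box behaviour: the `:sub` condition now evaluates to `system:serviceaccount:<k8s_namespace>:*`, so every service account in the namespace can call `sts:AssumeRoleWithWebIdentity` on this role unless the caller overrides the variable, and since the same patch removes the `kubernetes_service_account` resource, nothing in the module ties the role to a single account any more. The description still reads as a cosmetic override; it should state the consequence, e.g. `description = "Kubernetes service account allowed to assume the role. Defaults to \"*\", which trusts every service account in k8s_namespace; set an explicit name for least privilege."`. Dropping the default altogether so that the wide trust has to be requested explicitly would be the safer interface. The locals block and the data source both continue outside the visible hunks.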
diff --git a/aws-iam-service-account-eks/outputs.tf b/aws-iam-service-account-eks/outputs.tf
index 7bd6796b..56fcab11 100644
--- a/aws-iam-service-account-eks/outputs.tf
+++ b/aws-iam-service-account-eks/outputs.tf
@@ -9,7 +9,3 @@ output "iam_role" {
 output "iam_role_arn" {
 value = aws_iam_role.role.arn
 }
-
-output "service_account_name" {
- value = kubernetes_service_account.service_account.metadata[0].name
-}
\ No newline at end of file
diff --git a/aws-iam-service-account-eks/terraform.tf b/aws-iam-service-account-eks/terraform.tf
index 8ba00ae7..35670a72 100644
--- a/aws-iam-service-account-eks/terraform.tf
+++ b/aws-iam-service-account-eks/terraform.tf
@@ -4,10 +4,6 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 5.14"
 }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.16"
- }
 }
 required_version = ">= 1.3"
 }
\ No newline at end of file