From 760b10d0967bd788ef17993c847ea044d576cbe2 Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Fri, 9 Aug 2024 10:38:12 -0300 Subject: [PATCH 1/5] feat: Add Sagemaker, MemoryDB, Opensearch and ECR Controllers --- README.md | 34 ++ examples/complete/README.md | 70 +-- examples/complete/main.tf | 4 + main.tf | 921 +++++++++++++++++++++++++++++++++++- variables.tf | 64 +++ 5 files changed, 1059 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index 497fbcb..06185f9 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,10 @@ module "eks_ack_addons" { ecrpublic_token = "" # Controllers to enable + enable_sagemaker = true + enable_memorydb = true + enable_opensearchservice = true + enable_ecr = true enable_sns = true enable_sqs = true enable_lambda = true @@ -72,6 +76,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [apigatewayv2](#module\_apigatewayv2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [eks](#module\_eks) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [elasticache](#module\_elasticache) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [emrcontainers](#module\_emrcontainers) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -79,9 +84,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [opensearchservice](#module\_opensearchservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [rds](#module\_rds) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [s3](#module\_s3) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [sagemaker](#module\_sagemaker) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sfn](#module\_sfn) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sns](#module\_sns) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sqs](#module\_sqs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -91,17 +99,35 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | Name | Type | |------|------| | [aws_iam_policy.acmpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.aws_service_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.ecrpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.ekspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.iampolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.kmspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.lambdapolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.memorydbpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.opensearchservicepolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.resource_specific_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.s3_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.sagemaker_core_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.sagemaker_space_management_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.sagemaker_studio_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.sfnpasspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.snspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.sqspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_iam_policy_document.aws_service_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ecr_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.memorydb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.opensearchservice_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.resource_specific_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.s3_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sagemaker_core](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sagemaker_space_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sagemaker_studio](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.sns_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.sqs_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | @@ -120,6 +146,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [create\_kubernetes\_resources](#input\_create\_kubernetes\_resources) | Create Kubernetes resource with Helm or Kubernetes provider | `bool` | `true` | no | | [dynamodb](#input\_dynamodb) | ACK dynamodb Helm Chart config | `any` | `{}` | no | | [ec2](#input\_ec2) | ACK ec2 Helm Chart config | `any` | `{}` | no | +| [ecr](#input\_ecr) | ACK ECR Helm Chart config | `any` | `{}` | no | | [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | `""` | no | | [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | `""` | no | | [eks](#input\_eks) | ACK eks Helm Chart config | `any` | `{}` | no | 
@@ -129,6 +156,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_apigatewayv2](#input\_enable\_apigatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no | | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no | | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no | +| [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no | | [enable\_eks](#input\_enable\_eks) | Enable ACK eks add-on | `bool` | `false` | no | | [enable\_elasticache](#input\_enable\_elasticache) | Enable ACK elasticache add-on | `bool` | `false` | no | | [enable\_emrcontainers](#input\_enable\_emrcontainers) | Enable ACK EMR container add-on | `bool` | `false` | no | 
@@ -136,9 +164,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no | | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no | | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no | +| [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no | +| [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK OpensearchService add-on | `bool` | `false` | no | | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no | | [enable\_rds](#input\_enable\_rds) | Enable ACK rds add-on | `bool` | `false` | no | | [enable\_s3](#input\_enable\_s3) | Enable ACK s3 add-on | `bool` | `false` | no | +| [enable\_sagemaker](#input\_enable\_sagemaker) | Enable ACK Sagemaker add-on | `bool` | `false` | no | | [enable\_sfn](#input\_enable\_sfn) | Enable ACK step functions add-on | `bool` | `false` | no | | [enable\_sns](#input\_enable\_sns) | Enable ACK SNS add-on | `bool` | `false` | no | | [enable\_sqs](#input\_enable\_sqs) | Enable ACK SQS add-on | `bool` | `false` | no | 
@@ -146,10 +177,13 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no | | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no | | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no | +| [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes | +| [opensearchservice](#input\_opensearchservice) | ACK OpensearchService Helm Chart config | `any` | `{}` | no | | [prometheusservice](#input\_prometheusservice) | ACK prometheusservice Helm Chart config | `any` | `{}` | no | | [rds](#input\_rds) | ACK rds Helm Chart config | `any` | `{}` | no | | [s3](#input\_s3) | ACK s3 Helm Chart config | `any` | `{}` | no | +| [sagemaker](#input\_sagemaker) | ACK Sagemaker Helm Chart config | `any` | `{}` | no | | [sfn](#input\_sfn) | ACK step functions Helm Chart config | `any` | `{}` | no | | [sns](#input\_sns) | ACK SNS Helm Chart config | `any` | `{}` | no | | [sqs](#input\_sqs) | ACK SQS Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index f03dda3..b288436 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -6,6 +6,7 @@ Configuration in this directory creates an AWS EKS cluster with the following AC - Amazon ApiGatewayV2 Controller - Amazon DynamoDB Controller - Amazon EC2 Controller +- Amazon ECR Controller - Amazon EKS Controller - Amazon ElastiCache Controller - Amazon EMR Containers Controller 
@@ -13,9 +14,12 @@ Configuration in this directory creates an AWS EKS cluster with the following AC - Amazon IAM Controller - Amazon KMS Controller - AWS Lambda Controller +- Amazon MemoryDB Controller +- Amazon OpenSearch Service Controller - Amazon Prometheus Service Controller - Amazon RDS Controller - Amazon S3 Controller +- Amazon SageMaker Controller - AWS SFN Controller - Amazon SNS Controller - Amazon SQS Controller 
@@ -59,37 +63,41 @@ aws eks --region update-kubeconfig --name kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE -ack-system ack-acm-5ffccbd5d5-62kx9 1/1 Running 0 11m -ack-system ack-apigatewayv2-cf6cd9d67-vxhsk 1/1 Running 0 11m -ack-system ack-dynamodb-bd47f88b7-7jbgw 1/1 Running 0 10m -ack-system ack-ec2-54dfcf968-pdbs2 1/1 Running 0 10m -ack-system ack-eks-9cb44fc-95k6x 1/1 Running 0 11m -ack-system ack-elasticache-5758ff66bd-6vbgc 1/1 Running 0 11m -ack-system ack-emrcontainers-69ffb54758-78ksb 1/1 Running 0 11m -ack-system ack-eventbridge-58c7d4c8f5-vvfz5 1/1 Running 0 11m -ack-system ack-iam-7486c996c8-kbb2h 1/1 Running 0 11m -ack-system ack-kms-bb956b4fc-x69lv 1/1 Running 0 11m -ack-system ack-lambda-65bd7fbc8d-6jn8k 1/1 Running 0 11m -ack-system ack-prometheusservice-5bccddc6f-7tkl5 1/1 Running 0 11m -ack-system ack-rds-57499b447d-pg9tq 1/1 Running 0 10m -ack-system ack-s3-78b44bf586-b8qnj 1/1 Running 0 11m -ack-system ack-sfn-7494cbccf-vx6g7 1/1 Running 0 10m -ack-system ack-sns-56bb579874-h26s5 1/1 Running 0 11m -ack-system ack-sqs-5f7bc84d45-47zw4 1/1 Running 0 11m -kube-system aws-load-balancer-controller-84b5bf9c5f-45fkt 1/1 Running 0 10m -kube-system aws-load-balancer-controller-84b5bf9c5f-vtwj4 1/1 Running 0 10m -kube-system aws-node-btph9 2/2 Running 0 10m -kube-system aws-node-dqh67 2/2 Running 0 10m -kube-system aws-node-kt5mp 2/2 Running 0 10m -kube-system coredns-787cb67946-hlqfm 1/1 Running 0 14m -kube-system coredns-787cb67946-q8lzj 1/1 Running 0 14m -kube-system eks-pod-identity-agent-lhj4d 1/1 Running 0 10m -kube-system eks-pod-identity-agent-vvf46 1/1 Running 0 10m -kube-system eks-pod-identity-agent-zw2qv 1/1 Running 0 10m -kube-system kube-proxy-27k5q 1/1 Running 0 10m -kube-system kube-proxy-6q78s 1/1 Running 0 10m -kube-system kube-proxy-x5hhm 1/1 Running 0 10m -kube-system metrics-server-7577444cf8-9l7h8 1/1 Running 0 12m +ack-system ack-acm-5ffccbd5d5-6ns6v 1/1 Running 0 60s +ack-system ack-apigatewayv2-cf6cd9d67-gfw5k 1/1 
Running 0 60s +ack-system ack-dynamodb-bd47f88b7-4smb5 1/1 Running 0 60s +ack-system ack-ec2-54dfcf968-2vvcf 1/1 Running 0 60s +ack-system ack-ecr-5b4699f87b-n5bfp 1/1 Running 0 60s +ack-system ack-eks-9cb44fc-vgsvf 1/1 Running 0 59s +ack-system ack-elasticache-5758ff66bd-fn7cv 1/1 Running 0 59s +ack-system ack-emrcontainers-69ffb54758-s4d25 1/1 Running 0 59s +ack-system ack-eventbridge-58c7d4c8f5-hzc7m 1/1 Running 0 59s +ack-system ack-iam-7486c996c8-qmmd6 1/1 Running 0 58s +ack-system ack-kms-bb956b4fc-vtn7x 1/1 Running 0 58s +ack-system ack-lambda-65bd7fbc8d-lql8x 1/1 Running 0 58s +ack-system ack-memorydb-76c988f6dd-zxprv 1/1 Running 0 58s +ack-system ack-opensearchservice-7fd9d8c866-xzqfh 1/1 Running 0 57s +ack-system ack-prometheusservice-5bccddc6f-clnz9 1/1 Running 0 57s +ack-system ack-rds-57499b447d-qqf7w 1/1 Running 0 57s +ack-system ack-s3-78b44bf586-4f25v 1/1 Running 0 57s +ack-system ack-sagemaker-74f65d4cb9-9r74h 1/1 Running 0 57s +ack-system ack-sfn-7494cbccf-mwq7z 1/1 Running 0 56s +ack-system ack-sns-56bb579874-hk78c 1/1 Running 0 56s +ack-system ack-sqs-5f7bc84d45-jtd5b 1/1 Running 0 56s +kube-system aws-load-balancer-controller-84b5bf9c5f-4dm9s 1/1 Running 0 34m +kube-system aws-load-balancer-controller-84b5bf9c5f-62km5 1/1 Running 0 34m +kube-system aws-node-2pfp8 2/2 Running 0 32m +kube-system aws-node-c6mdg 2/2 Running 0 32m +kube-system aws-node-d8m55 2/2 Running 0 32m +kube-system coredns-787cb67946-8psqv 1/1 Running 0 38m +kube-system coredns-787cb67946-nvtnt 1/1 Running 0 38m +kube-system eks-pod-identity-agent-2lw9f 1/1 Running 0 33m +kube-system eks-pod-identity-agent-dhdxs 1/1 Running 0 33m +kube-system eks-pod-identity-agent-zt7gz 1/1 Running 0 33m +kube-system kube-proxy-2xjzt 1/1 Running 0 33m +kube-system kube-proxy-h27hw 1/1 Running 0 34m +kube-system kube-proxy-kd57b 1/1 Running 0 33m +kube-system metrics-server-7577444cf8-7f95q 1/1 Running 0 35m ``` ## Sample Application Deployment 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 4b09b4d..7016b85 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -131,6 +131,10 @@ module "eks_ack_addons" { ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password # Controllers to enable + enable_sagemaker = true + enable_memorydb = true + enable_opensearchservice = true + enable_ecr = true enable_sns = true enable_sqs = true enable_lambda = true diff --git a/main.tf b/main.tf index 7917db2..5dad5df 100644 --- a/main.tf +++ b/main.tf 
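Review bot: Setting `enable_sagemaker = true` in the complete example silently attaches the module's default SageMaker role policies, which elsewhere in this same patch include the `aws_service_actions` document granting `ec2:*`, `kms:*`, `ecr:*`, `cloudwatch:*`, `logs:*` and `glue:*` on `resources = ["*"]` to the controller's IRSA role. Because the example is what users copy, it should either pass a narrower `sagemaker = { role_policies = { ... } }` or carry a comment making the blast radius explicit, e.g. `# enable_sagemaker attaches broad default IAM policies (ec2:*, kms:*, ecr:* on "*"); override role_policies to scope them down`. The same consideration applies, to a lesser degree, to `enable_ecr` and `enable_memorydb`, whose default policies I can only partly see in this view. The enclosing `module "eks_ack_addons"` block starts and ends outside the hunk.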
@@ -32,6 +32,921 @@ locals { repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : "" } +################################################################################ +# SageMaker +################################################################################ + +locals { + sagemaker_name = "ack-sagemaker" +} + +module "sagemaker" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_sagemaker + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/sagemaker-chart:1.2.12 + name = try(var.sagemaker.name, local.sagemaker_name) + description = try(var.sagemaker.description, "Helm Chart for Sagemaker controller for ACK") + namespace = try(var.sagemaker.namespace, "ack-system") + create_namespace = try(var.sagemaker.create_namespace, true) + chart = "sagemaker-chart" + chart_version = try(var.sagemaker.chart_version, "1.2.12") + repository = try(var.sagemaker.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.sagemaker.values, []) + + timeout = try(var.sagemaker.timeout, null) + repository_key_file = try(var.sagemaker.repository_key_file, null) + repository_cert_file = try(var.sagemaker.repository_cert_file, null) + repository_ca_file = try(var.sagemaker.repository_ca_file, null) + repository_username = try(var.sagemaker.repository_username, local.repository_username) + repository_password = try(var.sagemaker.repository_password, local.repository_password) + devel = try(var.sagemaker.devel, null) + verify = try(var.sagemaker.verify, null) + keyring = try(var.sagemaker.keyring, null) + disable_webhooks = try(var.sagemaker.disable_webhooks, null) + reuse_values = try(var.sagemaker.reuse_values, null) + reset_values = try(var.sagemaker.reset_values, null) + force_update = try(var.sagemaker.force_update, null) + recreate_pods = try(var.sagemaker.recreate_pods, null) + cleanup_on_fail = try(var.sagemaker.cleanup_on_fail, 
null) + max_history = try(var.sagemaker.max_history, null) + atomic = try(var.sagemaker.atomic, null) + skip_crds = try(var.sagemaker.skip_crds, null) + render_subchart_notes = try(var.sagemaker.render_subchart_notes, null) + disable_openapi_validation = try(var.sagemaker.disable_openapi_validation, null) + wait = try(var.sagemaker.wait, false) + wait_for_jobs = try(var.sagemaker.wait_for_jobs, null) + dependency_update = try(var.sagemaker.dependency_update, null) + replace = try(var.sagemaker.replace, null) + lint = try(var.sagemaker.lint, null) + + postrender = try(var.sagemaker.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-sagemaker-sagemaker-chart-xxxxxxxxxxxxx` to `ack-sagemaker-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-sagemaker" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.sagemaker_name + }], + try(var.sagemaker.set, []) + ) + set_sensitive = try(var.sagemaker.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.sagemaker.create_role, true) + role_name = try(var.sagemaker.role_name, "ack-sagemaker") + role_name_use_prefix = try(var.sagemaker.role_name_use_prefix, true) + role_path = try(var.sagemaker.role_path, "/") + role_permissions_boundary_arn = lookup(var.sagemaker, "role_permissions_boundary_arn", null) + role_description = try(var.sagemaker.role_description, "IRSA for Sagemaker controller for ACK") + role_policies = lookup(var.sagemaker, "role_policies", { + core_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_core_policy[0].arn : null, + studio_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_studio_policy[0].arn : null, + space_management_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_space_management_policy[0].arn : null, + aws_service_actions_policy = var.enable_sagemaker ? 
aws_iam_policy.aws_service_actions_policy[0].arn : null, + resource_specific_actions_policy = var.enable_sagemaker ? aws_iam_policy.resource_specific_actions_policy[0].arn : null, + s3_actions_policy = var.enable_sagemaker ? aws_iam_policy.s3_actions_policy[0].arn : null + }) + + create_policy = try(var.sagemaker.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.sagemaker_name + } + } + + tags = var.tags +} + +# recommended sagemaker-controller policy https://github.com/aws-controllers-k8s/sagemaker-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "sagemaker_core" { + count = var.enable_sagemaker ? 1 : 0 + + statement { + sid = "AllowAllNonAdminSageMakerActions" + effect = "Allow" + actions = [ + "sagemaker:*", + "sagemaker-geospatial:*", + ] + not_resources = [ + "arn:aws:sagemaker:*:*:domain/*", + "arn:aws:sagemaker:*:*:user-profile/*", + "arn:aws:sagemaker:*:*:app/*", + "arn:aws:sagemaker:*:*:space/*", + "arn:aws:sagemaker:*:*:flow-definition/*", + ] + } + + statement { + sid = "AllowAddTagsForSpace" + effect = "Allow" + actions = ["sagemaker:AddTags"] + resources = ["arn:aws:sagemaker:*:*:space/*"] + + condition { + test = "StringEquals" + variable = "sagemaker:TaggingAction" + values = ["CreateSpace"] + } + } + + statement { + sid = "AllowAddTagsForApp" + effect = "Allow" + actions = ["sagemaker:AddTags"] + resources = ["arn:aws:sagemaker:*:*:app/*"] + } +} + +data "aws_iam_policy_document" "sagemaker_studio" { + count = var.enable_sagemaker ? 
1 : 0 + + statement { + sid = "AllowStudioActions" + effect = "Allow" + actions = [ + "sagemaker:CreatePresignedDomainUrl", + "sagemaker:DescribeDomain", + "sagemaker:ListDomains", + "sagemaker:DescribeUserProfile", + "sagemaker:ListUserProfiles", + "sagemaker:DescribeSpace", + "sagemaker:ListSpaces", + "sagemaker:DescribeApp", + "sagemaker:ListApps", + ] + resources = ["*"] + } + + statement { + sid = "AllowAppActionsForUserProfile" + effect = "Allow" + actions = [ + "sagemaker:CreateApp", + "sagemaker:DeleteApp", + ] + resources = ["arn:aws:sagemaker:*:*:app/*/*/*/*"] + + condition { + test = "Null" + variable = "sagemaker:OwnerUserProfileArn" + values = ["true"] + } + } + + statement { + sid = "AllowAppActionsForSharedSpaces" + effect = "Allow" + actions = [ + "sagemaker:CreateApp", + "sagemaker:DeleteApp", + ] + resources = ["arn:aws:sagemaker:*:*:app/$${sagemaker:DomainId}/*/*/*"] + + condition { + test = "StringEquals" + variable = "sagemaker:SpaceSharingType" + values = ["Shared"] + } + } +} + +data "aws_iam_policy_document" "sagemaker_space_management" { + count = var.enable_sagemaker ? 
1 : 0 + + statement { + sid = "AllowMutatingActionsOnSharedSpacesWithoutOwner" + effect = "Allow" + actions = [ + "sagemaker:CreateSpace", + "sagemaker:UpdateSpace", + "sagemaker:DeleteSpace", + ] + resources = ["arn:aws:sagemaker:*:*:space/$${sagemaker:DomainId}/*"] + + condition { + test = "Null" + variable = "sagemaker:OwnerUserProfileArn" + values = ["true"] + } + } + + statement { + sid = "RestrictMutatingActionsOnSpacesToOwnerUserProfile" + effect = "Allow" + actions = [ + "sagemaker:CreateSpace", + "sagemaker:UpdateSpace", + "sagemaker:DeleteSpace", + ] + resources = ["arn:aws:sagemaker:*:*:space/$${sagemaker:DomainId}/*"] + + condition { + test = "ArnLike" + variable = "sagemaker:OwnerUserProfileArn" + values = ["arn:aws:sagemaker:*:*:user-profile/$${sagemaker:DomainId}/$${sagemaker:UserProfileName}"] + } + + condition { + test = "StringEquals" + variable = "sagemaker:SpaceSharingType" + values = ["Private", "Shared"] + } + } + + statement { + sid = "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile" + effect = "Allow" + actions = [ + "sagemaker:CreateApp", + "sagemaker:DeleteApp", + ] + resources = ["arn:aws:sagemaker:*:*:app/$${sagemaker:DomainId}/*/*/*"] + + condition { + test = "ArnLike" + variable = "sagemaker:OwnerUserProfileArn" + values = ["arn:aws:sagemaker:*:*:user-profile/$${sagemaker:DomainId}/$${sagemaker:UserProfileName}"] + } + + condition { + test = "StringEquals" + variable = "sagemaker:SpaceSharingType" + values = ["Private"] + } + } + + statement { + sid = "AllowFlowDefinitionActions" + effect = "Allow" + actions = ["sagemaker:*"] + resources = ["arn:aws:sagemaker:*:*:flow-definition/*"] + + condition { + test = "StringEqualsIfExists" + variable = "sagemaker:WorkteamType" + values = ["private-crowd", "vendor-crowd"] + } + } +} + +data "aws_iam_policy_document" "aws_service_actions" { + count = var.enable_sagemaker ? 
1 : 0 + + statement { + sid = "AllowAWSServiceActions" + effect = "Allow" + actions = [ + "application-autoscaling:*", + "aws-marketplace:ViewSubscriptions", + "cloudformation:GetTemplateSummary", + "cloudwatch:*", + "codecommit:*", + "cognito-idp:*", + "ec2:*", + "ecr:*", + "elastic-inference:Connect", + "elasticfilesystem:Describe*", + "fsx:DescribeFileSystems", + "glue:*", + "groundtruthlabeling:*", + "iam:ListRoles", + "kms:*", + "lambda:ListFunctions", + "logs:*", + "robomaker:*", + "secretsmanager:ListSecrets", + "servicecatalog:*", + "sns:ListTopics", + "tag:GetResources", + ] + resources = ["*"] + } +} + +data "aws_iam_policy_document" "resource_specific_actions" { + count = var.enable_sagemaker ? 1 : 0 + + statement { + sid = "AllowECRActions" + effect = "Allow" + actions = [ + "ecr:*", + ] + resources = ["arn:aws:ecr:*:*:repository/*sagemaker*"] + } + + statement { + sid = "AllowCodeCommitActions" + effect = "Allow" + actions = [ + "codecommit:GitPull", + "codecommit:GitPush", + ] + resources = [ + "arn:aws:codecommit:*:*:*sagemaker*", + "arn:aws:codecommit:*:*:*SageMaker*", + "arn:aws:codecommit:*:*:*Sagemaker*", + ] + } + + statement { + sid = "AllowCodeBuildActions" + effect = "Allow" + actions = [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + ] + resources = [ + "arn:aws:codebuild:*:*:project/sagemaker*", + "arn:aws:codebuild:*:*:build/*", + ] + } + + statement { + sid = "AllowStepFunctionsActions" + effect = "Allow" + actions = [ + "states:*", + ] + resources = [ + "arn:aws:states:*:*:statemachine:*sagemaker*", + "arn:aws:states:*:*:execution:*sagemaker*:*", + ] + } + + statement { + sid = "AllowSecretManagerActions" + effect = "Allow" + actions = [ + "secretsmanager:*", + ] + resources = ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"] + } + + statement { + sid = "AllowReadOnlySecretManagerActions" + effect = "Allow" + actions = [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + ] + resources = ["*"] + + 
condition { + test = "StringEquals" + variable = "secretsmanager:ResourceTag/SageMaker" + values = ["true"] + } + } +} + +data "aws_iam_policy_document" "s3_actions" { + count = var.enable_sagemaker ? 1 : 0 + + statement { + sid = "AllowS3ObjectActions" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:AbortMultipartUpload", + ] + resources = [ + "arn:aws:s3:::*SageMaker*", + "arn:aws:s3:::*Sagemaker*", + "arn:aws:s3:::*sagemaker*", + "arn:aws:s3:::*aws-glue*", + ] + } + + statement { + sid = "AllowS3GetObjectWithSageMakerExistingObjectTag" + effect = "Allow" + actions = ["s3:GetObject"] + resources = ["arn:aws:s3:::*"] + + condition { + test = "StringEqualsIgnoreCase" + variable = "s3:ExistingObjectTag/SageMaker" + values = ["true"] + } + } + + statement { + sid = "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag" + effect = "Allow" + actions = ["s3:GetObject"] + resources = ["arn:aws:s3:::*"] + + condition { + test = "StringEquals" + variable = "s3:ExistingObjectTag/servicecatalog:provisioning" + values = ["true"] + } + } + + statement { + sid = "AllowS3BucketActions" + effect = "Allow" + actions = [ + "s3:CreateBucket", + "s3:GetBucketLocation", + "s3:ListBucket", + "s3:ListAllMyBuckets", + "s3:GetBucketCors", + "s3:PutBucketCors", + ] + resources = ["*"] + } + + statement { + sid = "AllowS3BucketACL" + effect = "Allow" + actions = [ + "s3:GetBucketAcl", + "s3:PutObjectAcl", + ] + resources = [ + "arn:aws:s3:::*SageMaker*", + "arn:aws:s3:::*Sagemaker*", + "arn:aws:s3:::*sagemaker*", + ] + } + + statement { + sid = "AllowLambdaInvokeFunction" + effect = "Allow" + actions = ["lambda:InvokeFunction"] + resources = [ + "arn:aws:lambda:*:*:function:*SageMaker*", + "arn:aws:lambda:*:*:function:*sagemaker*", + "arn:aws:lambda:*:*:function:*Sagemaker*", + "arn:aws:lambda:*:*:function:*LabelingFunction*", + ] + } +} + +resource "aws_iam_policy" "sagemaker_core_policy" { + count = var.enable_sagemaker ? 
1 : 0 + + name = "SagemakerCorePolicy" + description = "IAM policy for SageMaker core actions" + policy = data.aws_iam_policy_document.sagemaker_core[0].json + + tags = var.tags +} + +resource "aws_iam_policy" "sagemaker_studio_policy" { + count = var.enable_sagemaker ? 1 : 0 + + name = "SagemakerStudioPolicy" + description = "IAM policy for SageMaker Studio and App actions" + policy = data.aws_iam_policy_document.sagemaker_studio[0].json + + tags = var.tags +} + +resource "aws_iam_policy" "sagemaker_space_management_policy" { + count = var.enable_sagemaker ? 1 : 0 + + name = "SagemakerSpaceManagementPolicy" + description = "IAM policy for SageMaker space and flow definition management" + policy = data.aws_iam_policy_document.sagemaker_space_management[0].json + + tags = var.tags +} + +resource "aws_iam_policy" "aws_service_actions_policy" { + count = var.enable_sagemaker ? 1 : 0 + + name = "AWSServiceActionsPolicy" + description = "IAM policy for AWS service actions" + policy = data.aws_iam_policy_document.aws_service_actions[0].json + + tags = var.tags +} + +resource "aws_iam_policy" "resource_specific_actions_policy" { + count = var.enable_sagemaker ? 1 : 0 + + name = "ResourceSpecificActionsPolicy" + description = "IAM policy for resource-specific actions" + policy = data.aws_iam_policy_document.resource_specific_actions[0].json + + tags = var.tags +} + +resource "aws_iam_policy" "s3_actions_policy" { + count = var.enable_sagemaker ? 
1 : 0 + + name = "S3ActionsPolicy" + description = "IAM policy for S3 and S3 Express actions" + policy = data.aws_iam_policy_document.s3_actions[0].json + + tags = var.tags +} + +################################################################################ +# MemoryDB +################################################################################ + +locals { + memorydb_name = "ack-memorydb" +} + +module "memorydb" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_memorydb + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/memorydb-chart:1.0.4 + name = try(var.memorydb.name, local.memorydb_name) + description = try(var.memorydb.description, "Helm Chart for MemoryDB controller for ACK") + namespace = try(var.memorydb.namespace, "ack-system") + create_namespace = try(var.memorydb.create_namespace, true) + chart = "memorydb-chart" + chart_version = try(var.memorydb.chart_version, "1.0.4") + repository = try(var.memorydb.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.memorydb.values, []) + + timeout = try(var.memorydb.timeout, null) + repository_key_file = try(var.memorydb.repository_key_file, null) + repository_cert_file = try(var.memorydb.repository_cert_file, null) + repository_ca_file = try(var.memorydb.repository_ca_file, null) + repository_username = try(var.memorydb.repository_username, local.repository_username) + repository_password = try(var.memorydb.repository_password, local.repository_password) + devel = try(var.memorydb.devel, null) + verify = try(var.memorydb.verify, null) + keyring = try(var.memorydb.keyring, null) + disable_webhooks = try(var.memorydb.disable_webhooks, null) + reuse_values = try(var.memorydb.reuse_values, null) + reset_values = try(var.memorydb.reset_values, null) + force_update = try(var.memorydb.force_update, null) + recreate_pods = try(var.memorydb.recreate_pods, null) + cleanup_on_fail = 
try(var.memorydb.cleanup_on_fail, null) + max_history = try(var.memorydb.max_history, null) + atomic = try(var.memorydb.atomic, null) + skip_crds = try(var.memorydb.skip_crds, null) + render_subchart_notes = try(var.memorydb.render_subchart_notes, null) + disable_openapi_validation = try(var.memorydb.disable_openapi_validation, null) + wait = try(var.memorydb.wait, false) + wait_for_jobs = try(var.memorydb.wait_for_jobs, null) + dependency_update = try(var.memorydb.dependency_update, null) + replace = try(var.memorydb.replace, null) + lint = try(var.memorydb.lint, null) + + postrender = try(var.memorydb.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-memorydb-memorydb-chart-xxxxxxxxxxxxx` to `ack-memorydb-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-memorydb" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.memorydb_name + }], + try(var.memorydb.set, []) + ) + set_sensitive = try(var.memorydb.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.memorydb.create_role, true) + role_name = try(var.memorydb.role_name, "ack-memorydb") + role_name_use_prefix = try(var.memorydb.role_name_use_prefix, true) + role_path = try(var.memorydb.role_path, "/") + role_permissions_boundary_arn = lookup(var.memorydb, "role_permissions_boundary_arn", null) + role_description = try(var.memorydb.role_description, "IRSA for MemoryDB controller for ACK") + role_policies = lookup(var.memorydb, "role_policies", { + policy = var.enable_memorydb ? 
aws_iam_policy.memorydbpolicy[0].arn : null + }) + create_policy = try(var.memorydb.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.memorydb_name + } + } + + tags = var.tags +} + +# recommended memorydb-controller policy https://github.com/aws-controllers-k8s/memorydb-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "memorydb_controller" { + count = var.enable_memorydb ? 1 : 0 + + statement { + effect = "Allow" + actions = ["memorydb:*"] + resources = ["*"] + } + + statement { + effect = "Allow" + actions = ["iam:CreateServiceLinkedRole"] + resources = ["arn:aws:iam::*:role/aws-service-role/memorydb.amazonaws.com/AWSServiceRoleForMemoryDB"] + + condition { + test = "StringLike" + variable = "iam:AWSServiceName" + values = ["memorydb.amazonaws.com"] + } + } +} + +resource "aws_iam_policy" "memorydbpolicy" { + count = var.enable_memorydb ? 1 : 0 + + name = "MemoryDBController" + description = "IAM policy for MemoryDB Controller" + policy = data.aws_iam_policy_document.memorydb_controller[0].json + + tags = var.tags +} + +################################################################################ +# OpenSearch Service +################################################################################ + +locals { + opensearchservice_name = "ack-opensearchservice" +} + +module "opensearchservice" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_opensearchservice + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/opensearchservice-chart:0.0.27 + name = try(var.opensearchservice.name, local.opensearchservice_name) + description = try(var.opensearchservice.description, "Helm Chart for Opensearch Service controller for ACK") + namespace = try(var.opensearchservice.namespace, "ack-system") + create_namespace = 
try(var.opensearchservice.create_namespace, true) + chart = "opensearchservice-chart" + chart_version = try(var.opensearchservice.chart_version, "0.0.27") + repository = try(var.opensearchservice.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.opensearchservice.values, []) + + timeout = try(var.opensearchservice.timeout, null) + repository_key_file = try(var.opensearchservice.repository_key_file, null) + repository_cert_file = try(var.opensearchservice.repository_cert_file, null) + repository_ca_file = try(var.opensearchservice.repository_ca_file, null) + repository_username = try(var.opensearchservice.repository_username, local.repository_username) + repository_password = try(var.opensearchservice.repository_password, local.repository_password) + devel = try(var.opensearchservice.devel, null) + verify = try(var.opensearchservice.verify, null) + keyring = try(var.opensearchservice.keyring, null) + disable_webhooks = try(var.opensearchservice.disable_webhooks, null) + reuse_values = try(var.opensearchservice.reuse_values, null) + reset_values = try(var.opensearchservice.reset_values, null) + force_update = try(var.opensearchservice.force_update, null) + recreate_pods = try(var.opensearchservice.recreate_pods, null) + cleanup_on_fail = try(var.opensearchservice.cleanup_on_fail, null) + max_history = try(var.opensearchservice.max_history, null) + atomic = try(var.opensearchservice.atomic, null) + skip_crds = try(var.opensearchservice.skip_crds, null) + render_subchart_notes = try(var.opensearchservice.render_subchart_notes, null) + disable_openapi_validation = try(var.opensearchservice.disable_openapi_validation, null) + wait = try(var.opensearchservice.wait, false) + wait_for_jobs = try(var.opensearchservice.wait_for_jobs, null) + dependency_update = try(var.opensearchservice.dependency_update, null) + replace = try(var.opensearchservice.replace, null) + lint = try(var.opensearchservice.lint, null) + + postrender = 
try(var.opensearchservice.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-opensearchservice-opensearchservice-chart-xxxxxxxxxxxxx` to `ack-opensearchservice-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-opensearchservice" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.opensearchservice_name + }], + try(var.opensearchservice.set, []) + ) + set_sensitive = try(var.opensearchservice.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.opensearchservice.create_role, true) + role_name = try(var.opensearchservice.role_name, "ack-opensearchservice") + role_name_use_prefix = try(var.opensearchservice.role_name_use_prefix, true) + role_path = try(var.opensearchservice.role_path, "/") + role_permissions_boundary_arn = lookup(var.opensearchservice, "role_permissions_boundary_arn", null) + role_description = try(var.opensearchservice.role_description, "IRSA for Opensearch Service controller for ACK") + role_policies = lookup(var.opensearchservice, "role_policies", { + policy = var.enable_opensearchservice ? aws_iam_policy.opensearchservicepolicy[0].arn : null + }) + create_policy = try(var.opensearchservice.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.opensearchservice_name + } + } + + tags = var.tags +} + +# recommended opensearchservice-controller policy https://github.com/aws-controllers-k8s/opensearchservice-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "opensearchservice_controller" { + count = var.enable_opensearchservice ? 1 : 0 + + statement { + effect = "Allow" + actions = ["es:*"] + resources = ["*"] + } +} + +resource "aws_iam_policy" "opensearchservicepolicy" { + count = var.enable_opensearchservice ? 
1 : 0 + + name = "OpensearchServiceController" + description = "IAM policy for OpensearchService Controller" + policy = data.aws_iam_policy_document.opensearchservice_controller[0].json + + tags = var.tags +} + +################################################################################ +# ECR +################################################################################ + +locals { + ecr_name = "ack-ecr" +} + +module "ecr" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_ecr + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/ecr-chart:1.0.17 + name = try(var.ecr.name, local.ecr_name) + description = try(var.ecr.description, "Helm Chart for ECR controller for ACK") + namespace = try(var.ecr.namespace, "ack-system") + create_namespace = try(var.ecr.create_namespace, true) + chart = "ecr-chart" + chart_version = try(var.ecr.chart_version, "1.0.17") + repository = try(var.ecr.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.ecr.values, []) + + timeout = try(var.ecr.timeout, null) + repository_key_file = try(var.ecr.repository_key_file, null) + repository_cert_file = try(var.ecr.repository_cert_file, null) + repository_ca_file = try(var.ecr.repository_ca_file, null) + repository_username = try(var.ecr.repository_username, local.repository_username) + repository_password = try(var.ecr.repository_password, local.repository_password) + devel = try(var.ecr.devel, null) + verify = try(var.ecr.verify, null) + keyring = try(var.ecr.keyring, null) + disable_webhooks = try(var.ecr.disable_webhooks, null) + reuse_values = try(var.ecr.reuse_values, null) + reset_values = try(var.ecr.reset_values, null) + force_update = try(var.ecr.force_update, null) + recreate_pods = try(var.ecr.recreate_pods, null) + cleanup_on_fail = try(var.ecr.cleanup_on_fail, null) + max_history = try(var.ecr.max_history, null) + atomic = try(var.ecr.atomic, null) + 
skip_crds = try(var.ecr.skip_crds, null) + render_subchart_notes = try(var.ecr.render_subchart_notes, null) + disable_openapi_validation = try(var.ecr.disable_openapi_validation, null) + wait = try(var.ecr.wait, false) + wait_for_jobs = try(var.ecr.wait_for_jobs, null) + dependency_update = try(var.ecr.dependency_update, null) + replace = try(var.ecr.replace, null) + lint = try(var.ecr.lint, null) + + postrender = try(var.ecr.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-ecr-ecr-chart-xxxxxxxxxxxxx` to `ack-ecr-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-ecr" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.ecr_name + }], + try(var.ecr.set, []) + ) + set_sensitive = try(var.ecr.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.ecr.create_role, true) + role_name = try(var.ecr.role_name, "ack-ecr") + role_name_use_prefix = try(var.ecr.role_name_use_prefix, true) + role_path = try(var.ecr.role_path, "/") + role_permissions_boundary_arn = lookup(var.ecr, "role_permissions_boundary_arn", null) + role_description = try(var.ecr.role_description, "IRSA for ECR controller for ACK") + role_policies = lookup(var.ecr, "role_policies", { + policy = var.enable_ecr ? aws_iam_policy.ecrpolicy[0].arn : null + }) + create_policy = try(var.ecr.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.ecr_name + } + } + + tags = var.tags +} + +# recommended ecr policy https://github.com/aws-controllers-k8s/ecr-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "ecr_controller" { + count = var.enable_ecr ? 
1 : 0 + + statement { + effect = "Allow" + actions = [ + "ecr:*", + "cloudtrail:LookupEvents", + ] + resources = ["*"] + } + + statement { + effect = "Allow" + actions = ["iam:CreateServiceLinkedRole"] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "iam:AWSServiceName" + values = ["replication.ecr.amazonaws.com"] + } + } +} + +resource "aws_iam_policy" "ecrpolicy" { + count = var.enable_ecr ? 1 : 0 + + name = "ECRController" + description = "IAM policy for ecr Controller" + policy = data.aws_iam_policy_document.ecr_controller[0].json + + tags = var.tags +} + ################################################################################ # SNS ################################################################################ @@ -129,7 +1044,7 @@ module "sns" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/sns-controller/blob/main/config/iam/recommended-policy-arn +# recommended sns-controller policy https://github.com/aws-controllers-k8s/sns-controller/blob/main/config/iam/recommended-policy-arn data "aws_iam_policy_document" "sns_controller" { count = var.enable_sns ? 1 : 0 @@ -249,7 +1164,7 @@ module "sqs" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/sqs-controller/blob/main/config/iam/recommended-policy-arn +# recommended sqs-controller policy https://github.com/aws-controllers-k8s/sqs-controller/blob/main/config/iam/recommended-policy-arn data "aws_iam_policy_document" "sqs_controller" { count = var.enable_sqs ? 1 : 0 @@ -369,7 +1284,7 @@ module "lambda" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy +# recommended lambda policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy data "aws_iam_policy_document" "lambda_controller" { count = var.enable_lambda ? 1 : 0 
diff --git a/variables.tf b/variables.tf
index 2afe618..b53fdd0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,6 +43,70 @@ variable "tags" {
 default = {}
 }
+################################################################################
+# Sagemaker
+################################################################################
+
+variable "enable_sagemaker" {
+ description = "Enable ACK Sagemaker add-on"
+ type = bool
+ default = false
+}
+
+variable "sagemaker" {
+ description = "ACK Sagemaker Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# MemoryDB
+################################################################################
+
+variable "enable_memorydb" {
+ description = "Enable ACK MemoryDB add-on"
+ type = bool
+ default = false
+}
+
+variable "memorydb" {
+ description = "ACK MemoryDB Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# OpenSearch Service
+################################################################################
+
+variable "enable_opensearchservice" {
+ description = "Enable ACK OpensearchService add-on"
+ type = bool
+ default = false
+}
+
+variable "opensearchservice" {
+ description = "ACK OpensearchService Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# ECR
+################################################################################
+
+variable "enable_ecr" {
+ description = "Enable ACK ECR add-on"
+ type = bool
+ default = false
+}
+
+variable "ecr" {
+ description = "ACK ECR Helm Chart config"
+ type = any
+ default = {}
+}
+
 ################################################################################
 # SNS
 ################################################################################
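Review bot: The four new config variables (`sagemaker`, `memorydb`, `opensearchservice`, `ecr`) are `type = any` with an empty default, and main.tf reads every key through `try()`/`lookup()` with a fallback, so a misspelled key such as `role_polices` is silently ignored and the module's default `role_policies` (the controller policy it creates) is attached instead of the caller's restriction. That is the same contract as the existing variables, so I would not change the type here, but the description should state it, e.g. `description = "ACK Sagemaker Helm Chart config; keys not recognised by main.tf are ignored and the module defaults apply"`, and likewise for the other three. Separately, this file spells it `Sagemaker` while the policy descriptions in main.tf use `SageMaker`; pick one spelling, as the follow-up commit already did for "Opensearch Service".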
From ef8391998c4660bcc670d8fbaa2ef7c7630fbfb6 Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Fri, 9 Aug 2024 10:44:19 -0300 Subject: [PATCH 2/5] fix variable typo --- README.md | 4 ++-- main.tf | 2 +- variables.tf | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 06185f9..aa2e32a 100644 --- a/README.md +++ b/README.md @@ -165,7 +165,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no | | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no | | [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no | -| [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK OpensearchService add-on | `bool` | `false` | no | +| [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK Opensearch Service add-on | `bool` | `false` | no | | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no | | [enable\_rds](#input\_enable\_rds) | Enable ACK rds add-on | `bool` | `false` | no | | [enable\_s3](#input\_enable\_s3) | Enable ACK s3 add-on | `bool` | `false` | no | 
@@ -179,7 +179,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no | | [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes | -| [opensearchservice](#input\_opensearchservice) | ACK OpensearchService Helm Chart config | `any` | `{}` | no | +| [opensearchservice](#input\_opensearchservice) | ACK Opensearch Service Helm Chart config | `any` | `{}` | no | | [prometheusservice](#input\_prometheusservice) | ACK prometheusservice Helm Chart config | `any` | `{}` | no | | [rds](#input\_rds) | ACK rds Helm Chart config | `any` | `{}` | no | | [s3](#input\_s3) | ACK s3 Helm Chart config | `any` | `{}` | no | diff --git a/main.tf b/main.tf index 5dad5df..4e5d6ac 100644 --- a/main.tf +++ b/main.tf @@ -1284,7 +1284,7 @@ module "lambda" { tags = var.tags } -# recommended lambda policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy +# recommended lambda-controller policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy data "aws_iam_policy_document" "lambda_controller" { count = var.enable_lambda ? 1 : 0 diff --git a/variables.tf b/variables.tf index b53fdd0..16f28de 100644 --- a/variables.tf +++ b/variables.tf @@ -80,13 +80,13 @@ variable "memorydb" { ################################################################################ variable "enable_opensearchservice" { - description = "Enable ACK OpensearchService add-on" + description = "Enable ACK Opensearch Service add-on" type = bool default = false } variable "opensearchservice" { - description = "ACK OpensearchService Helm Chart config" + description = "ACK Opensearch Service Helm Chart config" type = any default = {} } 
From cbd1a93fcd87ea17bd59a120fa5e0766b1b4888f Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Fri, 9 Aug 2024 12:56:07 -0300 Subject: [PATCH 3/5] update controllers to the latest version --- main.tf | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/main.tf b/main.tf index 4e5d6ac..d21d454 100644 --- a/main.tf +++ b/main.tf @@ -964,13 +964,13 @@ module "sns" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sns-chart:1.0.11 + # public.ecr.aws/aws-controllers-k8s/sns-chart:1.0.12 name = try(var.sns.name, local.sns_name) description = try(var.sns.description, "Helm Chart for SNS controller for ACK") namespace = try(var.sns.namespace, "ack-system") create_namespace = try(var.sns.create_namespace, true) chart = "sns-chart" - chart_version = try(var.sns.chart_version, "1.0.11") + chart_version = try(var.sns.chart_version, "1.0.12") repository = try(var.sns.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.sns.values, []) @@ -1084,13 +1084,13 @@ module "sqs" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sqs-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/sqs-chart:1.0.15 name = try(var.sqs.name, local.sqs_name) description = try(var.sqs.description, "Helm Chart for SQS controller for ACK") namespace = try(var.sqs.namespace, "ack-system") create_namespace = try(var.sqs.create_namespace, true) chart = "sqs-chart" - chart_version = try(var.sqs.chart_version, "1.0.14") + chart_version = try(var.sqs.chart_version, "1.0.15") repository = try(var.sqs.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.sqs.values, []) 
@@ -1341,13 +1341,13 @@ module "iam" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/iam-chart:1.3.10 + # public.ecr.aws/aws-controllers-k8s/iam-chart:1.3.11 name = try(var.iam.name, local.iam_name) description = try(var.iam.description, "Helm Chart for iam controller for ACK") namespace = try(var.iam.namespace, "ack-system") create_namespace = try(var.iam.create_namespace, true) chart = "iam-chart" - chart_version = try(var.iam.chart_version, "1.3.10") + chart_version = try(var.iam.chart_version, "1.3.11") repository = try(var.iam.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.iam.values, []) @@ -1525,13 +1525,13 @@ module "ec2" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/ec2-chart:1.2.15 + # public.ecr.aws/aws-controllers-k8s/ec2-chart:1.2.16 name = try(var.ec2.name, local.ec2_name) description = try(var.ec2.description, "Helm Chart for ec2 controller for ACK") namespace = try(var.ec2.namespace, "ack-system") create_namespace = try(var.ec2.create_namespace, true) chart = "ec2-chart" - chart_version = try(var.ec2.chart_version, "1.2.15") + chart_version = try(var.ec2.chart_version, "1.2.16") repository = try(var.ec2.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.ec2.values, []) 
@@ -1623,13 +1623,13 @@ module "eks" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/eks-chart:1.4.3 + # public.ecr.aws/aws-controllers-k8s/eks-chart:1.4.4 name = try(var.eks.name, local.eks_name) description = try(var.eks.description, "Helm Chart for eks controller for ACK") namespace = try(var.eks.namespace, "ack-system") create_namespace = try(var.eks.create_namespace, true) chart = "eks-chart" - chart_version = try(var.eks.chart_version, "1.4.3") + chart_version = try(var.eks.chart_version, "1.4.4") repository = try(var.eks.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.eks.values, []) @@ -1750,13 +1750,13 @@ module "kms" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/kms-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/kms-chart:1.0.15 name = try(var.kms.name, local.kms_name) description = try(var.kms.description, "Helm Chart for kms controller for ACK") namespace = try(var.kms.namespace, "ack-system") create_namespace = try(var.kms.create_namespace, true) chart = "kms-chart" - chart_version = try(var.kms.chart_version, "1.0.14") + chart_version = try(var.kms.chart_version, "1.0.15") repository = try(var.kms.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.kms.values, []) 
@@ -1888,13 +1888,13 @@ module "acm" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/acm-chart:0.0.17 + # public.ecr.aws/aws-controllers-k8s/acm-chart:0.0.18 name = try(var.acm.name, local.acm_name) description = try(var.acm.description, "Helm Chart for acm controller for ACK") namespace = try(var.acm.namespace, "ack-system") create_namespace = try(var.acm.create_namespace, true) chart = "acm-chart" - chart_version = try(var.acm.chart_version, "0.0.17") + chart_version = try(var.acm.chart_version, "0.0.18") repository = try(var.acm.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.acm.values, []) @@ -2019,13 +2019,13 @@ module "apigatewayv2" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:1.0.15 name = try(var.apigatewayv2.name, local.apigatewayv2_name) description = try(var.apigatewayv2.description, "Helm Chart for apigatewayv2 controller for ACK") namespace = try(var.apigatewayv2.namespace, "ack-system") create_namespace = try(var.apigatewayv2.create_namespace, true) chart = "apigatewayv2-chart" - chart_version = try(var.apigatewayv2.chart_version, "1.0.14") + chart_version = try(var.apigatewayv2.chart_version, "1.0.15") repository = try(var.apigatewayv2.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.apigatewayv2.values, []) 
@@ -2118,13 +2118,13 @@ module "dynamodb" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/dynamodb-chart:1.2.12 + # public.ecr.aws/aws-controllers-k8s/dynamodb-chart:1.2.13 name = try(var.dynamodb.name, local.dynamodb_name) description = try(var.dynamodb.description, "Helm Chart for dynamodb controller for ACK") namespace = try(var.dynamodb.namespace, "ack-system") create_namespace = try(var.dynamodb.create_namespace, true) chart = "dynamodb-chart" - chart_version = try(var.dynamodb.chart_version, "1.2.12") + chart_version = try(var.dynamodb.chart_version, "1.2.13") repository = try(var.dynamodb.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.dynamodb.values, []) @@ -2216,13 +2216,13 @@ module "s3" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/s3-chart:1.0.13 + # public.ecr.aws/aws-controllers-k8s/s3-chart:1.0.15 name = try(var.s3.name, local.s3_name) description = try(var.s3.description, "Helm Chart for s3 controller for ACK") namespace = try(var.s3.namespace, "ack-system") create_namespace = try(var.s3.create_namespace, true) chart = "s3-chart" - chart_version = try(var.s3.chart_version, "1.0.13") + chart_version = try(var.s3.chart_version, "1.0.15") repository = try(var.s3.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.s3.values, []) 
@@ -2412,13 +2412,13 @@ module "rds" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/rds-chart:1.4.2 + # public.ecr.aws/aws-controllers-k8s/rds-chart:1.4.3 name = try(var.rds.name, local.rds_name) description = try(var.rds.description, "Helm Chart for rds controller for ACK") namespace = try(var.rds.namespace, "ack-system") create_namespace = try(var.rds.create_namespace, true) chart = "rds-chart" - chart_version = try(var.rds.chart_version, "1.4.2") + chart_version = try(var.rds.chart_version, "1.4.3") repository = try(var.rds.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.rds.values, []) @@ -2516,7 +2516,7 @@ module "prometheusservice" { namespace = try(var.prometheusservice.namespace, "ack-system") create_namespace = try(var.prometheusservice.create_namespace, true) chart = "prometheusservice-chart" - chart_version = try(var.prometheusservice.chart_version, "1.2.12") + chart_version = try(var.prometheusservice.chart_version, "1.2.13") repository = try(var.prometheusservice.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.prometheusservice.values, []) @@ -2614,7 +2614,7 @@ module "emrcontainers" { namespace = try(var.emrcontainers.namespace, "ack-system") create_namespace = try(var.emrcontainers.create_namespace, true) chart = "emrcontainers-chart" - chart_version = try(var.emrcontainers.chart_version, "1.0.11") + chart_version = try(var.emrcontainers.chart_version, "1.0.12") repository = try(var.emrcontainers.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.emrcontainers.values, []) 
@@ -2797,7 +2797,7 @@ module "sfn" {
 namespace = try(var.sfn.namespace, "ack-system")
 create_namespace = try(var.sfn.create_namespace, true)
 chart = "sfn-chart"
- chart_version = try(var.sfn.chart_version, "1.0.12")
+ chart_version = try(var.sfn.chart_version, "1.0.13")
 repository = try(var.sfn.repository, "oci://public.ecr.aws/aws-controllers-k8s")
 values = try(var.sfn.values, [])
@@ -2922,7 +2922,7 @@ module "eventbridge" {
 namespace = try(var.eventbridge.namespace, "ack-system")
 create_namespace = try(var.eventbridge.create_namespace, true)
 chart = "eventbridge-chart"
- chart_version = try(var.eventbridge.chart_version, "1.0.12")
+ chart_version = try(var.eventbridge.chart_version, "1.0.13")
 repository = try(var.eventbridge.repository, "oci://public.ecr.aws/aws-controllers-k8s")
 values = try(var.eventbridge.values, [])
From b8fa9f31368de50db0a81efb83c033ef6c945577 Mon Sep 17 00:00:00 2001
From: Edgar Costa
Date: Fri, 9 Aug 2024 19:33:54 -0300
Subject: [PATCH 4/5] adjust managed roles and custom roles
--- main.tf | 1028 +++++++++++++------------------------------------------ 1 file changed, 242 insertions(+), 786 deletions(-)
diff --git a/main.tf b/main.tf
index d21d454..98da80e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,6 @@
 data "aws_partition" "current" {}
 data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
 # This resource is used to provide a means of mapping an implicit dependency
 # between the cluster and the addons.
@@ -114,12 +115,7 @@ module "sagemaker" {
 role_permissions_boundary_arn = lookup(var.sagemaker, "role_permissions_boundary_arn", null)
 role_description = try(var.sagemaker.role_description, "IRSA for Sagemaker controller for ACK")
 role_policies = lookup(var.sagemaker, "role_policies", {
- core_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_core_policy[0].arn : null,
- studio_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_studio_policy[0].arn : null,
- space_management_policy = var.enable_sagemaker ? aws_iam_policy.sagemaker_space_management_policy[0].arn : null,
- aws_service_actions_policy = var.enable_sagemaker ? aws_iam_policy.aws_service_actions_policy[0].arn : null,
- resource_specific_actions_policy = var.enable_sagemaker ? aws_iam_policy.resource_specific_actions_policy[0].arn : null,
- s3_actions_policy = var.enable_sagemaker ? aws_iam_policy.s3_actions_policy[0].arn : null
+ AmazonSageMakerFullAccess = "${local.iam_role_policy_prefix}/AmazonSageMakerFullAccess"
 })
 create_policy = try(var.sagemaker.create_policy, false)
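Review bot: The default `role_policies` now attaches the AWS managed `AmazonSageMakerFullAccess` in place of the six scoped policies the first patch inlined, which widens what the controller's IRSA role can do: the removed documents carved the `domain`, `user-profile`, `app`, `space` and `flow-definition` ARNs out of `sagemaker:*` and gated `CreateApp`/`DeleteApp` on `sagemaker:OwnerUserProfileArn` and `sagemaker:SpaceSharingType`, whereas the managed policy is not limited to `sagemaker:` actions. If the broader grant is the intent, say so next to the default so operators know to override it, e.g. `# AmazonSageMakerFullAccess is broader than the scoped policies it replaces; pass role_policies to restrict the controller`. `local.iam_role_policy_prefix` is not defined in any hunk visible here, so confirm it exists and is built from `data.aws_partition.current` rather than a hard-coded `arn:aws`, or the plan fails on an unknown local. The enclosing `module "sagemaker"` block starts and ends outside this hunk.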
@@ -135,437 +131,6 @@ module "sagemaker" { tags = var.tags } -# recommended sagemaker-controller policy https://github.com/aws-controllers-k8s/sagemaker-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "sagemaker_core" { - count = var.enable_sagemaker ? 1 : 0 - - statement { - sid = "AllowAllNonAdminSageMakerActions" - effect = "Allow" - actions = [ - "sagemaker:*", - "sagemaker-geospatial:*", - ] - not_resources = [ - "arn:aws:sagemaker:*:*:domain/*", - "arn:aws:sagemaker:*:*:user-profile/*", - "arn:aws:sagemaker:*:*:app/*", - "arn:aws:sagemaker:*:*:space/*", - "arn:aws:sagemaker:*:*:flow-definition/*", - ] - } - - statement { - sid = "AllowAddTagsForSpace" - effect = "Allow" - actions = ["sagemaker:AddTags"] - resources = ["arn:aws:sagemaker:*:*:space/*"] - - condition { - test = "StringEquals" - variable = "sagemaker:TaggingAction" - values = ["CreateSpace"] - } - } - - statement { - sid = "AllowAddTagsForApp" - effect = "Allow" - actions = ["sagemaker:AddTags"] - resources = ["arn:aws:sagemaker:*:*:app/*"] - } -} - -data "aws_iam_policy_document" "sagemaker_studio" { - count = var.enable_sagemaker ? 
1 : 0 - - statement { - sid = "AllowStudioActions" - effect = "Allow" - actions = [ - "sagemaker:CreatePresignedDomainUrl", - "sagemaker:DescribeDomain", - "sagemaker:ListDomains", - "sagemaker:DescribeUserProfile", - "sagemaker:ListUserProfiles", - "sagemaker:DescribeSpace", - "sagemaker:ListSpaces", - "sagemaker:DescribeApp", - "sagemaker:ListApps", - ] - resources = ["*"] - } - - statement { - sid = "AllowAppActionsForUserProfile" - effect = "Allow" - actions = [ - "sagemaker:CreateApp", - "sagemaker:DeleteApp", - ] - resources = ["arn:aws:sagemaker:*:*:app/*/*/*/*"] - - condition { - test = "Null" - variable = "sagemaker:OwnerUserProfileArn" - values = ["true"] - } - } - - statement { - sid = "AllowAppActionsForSharedSpaces" - effect = "Allow" - actions = [ - "sagemaker:CreateApp", - "sagemaker:DeleteApp", - ] - resources = ["arn:aws:sagemaker:*:*:app/$${sagemaker:DomainId}/*/*/*"] - - condition { - test = "StringEquals" - variable = "sagemaker:SpaceSharingType" - values = ["Shared"] - } - } -} - -data "aws_iam_policy_document" "sagemaker_space_management" { - count = var.enable_sagemaker ? 
1 : 0 - - statement { - sid = "AllowMutatingActionsOnSharedSpacesWithoutOwner" - effect = "Allow" - actions = [ - "sagemaker:CreateSpace", - "sagemaker:UpdateSpace", - "sagemaker:DeleteSpace", - ] - resources = ["arn:aws:sagemaker:*:*:space/$${sagemaker:DomainId}/*"] - - condition { - test = "Null" - variable = "sagemaker:OwnerUserProfileArn" - values = ["true"] - } - } - - statement { - sid = "RestrictMutatingActionsOnSpacesToOwnerUserProfile" - effect = "Allow" - actions = [ - "sagemaker:CreateSpace", - "sagemaker:UpdateSpace", - "sagemaker:DeleteSpace", - ] - resources = ["arn:aws:sagemaker:*:*:space/$${sagemaker:DomainId}/*"] - - condition { - test = "ArnLike" - variable = "sagemaker:OwnerUserProfileArn" - values = ["arn:aws:sagemaker:*:*:user-profile/$${sagemaker:DomainId}/$${sagemaker:UserProfileName}"] - } - - condition { - test = "StringEquals" - variable = "sagemaker:SpaceSharingType" - values = ["Private", "Shared"] - } - } - - statement { - sid = "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile" - effect = "Allow" - actions = [ - "sagemaker:CreateApp", - "sagemaker:DeleteApp", - ] - resources = ["arn:aws:sagemaker:*:*:app/$${sagemaker:DomainId}/*/*/*"] - - condition { - test = "ArnLike" - variable = "sagemaker:OwnerUserProfileArn" - values = ["arn:aws:sagemaker:*:*:user-profile/$${sagemaker:DomainId}/$${sagemaker:UserProfileName}"] - } - - condition { - test = "StringEquals" - variable = "sagemaker:SpaceSharingType" - values = ["Private"] - } - } - - statement { - sid = "AllowFlowDefinitionActions" - effect = "Allow" - actions = ["sagemaker:*"] - resources = ["arn:aws:sagemaker:*:*:flow-definition/*"] - - condition { - test = "StringEqualsIfExists" - variable = "sagemaker:WorkteamType" - values = ["private-crowd", "vendor-crowd"] - } - } -} - -data "aws_iam_policy_document" "aws_service_actions" { - count = var.enable_sagemaker ? 
1 : 0 - - statement { - sid = "AllowAWSServiceActions" - effect = "Allow" - actions = [ - "application-autoscaling:*", - "aws-marketplace:ViewSubscriptions", - "cloudformation:GetTemplateSummary", - "cloudwatch:*", - "codecommit:*", - "cognito-idp:*", - "ec2:*", - "ecr:*", - "elastic-inference:Connect", - "elasticfilesystem:Describe*", - "fsx:DescribeFileSystems", - "glue:*", - "groundtruthlabeling:*", - "iam:ListRoles", - "kms:*", - "lambda:ListFunctions", - "logs:*", - "robomaker:*", - "secretsmanager:ListSecrets", - "servicecatalog:*", - "sns:ListTopics", - "tag:GetResources", - ] - resources = ["*"] - } -} - -data "aws_iam_policy_document" "resource_specific_actions" { - count = var.enable_sagemaker ? 1 : 0 - - statement { - sid = "AllowECRActions" - effect = "Allow" - actions = [ - "ecr:*", - ] - resources = ["arn:aws:ecr:*:*:repository/*sagemaker*"] - } - - statement { - sid = "AllowCodeCommitActions" - effect = "Allow" - actions = [ - "codecommit:GitPull", - "codecommit:GitPush", - ] - resources = [ - "arn:aws:codecommit:*:*:*sagemaker*", - "arn:aws:codecommit:*:*:*SageMaker*", - "arn:aws:codecommit:*:*:*Sagemaker*", - ] - } - - statement { - sid = "AllowCodeBuildActions" - effect = "Allow" - actions = [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - ] - resources = [ - "arn:aws:codebuild:*:*:project/sagemaker*", - "arn:aws:codebuild:*:*:build/*", - ] - } - - statement { - sid = "AllowStepFunctionsActions" - effect = "Allow" - actions = [ - "states:*", - ] - resources = [ - "arn:aws:states:*:*:statemachine:*sagemaker*", - "arn:aws:states:*:*:execution:*sagemaker*:*", - ] - } - - statement { - sid = "AllowSecretManagerActions" - effect = "Allow" - actions = [ - "secretsmanager:*", - ] - resources = ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"] - } - - statement { - sid = "AllowReadOnlySecretManagerActions" - effect = "Allow" - actions = [ - "secretsmanager:DescribeSecret", - "secretsmanager:GetSecretValue", - ] - resources = ["*"] - - 
condition { - test = "StringEquals" - variable = "secretsmanager:ResourceTag/SageMaker" - values = ["true"] - } - } -} - -data "aws_iam_policy_document" "s3_actions" { - count = var.enable_sagemaker ? 1 : 0 - - statement { - sid = "AllowS3ObjectActions" - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:AbortMultipartUpload", - ] - resources = [ - "arn:aws:s3:::*SageMaker*", - "arn:aws:s3:::*Sagemaker*", - "arn:aws:s3:::*sagemaker*", - "arn:aws:s3:::*aws-glue*", - ] - } - - statement { - sid = "AllowS3GetObjectWithSageMakerExistingObjectTag" - effect = "Allow" - actions = ["s3:GetObject"] - resources = ["arn:aws:s3:::*"] - - condition { - test = "StringEqualsIgnoreCase" - variable = "s3:ExistingObjectTag/SageMaker" - values = ["true"] - } - } - - statement { - sid = "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag" - effect = "Allow" - actions = ["s3:GetObject"] - resources = ["arn:aws:s3:::*"] - - condition { - test = "StringEquals" - variable = "s3:ExistingObjectTag/servicecatalog:provisioning" - values = ["true"] - } - } - - statement { - sid = "AllowS3BucketActions" - effect = "Allow" - actions = [ - "s3:CreateBucket", - "s3:GetBucketLocation", - "s3:ListBucket", - "s3:ListAllMyBuckets", - "s3:GetBucketCors", - "s3:PutBucketCors", - ] - resources = ["*"] - } - - statement { - sid = "AllowS3BucketACL" - effect = "Allow" - actions = [ - "s3:GetBucketAcl", - "s3:PutObjectAcl", - ] - resources = [ - "arn:aws:s3:::*SageMaker*", - "arn:aws:s3:::*Sagemaker*", - "arn:aws:s3:::*sagemaker*", - ] - } - - statement { - sid = "AllowLambdaInvokeFunction" - effect = "Allow" - actions = ["lambda:InvokeFunction"] - resources = [ - "arn:aws:lambda:*:*:function:*SageMaker*", - "arn:aws:lambda:*:*:function:*sagemaker*", - "arn:aws:lambda:*:*:function:*Sagemaker*", - "arn:aws:lambda:*:*:function:*LabelingFunction*", - ] - } -} - -resource "aws_iam_policy" "sagemaker_core_policy" { - count = var.enable_sagemaker ? 
1 : 0 - - name = "SagemakerCorePolicy" - description = "IAM policy for SageMaker core actions" - policy = data.aws_iam_policy_document.sagemaker_core[0].json - - tags = var.tags -} - -resource "aws_iam_policy" "sagemaker_studio_policy" { - count = var.enable_sagemaker ? 1 : 0 - - name = "SagemakerStudioPolicy" - description = "IAM policy for SageMaker Studio and App actions" - policy = data.aws_iam_policy_document.sagemaker_studio[0].json - - tags = var.tags -} - -resource "aws_iam_policy" "sagemaker_space_management_policy" { - count = var.enable_sagemaker ? 1 : 0 - - name = "SagemakerSpaceManagementPolicy" - description = "IAM policy for SageMaker space and flow definition management" - policy = data.aws_iam_policy_document.sagemaker_space_management[0].json - - tags = var.tags -} - -resource "aws_iam_policy" "aws_service_actions_policy" { - count = var.enable_sagemaker ? 1 : 0 - - name = "AWSServiceActionsPolicy" - description = "IAM policy for AWS service actions" - policy = data.aws_iam_policy_document.aws_service_actions[0].json - - tags = var.tags -} - -resource "aws_iam_policy" "resource_specific_actions_policy" { - count = var.enable_sagemaker ? 1 : 0 - - name = "ResourceSpecificActionsPolicy" - description = "IAM policy for resource-specific actions" - policy = data.aws_iam_policy_document.resource_specific_actions[0].json - - tags = var.tags -} - -resource "aws_iam_policy" "s3_actions_policy" { - count = var.enable_sagemaker ? 1 : 0 - - name = "S3ActionsPolicy" - description = "IAM policy for S3 and S3 Express actions" - policy = data.aws_iam_policy_document.s3_actions[0].json - - tags = var.tags -} - ################################################################################ # MemoryDB ################################################################################ 
@@ -648,7 +213,7 @@ module "memorydb" { role_permissions_boundary_arn = lookup(var.memorydb, "role_permissions_boundary_arn", null) role_description = try(var.memorydb.role_description, "IRSA for MemoryDB controller for ACK") role_policies = lookup(var.memorydb, "role_policies", { - policy = var.enable_memorydb ? aws_iam_policy.memorydbpolicy[0].arn : null + AmazonMemoryDBFullAccess = "${local.iam_role_policy_prefix}/AmazonMemoryDBFullAccess" }) create_policy = try(var.memorydb.create_policy, false) @@ -663,39 +228,6 @@ module "memorydb" { tags = var.tags } -# recommended memorydb-controller policy https://github.com/aws-controllers-k8s/memorydb-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "memorydb_controller" { - count = var.enable_memorydb ? 1 : 0 - - statement { - effect = "Allow" - actions = ["memorydb:*"] - resources = ["*"] - } - - statement { - effect = "Allow" - actions = ["iam:CreateServiceLinkedRole"] - resources = ["arn:aws:iam::*:role/aws-service-role/memorydb.amazonaws.com/AWSServiceRoleForMemoryDB"] - - condition { - test = "StringLike" - variable = "iam:AWSServiceName" - values = ["memorydb.amazonaws.com"] - } - } -} - -resource "aws_iam_policy" "memorydbpolicy" { - count = var.enable_memorydb ? 1 : 0 - - name = "MemoryDBController" - description = "IAM policy for MemoryDB Controller" - policy = data.aws_iam_policy_document.memorydb_controller[0].json - - tags = var.tags -} - ################################################################################ # OpenSearch Service ################################################################################ 
@@ -778,7 +310,7 @@ module "opensearchservice" { role_permissions_boundary_arn = lookup(var.opensearchservice, "role_permissions_boundary_arn", null) role_description = try(var.opensearchservice.role_description, "IRSA for Opensearch Service controller for ACK") role_policies = lookup(var.opensearchservice, "role_policies", { - policy = var.enable_opensearchservice ? aws_iam_policy.opensearchservicepolicy[0].arn : null + AmazonOpenSearchServiceFullAccess = "${local.iam_role_policy_prefix}/AmazonOpenSearchServiceFullAccess" }) create_policy = try(var.opensearchservice.create_policy, false) @@ -793,27 +325,6 @@ module "opensearchservice" { tags = var.tags } -# recommended opensearchservice-controller policy https://github.com/aws-controllers-k8s/opensearchservice-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "opensearchservice_controller" { - count = var.enable_opensearchservice ? 1 : 0 - - statement { - effect = "Allow" - actions = ["es:*"] - resources = ["*"] - } -} - -resource "aws_iam_policy" "opensearchservicepolicy" { - count = var.enable_opensearchservice ? 1 : 0 - - name = "OpensearchServiceController" - description = "IAM policy for OpensearchService Controller" - policy = data.aws_iam_policy_document.opensearchservice_controller[0].json - - tags = var.tags -} - ################################################################################ # ECR ################################################################################ @@ -896,7 +407,7 @@ module "ecr" { role_permissions_boundary_arn = lookup(var.ecr, "role_permissions_boundary_arn", null) role_description = try(var.ecr.role_description, "IRSA for ECR controller for ACK") role_policies = lookup(var.ecr, "role_policies", { - policy = var.enable_ecr ? aws_iam_policy.ecrpolicy[0].arn : null + AmazonEC2ContainerRegistryFullAccess = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryFullAccess" }) create_policy = try(var.ecr.create_policy, false) 
@@ -911,42 +422,6 @@ module "ecr" { tags = var.tags } -# recommended ecr policy https://github.com/aws-controllers-k8s/ecr-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "ecr_controller" { - count = var.enable_ecr ? 1 : 0 - - statement { - effect = "Allow" - actions = [ - "ecr:*", - "cloudtrail:LookupEvents", - ] - resources = ["*"] - } - - statement { - effect = "Allow" - actions = ["iam:CreateServiceLinkedRole"] - resources = ["*"] - - condition { - test = "StringEquals" - variable = "iam:AWSServiceName" - values = ["replication.ecr.amazonaws.com"] - } - } -} - -resource "aws_iam_policy" "ecrpolicy" { - count = var.enable_ecr ? 1 : 0 - - name = "ECRController" - description = "IAM policy for ecr Controller" - policy = data.aws_iam_policy_document.ecr_controller[0].json - - tags = var.tags -} - ################################################################################ # SNS ################################################################################ @@ -1029,7 +504,7 @@ module "sns" { role_permissions_boundary_arn = lookup(var.sns, "role_permissions_boundary_arn", null) role_description = try(var.sns.role_description, "IRSA for SNS controller for ACK") role_policies = lookup(var.sns, "role_policies", { - policy = var.enable_sns ? aws_iam_policy.snspolicy[0].arn : null + AmazonSNSFullAccess = "${local.iam_role_policy_prefix}/AmazonSNSFullAccess" }) create_policy = try(var.sns.create_policy, false) 
@@ -1044,29 +519,6 @@ module "sns" { tags = var.tags } -# recommended sns-controller policy https://github.com/aws-controllers-k8s/sns-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "sns_controller" { - count = var.enable_sns ? 1 : 0 - - statement { - effect = "Allow" - actions = [ - "sns:*" - ] - resources = ["*"] - } -} - -resource "aws_iam_policy" "snspolicy" { - count = var.enable_sns ? 1 : 0 - - name = "SNSController" - description = "IAM policy for SNS Controller" - policy = data.aws_iam_policy_document.sns_controller[0].json - - tags = var.tags -} - ################################################################################ # SQS ################################################################################ @@ -1149,7 +601,7 @@ module "sqs" { role_permissions_boundary_arn = lookup(var.sqs, "role_permissions_boundary_arn", null) role_description = try(var.sqs.role_description, "IRSA for SQS controller for ACK") role_policies = lookup(var.sqs, "role_policies", { - policy = var.enable_sqs ? aws_iam_policy.sqspolicy[0].arn : null + AmazonSQSFullAccess = "${local.iam_role_policy_prefix}/AmazonSQSFullAccess" }) create_policy = try(var.sqs.create_policy, false) 
@@ -1164,29 +616,6 @@ module "sqs" { tags = var.tags } -# recommended sqs-controller policy https://github.com/aws-controllers-k8s/sqs-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "sqs_controller" { - count = var.enable_sqs ? 1 : 0 - - statement { - effect = "Allow" - actions = [ - "sqs:*" - ] - resources = ["*"] - } -} - -resource "aws_iam_policy" "sqspolicy" { - count = var.enable_sqs ? 1 : 0 - - name = "SQSController" - description = "IAM policy for SQS Controller" - policy = data.aws_iam_policy_document.sqs_controller[0].json - - tags = var.tags -} - ################################################################################ # Lambda ################################################################################ @@ -1269,7 +698,7 @@ module "lambda" { role_permissions_boundary_arn = lookup(var.lambda, "role_permissions_boundary_arn", null) role_description = try(var.lambda.role_description, "IRSA for Lambda controller for ACK") role_policies = lookup(var.lambda, "role_policies", { - policy = var.enable_lambda ? aws_iam_policy.lambdapolicy[0].arn : null + policy = var.enable_lambda ? aws_iam_policy.lambda[0].arn : null }) create_policy = try(var.lambda.create_policy, false) @@ -1285,7 +714,7 @@ module "lambda" { } # recommended lambda-controller policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy -data "aws_iam_policy_document" "lambda_controller" { +data "aws_iam_policy_document" "lambda" { count = var.enable_lambda ? 1 : 0 statement { @@ -1314,12 +743,12 @@ data "aws_iam_policy_document" "lambda_controller" { } } -resource "aws_iam_policy" "lambdapolicy" { +resource "aws_iam_policy" "lambda" { count = var.enable_lambda ? 1 : 0 name = "LambdaController" description = "IAM policy for Lambda Controller" - policy = data.aws_iam_policy_document.lambda_controller[0].json + policy = data.aws_iam_policy_document.lambda[0].json tags = var.tags } 
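Review bot: Renaming `aws_iam_policy.lambdapolicy` to `aws_iam_policy.lambda` changes the resource address without a `moved` block, so Terraform will plan to destroy the old policy and create a new one with the identical fixed `name = "LambdaController"`, which can fail with EntityAlreadyExists depending on ordering and in any case churns the role attachment. Add `moved { from = aws_iam_policy.lambdapolicy to = aws_iam_policy.lambda }` next to the resource so existing state is carried over. The `role_policies` map-key renames in the iam, eks, emrcontainers and prometheusservice hunks below (`AWSIamPolicy`, `EKSPolicy`, `AmazonEmrContainers`, `AmazonPrometheusFullAccess` → `policy`) presumably key the attachments inside the addon module, so each of those controller roles will briefly lose its policy during apply; that is worth a line in the changelog if it cannot be avoided.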
@@ -1407,7 +836,7 @@ module "iam" { role_permissions_boundary_arn = lookup(var.iam, "role_permissions_boundary_arn", null) role_description = try(var.iam.role_description, "IRSA for iam controller for ACK") role_policies = lookup(var.iam, "role_policies", { - AWSIamPolicy = var.enable_iam ? aws_iam_policy.iampolicy[0].arn : null + policy = var.enable_iam ? aws_iam_policy.iam[0].arn : null }) create_policy = try(var.iam.create_policy, false) 
@@ -1423,87 +852,84 @@ module "iam" { } # recommended iam-controller policy https://github.com/aws-controllers-k8s/iam-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "iampolicy" { +data "aws_iam_policy_document" "iam" { count = var.enable_iam ? 1 : 0 - name_prefix = format("%s-%s", local.iam_name, "controller-iam-policies") - - path = "/" - description = "ACK IAM contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "iam:GetGroup", - "iam:CreateGroup", - "iam:DeleteGroup", - "iam:UpdateGroup", - "iam:GetRole", - "iam:CreateRole", - "iam:DeleteRole", - "iam:UpdateRole", - "iam:PutRolePermissionsBoundary", - "iam:PutUserPermissionsBoundary", - "iam:GetUser", - "iam:CreateUser", - "iam:DeleteUser", - "iam:UpdateUser", - "iam:GetPolicy", - "iam:CreatePolicy", - "iam:DeletePolicy", - "iam:GetPolicyVersion", - "iam:CreatePolicyVersion", - "iam:DeletePolicyVersion", - "iam:ListPolicyVersions", - "iam:ListPolicyTags", - "iam:ListAttachedGroupPolicies", - "iam:GetGroupPolicy", - "iam:PutGroupPolicy", - "iam:AttachGroupPolicy", - "iam:DetachGroupPolicy", - "iam:DeleteGroupPolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:GetRolePolicy", - "iam:PutRolePolicy", - "iam:AttachRolePolicy", - "iam:DetachRolePolicy", - "iam:DeleteRolePolicy", - "iam:ListAttachedUserPolicies", - "iam:ListUserPolicies", - "iam:GetUserPolicy", - "iam:PutUserPolicy", - "iam:AttachUserPolicy", - "iam:DetachUserPolicy", - "iam:DeleteUserPolicy", - "iam:ListRoleTags", - "iam:ListUserTags", - "iam:TagPolicy", - "iam:UntagPolicy", - "iam:TagRole", - "iam:UntagRole", - "iam:TagUser", - "iam:UntagUser", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:ListOpenIDConnectProviderTags", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UntagOpenIDConnectProvider", - 
"iam:AddClientIDToOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:GetOpenIDConnectProvider", - "iam:TagOpenIDConnectProvider", - "iam:CreateOpenIDConnectProvider", - "iam:UpdateAssumeRolePolicy" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + actions = [ + "iam:GetGroup", + "iam:CreateGroup", + "iam:DeleteGroup", + "iam:UpdateGroup", + "iam:GetRole", + "iam:CreateRole", + "iam:DeleteRole", + "iam:UpdateRole", + "iam:PutRolePermissionsBoundary", + "iam:PutUserPermissionsBoundary", + "iam:GetUser", + "iam:CreateUser", + "iam:DeleteUser", + "iam:UpdateUser", + "iam:GetPolicy", + "iam:CreatePolicy", + "iam:DeletePolicy", + "iam:GetPolicyVersion", + "iam:CreatePolicyVersion", + "iam:DeletePolicyVersion", + "iam:ListPolicyVersions", + "iam:ListPolicyTags", + "iam:ListAttachedGroupPolicies", + "iam:GetGroupPolicy", + "iam:PutGroupPolicy", + "iam:AttachGroupPolicy", + "iam:DetachGroupPolicy", + "iam:DeleteGroupPolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:GetRolePolicy", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListAttachedUserPolicies", + "iam:ListUserPolicies", + "iam:GetUserPolicy", + "iam:PutUserPolicy", + "iam:AttachUserPolicy", + "iam:DetachUserPolicy", + "iam:DeleteUserPolicy", + "iam:ListRoleTags", + "iam:ListUserTags", + "iam:TagPolicy", + "iam:UntagPolicy", + "iam:TagRole", + "iam:UntagRole", + "iam:TagUser", + "iam:UntagUser", + "iam:RemoveClientIDFromOpenIDConnectProvider", + "iam:ListOpenIDConnectProviderTags", + "iam:UpdateOpenIDConnectProviderThumbprint", + "iam:UntagOpenIDConnectProvider", + "iam:AddClientIDToOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:GetOpenIDConnectProvider", + "iam:TagOpenIDConnectProvider", + "iam:CreateOpenIDConnectProvider", + "iam:UpdateAssumeRolePolicy", ] - }) + + resources = ["*"] + } +} + +resource "aws_iam_policy" "iam" { + count = var.enable_iam ? 
1 : 0 + + name = "IAMController" + description = "IAM policy for IAM Controller" + policy = data.aws_iam_policy_document.iam[0].json tags = var.tags } @@ -1689,7 +1115,7 @@ module "eks" { role_permissions_boundary_arn = lookup(var.eks, "role_permissions_boundary_arn", null) role_description = try(var.eks.role_description, "IRSA for eks controller for ACK") role_policies = lookup(var.eks, "role_policies", { - EKSPolicy = var.enable_eks ? aws_iam_policy.ekspolicy[0].arn : null + policy = var.enable_eks ? aws_iam_policy.eks[0].arn : null }) create_policy = try(var.eks.create_policy, false) @@ -1705,30 +1131,27 @@ module "eks" { } # recommended eks-controller policy https://github.com/aws-controllers-k8s/eks-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "ekspolicy" { +data "aws_iam_policy_document" "eks" { count = var.enable_eks ? 1 : 0 - name_prefix = format("%s-%s", local.eks_name, "controller-eks-policies") - - path = "/" - description = "ACK EKS contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "eks:*", - "iam:GetRole", - "iam:PassRole" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "eks:*", + "iam:GetRole", + "iam:PassRole", ] - }) + resources = ["*"] + } +} + +resource "aws_iam_policy" "eks" { + count = var.enable_eks ? 1 : 0 + + name = "EKSController" + description = "IAM policy for EKS Controller" + policy = data.aws_iam_policy_document.eks[0].json tags = var.tags } 
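Review bot: `aws_iam_policy.iam` replaces the previous `name_prefix = format("%s-%s", local.iam_name, ...)` with the fixed `name = "IAMController"`, so a second instantiation of this module in the same account (for example one per cluster) now fails with EntityAlreadyExists, and the existing policy is replaced rather than updated. Keeping a per-instance prefix, e.g. `name_prefix = "${local.iam_name}-controller-"` (assuming `local.iam_name` is still defined for the module block), or exposing the name via `name = try(var.iam.policy_name, "IAMController")`, avoids the collision. The same fixed names are introduced for eks (`EKSController`, also on this line) and for kms, acm, prometheusservice, emrcontainers and sfn in the hunks below, so this is the place to settle on one naming scheme. The conversion from `jsonencode` to `aws_iam_policy_document` itself looks correct; the enclosing file content continues outside the hunk.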
@@ -1816,7 +1239,7 @@ module "kms" { role_permissions_boundary_arn = lookup(var.kms, "role_permissions_boundary_arn", null) role_description = try(var.kms.role_description, "IRSA for kms controller for ACK") role_policies = lookup(var.kms, "role_policies", { - policy = var.enable_kms ? aws_iam_policy.kmspolicy[0].arn : null + policy = var.enable_kms ? aws_iam_policy.kms[0].arn : null }) create_policy = try(var.kms.create_policy, false) @@ -1832,41 +1255,37 @@ module "kms" { } # recommended kms-controller policy https://github.com/aws-controllers-k8s/kms-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "kmspolicy" { +data "aws_iam_policy_document" "kms" { count = var.enable_kms ? 1 : 0 - name_prefix = format("%s-%s", local.kms_name, "controller-kms-policies") - - path = "/" - description = "ACK KMS contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:Describe*", - "kms:GenerateRandom", - "kms:Get*", - "kms:List*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "iam:ListGroups", - "iam:ListRoles", - "iam:ListUsers", - "iam:CreateServiceLinkedRole" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + actions = [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:DeleteAlias", + "kms:Describe*", + "kms:GenerateRandom", + "kms:Get*", + "kms:List*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "iam:ListGroups", + "iam:ListRoles", + "iam:ListUsers", + "iam:CreateServiceLinkedRole", ] - }) + resources = ["*"] + } +} + +resource "aws_iam_policy" "kms" { + count = var.enable_kms ? 1 : 0 + + name = "KMSController" + description = "IAM policy for KMS Controller" + policy = data.aws_iam_policy_document.kms[0].json tags = var.tags } 
@@ -1954,7 +1373,7 @@ module "acm" { role_permissions_boundary_arn = lookup(var.acm, "role_permissions_boundary_arn", null) role_description = try(var.acm.role_description, "IRSA for acm controller for ACK") role_policies = lookup(var.acm, "role_policies", { - policy = var.enable_acm ? aws_iam_policy.acmpolicy[0].arn : null + policy = var.enable_acm ? aws_iam_policy.acm[0].arn : null }) create_policy = try(var.acm.create_policy, false) @@ -1970,34 +1389,32 @@ module "acm" { } # recommended acm-controller policy https://github.com/aws-controllers-k8s/acm-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "acmpolicy" { +data "aws_iam_policy_document" "acm" { count = var.enable_acm ? 1 : 0 - name_prefix = format("%s-%s", local.acm_name, "controller-acm-policies") - - path = "/" - description = "ACK ACM contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "acm:DescribeCertificate", - "acm:RequestCertificate", - "acm:UpdateCertificateOptions", - "acm:DeleteCertificate", - "acm:AddTagsToCertificate", - "acm:RemoveTagsFromCertificate", - "acm:ListTagsForCertificate" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "acm:DescribeCertificate", + "acm:RequestCertificate", + "acm:UpdateCertificateOptions", + "acm:DeleteCertificate", + "acm:AddTagsToCertificate", + "acm:RemoveTagsFromCertificate", + "acm:ListTagsForCertificate", ] - }) + resources = ["*"] + } + +} + +resource "aws_iam_policy" "acm" { + count = var.enable_acm ? 1 : 0 + + name = "ACMController" + description = "IAM policy for ACM Controller" + policy = data.aws_iam_policy_document.acm[0].json tags = var.tags } 
@@ -2510,7 +1927,7 @@ module "prometheusservice" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/prometheusservice_name-chart:1.2.12 + # public.ecr.aws/aws-controllers-k8s/prometheusservice-chart:1.2.13 name = try(var.prometheusservice.name, local.prometheusservice_name) description = try(var.prometheusservice.description, "Helm Chart for prometheusservice controller for ACK") namespace = try(var.prometheusservice.namespace, "ack-system") @@ -2576,7 +1993,7 @@ module "prometheusservice" { role_permissions_boundary_arn = lookup(var.prometheusservice, "role_permissions_boundary_arn", null) role_description = try(var.prometheusservice.role_description, "IRSA for prometheusservice controller for ACK") role_policies = lookup(var.prometheusservice, "role_policies", { - AmazonPrometheusFullAccess = "${local.iam_role_policy_prefix}/AmazonPrometheusFullAccess" + policy = var.enable_prometheusservice ? aws_iam_policy.prometheusservice[0].arn : null }) create_policy = try(var.prometheusservice.create_policy, false) 
@@ -2591,6 +2008,35 @@ module "prometheusservice" { tags = var.tags } +# recommended prometheusservice-controller policy https://github.com/aws-controllers-k8s/prometheusservice-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "prometheusservice" { + count = var.enable_prometheusservice ? 1 : 0 + + statement { + effect = "Allow" + + actions = [ + "aps:*", + "logs:CreateLogDelivery", + "logs:DescribeLogGroups", + "logs:DescribeResourcePolicies", + "logs:PutResourcePolicy", + ] + + resources = ["*"] + } +} + +resource "aws_iam_policy" "prometheusservice" { + count = var.enable_prometheusservice ? 1 : 0 + + name = "PrometheusServiceController" + description = "IAM policy for Prometheus Service Controller" + policy = data.aws_iam_policy_document.prometheusservice[0].json + + tags = var.tags +} + ################################################################################ # EMR Containers ################################################################################ @@ -2608,7 +2054,7 @@ module "emrcontainers" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/emrcontainers_name-chart:1.0.11 + # public.ecr.aws/aws-controllers-k8s/emrcontainers-chart:1.0.12 name = try(var.emrcontainers.name, local.emrcontainers_name) description = try(var.emrcontainers.description, "Helm Chart for emrcontainers controller for ACK") namespace = try(var.emrcontainers.namespace, "ack-system") 
@@ -2674,7 +2120,7 @@ module "emrcontainers" { role_permissions_boundary_arn = lookup(var.emrcontainers, "role_permissions_boundary_arn", null) role_description = try(var.emrcontainers.role_description, "IRSA for emrcontainers controller for ACK") role_policies = lookup(var.emrcontainers, "role_policies", { - AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null + policy = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null }) create_policy = try(var.emrcontainers.create_policy, false) @@ -2689,24 +2135,16 @@ module "emrcontainers" { tags = var.tags } -resource "aws_iam_policy" "emrcontainers" { - count = var.enable_emrcontainers ? 1 : 0 - - name_prefix = format("%s-%s", local.emrcontainers_name, "controller-iam-policies") - description = "IAM policy for EMRcontainers controller" - path = "/" - policy = data.aws_iam_policy_document.emrcontainers.json - - tags = var.tags -} - -# inline policy provided by ack https://raw.githubusercontent.com/aws-controllers-k8s/emrcontainers-controller/main/config/iam/recommended-inline-policy +# recommended emrcontainers-controller policy https://github.com/aws-controllers-k8s/emrcontainers-controller/blob/main/config/iam/recommended-inline-policy data "aws_iam_policy_document" "emrcontainers" { + count = var.enable_emrcontainers ? 1 : 0 statement { effect = "Allow" + actions = [ - "iam:CreateServiceLinkedRole" + "iam:CreateServiceLinkedRole", ] + resources = ["*"] condition { 
@@ -2718,22 +2156,25 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "emr-containers:CreateVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeVirtualCluster", - "emr-containers:DeleteVirtualCluster" + "emr-containers:DeleteVirtualCluster", ] + resources = ["*"] } statement { effect = "Allow" + actions = [ "emr-containers:StartJobRun", "emr-containers:ListJobRuns", "emr-containers:DescribeJobRun", - "emr-containers:CancelJobRun" + "emr-containers:CancelJobRun", ] resources = ["*"] @@ -2741,12 +2182,13 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "emr-containers:DescribeJobRun", "emr-containers:TagResource", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", - "elasticmapreduce:GetPersistentAppUIPresignedURL" + "elasticmapreduce:GetPersistentAppUIPresignedURL", ] resources = ["*"] @@ -2754,9 +2196,10 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "s3:GetObject", - "s3:ListBucket" + "s3:ListBucket", ] resources = ["*"] @@ -2764,14 +2207,25 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "logs:Get*", "logs:DescribeLogGroups", - "logs:DescribeLogStreams" + "logs:DescribeLogStreams", ] + resources = ["*"] } +} +resource "aws_iam_policy" "emrcontainers" { + count = var.enable_emrcontainers ? 1 : 0 + + name = "EMRContainersController" + description = "IAM policy for EMR Containers Controller" + policy = data.aws_iam_policy_document.emrcontainers[0].json + + tags = var.tags } ################################################################################ 
@@ -2791,7 +2245,7 @@ module "sfn" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sfn_name-chart:1.0.12 + # public.ecr.aws/aws-controllers-k8s/sfn-chart:1.0.13 name = try(var.sfn.name, local.sfn_name) description = try(var.sfn.description, "Helm Chart for sfn controller for ACK") namespace = try(var.sfn.namespace, "ack-system") @@ -2858,7 +2312,7 @@ module "sfn" { role_description = try(var.sfn.role_description, "IRSA for sfn controller for ACK") role_policies = lookup(var.sfn, "role_policies", { AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" - AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfnpasspolicy[0].arn : null + AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfn[0].arn : null }) create_policy = try(var.sfn.create_policy, false) @@ -2873,28 +2327,30 @@ module "sfn" { tags = var.tags } -resource "aws_iam_policy" "sfnpasspolicy" { +# recommended sfn-controller policy https://github.com/aws-controllers-k8s/sfn-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "sfn" { count = var.enable_sfn ? 1 : 0 - name_prefix = format("%s-%s", local.sfn_name, "controller-iam-policies") - - path = "/" - description = "passrole policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "iam:PassRole", - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "iam:PassRole", ] - }) + + resources = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ack-sfn-execution-role" + ] + } + +} + +resource "aws_iam_policy" "sfn" { + count = var.enable_sfn ? 1 : 0 + + name = "SFNController" + description = "IAM policy for SFN Controller" + policy = data.aws_iam_policy_document.sfn[0].json tags = var.tags } 
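Review bot: The PassRole resource ARN in `data "aws_iam_policy_document" "sfn"` hardcodes the `aws` partition even though this module already declares `data.aws_partition.current` (it is listed in the README's data-source table), so the policy will not match in GovCloud or China regions; use `"arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/ack-sfn-execution-role"`. Narrowing PassRole from `*` to a single role is a welcome tightening, but the role name `ack-sfn-execution-role` is now an undocumented contract: a state machine whose execution role has any other name will be denied PassRole at create time, so state this in the `sfn` variable description or the README (or expose the role name as an input). The stray blank line before the data source's closing `}` should also be dropped.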
@@ -2916,7 +2372,7 @@ module "eventbridge" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/eventbridge_name-chart:1.0.12 + # public.ecr.aws/aws-controllers-k8s/eventbridge-chart:1.0.13 name = try(var.eventbridge.name, local.eventbridge_name) description = try(var.eventbridge.description, "Helm Chart for eventbridge controller for ACK") namespace = try(var.eventbridge.namespace, "ack-system") From a3ca17c8db164cf832a8764aeef98df0b510372f Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Fri, 9 Aug 2024 19:35:46 -0300 Subject: [PATCH 5/5] fix pre commit --- README.md | 44 +++++++++++++++----------------------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index aa2e32a..8254c7c 100644 --- a/README.md +++ b/README.md 
@@ -98,38 +98,24 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | Name | Type | |------|------| -| [aws_iam_policy.acmpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.aws_service_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.ecrpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.ekspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.iampolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.kmspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.lambdapolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.memorydbpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.opensearchservicepolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.resource_specific_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| 
[aws_iam_policy.s3_actions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sagemaker_core_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sagemaker_space_management_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sagemaker_studio_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sfnpasspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.snspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sqspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [aws_iam_policy_document.aws_service_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.ecr_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.memorydb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.opensearchservice_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.resource_specific_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.s3_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sagemaker_core](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sagemaker_space_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.sagemaker_studio](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sns_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sqs_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |