From cb714a0cb6c2b794a38bca869eaa2ca08276aa3c Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 2 Apr 2022 10:05:24 -0400 Subject: [PATCH 1/8] feat: Add support for Amazon Managed Service for Prometheus to `iam-role-for-service-accounts-eks` --- .../README.md | 1 + .../iam-role-for-service-accounts-eks/main.tf | 16 ++++++++ .../README.md | 5 +++ .../policies.tf | 39 +++++++++++++++++++ .../variables.tf | 13 +++++++ 5 files changed, 74 insertions(+) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index c21db265..42235bf7 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -30,6 +30,7 @@ No providers. | Name | Source | Version | |------|--------|---------| +| [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index cecfa691..16783d38 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf 
@@ -214,6 +214,22 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
 tags = local.tags
 }
 
+module "amazon_managed_service_prometheus_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "amazon-managed-service-prometheus"
+ attach_amazon_managed_service_prometheus_policy = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["prometheus:amp-ingest"]
+ }
+ }
+
+ tags = local.tags
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 6e5bf3ae..bf98fd34 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -110,6 +110,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -120,6 +121,7 @@ No modules. | [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -131,6 +133,7 @@ No modules. | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -147,7 +150,9 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | +| [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | | [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no | | [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no | | [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index af2f91c9..561cdf61 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -865,3 +865,42 @@ resource "aws_iam_role_policy_attachment" "efs_csi" {
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.efs_csi[0].arn
 }
+
+################################################################################
+# Amazon Managed Service for Prometheus Policy
+################################################################################
+
+# https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html
+data "aws_iam_policy_document" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
+
+ statement {
+ actions = [
+ "aps:RemoteWrite",
+ "aps:QueryMetrics",
+ "aps:GetSeries",
+ "aps:GetLabels",
+ "aps:GetMetricMetadata",
+ ]
+
+ resources = var.amazon_managed_service_prometheus_workspace_arns
+ }
+}
+
+resource "aws_iam_policy" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_Managed_Service_Prometheus_Policy-"
+ path = var.role_path
+ description = "Provides permissions to for Amazon Managed Service for Prometheus"
+ policy = data.aws_iam_policy_document.amazon_managed_service_prometheus[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "amazon_managed_service_prometheus" {
+ count = var.create_role && var.attach_amazon_managed_service_prometheus_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.amazon_managed_service_prometheus[0].arn
+}
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index b8f430e2..cc379246 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
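Review bot: `resources` in the `amazon_managed_service_prometheus` policy document is taken straight from `var.amazon_managed_service_prometheus_workspace_arns`, and the variables.tf hunk of this patch defaults that variable to `["*"]`, so a caller who only sets `attach_amazon_managed_service_prometheus_policy = true` (as the example module in this patch's main.tf hunk does) gets a role that can `aps:RemoteWrite` to and query every AMP workspace in the account. The other ARN inputs in this module follow the same wildcard-default pattern, but since this one includes a write permission the consequence belongs in the variable description, e.g. `description = "List of AMP Workspace ARNs to read and write metrics; the default of * allows every workspace in the account"`, and the example would be more useful if it passed a real workspace ARN. Separately, the policy `description` reads "Provides permissions to for Amazon Managed Service for Prometheus"; the fix is `description = "Provides permissions for Amazon Managed Service for Prometheus"`.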
@@ -198,3 +198,16 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
 type = bool
 default = false
 }
+
+# Amazon Managed Service for Prometheus
+variable "attach_amazon_managed_service_prometheus_policy" {
+ description = "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "amazon_managed_service_prometheus_workspace_arns" {
+ description = "List of AMP Workspace ARNs to read and write metrics"
+ type = list(string)
+ default = ["*"]
+}
From f0d1182cd60b36894fecd3723ce738a9623c33d1 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Apr 2022 07:57:54 -0400
Subject: [PATCH 2/8] feat: Add support for Cert Manager IAM policy
---
 .../README.md | 7 ++-
 .../policies.tf | 46 +++++++++++++++++++
 .../variables.tf | 15 +++++-
 3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index bf98fd34..dbaa0ec0 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -111,6 +111,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -122,6 +123,7 @@ No modules. | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -134,6 +136,7 @@ No modules. | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -153,6 +156,7 @@ No modules. | [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | +| [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no | | [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no | | [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no | | [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no | 
@@ -162,10 +166,11 @@ No modules. | [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no | | [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no | | [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no | +| [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | | [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no | | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no | -| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow external DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | +| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | | [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | | [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 561cdf61..b7f1fac0 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -107,6 +107,52 @@ resource "aws_iam_role_policy_attachment" "external_dns" {
 policy_arn = aws_iam_policy.external_dns[0].arn
 }
 
+################################################################################
+# Cert Manager Policy
+################################################################################
+
+# https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role
+data "aws_iam_policy_document" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ statement {
+ actions = ["route53:GetChange"]
+ resources = ["arn:aws:route53:::change/*"]
+ }
+
+ statement {
+ actions = [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ]
+
+ resources = var.cert_manager_hosted_zone_arns
+ }
+
+ statement {
+ actions = ["route53:ListHostedZonesByName"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_Cert_Manager_Policy-"
+ path = var.role_path
+ description = "Cert Manager policy to allow management of Route53 hosted zone records"
+ policy = data.aws_iam_policy_document.cert_manager[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cert_manager" {
+ count = var.create_role && var.attach_cert_manager_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.cert_manager[0].arn
+}
+
 ################################################################################
 # EBS CSI Policy
 ################################################################################
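Review bot: The third statement grants `route53:ListHostedZonesByName` on `"*"` and the first grants `route53:GetChange` on `arn:aws:route53:::change/*`, with nothing in the hunk saying why those cannot be narrowed; as far as I know Route53's list and change-status calls do not support resource-level permissions, so the wildcards are unavoidable and `var.cert_manager_hosted_zone_arns` on the second statement is the only effective scoping knob. A comment above the third statement such as `# ListHostedZonesByName does not support resource-level permissions, so "*" is required` would keep future reviewers from flagging it. The `description` of `cert_manager_hosted_zone_arns` in the variables.tf hunk says "Cert manager" while the attach flag and this policy say "Cert Manager"; the generated README copies that wording, so the casing is worth aligning.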
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index cc379246..2a6fd766 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -95,7 +95,20 @@ variable "attach_external_dns_policy" {
 }
 
 variable "external_dns_hosted_zone_arns" {
- description = "Route53 hosted zone ARNs to allow external DNS to manage records"
+ description = "Route53 hosted zone ARNs to allow External DNS to manage records"
+ type = list(string)
+ default = ["arn:aws:route53:::hostedzone/*"]
+}
+
+# Cert Manager
+variable "attach_cert_manager_policy" {
+ description = "Determines whether to attach the Cert Manager IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "cert_manager_hosted_zone_arns" {
+ description = "Route53 hosted zone ARNs to allow Cert manager to manage records"
 type = list(string)
 default = ["arn:aws:route53:::hostedzone/*"]
 }
From e06d626c7e33f77a5a7b2ee096f227a29cd5a25e Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Apr 2022 08:11:28 -0400
Subject: [PATCH 3/8] feat: Add support for External Secrets IAM policy
---
 .../README.md | 6 +++
 .../policies.tf | 42 +++++++++++++++++++
 .../variables.tf | 19 +++++++++
 3 files changed, 67 insertions(+)
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index dbaa0ec0..da490aa9 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -116,6 +116,7 @@ No modules. | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -128,6 +129,7 @@ No modules. | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -141,6 +143,7 @@ No modules. | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -161,6 +164,7 @@ No modules. | [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no | | [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no | | [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no | +| [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no | | [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no | | [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no | | [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no | @@ -171,6 +175,8 @@ No modules. | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no | | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no | | [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | +| [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | +| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | | [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | | [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index b7f1fac0..d3f329a6 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -950,3 +950,45 @@ resource "aws_iam_role_policy_attachment" "amazon_managed_service_prometheus" {
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.amazon_managed_service_prometheus[0].arn
 }
+
+################################################################################
+# External Secrets Policy
+################################################################################
+
+# https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret
+data "aws_iam_policy_document" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ statement {
+ actions = ["ssm:GetParameter"]
+ resources = var.external_secrets_ssm_parameter_arns
+ }
+
+ statement {
+ actions = [
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds",
+ ]
+ resources = var.external_secrets_secrets_manager_arns
+ }
+}
+
+resource "aws_iam_policy" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_External_Secrets_Policy-"
+ path = var.role_path
+ description = "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager"
+ policy = data.aws_iam_policy_document.external_secrets[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "external_secrets" {
+ count = var.create_role && var.attach_external_secrets_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.external_secrets[0].arn
+}
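Review bot: Both `resources` arguments in the `external_secrets` policy document come from variables whose defaults in the variables.tf hunk of this patch are `arn:aws:ssm:*:*:parameter/*` and `arn:aws:secretsmanager:*:*:secret:*`, so setting only `attach_external_secrets_policy = true` yields a role that can read every parameter and every secret value in every region of the account. The example in patch 4 does narrow these, but the two variable descriptions should state that the default is account-wide read access so callers know to pass explicit ARNs. Secrets or SecureString parameters encrypted with a customer-managed KMS key would additionally need `kms:Decrypt` on that key, which this policy does not grant; if leaving that to the caller is intentional, a comment above the Secrets Manager statement saying so would help. The policy `description` also carries the same "permissions to for" typo as the Prometheus policy: `description = "Provides permissions for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager"`.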
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 2a6fd766..88369c9a 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -224,3 +224,22 @@ variable "amazon_managed_service_prometheus_workspace_arns" {
 type = list(string)
 default = ["*"]
 }
+
+# External Secrets
+variable "attach_external_secrets_policy" {
+ description = "Determines whether to attach the External Secrets policy to the role"
+ type = bool
+ default = false
+}
+
+variable "external_secrets_ssm_parameter_arns" {
+ description = "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets"
+ type = list(string)
+ default = ["arn:aws:ssm:*:*:parameter/*"]
+}
+
+variable "external_secrets_secrets_manager_arns" {
+ description = "List of Secrets Manager ARNs that contain secrets to mount using External Secrets"
+ type = list(string)
+ default = ["arn:aws:secretsmanager:*:*:secret:*"]
+}
From 8f51e4fc036ea02554ee6e28072fab6da566cdc6 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Apr 2022 08:41:08 -0400
Subject: [PATCH 4/8] chore: update examples to reflect new policies added
---
 .../iam-role-for-service-accounts-eks/main.tf | 38 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 16783d38..9429a731 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -74,7 +74,24 @@ module "external_dns_irsa_role" {
 oidc_providers = {
 ex = {
 provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["default:my-app", "canary:my-app"]
+ namespace_service_accounts = ["kube-system:external-dns"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "cert_manager_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "cert-manager"
+ attach_external_dns_policy = true
+ cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:cert-manager"]
 }
 }
@@ -230,6 +247,25 @@ module "amazon_managed_service_prometheus_irsa_role" {
 tags = local.tags
 }
+
+module "external_secrets_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "external-secrets"
+ attach_external_secrets_policy = true
+ external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
+ external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["default:kubernetes-external-secrets"]
+ }
+ }
+
+ tags = local.tags
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################
From ca608d58827e4f894f3cb313fb9d6f08bdc4738b Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Apr 2022 08:48:22 -0400
Subject: [PATCH 5/8] chore: update readme for new policies
---
 examples/iam-role-for-service-accounts-eks/README.md | 2 ++
 modules/iam-role-for-service-accounts-eks/README.md | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
index 42235bf7..df4d58e1 100644
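Review bot: The new `cert_manager_irsa_role` module sets `attach_external_dns_policy = true` rather than `attach_cert_manager_policy = true`, so the example role receives the External DNS policy and the `cert_manager_hosted_zone_arns` value on the next line is never consumed (the module's cert-manager policy document keys on `var.attach_cert_manager_policy`, as the final commit's policies.tf hunk shows). The one-line fix is `attach_cert_manager_policy = true`. The same wiring is carried unchanged into the reorder in the last commit (`@@ -47,51 +47,34 @@`), so it needs fixing there too. The closing `tags`/`}` of the cert-manager module block lie outside this hunk.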
--- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -31,12 +31,14 @@ No providers. | Name | Source | Version | |------|--------|---------| | [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 | | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index da490aa9..eb65731d 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md 
@@ -1,8 +1,10 @@ # IAM Role for Service Accounts in EKS Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include: +- [Cert-Manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role) - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md) - [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) +- [External Secrets](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret) - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json) - [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json) - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) @@ -10,6 +12,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml) - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json) - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules) +- [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html) This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). 
From 049112f4b8f197a2bfd49884bfd058e67a7b976a Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 13 Apr 2022 09:11:51 -0400 Subject: [PATCH 6/8] fix: correct variable description --- modules/iam-role-for-service-accounts-eks/README.md | 2 +- modules/iam-role-for-service-accounts-eks/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index eb65731d..dfa512b8 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -187,7 +187,7 @@ No modules. | [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | | [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` |
[
"*"
]
| no | -| [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provdier map should contain the `provider`, `provider_arns`, and `namespace_service_accounts` | `any` | `{}` | no | +| [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{}` | no | | [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no | | [role\_name](#input\_role\_name) | Name of IAM role | `string` | `null` | no | | [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no | diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 88369c9a..9fb5443d 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf @@ -41,7 +41,7 @@ variable "role_policy_arns" { } variable "oidc_providers" { - description = "Map of OIDC providers where each provdier map should contain the `provider`, `provider_arns`, and `namespace_service_accounts`" + description = "Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts`" type = any default = {} } From 80bda8d4a491391abdf1ea611720c277c6cdd1ea Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 13 Apr 2022 09:22:54 -0400 Subject: [PATCH 7/8] feat: Add support for FSx for Lustre CSI IAM policy --- .../README.md | 1 + .../iam-role-for-service-accounts-eks/main.tf | 14 +++++ .../README.md | 5 ++ .../policies.tf | 57 +++++++++++++++++++ .../variables.tf | 15 ++++- 5 files changed, 91 insertions(+), 1 deletion(-) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index df4d58e1..aa5279e1 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md 
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -39,6 +39,7 @@ No providers.
 | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
 | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 9429a731..9494530d 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -130,6 +130,20 @@ module "efs_csi_irsa_role" {
 tags = local.tags
 }
+module "fsx_lustre_csi_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "fsx-lustre-csi"
+ attach_fsx_lustre_csi_policy = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"]
+ }
+ }
+}
+
 module "vpc_cni_ipv4_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index dfa512b8..602e4bf5 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
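Review bot: The new `fsx_lustre_csi_irsa_role` block in main.tf omits `tags = local.tags`, which every sibling module in this example sets (the `efs_csi_irsa_role` context right above it ends with exactly that line); the role and policy it creates will therefore be the only untagged IAM resources in the example, which breaks tag-based inventory and cost allocation for anyone copying it. Add `  tags = local.tags` before the closing `}`, after the `oidc_providers` block. The reorder in the last commit moves this block without adding the line, so the fix applies there as well.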
@@ -120,6 +120,7 @@ No modules. | [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -133,6 +134,7 @@ No modules. | [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -147,6 +149,7 @@ No modules. | [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -168,6 +171,7 @@ No modules. | [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no | | [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no | | [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no | +| [attach\_fsx\_lustre\_csi\_policy](#input\_attach\_fsx\_lustre\_csi\_policy) | Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role | `bool` | `false` | no | | [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no | | [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no | | [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no | @@ -181,6 +185,7 @@ No modules. | [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | +| [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` |
[
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no | | [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | | [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no | | [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/aws/service/*"
]
| no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index d3f329a6..529d3028 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -348,6 +348,63 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" {
 policy_arn = aws_iam_policy.ebs_csi[0].arn
 }
+################################################################################
+# FSx for Lustre CSI Driver Policy
+################################################################################
+
+# https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md
+data "aws_iam_policy_document" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
+
+ statement {
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ "iam:AttachRolePolicy",
+ "iam:PutRolePolicy"
+ ]
+ resources = var.fsx_lustre_csi_service_role_arns
+ }
+
+ statement {
+ actions = ["iam:CreateServiceLinkedRole"]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "iam:AWSServiceName"
+ values = ["fsx.${local.dns_suffix}"]
+ }
+ }
+
+ statement {
+ actions = [
+ "s3:ListBucket",
+ "fsx:CreateFileSystem",
+ "fsx:DeleteFileSystem",
+ "fsx:DescribeFileSystems",
+ "fsx:TagResource",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
+
+ name_prefix = "AmazonEKS_FSx_Lustre_CSI_Policy-"
+ path = var.role_path
+ description = "Provides permissions to manage FSx Lustre volumes via the container storage interface driver"
+ policy = data.aws_iam_policy_document.fsx_lustre_csi[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" {
+ count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn
+}
+
 ################################################################################
 # VPC CNI Policy
 ################################################################################
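Review bot: The third statement grants `fsx:CreateFileSystem`, `fsx:DeleteFileSystem` and `fsx:TagResource` on `resources = ["*"]`, so a compromised driver pod can delete any FSx file system in the account, not only the ones it provisioned; unlike the first statement, which is narrowed by `var.fsx_lustre_csi_service_role_arns`, there is no input to scope this one. Either expose a list variable for the file-system resources (mirroring how `external_secrets_secrets_manager_arns` scopes the External Secrets policy) or at least put a comment above the statement noting that the upstream driver policy is being reproduced verbatim and that `*` covers every FSx resource in the account. The first statement's `iam:AttachRolePolicy` and `iam:PutRolePolicy` are privilege-escalation-sensitive actions, and nothing in the hunk says the variable must stay confined to the service-linked-role path; a one-line comment such as `# Keep var.fsx_lustre_csi_service_role_arns scoped to the aws-service-role/*lustre.fsx* path: these actions on an arbitrary role are a privilege-escalation primitive.` would make that contract explicit. As a style point, `"iam:PutRolePolicy"` lacks the trailing comma the other action lists in this file use.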
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 9fb5443d..11c1a21e 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -133,6 +133,19 @@ variable "attach_efs_csi_policy" {
 default = false
 }
+# FSx Lustre CSI
+variable "attach_fsx_lustre_csi_policy" {
+ description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "fsx_lustre_csi_service_role_arns" {
+ description = "Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles"
+ type = list(string)
+ default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]
+}
+
 # VPC CNI
 variable "attach_vpc_cni_policy" {
 description = "Determines whether to attach the VPC CNI IAM policy to the role"
@@ -165,7 +178,7 @@ variable "node_termination_handler_sqs_queue_arns" {
 default = ["*"]
 }
-# Karpetner controller
+# Karpenter controller
 variable "attach_karpenter_controller_policy" {
 description = "Determines whether to attach the Karpenter Controller policy to the role"
 type = bool
From 96ab68d93c9b616e35bb147f3691f94bf7df589c Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 13 Apr 2022 09:36:05 -0400
Subject: [PATCH 8/8] chore: re-order IAM role for service account policies alphabetically
---
 .../iam-role-for-service-accounts-eks/main.tf | 123 +++--
 .../README.md | 9 +-
 .../policies.tf | 516 +++++++++---------
 .../variables.tf | 114 ++--
 4 files changed, 381 insertions(+), 381 deletions(-)
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 9494530d..2922b629 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
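Review bot: The `description` of `fsx_lustre_csi_service_role_arns` is ungrammatical ("to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles") and, more importantly, does not tell the caller what this list actually gates: in policies.tf it is the `resources` for `iam:AttachRolePolicy` and `iam:PutRolePolicy`, so widening it beyond the service-linked-role path hands the driver the ability to modify arbitrary roles. A description that carries both fixes: `description = "IAM role ARNs the FSx for Lustre CSI driver may create and attach policies to (scopes iam:AttachRolePolicy/iam:PutRolePolicy; keep to the FSx service-linked role path)"`. The hard-coded `arn:aws:` partition in the default is the same issue already raised on the External Secrets variables hunk.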
@@ -47,51 +47,34 @@ module "irsa_role" { tags = local.tags } -module "cluster_autoscaler_irsa_role" { - source = "../../modules/iam-role-for-service-accounts-eks" - - role_name = "cluster-autoscaler" - attach_cluster_autoscaler_policy = true - cluster_autoscaler_cluster_ids = [module.eks.cluster_id] - - oidc_providers = { - ex = { - provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:cluster-autoscaler"] - } - } - - tags = local.tags -} - -module "external_dns_irsa_role" { +module "cert_manager_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "external-dns" + role_name = "cert-manager" attach_external_dns_policy = true - external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"] + cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"] oidc_providers = { ex = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:external-dns"] + namespace_service_accounts = ["kube-system:cert-manager"] } } tags = local.tags } -module "cert_manager_irsa_role" { +module "cluster_autoscaler_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "cert-manager" - attach_external_dns_policy = true - cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"] + role_name = "cluster-autoscaler" + attach_cluster_autoscaler_policy = true + cluster_autoscaler_cluster_ids = [module.eks.cluster_id] oidc_providers = { ex = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:cert-manager"] + namespace_service_accounts = ["kube-system:cluster-autoscaler"] } } 
@@ -130,68 +113,53 @@ module "efs_csi_irsa_role" { tags = local.tags } -module "fsx_lustre_csi_irsa_role" { - source = "../../modules/iam-role-for-service-accounts-eks" - - role_name = "fsx-lustre-csi" - attach_fsx_lustre_csi_policy = true - - oidc_providers = { - ex = { - provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"] - } - } -} - -module "vpc_cni_ipv4_irsa_role" { +module "external_dns_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "vpc-cni-ipv4" - attach_vpc_cni_policy = true - vpc_cni_enable_ipv4 = true + role_name = "external-dns" + attach_external_dns_policy = true + external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"] oidc_providers = { ex = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:aws-vpc-cni"] + namespace_service_accounts = ["kube-system:external-dns"] } } tags = local.tags } -module "vpc_cni_ipv6_irsa_role" { +module "external_secrets_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "vpc-cni-ipv6" - attach_vpc_cni_policy = true - vpc_cni_enable_ipv6 = true + role_name = "external-secrets" + attach_external_secrets_policy = true + external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"] + external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"] oidc_providers = { ex = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:aws-vpc-cni"] + namespace_service_accounts = ["default:kubernetes-external-secrets"] } } tags = local.tags } -module "node_termination_handler_irsa_role" { +module "fsx_lustre_csi_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "node-termination-handler" - attach_node_termination_handler_policy = true + role_name = "fsx-lustre-csi" + attach_fsx_lustre_csi_policy = true oidc_providers = { ex = { provider_arn 
= module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:aws-node"] + namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"] } } - - tags = local.tags } module "karpenter_controller_irsa_role" { @@ -261,19 +229,50 @@ module "amazon_managed_service_prometheus_irsa_role" { tags = local.tags } +module "node_termination_handler_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "node-termination-handler" + attach_node_termination_handler_policy = true -module "external_secrets_irsa_role" { + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + tags = local.tags +} + +module "vpc_cni_ipv4_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "external-secrets" - attach_external_secrets_policy = true - external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"] - external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"] + role_name = "vpc-cni-ipv4" + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true oidc_providers = { ex = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["default:kubernetes-external-secrets"] + namespace_service_accounts = ["kube-system:aws-vpc-cni"] + } + } + + tags = local.tags +} + +module "vpc_cni_ipv6_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "vpc-cni-ipv6" + attach_vpc_cni_policy = true + vpc_cni_enable_ipv6 = true + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-vpc-cni"] } } diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index 602e4bf5..ad944d72 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md 
@@ -3,16 +3,17 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include: - [Cert-Manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role) - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md) -- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) -- [External Secrets](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret) - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json) - [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json) -- [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) -- [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods) +- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) +- [External Secrets](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret) +- [FSx for Lustre CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md) - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml) - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json) - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules) - [Managed Service for 
Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html) +- [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods) +- [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 529d3028..16b09e79 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -7,6 +7,52 @@ locals { dns_suffix = data.aws_partition.current.dns_suffix } +################################################################################ +# Cert Manager Policy +################################################################################ + +# https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role +data "aws_iam_policy_document" "cert_manager" { + count = var.create_role && var.attach_cert_manager_policy ? 1 : 0 + + statement { + actions = ["route53:GetChange"] + resources = ["arn:aws:route53:::change/*"] + } + + statement { + actions = [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets" + ] + + resources = var.cert_manager_hosted_zone_arns + } + + statement { + actions = ["route53:ListHostedZonesByName"] + resources = ["*"] + } +} + +resource "aws_iam_policy" "cert_manager" { + count = var.create_role && var.attach_cert_manager_policy ? 1 : 0 + + name_prefix = "AmazonEKS_Cert_Manager_Policy-" + path = var.role_path + description = "Cert Manager policy to allow management of Route53 hosted zone records" + policy = data.aws_iam_policy_document.cert_manager[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "cert_manager" { + count = var.create_role && var.attach_cert_manager_policy ? 1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.cert_manager[0].arn +} + ################################################################################ # Cluster Autoscaler Policy ################################################################################ 
@@ -66,93 +112,6 @@ resource "aws_iam_role_policy_attachment" "cluster_autoscaler" { policy_arn = aws_iam_policy.cluster_autoscaler[0].arn } -################################################################################ -# External DNS Policy -################################################################################ - -# https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy -data "aws_iam_policy_document" "external_dns" { - count = var.create_role && var.attach_external_dns_policy ? 1 : 0 - - statement { - actions = ["route53:ChangeResourceRecordSets"] - resources = var.external_dns_hosted_zone_arns - } - - statement { - actions = [ - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - ] - - resources = ["*"] - } -} - -resource "aws_iam_policy" "external_dns" { - count = var.create_role && var.attach_external_dns_policy ? 1 : 0 - - name_prefix = "AmazonEKS_External_DNS_Policy-" - path = var.role_path - description = "External DNS policy to allow management of Route53 hosted zone records" - policy = data.aws_iam_policy_document.external_dns[0].json - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "external_dns" { - count = var.create_role && var.attach_external_dns_policy ? 1 : 0 - - role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.external_dns[0].arn -} - -################################################################################ -# Cert Manager Policy -################################################################################ - -# https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role -data "aws_iam_policy_document" "cert_manager" { - count = var.create_role && var.attach_cert_manager_policy ? 
1 : 0 - - statement { - actions = ["route53:GetChange"] - resources = ["arn:aws:route53:::change/*"] - } - - statement { - actions = [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets" - ] - - resources = var.cert_manager_hosted_zone_arns - } - - statement { - actions = ["route53:ListHostedZonesByName"] - resources = ["*"] - } -} - -resource "aws_iam_policy" "cert_manager" { - count = var.create_role && var.attach_cert_manager_policy ? 1 : 0 - - name_prefix = "AmazonEKS_Cert_Manager_Policy-" - path = var.role_path - description = "Cert Manager policy to allow management of Route53 hosted zone records" - policy = data.aws_iam_policy_document.cert_manager[0].json - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "cert_manager" { - count = var.create_role && var.attach_cert_manager_policy ? 1 : 0 - - role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.cert_manager[0].arn -} - ################################################################################ # EBS CSI Policy ################################################################################ 
@@ -349,177 +308,201 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" { } ################################################################################ -# FSx for Lustre CSI Driver Policy +# EFS CSI Driver Policy ################################################################################ -# https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md -data "aws_iam_policy_document" "fsx_lustre_csi" { - count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0 +# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json +data "aws_iam_policy_document" "efs_csi" { + count = var.create_role && var.attach_efs_csi_policy ? 1 : 0 statement { actions = [ - "iam:CreateServiceLinkedRole", - "iam:AttachRolePolicy", - "iam:PutRolePolicy" + "elasticfilesystem:DescribeAccessPoints", + "elasticfilesystem:DescribeFileSystems", ] - resources = var.fsx_lustre_csi_service_role_arns + + resources = ["*"] } statement { - actions = ["iam:CreateServiceLinkedRole"] + actions = ["elasticfilesystem:CreateAccessPoint"] resources = ["*"] + condition { test = "StringLike" - variable = "iam:AWSServiceName" - values = ["fsx.${local.dns_suffix}"] + variable = "aws:RequestTag/efs.csi.aws.com/cluster" + values = ["true"] } } statement { - actions = [ - "s3:ListBucket", - "fsx:CreateFileSystem", - "fsx:DeleteFileSystem", - "fsx:DescribeFileSystems", - "fsx:TagResource", - ] + actions = ["elasticfilesystem:DeleteAccessPoint"] resources = ["*"] + + condition { + test = "StringEquals" + variable = "aws:ResourceTag/efs.csi.aws.com/cluster" + values = ["true"] + } } } -resource "aws_iam_policy" "fsx_lustre_csi" { - count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0 +resource "aws_iam_policy" "efs_csi" { + count = var.create_role && var.attach_efs_csi_policy ? 
1 : 0 - name_prefix = "AmazonEKS_FSx_Lustre_CSI_Policy-" + name_prefix = "AmazonEKS_EFS_CSI_Policy-" path = var.role_path - description = "Provides permissions to manage FSx Lustre volumes via the container storage interface driver" - policy = data.aws_iam_policy_document.fsx_lustre_csi[0].json + description = "Provides permissions to manage EFS volumes via the container storage interface driver" + policy = data.aws_iam_policy_document.efs_csi[0].json tags = var.tags } -resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" { - count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0 +resource "aws_iam_role_policy_attachment" "efs_csi" { + count = var.create_role && var.attach_efs_csi_policy ? 1 : 0 role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn + policy_arn = aws_iam_policy.efs_csi[0].arn } ################################################################################ -# VPC CNI Policy +# External DNS Policy ################################################################################ -data "aws_iam_policy_document" "vpc_cni" { - count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 +# https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy +data "aws_iam_policy_document" "external_dns" { + count = var.create_role && var.attach_external_dns_policy ? 1 : 0 - # arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - dynamic "statement" { - for_each = var.vpc_cni_enable_ipv4 ? 
[1] : [] - content { - sid = "IPV4" - actions = [ - "ec2:AssignPrivateIpAddresses", - "ec2:AttachNetworkInterface", - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeInstances", - "ec2:DescribeTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeInstanceTypes", - "ec2:DetachNetworkInterface", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:UnassignPrivateIpAddresses", - ] - resources = ["*"] - } + statement { + actions = ["route53:ChangeResourceRecordSets"] + resources = var.external_dns_hosted_zone_arns } - # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy - dynamic "statement" { - for_each = var.vpc_cni_enable_ipv6 ? [1] : [] - content { - sid = "IPV6" - actions = [ - "ec2:AssignIpv6Addresses", - "ec2:DescribeInstances", - "ec2:DescribeTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeInstanceTypes", - ] - resources = ["*"] - } + statement { + actions = [ + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + ] + + resources = ["*"] + } +} + +resource "aws_iam_policy" "external_dns" { + count = var.create_role && var.attach_external_dns_policy ? 1 : 0 + + name_prefix = "AmazonEKS_External_DNS_Policy-" + path = var.role_path + description = "External DNS policy to allow management of Route53 hosted zone records" + policy = data.aws_iam_policy_document.external_dns[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "external_dns" { + count = var.create_role && var.attach_external_dns_policy ? 
1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.external_dns[0].arn +} + +################################################################################ +# External Secrets Policy +################################################################################ + +# https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret +data "aws_iam_policy_document" "external_secrets" { + count = var.create_role && var.attach_external_secrets_policy ? 1 : 0 + + statement { + actions = ["ssm:GetParameter"] + resources = var.external_secrets_ssm_parameter_arns } statement { - sid = "CreateTags" - actions = ["ec2:CreateTags"] - resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"] + actions = [ + "secretsmanager:GetResourcePolicy", + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecretVersionIds", + ] + resources = var.external_secrets_secrets_manager_arns } } -resource "aws_iam_policy" "vpc_cni" { - count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 +resource "aws_iam_policy" "external_secrets" { + count = var.create_role && var.attach_external_secrets_policy ? 1 : 0 - name_prefix = "AmazonEKS_CNI_Policy-" + name_prefix = "AmazonEKS_External_Secrets_Policy-" path = var.role_path - description = "Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IPv4/IPv6 address configuration on your EKS worker nodes" - policy = data.aws_iam_policy_document.vpc_cni[0].json + description = "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager" + policy = data.aws_iam_policy_document.external_secrets[0].json tags = var.tags } -resource "aws_iam_role_policy_attachment" "vpc_cni" { - count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 +resource "aws_iam_role_policy_attachment" "external_secrets" { + count = var.create_role && var.attach_external_secrets_policy ? 
1 : 0 role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.vpc_cni[0].arn + policy_arn = aws_iam_policy.external_secrets[0].arn } ################################################################################ -# Node Termination Handler Policy +# FSx for Lustre CSI Driver Policy ################################################################################ -# https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods -data "aws_iam_policy_document" "node_termination_handler" { - count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0 +# https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md +data "aws_iam_policy_document" "fsx_lustre_csi" { + count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0 statement { actions = [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeTags", - "ec2:DescribeInstances", + "iam:CreateServiceLinkedRole", + "iam:AttachRolePolicy", + "iam:PutRolePolicy" ] + resources = var.fsx_lustre_csi_service_role_arns + } + statement { + actions = ["iam:CreateServiceLinkedRole"] resources = ["*"] + condition { + test = "StringLike" + variable = "iam:AWSServiceName" + values = ["fsx.${local.dns_suffix}"] + } } statement { actions = [ - "sqs:DeleteMessage", - "sqs:ReceiveMessage", + "s3:ListBucket", + "fsx:CreateFileSystem", + "fsx:DeleteFileSystem", + "fsx:DescribeFileSystems", + "fsx:TagResource", ] - - resources = var.node_termination_handler_sqs_queue_arns + resources = ["*"] } } -resource "aws_iam_policy" "node_termination_handler" { - count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0 +resource "aws_iam_policy" "fsx_lustre_csi" { + count = var.create_role && var.attach_fsx_lustre_csi_policy ? 
1 : 0 - name_prefix = "AmazonEKS_Node_Termination_Handler_Policy-" + name_prefix = "AmazonEKS_FSx_Lustre_CSI_Policy-" path = var.role_path - description = "Provides permissions to handle node termination events via the Node Termination Handler" - policy = data.aws_iam_policy_document.node_termination_handler[0].json + description = "Provides permissions to manage FSx Lustre volumes via the container storage interface driver" + policy = data.aws_iam_policy_document.fsx_lustre_csi[0].json tags = var.tags } -resource "aws_iam_role_policy_attachment" "node_termination_handler" { - count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0 +resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" { + count = var.create_role && var.attach_fsx_lustre_csi_policy ? 1 : 0 role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.node_termination_handler[0].arn + policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn } ################################################################################ 
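Review bot: The `description` of `aws_iam_policy.external_secrets` in this hunk reads `Provides permissions to for External Secrets to retrieve secrets ...`, a typo that becomes the customer-visible description of the managed policy in IAM; suggest `description = "Provides permissions for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager"`. The block is moved rather than new, but this new-side copy is the one that remains after the reorder (the old copy is deleted in the later `@@ -1009,43` hunk), so the wording fix belongs here.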
@@ -911,64 +894,6 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_ policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn } -################################################################################ -# EFS CSI Driver Policy -################################################################################ - -# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json -data "aws_iam_policy_document" "efs_csi" { - count = var.create_role && var.attach_efs_csi_policy ? 1 : 0 - - statement { - actions = [ - "elasticfilesystem:DescribeAccessPoints", - "elasticfilesystem:DescribeFileSystems", - ] - - resources = ["*"] - } - - statement { - actions = ["elasticfilesystem:CreateAccessPoint"] - resources = ["*"] - - condition { - test = "StringLike" - variable = "aws:RequestTag/efs.csi.aws.com/cluster" - values = ["true"] - } - } - - statement { - actions = ["elasticfilesystem:DeleteAccessPoint"] - resources = ["*"] - - condition { - test = "StringEquals" - variable = "aws:ResourceTag/efs.csi.aws.com/cluster" - values = ["true"] - } - } -} - -resource "aws_iam_policy" "efs_csi" { - count = var.create_role && var.attach_efs_csi_policy ? 1 : 0 - - name_prefix = "AmazonEKS_EFS_CSI_Policy-" - path = var.role_path - description = "Provides permissions to manage EFS volumes via the container storage interface driver" - policy = data.aws_iam_policy_document.efs_csi[0].json - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "efs_csi" { - count = var.create_role && var.attach_efs_csi_policy ? 1 : 0 - - role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.efs_csi[0].arn -} - ################################################################################ # Amazon Managed Service for Prometheus Policy ################################################################################ 
@@ -1009,43 +934,118 @@ resource "aws_iam_role_policy_attachment" "amazon_managed_service_prometheus" { } ################################################################################ -# External Secrets Policy +# Node Termination Handler Policy ################################################################################ -# https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret -data "aws_iam_policy_document" "external_secrets" { - count = var.create_role && var.attach_external_secrets_policy ? 1 : 0 +# https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods +data "aws_iam_policy_document" "node_termination_handler" { + count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0 statement { - actions = ["ssm:GetParameter"] - resources = var.external_secrets_ssm_parameter_arns + actions = [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeTags", + "ec2:DescribeInstances", + ] + + resources = ["*"] } statement { actions = [ - "secretsmanager:GetResourcePolicy", - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - "secretsmanager:ListSecretVersionIds", + "sqs:DeleteMessage", + "sqs:ReceiveMessage", ] - resources = var.external_secrets_secrets_manager_arns + + resources = var.node_termination_handler_sqs_queue_arns } } -resource "aws_iam_policy" "external_secrets" { - count = var.create_role && var.attach_external_secrets_policy ? 1 : 0 +resource "aws_iam_policy" "node_termination_handler" { + count = var.create_role && var.attach_node_termination_handler_policy ? 
1 : 0 - name_prefix = "AmazonEKS_External_Secrets_Policy-" + name_prefix = "AmazonEKS_Node_Termination_Handler_Policy-" path = var.role_path - description = "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager" - policy = data.aws_iam_policy_document.external_secrets[0].json + description = "Provides permissions to handle node termination events via the Node Termination Handler" + policy = data.aws_iam_policy_document.node_termination_handler[0].json tags = var.tags } -resource "aws_iam_role_policy_attachment" "external_secrets" { - count = var.create_role && var.attach_external_secrets_policy ? 1 : 0 +resource "aws_iam_role_policy_attachment" "node_termination_handler" { + count = var.create_role && var.attach_node_termination_handler_policy ? 1 : 0 role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.external_secrets[0].arn + policy_arn = aws_iam_policy.node_termination_handler[0].arn +} + +################################################################################ +# VPC CNI Policy +################################################################################ + +data "aws_iam_policy_document" "vpc_cni" { + count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 + + # arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy + dynamic "statement" { + for_each = var.vpc_cni_enable_ipv4 ? [1] : [] + content { + sid = "IPV4" + actions = [ + "ec2:AssignPrivateIpAddresses", + "ec2:AttachNetworkInterface", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeInstanceTypes", + "ec2:DetachNetworkInterface", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:UnassignPrivateIpAddresses", + ] + resources = ["*"] + } + } + + # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy + dynamic "statement" { + for_each = var.vpc_cni_enable_ipv6 ? 
[1] : [] + content { + sid = "IPV6" + actions = [ + "ec2:AssignIpv6Addresses", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeInstanceTypes", + ] + resources = ["*"] + } + } + + statement { + sid = "CreateTags" + actions = ["ec2:CreateTags"] + resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"] + } +} + +resource "aws_iam_policy" "vpc_cni" { + count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 + + name_prefix = "AmazonEKS_CNI_Policy-" + path = var.role_path + description = "Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IPv4/IPv6 address configuration on your EKS worker nodes" + policy = data.aws_iam_policy_document.vpc_cni[0].json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "vpc_cni" { + count = var.create_role && var.attach_vpc_cni_policy ? 1 : 0 + + role = aws_iam_role.this[0].name + policy_arn = aws_iam_policy.vpc_cni[0].arn } diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 11c1a21e..65ccacdd 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf 
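Review bot: `data.aws_iam_policy_document.vpc_cni` renders its IPv4 and IPv6 statements only through the two `dynamic "statement"` blocks, and with `vpc_cni_enable_ipv4` and `vpc_cni_enable_ipv6` both defaulting to `false` (see the last variables.tf hunk in this diff) a caller who sets only `attach_vpc_cni_policy = true` gets a policy containing nothing but the `CreateTags` statement, which is presumably not what they intended. A comment above the first dynamic block would make this explicit, e.g. `# NOTE: at least one of vpc_cni_enable_ipv4 / vpc_cni_enable_ipv6 must be true; otherwise only the CreateTags statement below is rendered`. A `validation` block on the variables, or defaulting `vpc_cni_enable_ipv4` to `true`, would catch it earlier but changes the module interface and is better left for a follow-up than this reorder.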
@@ -74,43 +74,30 @@ variable "assume_role_condition_test" { # Policies ################################################################################ -# Cluster autoscaler -variable "attach_cluster_autoscaler_policy" { - description = "Determines whether to attach the Cluster Autoscaler IAM policy to the role" - type = bool - default = false -} - -variable "cluster_autoscaler_cluster_ids" { - description = "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy" - type = list(string) - default = [] -} - -# External DNS -variable "attach_external_dns_policy" { - description = "Determines whether to attach the External DNS IAM policy to the role" +# Cert Manager +variable "attach_cert_manager_policy" { + description = "Determines whether to attach the Cert Manager IAM policy to the role" type = bool default = false } -variable "external_dns_hosted_zone_arns" { - description = "Route53 hosted zone ARNs to allow External DNS to manage records" +variable "cert_manager_hosted_zone_arns" { + description = "Route53 hosted zone ARNs to allow Cert manager to manage records" type = list(string) default = ["arn:aws:route53:::hostedzone/*"] } -# Cert Manager -variable "attach_cert_manager_policy" { - description = "Determines whether to attach the Cert Manager IAM policy to the role" +# Cluster autoscaler +variable "attach_cluster_autoscaler_policy" { + description = "Determines whether to attach the Cluster Autoscaler IAM policy to the role" type = bool default = false } -variable "cert_manager_hosted_zone_arns" { - description = "Route53 hosted zone ARNs to allow Cert manager to manage records" +variable "cluster_autoscaler_cluster_ids" { + description = "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy" type = list(string) - default = ["arn:aws:route53:::hostedzone/*"] + default = [] } # EBS CSI 
@@ -133,49 +120,49 @@ variable "attach_efs_csi_policy" { default = false } -# FSx Lustre CSI -variable "attach_fsx_lustre_csi_policy" { - description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role" +# External DNS +variable "attach_external_dns_policy" { + description = "Determines whether to attach the External DNS IAM policy to the role" type = bool default = false } -variable "fsx_lustre_csi_service_role_arns" { - description = "Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles" +variable "external_dns_hosted_zone_arns" { + description = "Route53 hosted zone ARNs to allow External DNS to manage records" type = list(string) - default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"] + default = ["arn:aws:route53:::hostedzone/*"] } -# VPC CNI -variable "attach_vpc_cni_policy" { - description = "Determines whether to attach the VPC CNI IAM policy to the role" +# External Secrets +variable "attach_external_secrets_policy" { + description = "Determines whether to attach the External Secrets policy to the role" type = bool default = false } -variable "vpc_cni_enable_ipv4" { - description = "Determines whether to enable IPv4 permissions for VPC CNI policy" - type = bool - default = false +variable "external_secrets_ssm_parameter_arns" { + description = "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets" + type = list(string) + default = ["arn:aws:ssm:*:*:parameter/*"] } -variable "vpc_cni_enable_ipv6" { - description = "Determines whether to enable IPv6 permissions for VPC CNI policy" - type = bool - default = false +variable "external_secrets_secrets_manager_arns" { + description = "List of Secrets Manager ARNs that contain secrets to mount using External Secrets" + type = list(string) + default = ["arn:aws:secretsmanager:*:*:secret:*"] } -# Node termination handler -variable 
"attach_node_termination_handler_policy" { - description = "Determines whether to attach the Node Termination Handler policy to the role" +# FSx Lustre CSI +variable "attach_fsx_lustre_csi_policy" { + description = "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role" type = bool default = false } -variable "node_termination_handler_sqs_queue_arns" { - description = "List of SQS ARNs that contain node termination events" +variable "fsx_lustre_csi_service_role_arns" { + description = "Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles" type = list(string) - default = ["*"] + default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"] } # Karpenter controller 
@@ -238,21 +225,34 @@ variable "amazon_managed_service_prometheus_workspace_arns" { default = ["*"] } -# External Secrets -variable "attach_external_secrets_policy" { - description = "Determines whether to attach the External Secrets policy to the role" +# VPC CNI +variable "attach_vpc_cni_policy" { + description = "Determines whether to attach the VPC CNI IAM policy to the role" type = bool default = false } -variable "external_secrets_ssm_parameter_arns" { - description = "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets" - type = list(string) - default = ["arn:aws:ssm:*:*:parameter/*"] +variable "vpc_cni_enable_ipv4" { + description = "Determines whether to enable IPv4 permissions for VPC CNI policy" + type = bool + default = false } -variable "external_secrets_secrets_manager_arns" { - description = "List of Secrets Manager ARNs that contain secrets to mount using External Secrets" +variable "vpc_cni_enable_ipv6" { + description = "Determines whether to enable IPv6 permissions for VPC CNI policy" + type = bool + default = false +} + +# Node termination handler +variable "attach_node_termination_handler_policy" { + description = "Determines whether to attach the Node Termination Handler policy to the role" + type = bool + default = false +} + +variable "node_termination_handler_sqs_queue_arns" { + description = "List of SQS ARNs that contain node termination events" type = list(string) - default = ["arn:aws:secretsmanager:*:*:secret:*"] + default = ["*"] }
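Review bot: `node_termination_handler_sqs_queue_arns` keeps a default of `["*"]`, so with the default the `node_termination_handler` policy in the `@@ -1009,43` hunk grants `sqs:ReceiveMessage` and `sqs:DeleteMessage` on every queue in the account, and the description does not say this. Either state it, e.g. `description = "List of SQS ARNs that contain node termination events. The default of [\"*\"] allows receiving and deleting messages on any queue in the account; narrow it to the handler's queue"`, or change the default to `[]` and require callers to pass the queue ARN, which is an interface change and better done as a follow-up. The `amazon_managed_service_prometheus_workspace_arns` context line at the top of this hunk shows the same `["*"]` default, though that variable's body is outside the hunk.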