feat: Add support for AMP, cert-manager, and external-secrets to iam-role-for-service-accounts-eks #223

Merged
merged 8 commits into from
Apr 13, 2022
4 changes: 4 additions & 0 deletions examples/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -30,12 +30,16 @@ No providers.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_amazon_managed_service_prometheus_irsa_role"></a> [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cert_manager_irsa_role"></a> [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
| <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_external_secrets_irsa_role"></a> [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
117 changes: 91 additions & 26 deletions examples/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -47,34 +47,34 @@ module "irsa_role" {
tags = local.tags
}

module "cluster_autoscaler_irsa_role" {
module "cert_manager_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "cluster-autoscaler"
attach_cluster_autoscaler_policy = true
cluster_autoscaler_cluster_ids = [module.eks.cluster_id]
role_name = "cert-manager"
attach_external_dns_policy = true
cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
namespace_service_accounts = ["kube-system:cert-manager"]
}
}

tags = local.tags
}

module "external_dns_irsa_role" {
module "cluster_autoscaler_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "external-dns"
attach_external_dns_policy = true
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]
role_name = "cluster-autoscaler"
attach_cluster_autoscaler_policy = true
cluster_autoscaler_cluster_ids = [module.eks.cluster_id]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["default:my-app", "canary:my-app"]
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
}
}

Expand Down Expand Up @@ -113,54 +113,53 @@ module "efs_csi_irsa_role" {
tags = local.tags
}

module "vpc_cni_ipv4_irsa_role" {
module "external_dns_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
role_name = "external-dns"
attach_external_dns_policy = true
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
namespace_service_accounts = ["kube-system:external-dns"]
}
}

tags = local.tags
}

module "vpc_cni_ipv6_irsa_role" {
module "external_secrets_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv6"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv6 = true
role_name = "external-secrets"
attach_external_secrets_policy = true
external_secrets_ssm_parameter_arns = ["arn:aws:ssm:*:*:parameter/foo"]
external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
namespace_service_accounts = ["default:kubernetes-external-secrets"]
}
}

tags = local.tags
}

module "node_termination_handler_irsa_role" {
module "fsx_lustre_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "node-termination-handler"
attach_node_termination_handler_policy = true
role_name = "fsx-lustre-csi"
attach_fsx_lustre_csi_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-node"]
namespace_service_accounts = ["kube-system:fsx-csi-controller-sa"]
}
}

tags = local.tags
}

module "karpenter_controller_irsa_role" {
Expand Down Expand Up @@ -214,6 +213,72 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
tags = local.tags
}

module "amazon_managed_service_prometheus_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "amazon-managed-service-prometheus"
attach_amazon_managed_service_prometheus_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["prometheus:amp-ingest"]
}
}

tags = local.tags
}

module "node_termination_handler_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "node-termination-handler"
attach_node_termination_handler_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-node"]
}
}

tags = local.tags
}

module "vpc_cni_ipv4_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
}
}

tags = local.tags
}

module "vpc_cni_ipv6_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv6"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv6 = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-vpc-cni"]
}
}

tags = local.tags
}

################################################################################
# Supporting Resources
################################################################################
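Review bot: The new `cert_manager_irsa_role` block in the first hunk attaches the wrong policy: it sets `attach_external_dns_policy = true` next to `cert_manager_hosted_zone_arns`, so the role ends up with the external-dns permissions while the cert-manager hosted-zone ARNs are never consumed, and the example does not exercise the feature the PR adds. This reads as a copy-paste from the adjacent `external_dns_irsa_role` block; following the `attach_<name>_policy` pattern every other block here uses, the intended line is presumably `attach_cert_manager_policy = true` (confirm against the module's variables). As a style point, the appended `amazon_managed_service_prometheus_irsa_role` block in the last hunk breaks the alphabetical ordering the rest of the file was just rearranged into; moving it ahead of `cert_manager_irsa_role` would keep the example consistent with the README table.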