From 6381151aaffdc02fccf8a872ab4a6fb0e4b243f5 Mon Sep 17 00:00:00 2001 From: Rodrigo Bersa Date: Sun, 9 Jun 2024 18:56:39 -0400 Subject: [PATCH 1/5] Adding Pod Identity --- README.md | 7 +++++++ main.tf | 38 +++++++++++++++++++++++++++++++++++--- outputs.tf | 12 +++++++++++- variables.tf | 26 +++++++++++++++++++++++++- 4 files changed, 78 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 502483a..e9c9eff 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,7 @@ No modules. | Name | Type | |------|------| +| [aws_eks_pod_identity_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource | | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -168,8 +169,10 @@ No modules. | [chart](#input\_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified | `string` | `""` | no | | [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed | `string` | `null` | no | | [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. Defaults to `false` | `bool` | `null` | no | +| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | `""` | no | | [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | | [create\_namespace](#input\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `false` | `bool` | `null` | no | +| [create\_pod\_identity\_association](#input\_create\_pod\_identity\_association) | Determines whether to create Pod Identity association | `bool` | `false` | no | | [create\_policy](#input\_create\_policy) | Whether to create an IAM policy that is attached to the IAM role created | `bool` | `true` | no | | [create\_release](#input\_create\_release) | Determines whether the Helm release is created | `bool` | `true` | no | | [create\_role](#input\_create\_role) | Determines whether to create an IAM role | `bool` | `false` | no | 
@@ -178,6 +181,7 @@ No modules. | [devel](#input\_devel) | Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | `bool` | `null` | no | | [disable\_openapi\_validation](#input\_disable\_openapi\_validation) | If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to `false` | `bool` | `null` | no | | [disable\_webhooks](#input\_disable\_webhooks) | Prevent hooks from running. Defaults to `false` | `bool` | `null` | no | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Determines whether to enable support for EKS Pod Identity | `bool` | `false` | no | | [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false` | `bool` | `null` | no | | [keyring](#input\_keyring) | Location of public keys used for verification. Used only if verify is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home` | `string` | `null` | no | | [lint](#input\_lint) | Run the helm chart linter during the plan. Defaults to `false` | `bool` | `null` | no | 
@@ -210,6 +214,7 @@ No modules. | [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no | | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [role\_policies](#input\_role\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | +| [service\_account](#input\_service\_account) | Service account to associate with the Pod Identity | `string` | `""` | no | | [set](#input\_set) | Value block with custom values to be merged with the values yaml | `any` | `[]` | no | | [set\_irsa\_names](#input\_set\_irsa\_names) | Value annotations name where IRSA role ARN created by module will be assigned to the `value` | `list(string)` | `[]` | no | | [set\_sensitive](#input\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | `any` | `[]` | no | @@ -228,6 +233,7 @@ No modules. |------|-------------| | [app\_version](#output\_app\_version) | The version number of the application being deployed | | [chart](#output\_chart) | The name of the chart | +| [create\_pod\_identity\_association](#output\_create\_pod\_identity\_association) | Pod Identity configuration | | [iam\_policy](#output\_iam\_policy) | The policy document | | [iam\_policy\_arn](#output\_iam\_policy\_arn) | The ARN assigned by AWS to this policy | | [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of IAM role | 
@@ -237,6 +243,7 @@ No modules. | [name](#output\_name) | Name is the name of the release | | [namespace](#output\_namespace) | Name of Kubernetes namespace | | [revision](#output\_revision) | Version is an int32 which represents the version of the release | +| [service\_account](#output\_service\_account) | Service Account associated with the Pod Identity | | [values](#output\_values) | The compounded values from `values` and `set*` attributes | | [version](#output\_version) | A SemVer 2 conformant version string of the chart | diff --git a/main.tf b/main.tf index 63d4da5..09f71cc 100644 --- a/main.tf +++ b/main.tf @@ -64,7 +64,7 @@ resource "helm_release" "this" { } dynamic "set" { - for_each = { for k, v in toset(var.set_irsa_names) : k => v if var.create && var.create_role } + for_each = { for k, v in toset(var.set_irsa_names) : k => v if var.create && var.create_role && var.enable_pod_identity == false && var.create_pod_identity_association == false } iterator = each content { name = each.value @@ -84,7 +84,7 @@ resource "helm_release" "this" { } ################################################################################ -# IAM Role for Service Account(s) (IRSA) +# Pod Identity and IAM Role for Service Account(s) (IRSA) ################################################################################ data "aws_partition" "current" { @@ -129,8 +129,25 @@ data "aws_iam_policy_document" "assume" { } } + # Pod Identity dynamic "statement" { - for_each = var.oidc_providers + for_each = var.enable_pod_identity ? [1] : [] + + content { + actions = [ + "sts:AssumeRole", + "sts:TagSession", + ] + + principals { + type = "Service" + identifiers = ["pods.eks.amazonaws.com"] + } + } + } + + dynamic "statement" { + for_each = var.enable_pod_identity && var.create_pod_identity_association ? {} : var.oidc_providers content { effect = "Allow" 
@@ -257,3 +274,18 @@ resource "aws_iam_role_policy_attachment" "this" { role = aws_iam_role.this[0].name policy_arn = aws_iam_policy.this[0].arn } + +################################################################################ +# Pod Identity Association +################################################################################ + +resource "aws_eks_pod_identity_association" "this" { + count = local.create_role && var.enable_pod_identity && var.create_pod_identity_association ? 1 : 0 + + cluster_name = var.cluster_name + namespace = var.namespace + service_account = var.service_account + role_arn = aws_iam_role.this[0].arn + + tags = var.tags +} diff --git a/outputs.tf b/outputs.tf index 2251c79..5dcde5e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -38,7 +38,7 @@ output "values" { } ################################################################################ -# IAM Role for Service Account(s) (IRSA) +# Pod Identity and IAM Role for Service Account(s) (IRSA) ################################################################################ output "iam_role_arn" { @@ -61,6 +61,16 @@ output "iam_role_unique_id" { value = try(aws_iam_role.this[0].unique_id, null) } +output "service_account" { + description = "Service Account associated with the Pod Identity" + value = var.service_account +} + +output "create_pod_identity_association" { + description = "Pod Identity configuration" + value = aws_eks_pod_identity_association.this +} + ################################################################################ # IAM Policy ################################################################################ diff --git a/variables.tf b/variables.tf index ab09aaf..9a2793e 100644 --- a/variables.tf +++ b/variables.tf 
@@ -10,6 +10,12 @@ variable "tags" { default = {} } +variable "cluster_name" { + description = "The name of the EKS cluster" + type = string + default = "" +} + ################################################################################ # Helm Release ################################################################################ @@ -243,7 +249,7 @@ variable "set_irsa_names" { } ################################################################################ -# IAM Role for Service Account(s) (IRSA) +# Pod Identity and IAM Role for Service Account(s) (IRSA) ################################################################################ variable "create_role" { @@ -312,6 +318,24 @@ variable "allow_self_assume_role" { default = false } +variable "enable_pod_identity" { + description = "Determines whether to enable support for EKS Pod Identity" + type = bool + default = false +} + +variable "create_pod_identity_association" { + description = "Determines whether to create Pod Identity association" + type = bool + default = false +} + +variable "service_account" { + description = "Service account to associate with the Pod Identity" + type = string + default = "" +} + ################################################################################ # IAM Policy ################################################################################ From 5ee9041d9aa135fd5c67892fa3ea53a3837efd6f Mon Sep 17 00:00:00 2001 From: Rodrigo Bersa Date: Mon, 5 Aug 2024 15:56:37 -0400 Subject: [PATCH 2/5] Checks --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e9c9eff..ea8129e 100644 --- a/README.md +++ b/README.md @@ -257,3 +257,4 @@ No modules. ## License Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-addon/blob/main/LICENSE). + From f1a2198a9fa6470f2329ab6ccd6dd462dc343f17 Mon Sep 17 00:00:00 2001 
From: Rodrigo Bersa Date: Mon, 5 Aug 2024 17:03:27 -0400 Subject: [PATCH 3/5] Fix end of file --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index ea8129e..e9c9eff 100644 --- a/README.md +++ b/README.md @@ -257,4 +257,3 @@ No modules. ## License Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-addon/blob/main/LICENSE). - From 3cd9223a33036df27696a5bf39890a0e92f46a43 Mon Sep 17 00:00:00 2001 From: Rodrigo Bersa Date: Mon, 5 Aug 2024 17:32:31 -0400 Subject: [PATCH 4/5] Fix end of file --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e9c9eff..ea8129e 100644 --- a/README.md +++ b/README.md @@ -257,3 +257,4 @@ No modules. ## License Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-addon/blob/main/LICENSE). + From e1a2efd651c31d6b6926c316f8b096fc128112ad Mon Sep 17 00:00:00 2001 From: Rodrigo Bersa Date: Mon, 5 Aug 2024 18:54:24 -0400 Subject: [PATCH 5/5] Pre commit --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index ea8129e..e9c9eff 100644 --- a/README.md +++ b/README.md @@ -257,4 +257,3 @@ No modules. ## License Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-eks-blueprints-addon/blob/main/LICENSE). -
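Review bot: in the main.tf `set` hunk for `set_irsa_names`, the guard `var.enable_pod_identity == false && var.create_pod_identity_association == false` disagrees with the assume-policy hunk further down, which only drops the OIDC statements when `var.enable_pod_identity && var.create_pod_identity_association` are both true. With `enable_pod_identity = true` and `create_pod_identity_association = false` the role still trusts the OIDC providers but the chart never receives the IRSA annotation, so IRSA silently stops working for that combination. Suggest one local, e.g. `use_pod_identity = var.enable_pod_identity && var.create_pod_identity_association`, used in both places, and `!var.enable_pod_identity` rather than `var.enable_pod_identity == false`.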
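Review bot: the new Pod Identity statement in the `aws_iam_policy_document.assume` hunk omits `effect = "Allow"` while the OIDC statement immediately after it sets it explicitly; the default is Allow so behaviour is unchanged, but keep the two statements consistent. The statement also carries no `condition` block, so the trust policy itself does not limit which cluster, namespace or service account may assume the role: that scoping lives entirely in the `aws_eks_pod_identity_association` resource and in whoever holds `iam:PassRole` on this role. A comment above the statement saying so would stop operators from reading the trust policy alone and assuming it is scoped.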
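Review bot: `aws_eks_pod_identity_association.this` in the main.tf hunk is fed `var.cluster_name` and `var.service_account`, both of which default to `""` in the variables.tf hunk and are marked optional in the README tables, so enabling `create_pod_identity_association` without setting them fails at apply time with an API error instead of at plan time. Add `validation` blocks, or a `lifecycle { precondition { ... } }` on the resource, requiring both to be non-empty when `var.enable_pod_identity && var.create_pod_identity_association`. Separately, the stat line shows no change to versions.tf; `aws_eks_pod_identity_association` is a comparatively recent AWS provider resource, so the module's `required_providers` minimum for `aws` should be raised to the release that introduced it.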
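Review bot: in the outputs.tf hunk `output "create_pod_identity_association"` is named like a boolean flag but returns the whole resource, and because the resource uses `count` the value is a list that is empty when no association is created. Rename it to `pod_identity_association` and return `try(aws_eks_pod_identity_association.this[0], null)`, matching the `try(aws_iam_role.this[0].unique_id, null)` pattern a few lines above; update the README output row to match. `output "service_account"` echoes `var.service_account` even when no association exists; either drop it or read it from the association resource with the same `try(...)` form.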
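Review bot: in the variables.tf hunk `variable "cluster_name"` is inserted next to `tags` at the top of the file while the other new inputs sit under the renamed `Pod Identity and IAM Role for Service Account(s) (IRSA)` section; move it there so the Pod Identity inputs are grouped. The descriptions for `enable_pod_identity` and `create_pod_identity_association` do not explain how the two differ (one adds the `pods.eks.amazonaws.com` trust statement, the other creates the association and drops the OIDC trust and IRSA annotations); spell that out, since the behaviour of the `set_irsa_names` and assume-policy code depends on the combination.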
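Review bot: the README hunks only add table rows; nothing tells the user that Pod Identity needs the EKS Pod Identity Agent add-on running on the cluster, or that `cluster_name` and `service_account` become mandatory once `create_pod_identity_association = true`. A short usage paragraph covering both, plus the fact that `set_irsa_names` is ignored in that mode, belongs next to the new rows.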
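Review bot: patches 2/5 through 5/5 ("Checks", "Fix end of file", "Fix end of file", "Pre commit") alternately add and remove a trailing blank line after the License section of README.md and net to no change against 1/5; squash them into the first commit so the series does not carry four whitespace-only revisions.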