enha: added the option to create IAM roles linked to ServiceAccounts …

…inside Kubernetes
custom-terraform-aws-modules · Apr 4, 2024 · 64429e5 · 64429e5
1 parent df5dbcd
commit 64429e5
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -112,8 +112,6 @@ resource "aws_iam_role_policy_attachment" "xray" {
   role       = aws_iam_role.worker.name
 }
 
-# TODO give IAM permission to read ECR registries and S3 buckets
-
 ################################
 # EKS Cluster                  #
 ################################
@@ -153,3 +151,82 @@ resource "aws_eks_node_group" "main" {
 
   tags = var.tags
 }
+
+################################
+# IAM Roles for Pods           #
+################################
+
+# OIDC provider to map IAM roles to kubernetes service accounts
+data "tls_certificate" "main" {
+  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "main" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.main.certificates[0].sha1_fingerprint]
+  url             = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
+}
+
+# creating the IAM roles
+data "aws_iam_policy_document" "main" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.main.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:aws-node"]
+    }
+
+    principals {
+      identifiers = [aws_iam_openid_connect_provider.main.arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "main" {
+  count              = length(var.pod_roles)
+  assume_role_policy = data.aws_iam_policy_document.main.json
+  name               = var.pod_roles[count.index]["identifier"]
+}
+
+# map each policy to it's role from hierarchical objects
+locals {
+  policy_mapping = flatten([for v in var.pod_roles : [for w in v["policies"] : {
+    role       = v["identifier"],
+    policy_arn = w
+  }]])
+}
+
+resource "aws_iam_role_policy_attachment" "main" {
+  count      = length(local.policy_mapping)
+  role       = local.policy_mapping[count.index]["role"]
+  policy_arn = local.policy_mapping[count.index]["policy_arn"]
+}
+
+# Kubernetes provider to create ServiceAccounts inside the EKS cluster
+provider "kubernetes" {
+  host                   = aws_eks_cluster.main.endpoint
+  cluster_ca_certificate = base64decode(aws_eks_cluster.main.certificate_authority[0].data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", var.identifier]
+    command     = "aws"
+  }
+}
+
+# map each created IAM role to a ServiceAccount in Kubernetes
+resource "kubernetes_service_account" "main" {
+  count = length(var.pod_roles)
+
+  metadata {
+    name      = var.pod_roles
+    namespace = "default"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.iam_role_test.arn
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -66,6 +66,15 @@ variable "max_size" {
   default     = 1
 }
 
+vairable "pod_roles" {
+  description = "A list of objects which define IAM roles which can be assumed by pods via ServiceAccounts."
+  type = list(object({
+    identifier = string
+    policies = list(string)
+  }))
+  default = []
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources."
   type        = map(string)

diff --git a/versions.tf b/versions.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.20"
     }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 2.2.0"
+    }
   }
 }