Cross account role (#15)

* Add ability to assume role * Improve example * Fix github actions system path
lablabs · Nov 26, 2020 · 3221fa4 · 3221fa4
1 parent 2acda21
commit 3221fa4
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 13 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -42,7 +42,7 @@ jobs:
 
       - shell: bash
         name: "SETUP: Go path"
-        run: echo '::add-path::~/go/bin/'
+        run: echo '~/go/bin/' >> $GITHUB_PATH
 
       - uses: actions/checkout@v1
         name: Checkout source code
@@ -84,8 +84,7 @@ jobs:
 
       - shell: bash
         name: "SETUP: TFLint path"
-        run: |
-          echo '::add-path::~/tflint/bin/'
+        run: echo '~/tflint/bin/' >> $GITHUB_PATH
 
       - uses: pre-commit/action@v2.0.0
         name: "RUN: pre-commit"

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -85,6 +85,12 @@ module "extenral_dns" {
     # "extraEnv[2].valueFrom.secretKeyRef.name" = "existing-secret"
     # "extraEnv[2].valueFrom.secretKeyRef.key" = "varname3-key"
 
+    # domainFilters:
+    #   - foo.com
+    #   - bar.com
+    "domainFilters[0]" = "foo.com"
+    "domainFilters[1]" = "bar.com"
+
   }
 
 }
diff --git a/iam.tf b/iam.tf
@@ -1,3 +1,9 @@
+# aws.assumeRoleArn
+
+locals {
+  assume_role = length(try(var.settings["aws.assumeRoleArn"], "")) > 0 ? true : false
+}
+
 resource "kubernetes_namespace" "external_dns" {
   depends_on = [var.mod_dependency]
   count      = (var.enabled && var.k8s_create_namespace && var.k8s_namespace != "kube-system") ? 1 : 0
@@ -10,7 +16,7 @@ resource "kubernetes_namespace" "external_dns" {
 ### iam ###
 # Policy
 data "aws_iam_policy_document" "external_dns" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && ! local.assume_role ? 1 : 0
 
   statement {
     sid = "ChangeResourceRecordSets"
@@ -41,18 +47,39 @@ data "aws_iam_policy_document" "external_dns" {
   }
 }
 
+data "aws_iam_policy_document" "external_dns_assume" {
+  count = var.enabled && local.assume_role ? 1 : 0
+
+  statement {
+    sid = "AllowAssumeExternalDNSRole"
+
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    resources = [
+      var.settings["aws.assumeRoleArn"]
+    ]
+  }
+}
+
+
 resource "aws_iam_policy" "external_dns" {
-  depends_on  = [var.mod_dependency]
-  count       = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   name        = "${var.cluster_name}-external-dns"
   path        = "/"
   description = "Policy for external-dns service"
 
-  policy = data.aws_iam_policy_document.external_dns[0].json
+  policy = local.assume_role ? data.aws_iam_policy_document.external_dns_assume[0].json : data.aws_iam_policy_document.external_dns[0].json
+
+  depends_on = [var.mod_dependency]
 }
 
 # Role
-data "aws_iam_policy_document" "external_dns_assume" {
+data "aws_iam_policy_document" "external_dns_irsa" {
   count = var.enabled ? 1 : 0
 
   statement {
@@ -77,15 +104,19 @@ data "aws_iam_policy_document" "external_dns_assume" {
 }
 
 resource "aws_iam_role" "external_dns" {
-  depends_on         = [var.mod_dependency]
-  count              = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   name               = "${var.cluster_name}-external-dns"
-  assume_role_policy = data.aws_iam_policy_document.external_dns_assume[0].json
+  assume_role_policy = data.aws_iam_policy_document.external_dns_irsa[0].json
+
+  depends_on = [var.mod_dependency]
 }
 
 resource "aws_iam_role_policy_attachment" "external_dns" {
-  depends_on = [var.mod_dependency]
-  count      = var.enabled ? 1 : 0
+  count = var.enabled ? 1 : 0
+
   role       = aws_iam_role.external_dns[0].name
   policy_arn = aws_iam_policy.external_dns[0].arn
+
+  depends_on = [var.mod_dependency]
 }