diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index fbfa584..bd312e6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -42,7 +42,7 @@ jobs: - shell: bash name: "SETUP: Go path" - run: echo '::add-path::~/go/bin/' + run: echo '~/go/bin/' >> $GITHUB_PATH - uses: actions/checkout@v1 name: Checkout source code @@ -84,8 +84,7 @@ jobs: - shell: bash name: "SETUP: TFLint path" - run: | - echo '::add-path::~/tflint/bin/' + run: echo '~/tflint/bin/' >> $GITHUB_PATH - uses: pre-commit/action@v2.0.0 name: "RUN: pre-commit" diff --git a/examples/basic/main.tf b/examples/basic/main.tf index c424775..126b2a7 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -85,6 +85,12 @@ module "extenral_dns" { # "extraEnv[2].valueFrom.secretKeyRef.name" = "existing-secret" # "extraEnv[2].valueFrom.secretKeyRef.key" = "varname3-key" + # domainFilters: + # - foo.com + # - bar.com + "domainFilters[0]" = "foo.com" + "domainFilters[1]" = "bar.com" + } } diff --git a/iam.tf b/iam.tf index 39bc5b2..6e9e7ca 100644 --- a/iam.tf +++ b/iam.tf @@ -1,3 +1,9 @@ +# aws.assumeRoleArn + +locals { + assume_role = length(try(var.settings["aws.assumeRoleArn"], "")) > 0 ? true : false +} + resource "kubernetes_namespace" "external_dns" { depends_on = [var.mod_dependency] count = (var.enabled && var.k8s_create_namespace && var.k8s_namespace != "kube-system") ? 1 : 0 @@ -10,7 +16,7 @@ resource "kubernetes_namespace" "external_dns" { ### iam ### # Policy data "aws_iam_policy_document" "external_dns" { - count = var.enabled ? 1 : 0 + count = var.enabled && ! local.assume_role ? 1 : 0 statement { sid = "ChangeResourceRecordSets" 
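Review bot: The replacement `run:` line appends the literal text `~/go/bin/` to `$GITHUB_PATH`, because the tilde is inside single quotes and is never expanded by the shell, and I would not rely on the runner expanding it when it rebuilds `PATH`; the same applies to the TFLint line in this file's second hunk. `run: echo "$HOME/go/bin" >> "$GITHUB_PATH"` (and `"$HOME/tflint/bin"` below) makes the entry an absolute path and keeps the file variable quoted. The previous `::add-path::` form carried the same literal, so if tools resolved before, that may have been tolerated rather than correct and is worth confirming on a run. The `steps:` list these entries belong to starts outside the hunk.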
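Review bot: The two new `domainFilters[n]` values use `foo.com` and `bar.com`, which are real registered domains rather than placeholders; since this is the example users copy, the RFC 2606 reserved names (`example.com`, `example.org`) make it obvious the values must be replaced, and the Helm-style comment above should use the same names. These filters are what limits the zones external-dns manages, so a short comment such as `# Restrict external-dns to the zones it should manage; replace with your own domains` above the two keys would help readers of the example. The enclosing `module "extenral_dns"` block starts outside the hunk; its label has a typo (`extenral`) that a separate rename could fix.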
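Review bot: The new `assume_role` local wraps an already-boolean comparison in `? true : false`; `assume_role = length(try(var.settings["aws.assumeRoleArn"], "")) > 0` says the same thing. The `try()` only guards the map lookup, so a caller who sets the key explicitly to `null` would most likely reach `length(null)` and fail; if that input is meant to be accepted, `assume_role = try(length(var.settings["aws.assumeRoleArn"]) > 0, false)` covers the missing, null and empty cases alike. The `# aws.assumeRoleArn` header says nothing about intent; I would replace it with `# When settings["aws.assumeRoleArn"] is set, the IRSA role is granted only sts:AssumeRole on that ARN instead of direct Route53 access (see the policy documents below).`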
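Review bot: The updated `count` line mixes `&&`, `!` and the conditional without parentheses, and the space in `! local.assume_role` is not how `terraform fmt` writes negation; `count = (var.enabled && !local.assume_role) ? 1 : 0` states the intended grouping explicitly. HCL precedence already yields that grouping, so this is readability only, but the line is the one that switches the Route53 permissions off in cross-account mode and deserves to be unambiguous. The `external_dns` policy document this line belongs to continues past the hunk.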
@@ -41,18 +47,39 @@ data "aws_iam_policy_document" "external_dns" { } } +data "aws_iam_policy_document" "external_dns_assume" { + count = var.enabled && local.assume_role ? 1 : 0 + + statement { + sid = "AllowAssumeExternalDNSRole" + + effect = "Allow" + + actions = [ + "sts:AssumeRole" + ] + + resources = [ + var.settings["aws.assumeRoleArn"] + ] + } +} + + resource "aws_iam_policy" "external_dns" { - depends_on = [var.mod_dependency] - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 + name = "${var.cluster_name}-external-dns" path = "/" description = "Policy for external-dns service" - policy = data.aws_iam_policy_document.external_dns[0].json + policy = local.assume_role ? data.aws_iam_policy_document.external_dns_assume[0].json : data.aws_iam_policy_document.external_dns[0].json + + depends_on = [var.mod_dependency] } # Role -data "aws_iam_policy_document" "external_dns_assume" { +data "aws_iam_policy_document" "external_dns_irsa" { count = var.enabled ? 1 : 0 statement { @@ -77,15 +104,19 @@ data "aws_iam_policy_document" "external_dns_assume" { } resource "aws_iam_role" "external_dns" { - depends_on = [var.mod_dependency] - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 + name = "${var.cluster_name}-external-dns" - assume_role_policy = data.aws_iam_policy_document.external_dns_assume[0].json + assume_role_policy = data.aws_iam_policy_document.external_dns_irsa[0].json + + depends_on = [var.mod_dependency] } resource "aws_iam_role_policy_attachment" "external_dns" { - depends_on = [var.mod_dependency] - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 + role = aws_iam_role.external_dns[0].name policy_arn = aws_iam_policy.external_dns[0].arn + + depends_on = [var.mod_dependency] }
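Review bot: The new `policy` expression on `aws_iam_policy.external_dns` indexes `[0]` into whichever document was not created; depending on the Terraform version in use, the unselected branch of `? :` may still be evaluated against a zero-count data source and fail with an invalid-index error, so `join("", data.aws_iam_policy_document.external_dns_assume[*].json)` on each side is the version-independent form. The new `external_dns_assume` document has no comment on the model; I would add above it `# Cross-account mode: this role gets only sts:AssumeRole on the operator-supplied role, which must trust this role and carry the Route53 permissions itself (not managed here).` Reusing the label `external_dns_assume` for a different document while renaming the old trust document to `external_dns_irsa` also makes plan output and history confusing; a distinct label such as `external_dns_cross_account` avoids that.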