IRSA module refactor (No Breaking changes) (#832)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
aws-ia · Aug 9, 2022 · fb2346f · fb2346f
1 parent bba0a11
commit fb2346f
Show file tree

Hide file tree

Showing 17 changed files with 120 additions and 84 deletions.
diff --git a/FAQ.md b/FAQ.md
@@ -75,6 +75,13 @@ data "aws_eks_cluster_auth" "this" {
 
 ### `exec()` Example
 
+Usage of exec plugin for AWS credentials
+
+Links to References related to this issue
+
+- https://github.com/hashicorp/terraform/issues/29182
+- https://github.com/aws/aws-cli/pull/6476
+
 ```hcl
 provider "kubernetes" {
   host                   = module.eks_blueprints.eks_cluster_endpoint
@@ -114,7 +121,17 @@ provider "kubectl" {
 }
 ```
 
-### References
+### How to use IRSA module
 
-- https://github.com/hashicorp/terraform/issues/29182
-- https://github.com/aws/aws-cli/pull/6476
+Sample code snippet for using IRSA module directly
+
+```hcl
+module "irsa" {
+    source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/irsa"
+    kubernetes_namespace       = "<ENTER_NAMESPACE>"
+    kubernetes_service_account = "<ENTER_SERVICE_ACCOUNT_NAME>"
+    irsa_iam_policies          = ["<ENTER_IAM_POLICY_ARN>"]
+    eks_cluster_id             = module.eks_blueprints.eks_cluster_id
+    eks_oidc_provider_arn      = module.eks_blueprints.eks_oidc_provider_arn
+}
+```
diff --git a/...ternal-secrets-kubernetes-addon/README.md → examples/external-secrets/README.md b/...ternal-secrets-kubernetes-addon/README.md → examples/external-secrets/README.md
@@ -25,7 +25,7 @@ git clone https://github.com/aws-ia/terraform-aws-eks-blueprints.git
 Initialize a working directory with configuration files
 
 ```sh
-cd examples/external-secrets-kubernetes-addon/
+cd examples/external-secrets/
 terraform init
 ```
 

diff --git a/...external-secrets-kubernetes-addon/main.tf → examples/external-secrets/main.tf b/...external-secrets-kubernetes-addon/main.tf → examples/external-secrets/main.tf
@@ -27,7 +27,6 @@ data "aws_eks_cluster_auth" "this" {
 }
 
 data "aws_availability_zones" "available" {}
-data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
@@ -182,18 +181,8 @@ module "cluster_secretstore_role" {
   create_kubernetes_namespace = false
   kubernetes_service_account  = local.cluster_secretstore_sa
   irsa_iam_policies           = [aws_iam_policy.cluster_secretstore.arn]
-
-  addon_context = {
-    aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
-    aws_caller_identity_arn        = data.aws_caller_identity.current.arn
-    aws_eks_cluster_endpoint       = module.eks_blueprints.eks_cluster_endpoint
-    aws_partition_id               = data.aws_partition.current.partition
-    aws_region_name                = data.aws_region.current.name
-    eks_cluster_id                 = module.eks_blueprints.eks_cluster_id
-    eks_oidc_issuer_url            = module.eks_blueprints.eks_oidc_issuer_url
-    eks_oidc_provider_arn          = module.eks_blueprints.eks_oidc_provider_arn
-    tags                           = {}
-  }
+  eks_cluster_id              = module.eks_blueprints.eks_cluster_id
+  eks_oidc_provider_arn       = module.eks_blueprints.eks_oidc_provider_arn
 
   depends_on = [module.eks_blueprints_kubernetes_addons]
 }
@@ -288,20 +277,9 @@ module "secretstore_role" {
   create_kubernetes_namespace = false
   kubernetes_service_account  = local.secretstore_sa
   irsa_iam_policies           = [aws_iam_policy.secretstore.arn]
-
-  addon_context = {
-    aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
-    aws_caller_identity_arn        = data.aws_caller_identity.current.arn
-    aws_eks_cluster_endpoint       = module.eks_blueprints.eks_cluster_endpoint
-    aws_partition_id               = data.aws_partition.current.partition
-    aws_region_name                = data.aws_region.current.name
-    eks_cluster_id                 = module.eks_blueprints.eks_cluster_id
-    eks_oidc_issuer_url            = module.eks_blueprints.eks_oidc_issuer_url
-    eks_oidc_provider_arn          = module.eks_blueprints.eks_oidc_provider_arn
-    tags                           = {}
-  }
-
-  depends_on = [module.eks_blueprints_kubernetes_addons]
+  eks_cluster_id              = module.eks_blueprints.eks_cluster_id
+  eks_oidc_provider_arn       = module.eks_blueprints.eks_oidc_provider_arn
+  depends_on                  = [module.eks_blueprints_kubernetes_addons]
 }
 
 resource "aws_iam_policy" "secretstore" {

diff --git a/...ernal-secrets-kubernetes-addon/outputs.tf → examples/external-secrets/outputs.tf b/...ernal-secrets-kubernetes-addon/outputs.tf → examples/external-secrets/outputs.tf
diff --git a/...nal-secrets-kubernetes-addon/variables.tf → examples/external-secrets/variables.tf b/...nal-secrets-kubernetes-addon/variables.tf → examples/external-secrets/variables.tf
diff --git a/...rnal-secrets-kubernetes-addon/versions.tf → examples/external-secrets/versions.tf b/...rnal-secrets-kubernetes-addon/versions.tf → examples/external-secrets/versions.tf
diff --git a/examples/secrets-management/csi-secrets-driver/main.tf b/examples/secrets-management/csi-secrets-driver/main.tf
@@ -21,8 +21,6 @@ data "aws_eks_cluster_auth" "this" {
 }
 
 data "aws_availability_zones" "available" {}
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
 locals {
   name         = basename(path.cwd)
@@ -140,18 +138,9 @@ resource "aws_iam_policy" "this" {
 # Creating IAM Role for Service Account
 #---------------------------------------------------------------
 module "iam_role_service_account" {
-  source = "../../../modules/irsa"
-  addon_context = {
-    aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
-    aws_caller_identity_arn        = data.aws_caller_identity.current.arn
-    aws_eks_cluster_endpoint       = module.eks_blueprints.eks_cluster_endpoint
-    aws_partition_id               = data.aws_partition.current.partition
-    aws_region_name                = local.region
-    eks_cluster_id                 = module.eks_blueprints.eks_cluster_id
-    eks_oidc_issuer_url            = module.eks_blueprints.eks_oidc_issuer_url
-    eks_oidc_provider_arn          = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${module.eks_blueprints.eks_oidc_issuer_url}"
-    tags                           = {}
-  }
+  source                     = "../../../modules/irsa"
+  eks_cluster_id             = module.eks_blueprints.eks_cluster_id
+  eks_oidc_provider_arn      = module.eks_blueprints.eks_oidc_provider_arn
   kubernetes_namespace       = local.application
   kubernetes_service_account = "${local.application}-sa"
   irsa_iam_policies          = [aws_iam_policy.this.arn]

diff --git a/modules/irsa/README.md b/modules/irsa/README.md
@@ -49,12 +49,17 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>    irsa_iam_role_name             = optional(string)<br>    irsa_iam_role_path             = optional(string)<br>    irsa_iam_permissions_boundary  = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_create_kubernetes_namespace"></a> [create\_kubernetes\_namespace](#input\_create\_kubernetes\_namespace) | Should the module create the namespace | `bool` | `true` | no |
 | <a name="input_create_kubernetes_service_account"></a> [create\_kubernetes\_service\_account](#input\_create\_kubernetes\_service\_account) | Should the module create the Service Account | `bool` | `true` | no |
+| <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster ID | `string` | n/a | yes |
+| <a name="input_eks_oidc_provider_arn"></a> [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | EKS OIDC Provider ARN e.g., arn:aws:iam::<ACCOUNT-ID>:oidc-provider/<var.eks\_oidc\_provider> | `string` | n/a | yes |
+| <a name="input_irsa_iam_permissions_boundary"></a> [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no |
 | <a name="input_irsa_iam_policies"></a> [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | `[]` | no |
+| <a name="input_irsa_iam_role_name"></a> [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no |
+| <a name="input_irsa_iam_role_path"></a> [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
 | <a name="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes |
 | <a name="input_kubernetes_service_account"></a> [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |
 
 ## Outputs
 

diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
@@ -1,3 +1,7 @@
+locals {
+  eks_oidc_issuer_url = "${replace(var.eks_oidc_provider_arn, "/^(.*provider/)/", "")}:sub"
+}
+
 resource "kubernetes_namespace_v1" "irsa" {
   count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0
   metadata {
@@ -20,31 +24,31 @@ resource "kubernetes_service_account_v1" "irsa" {
 resource "aws_iam_role" "irsa" {
   count = var.irsa_iam_policies != null ? 1 : 0
 
-  name        = try(coalesce(var.addon_context.irsa_iam_role_name, format("%s-%s-%s", var.addon_context.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
+  name        = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
   description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}."
   assume_role_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [
       {
         "Effect" : "Allow",
         "Principal" : {
-          "Federated" : "${var.addon_context.eks_oidc_provider_arn}"
+          "Federated" : "${var.eks_oidc_provider_arn}"
         },
         "Action" : "sts:AssumeRoleWithWebIdentity",
         "Condition" : {
           "StringLike" : {
-            "${var.addon_context.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}",
-            "${var.addon_context.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
+            "${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}",
+            "${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
           }
         }
       }
     ]
   })
-  path                  = var.addon_context.irsa_iam_role_path
+  path                  = var.irsa_iam_role_path
   force_detach_policies = true
-  permissions_boundary  = var.addon_context.irsa_iam_permissions_boundary
+  permissions_boundary  = var.irsa_iam_permissions_boundary
 
-  tags = var.addon_context.tags
+  tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "irsa" {

diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
@@ -26,20 +26,36 @@ variable "irsa_iam_policies" {
   default     = []
 }
 
-variable "addon_context" {
-  description = "Input configuration for the addon"
-  type = object({
-    aws_caller_identity_account_id = string
-    aws_caller_identity_arn        = string
-    aws_eks_cluster_endpoint       = string
-    aws_partition_id               = string
-    aws_region_name                = string
-    eks_cluster_id                 = string
-    eks_oidc_issuer_url            = string
-    eks_oidc_provider_arn          = string
-    tags                           = map(string)
-    irsa_iam_role_name             = optional(string)
-    irsa_iam_role_path             = optional(string)
-    irsa_iam_permissions_boundary  = optional(string)
-  })
+variable "irsa_iam_role_name" {
+  type        = string
+  description = "IAM role name for IRSA"
+  default     = ""
+}
+
+variable "irsa_iam_role_path" {
+  description = "IAM role path for IRSA roles"
+  type        = string
+  default     = "/"
+}
+
+variable "irsa_iam_permissions_boundary" {
+  description = "IAM permissions boundary for IRSA roles"
+  type        = string
+  default     = ""
+}
+
+variable "eks_oidc_provider_arn" {
+  description = "EKS OIDC Provider ARN e.g., arn:aws:iam::<ACCOUNT-ID>:oidc-provider/<var.eks_oidc_provider>"
+  type        = string
+}
+
+variable "eks_cluster_id" {
+  description = "EKS Cluster ID"
+  type        = string
+}
+
+variable "tags" {
+  description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)"
+  type        = map(string)
+  default     = {}
 }
diff --git a/modules/kubernetes-addons/aws-ebs-csi-driver/main.tf b/modules/kubernetes-addons/aws-ebs-csi-driver/main.tf
@@ -26,7 +26,10 @@ module "irsa_addon" {
   kubernetes_namespace              = "kube-system"
   kubernetes_service_account        = "ebs-csi-controller-sa"
   irsa_iam_policies                 = concat([aws_iam_policy.aws_ebs_csi_driver[0].arn], try(var.addon_config.additional_iam_policies, []))
-  addon_context                     = var.addon_context
+  irsa_iam_role_path                = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary     = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                    = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn             = var.addon_context.eks_oidc_provider_arn
 }
 
 resource "aws_iam_policy" "aws_ebs_csi_driver" {

diff --git a/modules/kubernetes-addons/aws-vpc-cni/main.tf b/modules/kubernetes-addons/aws-vpc-cni/main.tf
@@ -27,7 +27,10 @@ module "irsa_addon" {
   create_kubernetes_service_account = false
   kubernetes_namespace              = "kube-system"
   kubernetes_service_account        = "aws-node"
-  addon_context                     = var.addon_context
+  irsa_iam_role_path                = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary     = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                    = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn             = var.addon_context.eks_oidc_provider_arn
   irsa_iam_policies = concat(
     ["arn:${var.addon_context.aws_partition_id}:iam::aws:policy/AmazonEKS_CNI_Policy"],
     local.cni_ipv6_policy,

diff --git a/modules/kubernetes-addons/crossplane/main.tf b/modules/kubernetes-addons/crossplane/main.tf
@@ -50,9 +50,11 @@ module "aws_provider_irsa" {
   kubernetes_namespace              = local.namespace
   kubernetes_service_account        = "${local.aws_provider_sa}-*"
   irsa_iam_policies                 = concat([aws_iam_policy.aws_provider[0].arn], var.aws_provider.additional_irsa_policies)
-  addon_context                     = var.addon_context
-
-  depends_on = [kubectl_manifest.aws_provider]
+  irsa_iam_role_path                = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary     = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                    = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn             = var.addon_context.eks_oidc_provider_arn
+  depends_on                        = [kubectl_manifest.aws_provider]
 }
 
 resource "aws_iam_policy" "aws_provider" {
@@ -102,9 +104,11 @@ module "jet_aws_provider_irsa" {
   kubernetes_namespace              = local.namespace
   kubernetes_service_account        = "${local.jet_aws_provider_sa}-*"
   irsa_iam_policies                 = concat([aws_iam_policy.jet_aws_provider[0].arn], var.jet_aws_provider.additional_irsa_policies)
-  addon_context                     = var.addon_context
-
-  depends_on = [kubectl_manifest.jet_aws_provider]
+  irsa_iam_role_path                = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary     = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                    = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn             = var.addon_context.eks_oidc_provider_arn
+  depends_on                        = [kubectl_manifest.jet_aws_provider]
 }
 
 resource "aws_iam_policy" "jet_aws_provider" {

diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md
@@ -40,6 +40,7 @@ Helm Addon module can be used to provision a generic Helm Chart as an Add-On for
 | <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>    irsa_iam_role_path             = optional(string)<br>    irsa_iam_permissions_boundary  = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs | `any` | n/a | yes |
 | <a name="input_irsa_config"></a> [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | <pre>object({<br>    kubernetes_namespace              = string<br>    create_kubernetes_namespace       = optional(bool)<br>    kubernetes_service_account        = string<br>    create_kubernetes_service_account = optional(bool)<br>    irsa_iam_policies                 = optional(list(string))<br>  })</pre> | `null` | no |
+| <a name="input_irsa_iam_role_name"></a> [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no |
 | <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
 | <a name="input_set_sensitive_values"></a> [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no |
 | <a name="input_set_values"></a> [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no |

diff --git a/modules/kubernetes-addons/helm-addon/main.tf b/modules/kubernetes-addons/helm-addon/main.tf
@@ -66,5 +66,9 @@ module "irsa" {
   kubernetes_namespace              = var.irsa_config.kubernetes_namespace
   kubernetes_service_account        = var.irsa_config.kubernetes_service_account
   irsa_iam_policies                 = var.irsa_config.irsa_iam_policies
-  addon_context                     = var.addon_context
+  irsa_iam_role_name                = var.irsa_iam_role_name
+  irsa_iam_role_path                = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary     = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                    = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn             = var.addon_context.eks_oidc_provider_arn
 }
diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf
@@ -21,6 +21,12 @@ variable "manage_via_gitops" {
   default     = false
 }
 
+variable "irsa_iam_role_name" {
+  type        = string
+  description = "IAM role name for IRSA"
+  default     = ""
+}
+
 variable "irsa_config" {
   description = "Input configuration for IRSA module"
   type = object({

diff --git a/modules/kubernetes-addons/prometheus/main.tf b/modules/kubernetes-addons/prometheus/main.tf
@@ -108,9 +108,12 @@ module "irsa_amp_ingest" {
   create_kubernetes_namespace = false
   kubernetes_namespace        = local.namespace
 
-  kubernetes_service_account = local.ingest_service_account
-  irsa_iam_policies          = [aws_iam_policy.ingest[0].arn]
-  addon_context              = var.addon_context
+  kubernetes_service_account    = local.ingest_service_account
+  irsa_iam_policies             = [aws_iam_policy.ingest[0].arn]
+  irsa_iam_role_path            = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn         = var.addon_context.eks_oidc_provider_arn
 }
 
 # ------------------------------------------
@@ -148,7 +151,10 @@ module "irsa_amp_query" {
   create_kubernetes_namespace = false
   kubernetes_namespace        = local.namespace
 
-  kubernetes_service_account = "amp-query"
-  irsa_iam_policies          = [aws_iam_policy.query[0].arn]
-  addon_context              = var.addon_context
+  kubernetes_service_account    = "amp-query"
+  irsa_iam_policies             = [aws_iam_policy.query[0].arn]
+  irsa_iam_role_path            = var.addon_context.irsa_iam_role_path
+  irsa_iam_permissions_boundary = var.addon_context.irsa_iam_permissions_boundary
+  eks_cluster_id                = var.addon_context.eks_cluster_id
+  eks_oidc_provider_arn         = var.addon_context.eks_oidc_provider_arn
 }