feat: create service account role module for EKS (#636)

* fix: create service account role for EKS * don't need these variables * finish my sentence * apply jake's feedback/suggestions Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com> * remove unneeded stuff --------- Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
chanzuckerberg · Sep 3, 2024 · d6ecfd3 · d6ecfd3
1 parent 9b226ee
commit d6ecfd3
Show file tree

Hide file tree

Showing 6 changed files with 101 additions and 0 deletions.
diff --git a/aws-iam-service-account-eks/README.md b/aws-iam-service-account-eks/README.md
diff --git a/aws-iam-service-account-eks/main.tf b/aws-iam-service-account-eks/main.tf
@@ -0,0 +1,32 @@
+locals {
+  iam_path             = coalesce(var.iam_path, "/${var.eks_cluster.cluster_id}/")
+  oidc_provider_url    = replace(var.eks_cluster.cluster_oidc_issuer_url, "https://", "")
+  name                 = "${var.tags.service}-${var.tags.env}-${var.tags.project}"
+}
+
+data "aws_iam_policy_document" "assume-role" {
+  statement {
+    principals {
+      type        = "Federated"
+      identifiers = [var.eks_cluster.oidc_provider_arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "${local.oidc_provider_url}:sub"
+      values   = ["system:serviceaccount:${var.k8s_namespace}:${var.service_account_name}"]
+    }
+
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name                 = local.name
+  description          = "Service account role for ${local.name}"
+  assume_role_policy   = data.aws_iam_policy_document.assume-role.json
+  path                 = local.iam_path
+  max_session_duration = var.max_session_duration
+  permissions_boundary = var.role_permissions_boundary_arn
+}
+
diff --git a/aws-iam-service-account-eks/module_test.go b/aws-iam-service-account-eks/module_test.go
@@ -0,0 +1 @@
+package test
diff --git a/aws-iam-service-account-eks/outputs.tf b/aws-iam-service-account-eks/outputs.tf
@@ -0,0 +1,11 @@
+output "iam_role_name_with_path" {
+  value = "${substr(local.iam_path, 1, -1)}${aws_iam_role.role.name}"
+}
+
+output "iam_role" {
+  value = aws_iam_role.role.name
+}
+
+output "iam_role_arn" {
+  value = aws_iam_role.role.arn
+}
diff --git a/aws-iam-service-account-eks/terraform.tf b/aws-iam-service-account-eks/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.14"
+    }
+  }
+  required_version = ">= 1.3"
+}
diff --git a/aws-iam-service-account-eks/variables.tf b/aws-iam-service-account-eks/variables.tf
@@ -0,0 +1,48 @@
+variable "eks_cluster" {
+  type = object({
+    cluster_id : string,
+    cluster_arn : string,
+    cluster_endpoint : string,
+    cluster_ca : string,
+    cluster_oidc_issuer_url : string,
+    cluster_version : string,
+    worker_iam_role_name : string,
+    worker_security_group : string,
+    oidc_provider_arn : string,
+  })
+  description = "eks-cluster module output"
+}
+
+variable "k8s_namespace" {
+  description = "Kubernetes namespace that the service account is in"
+  type        = string
+}
+
+variable "iam_path" {
+  type        = string
+  default     = ""
+  description = "IAM path for the role."
+}
+
+variable "role_permissions_boundary_arn" {
+  description = "Permissions boundary ARN to use for IAM role"
+  type        = string
+  default     = ""
+}
+
+variable "max_session_duration" {
+  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  type        = number
+  default     = 3600
+}
+
+variable "service_account_name" {
+  type        = string
+  default     = "*"
+  description = "Specified Service Account Name in case you want to customize it"
+}
+
+variable "tags" {
+  type = object({ project : string, env : string, service : string, owner : string, managedBy : string })
+  description = "Basic metadata about the service account"
+}