From 73ef83dcca2d6b7bec267281066646c81cc1bd38 Mon Sep 17 00:00:00 2001
From: Gerard Toonstra
Date: Thu, 18 Sep 2025 12:44:48 +0200
Subject: [PATCH] fix: Add role for DMA

---
 modules/eks/outputs.tf   | 10 ++++++++++
 modules/eks/roles.tf     | 20 ++++++++++++++++++++
 modules/eks/variables.tf |  6 ++++++
 outputs.tf               |  9 +++++++++
 4 files changed, 45 insertions(+)

diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
index c0ca861..919ee09 100644
--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
@@ -138,6 +138,16 @@ output "storage_worker_service_account_name" {
   description = "The name of the service account for storage_worker"
 }
 
+# dma
+output "dma_role_arn" {
+  value = module.dma_role[0].arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dma_service_account_name" {
+  value = var.dma_service_account_name
+  description = "The name of the service account for dma"
+}
+
 # Clickhouse backup
 output "clickhouse_backup_role_name" {
   value = module.clickhouse_backup_role.arn
diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf
index efb155d..8b2911d 100644
--- a/modules/eks/roles.tf
+++ b/modules/eks/roles.tf
@@ -255,6 +255,21 @@ module "clickhouse_backup_role" {
   }
 }
 
+# storage_worker
+module "dma_role" {
+  count = 1
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name = "${var.deployment_name}-${var.dma_service_account_name}"
+  version = "6.2.1"
+
+  oidc_providers = {
+    ex = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["${var.deployment_name}:${var.dma_service_account_name}"]
+    }
+  }
+}
+
 # Policy Attachments
 resource "aws_iam_role_policy_attachment" "bedrock_dfshell_attachment" {
   count = var.k8s_access_bedrock ? 1 : 0
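Review bot: The description on the new `dma_role_arn` output in modules/eks/outputs.tf, `The ARN of the AWS Bedrock role`, misdescribes the value: `module.dma_role[0].arn` is the IRSA role created for the dma service account, and it only carries Bedrock permissions when `var.k8s_access_bedrock` is true, since the attachment in roles.tf is conditional. Suggest `description = "The ARN of the IAM role assumed by the dma service account (Bedrock policy attached only when k8s_access_bedrock is true)"`. The same wording is repeated on the root-level `dma_role_arn` output in outputs.tf and should be corrected there too. The `[0]` index also hard-wires this output to the module's `count = 1`; if that count is ever made conditional the output fails to plan, so `value = one(module.dma_role[*].arn)` would be the more resilient form.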
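Review bot: The `# storage_worker` comment above `module "dma_role"` in roles.tf is a copy-paste leftover and should read `# dma`, matching the `# dma` heading the same commit adds in outputs.tf. `count = 1` with no condition creates the role unconditionally yet forces `[0]` indexing in every reference; either drop `count` or tie it to the same condition as the policy attachment so the role and its permissions are gated together. On the positive side the trust policy is scoped to the single `namespace:serviceaccount` pair rather than a wildcard, and within this patch the role carries no permissions beyond what `bedrock_dma_attachment` adds, which is the right least-privilege baseline.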
@@ -285,3 +300,8 @@ resource "aws_iam_role_policy_attachment" "clickhouse_backup_attachment" {
   policy_arn = aws_iam_policy.clickhouse_backup_policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "bedrock_dma_attachment" {
+  count = var.k8s_access_bedrock ? 1 : 0
+  role = module.dma_role[0].name
+  policy_arn = aws_iam_policy.bedrock_access_policy[0].arn
+}
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
index 37f7c7c..cf9ec67 100644
--- a/modules/eks/variables.tf
+++ b/modules/eks/variables.tf
@@ -189,3 +189,9 @@ variable "storage_worker_service_account_name" {
   default = "storage-worker"
   description = "Name of the service account for storage_worker"
 }
+
+variable "dma_service_account_name" {
+  type = string
+  default = "dma"
+  description = "Name of the service account for dma"
+}
diff --git a/outputs.tf b/outputs.tf
index cfdd648..bba5d86 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -282,3 +282,12 @@ output "storage_worker_service_account_name" {
   value = module.eks.storage_worker_service_account_name
   description = "The name of the service account for storage_worker"
 }
+
+output "dma_role_arn" {
+  value = module.eks.dma_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dma_service_account_name" {
+  value = module.eks.dma_service_account_name
+  description = "The name of the service account for dma"
+}
\ No newline at end of file
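Review bot: `bedrock_dma_attachment` grants the dma role the same shared `aws_iam_policy.bedrock_access_policy[0]` that `bedrock_dfshell_attachment` uses, so DMA receives exactly the dfshell set of Bedrock permissions rather than a set sized to what DMA itself calls. If the two workloads' needs differ, a separate policy for DMA keeps their blast radius independent; if sharing is intentional, record it on the resource with `# dma shares the dfshell Bedrock policy; split it if DMA's needs diverge`. `role = module.dma_role[0].name` also assumes the module's `count = 1` stays fixed, the same coupling as the outputs.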
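Review bot: The new output block leaves the root outputs.tf without a trailing newline, as the `\ No newline at end of file` marker shows; adding one keeps the file POSIX-clean and avoids the closing `}` showing as modified in the next change that appends to this file. A `terraform fmt -check` step in CI would likely flag this, if one is not already in place.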