Update iam-role version

tedilabs · Nov 10, 2023 · 117742e · 117742e
1 parent 2a5faa7
commit 117742e
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 12 deletions.
diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md
@@ -34,9 +34,9 @@ This module creates following resources.
 |------|--------|---------|
 | <a name="module_oidc_provider"></a> [oidc\_provider](#module\_oidc\_provider) | tedilabs/account/aws//modules/iam-oidc-identity-provider | ~> 0.27.0 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| <a name="module_role__control_plane"></a> [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
-| <a name="module_role__fargate_profile"></a> [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
-| <a name="module_role__node"></a> [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
+| <a name="module_role__control_plane"></a> [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| <a name="module_role__fargate_profile"></a> [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| <a name="module_role__node"></a> [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 | <a name="module_security_group__control_plane"></a> [security\_group\_\_control\_plane](#module\_security\_group\_\_control\_plane) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | <a name="module_security_group__node"></a> [security\_group\_\_node](#module\_security\_group\_\_node) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | <a name="module_security_group__pod"></a> [security\_group\_\_pod](#module\_security\_group\_\_pod) | tedilabs/network/aws//modules/security-group | 0.24.0 |

diff --git a/modules/eks-cluster/iam.tf b/modules/eks-cluster/iam.tf
@@ -4,19 +4,24 @@
 
 module "role__control_plane" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.19.0"
+  version = "~> 0.28.0"
 
   name        = "eks-${local.metadata.name}-control-plane"
   path        = "/"
   description = "Role for the EKS cluster(${local.metadata.name}) control plane"
 
-  trusted_services = ["eks.amazonaws.com"]
+  trusted_service_policies = [
+    {
+      services = ["eks.amazonaws.com"]
+    }
+  ]
 
   policies = [
     "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
     "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
   ]
 
+  force_detach_policies  = true
   resource_group_enabled = false
   module_tags_enabled    = false
 
@@ -33,13 +38,17 @@ module "role__control_plane" {
 
 module "role__node" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.19.0"
+  version = "~> 0.28.0"
 
   name        = "eks-${local.metadata.name}-node"
   path        = "/"
   description = "Role for the EKS cluster(${local.metadata.name}) nodes"
 
-  trusted_services = ["ec2.amazonaws.com"]
+  trusted_service_policies = [
+    {
+      services = ["ec2.amazonaws.com"]
+    }
+  ]
 
   policies = [
     "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
@@ -48,8 +57,11 @@ module "role__node" {
     "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
   ]
 
-  instance_profile_enabled = true
+  instance_profile = {
+    enabled = true
+  }
 
+  force_detach_policies  = true
   resource_group_enabled = false
   module_tags_enabled    = false
 
@@ -66,16 +78,21 @@ module "role__node" {
 
 module "role__fargate_profile" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.19.0"
+  version = "~> 0.28.0"
 
   name        = "eks-${local.metadata.name}-fargate-profile"
   path        = "/"
   description = "Role for the EKS cluster(${local.metadata.name}) Fargate profiles"
 
-  trusted_services = ["eks-fargate-pods.amazonaws.com"]
+  trusted_service_policies = [
+    {
+      services = ["eks-fargate-pods.amazonaws.com"]
+    }
+  ]
 
   policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
 
+  force_detach_policies  = true
   resource_group_enabled = false
   module_tags_enabled    = false
 

diff --git a/modules/eks-cluster/migrations.tf b/modules/eks-cluster/migrations.tf
@@ -1,3 +1,9 @@
+# 2023-11-10
+moved {
+  from = aws_iam_openid_connect_provider.this
+  to   = module.oidc_provider.aws_iam_openid_connect_provider.this
+}
+
 # 2022-10-20
 moved {
   from = aws_resourcegroups_group.this[0]

diff --git a/modules/eks-fargate-profile/README.md b/modules/eks-fargate-profile/README.md
@@ -27,7 +27,7 @@ This module creates following resources.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| <a name="module_role"></a> [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.27.0 |
+| <a name="module_role"></a> [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 
 ## Resources
 

diff --git a/modules/eks-fargate-profile/iam.tf b/modules/eks-fargate-profile/iam.tf
@@ -6,7 +6,7 @@ module "role" {
   count = var.default_pod_execution_role.enabled ? 1 : 0
 
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "~> 0.27.0"
+  version = "~> 0.28.0"
 
   name = coalesce(
     var.default_pod_execution_role.name,