From 117742e3698b57beee924c7df1f89c46f1cdee69 Mon Sep 17 00:00:00 2001
From: Byungjin Park
Date: Fri, 10 Nov 2023 14:55:48 +0900
Subject: [PATCH] Update iam-role version
---
 modules/eks-cluster/README.md | 6 +++---
 modules/eks-cluster/iam.tf | 31 +++++++++++++++++++++------
 modules/eks-cluster/migrations.tf | 6 ++++++
 modules/eks-fargate-profile/README.md | 2 +-
 modules/eks-fargate-profile/iam.tf | 2 +-
 5 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md
index a78b35e..8354a03 100644
--- a/modules/eks-cluster/README.md
+++ b/modules/eks-cluster/README.md
@@ -34,9 +34,9 @@ This module creates following resources.
 |------|--------|---------|
 | [oidc\_provider](#module\_oidc\_provider) | tedilabs/account/aws//modules/iam-oidc-identity-provider | ~> 0.27.0 |
 | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
-| [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
-| [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
+| [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 | [security\_group\_\_control\_plane](#module\_security\_group\_\_control\_plane) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | [security\_group\_\_node](#module\_security\_group\_\_node) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | [security\_group\_\_pod](#module\_security\_group\_\_pod) | tedilabs/network/aws//modules/security-group | 0.24.0 |
diff --git a/modules/eks-cluster/iam.tf b/modules/eks-cluster/iam.tf
index 1f3dfe1..5ee6d7e 100644
--- a/modules/eks-cluster/iam.tf
+++ b/modules/eks-cluster/iam.tf
@@ -4,19 +4,24 @@ module "role__control_plane" {
 source = "tedilabs/account/aws//modules/iam-role"
- version = "0.19.0"
+ version = "~> 0.28.0"
 name = "eks-${local.metadata.name}-control-plane"
 path = "/"
 description = "Role for the EKS cluster(${local.metadata.name}) control plane"
- trusted_services = ["eks.amazonaws.com"]
+ trusted_service_policies = [
+ {
+ services = ["eks.amazonaws.com"]
+ }
+ ]
 policies = [
 "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
 "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
 ]
+ force_detach_policies = true
 resource_group_enabled = false
 module_tags_enabled = false
@@ -33,13 +38,17 @@ module "role__control_plane" {
 module "role__node" {
 source = "tedilabs/account/aws//modules/iam-role"
- version = "0.19.0"
+ version = "~> 0.28.0"
 name = "eks-${local.metadata.name}-node"
 path = "/"
 description = "Role for the EKS cluster(${local.metadata.name}) nodes"
- trusted_services = ["ec2.amazonaws.com"]
+ trusted_service_policies = [
+ {
+ services = ["ec2.amazonaws.com"]
+ }
+ ]
 policies = [
 "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
@@ -48,8 +57,11 @@ module "role__node" {
 "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
 ]
- instance_profile_enabled = true
+ instance_profile = {
+ enabled = true
+ }
+ force_detach_policies = true
 resource_group_enabled = false
 module_tags_enabled = false
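Review bot: `force_detach_policies = true` is added to role__control_plane without any comment, and the same line is added in the role__node hunk below and the role__fargate_profile hunk that follows. Assuming the module forwards it to the underlying `aws_iam_role`, destroying the role will now silently detach policies that were attached outside this configuration instead of failing, so an out-of-band grant is no longer surfaced at destroy time; a one-line comment such as `# Detach out-of-band policy attachments on destroy rather than failing the destroy` would record that this is intended. The trust definition also moves from `trusted_services` to `trusted_service_policies` in all three roles; confirm in the plan that each assume-role policy is updated in place with the same single service principal as before, and, if the new input admits a condition on service trust, scoping the control-plane trust to this account would narrow it further. Finally, the constraint loosens from the exact `0.19.0` to `~> 0.28.0`, so later 0.28.x releases are picked up on `terraform init -upgrade`; keep the dependency lock file committed so those upgrades are reviewed rather than applied implicitly.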
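Review bot: `instance_profile = { enabled = true }` replaces `instance_profile_enabled` for role__node, yet migrations.tf in this commit adds a `moved` block only for the OIDC provider. If the 0.28 module changed the resource address or name of the instance profile when it moved to the object-shaped input, the plan will show the instance profile destroyed and recreated, and node groups that reference it by name would fail to launch until the replacement exists; check the plan for the instance profile before merging and add a `moved` block if its address changed. The enclosing `module "role__node"` block starts in the previous hunk.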
@@ -66,16 +78,21 @@ module "role__node" {
 module "role__fargate_profile" {
 source = "tedilabs/account/aws//modules/iam-role"
- version = "0.19.0"
+ version = "~> 0.28.0"
 name = "eks-${local.metadata.name}-fargate-profile"
 path = "/"
 description = "Role for the EKS cluster(${local.metadata.name}) Fargate profiles"
- trusted_services = ["eks-fargate-pods.amazonaws.com"]
+ trusted_service_policies = [
+ {
+ services = ["eks-fargate-pods.amazonaws.com"]
+ }
+ ]
 policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
+ force_detach_policies = true
 resource_group_enabled = false
 module_tags_enabled = false
diff --git a/modules/eks-cluster/migrations.tf b/modules/eks-cluster/migrations.tf
index 0c687ff..ae77ead 100644
--- a/modules/eks-cluster/migrations.tf
+++ b/modules/eks-cluster/migrations.tf
@@ -1,3 +1,9 @@
+# 2023-11-10
+moved {
+ from = aws_iam_openid_connect_provider.this
+ to = module.oidc_provider.aws_iam_openid_connect_provider.this
+}
+
 # 2022-10-20
 moved {
 from = aws_resourcegroups_group.this[0]
diff --git a/modules/eks-fargate-profile/README.md b/modules/eks-fargate-profile/README.md
index 7ae3a07..a8c0608 100644
--- a/modules/eks-fargate-profile/README.md
+++ b/modules/eks-fargate-profile/README.md
@@ -27,7 +27,7 @@ This module creates following resources.
 | Name | Source | Version |
 |------|--------|---------|
 | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.27.0 |
+| [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 ## Resources
diff --git a/modules/eks-fargate-profile/iam.tf b/modules/eks-fargate-profile/iam.tf
index f39f1ca..0396424 100644
--- a/modules/eks-fargate-profile/iam.tf
+++ b/modules/eks-fargate-profile/iam.tf
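Review bot: The new `moved` block in migrations.tf retargets `aws_iam_openid_connect_provider.this` to `module.oidc_provider.aws_iam_openid_connect_provider.this`, which the commit message ("Update iam-role version") does not mention and which appears to belong to the earlier move of the OIDC provider into `module.oidc_provider`. If the resource inside `tedilabs/account/aws//modules/iam-oidc-identity-provider` at `~> 0.27.0` is not named `this`, the `moved` block will not match and Terraform will destroy and recreate the provider, and while the provider is absent every role that trusts the cluster's OIDC issuer (IRSA) fails to assume; confirm the target address against that module's source and verify with a plan that shows no OIDC provider replacement. A short reason comment after the date line, e.g. `# OIDC provider moved into module.oidc_provider`, would help the next reader see why this migration is here.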
@@ -6,7 +6,7 @@ module "role" {
 count = var.default_pod_execution_role.enabled ? 1 : 0
 source = "tedilabs/account/aws//modules/iam-role"
- version = "~> 0.27.0"
+ version = "~> 0.28.0"
 name = coalesce(
 var.default_pod_execution_role.name,