Refine default iam roles for eks

tedilabs · Nov 10, 2023 · 8a32ed0 · 8a32ed0
1 parent 117742e
commit 8a32ed0
Show file tree

Hide file tree

Showing 9 changed files with 138 additions and 67 deletions.
diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md
@@ -26,16 +26,15 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_oidc_provider"></a> [oidc\_provider](#module\_oidc\_provider) | tedilabs/account/aws//modules/iam-oidc-identity-provider | ~> 0.27.0 |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| <a name="module_role__control_plane"></a> [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
-| <a name="module_role__fargate_profile"></a> [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| <a name="module_role"></a> [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 | <a name="module_role__node"></a> [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
 | <a name="module_security_group__control_plane"></a> [security\_group\_\_control\_plane](#module\_security\_group\_\_control\_plane) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | <a name="module_security_group__node"></a> [security\_group\_\_node](#module\_security\_group\_\_node) | tedilabs/network/aws//modules/security-group | 0.24.0 |
@@ -58,6 +57,9 @@ This module creates following resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) Name of the EKS cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores. | `string` | n/a | yes |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | (Required) A list of subnets to creates cross-account elastic network interfaces to allow communication between your worker nodes and the Kubernetes control plane. Must be in at least two different availability zones. | `list(string)` | n/a | yes |
+| <a name="input_cluster_role"></a> [cluster\_role](#input\_cluster\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role for the EKS cluster role. Only required if `default_cluster_role.enabled` is `false`. | `string` | `null` | no |
+| <a name="input_default_cluster_role"></a> [default\_cluster\_role](#input\_default\_cluster\_role) | (Optional) A configuration for the default IAM role for EKS cluster. Use `cluster_role` if `default_cluster_role.enabled` is `false`. `default_cluster_role` as defined below.<br>    (Optional) `enabled` - Whether to create the default cluster role. Defaults to `true`.<br>    (Optional) `name` - The name of the default cluster role. Defaults to `eks-${var.name}-cluster`.<br>    (Optional) `path` - The path of the default cluster role. Defaults to `/`.<br>    (Optional) `description` - The description of the default cluster role.<br>    (Optional) `policies` - A list of IAM policy ARNs to attach to the default cluster role. `AmazonEKSClusterPolicy` is always attached. Defaults to `[]`.<br>    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default cluster role. (`name` => `policy`). | <pre>object({<br>    enabled     = optional(bool, true)<br>    name        = optional(string)<br>    path        = optional(string, "/")<br>    description = optional(string, "Managed by Terraform.")<br><br>    policies        = optional(list(string), [])<br>    inline_policies = optional(map(string), {})<br>  })</pre> | `{}` | no |
+| <a name="input_default_node_role"></a> [default\_node\_role](#input\_default\_node\_role) | (Optional) A configuration for the default IAM role for EKS nodes. `default_node_role` as defined below.<br>    (Optional) `enabled` - Whether to create the default node role. Defaults to `false`.<br>    (Optional) `name` - The name of the default node role. Defaults to `eks-${var.name}-node`.<br>    (Optional) `path` - The path of the default node role. Defaults to `/`.<br>    (Optional) `description` - The description of the default node role.<br>    (Optional) `policies` - A list of IAM policy ARNs to attach to the default node role. `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, `AmazonEC2ContainerRegistryReadOnly` are always attached. Defaults to `[]`.<br>    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default node role. (`name` => `policy`). | <pre>object({<br>    enabled     = optional(bool, false)<br>    name        = optional(string)<br>    path        = optional(string, "/")<br>    description = optional(string, "Managed by Terraform.")<br><br>    policies        = optional(list(string), [])<br>    inline_policies = optional(map(string), {})<br>  })</pre> | `{}` | no |
 | <a name="input_endpoint_private_access"></a> [endpoint\_private\_access](#input\_endpoint\_private\_access) | (Optional) Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `true` | no |
 | <a name="input_endpoint_private_access_cidrs"></a> [endpoint\_private\_access\_cidrs](#input\_endpoint\_private\_access\_cidrs) | (Optional) A list of allowed CIDR to communicate to the Amazon EKS private API server endpoint. | `list(string)` | `[]` | no |
 | <a name="input_endpoint_private_access_source_security_group_ids"></a> [endpoint\_private\_access\_source\_security\_group\_ids](#input\_endpoint\_private\_access\_source\_security\_group\_ids) | (Optional) A list of allowed source security group to communicate to the Amazon EKS private API server endpoint. | `list(string)` | `[]` | no |
@@ -83,8 +85,10 @@ This module creates following resources.
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the cluster. |
 | <a name="output_ca_cert"></a> [ca\_cert](#output\_ca\_cert) | The base64 encoded certificate data required to communicate with your cluster. Add this to the `certificate-authority-data` section of the `kubeconfig` file for your cluster. |
+| <a name="output_cluster_role"></a> [cluster\_role](#output\_cluster\_role) | The IAM Role for the EKS cluster. |
+| <a name="output_default_cluster_role"></a> [default\_cluster\_role](#output\_default\_cluster\_role) | The default IAM Role for the EKS cluster. |
+| <a name="output_default_node_role"></a> [default\_node\_role](#output\_default\_node\_role) | The default IAM Role for the EKS node. |
 | <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | The endpoint for the Kubernetes API server. |
-| <a name="output_iam_roles"></a> [iam\_roles](#output\_iam\_roles) | IAM Roles for the EKS cluster. |
 | <a name="output_irsa_oidc_provider"></a> [irsa\_oidc\_provider](#output\_irsa\_oidc\_provider) | The configurations of the OIDC provider for IRSA (IAM Roles for Service Accounts).<br>    `arn` - The ARN assigned by AWS for this provider.<br>    `url` - The URL of the identity provider.<br>    `urn` - The URN of the identity provider.<br>    `audiences` - A list of audiences (also known as client IDs) for the IAM OIDC provider. |
 | <a name="output_kubernetes_network_config"></a> [kubernetes\_network\_config](#output\_kubernetes\_network\_config) | The configurations of Kubernetes network.<br>    `service_ipv4_cidr` - The CIDR block which is assigned to Kubernetes service IP addresses.<br>    `ip_family` - The IP family used to assign Kubernetes pod and service addresses. |
 | <a name="output_logging"></a> [logging](#output\_logging) | The configurations of the control plane logging. |

diff --git a/modules/eks-cluster/eks-control-plane.tf b/modules/eks-cluster/eks-control-plane.tf
@@ -22,9 +22,12 @@ locals {
 # TODO:
 # - `outpost_config`
 resource "aws_eks_cluster" "this" {
-  name     = var.name
-  version  = var.kubernetes_version
-  role_arn = module.role__control_plane.arn
+  name    = var.name
+  version = var.kubernetes_version
+  role_arn = (var.default_cluster_role.enabled
+    ? module.role[0].arn
+    : var.cluster_role
+  )
 
   enabled_cluster_log_types = var.log_types
 
@@ -68,7 +71,6 @@ resource "aws_eks_cluster" "this" {
   )
 
   depends_on = [
-    module.role__control_plane,
     aws_cloudwatch_log_group.this,
   ]
 }
diff --git a/modules/eks-cluster/iam.tf b/modules/eks-cluster/iam.tf
@@ -2,24 +2,30 @@
 # IAM Role for Control Plane
 ###################################################
 
-module "role__control_plane" {
+module "role" {
+  count = var.default_cluster_role.enabled ? 1 : 0
+
   source  = "tedilabs/account/aws//modules/iam-role"
   version = "~> 0.28.0"
 
-  name        = "eks-${local.metadata.name}-control-plane"
-  path        = "/"
-  description = "Role for the EKS cluster(${local.metadata.name}) control plane"
+  name = coalesce(
+    var.default_cluster_role.name,
+    "eks-${local.metadata.name}-cluster",
+  )
+  path        = var.default_cluster_role.path
+  description = var.default_cluster_role.description
 
   trusted_service_policies = [
     {
       services = ["eks.amazonaws.com"]
     }
   ]
 
-  policies = [
-    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
-    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
-  ]
+  policies = concat(
+    ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"],
+    var.default_cluster_role.policies,
+  )
+  inline_policies = var.default_cluster_role.inline_policies
 
   force_detach_policies  = true
   resource_group_enabled = false
@@ -37,25 +43,33 @@ module "role__control_plane" {
 ###################################################
 
 module "role__node" {
+  count = var.default_node_role.enabled ? 1 : 0
+
   source  = "tedilabs/account/aws//modules/iam-role"
   version = "~> 0.28.0"
 
-  name        = "eks-${local.metadata.name}-node"
-  path        = "/"
-  description = "Role for the EKS cluster(${local.metadata.name}) nodes"
+  name = coalesce(
+    var.default_node_role.name,
+    "eks-${local.metadata.name}-node",
+  )
+  path        = var.default_node_role.path
+  description = var.default_node_role.description
 
   trusted_service_policies = [
     {
       services = ["ec2.amazonaws.com"]
     }
   ]
 
-  policies = [
-    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-    # TODO: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
-    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
-  ]
+  policies = concat(
+    [
+      "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+      # TODO: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
+      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+    ],
+    var.default_node_role.policies,
+  )
+  inline_policies = var.default_node_role.inline_policies
 
   instance_profile = {
     enabled = true
@@ -70,34 +84,3 @@ module "role__node" {
     var.tags,
   )
 }
-
-
-###################################################
-# IAM Role for Fargate Profiles
-###################################################
-
-module "role__fargate_profile" {
-  source  = "tedilabs/account/aws//modules/iam-role"
-  version = "~> 0.28.0"
-
-  name        = "eks-${local.metadata.name}-fargate-profile"
-  path        = "/"
-  description = "Role for the EKS cluster(${local.metadata.name}) Fargate profiles"
-
-  trusted_service_policies = [
-    {
-      services = ["eks-fargate-pods.amazonaws.com"]
-    }
-  ]
-
-  policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
-
-  force_detach_policies  = true
-  resource_group_enabled = false
-  module_tags_enabled    = false
-
-  tags = merge(
-    local.module_tags,
-    var.tags,
-  )
-}
diff --git a/modules/eks-cluster/migrations.tf b/modules/eks-cluster/migrations.tf
@@ -1,4 +1,16 @@
-# 2023-11-10
+# 2023-11-10: Add variable to decide whether to create IAM role for EKS node
+moved {
+  from = module.role__node
+  to   = module.role__node[0]
+}
+
+# 2023-11-10: Add variable to decide whether to create IAM role for EKS cluster
+moved {
+  from = module.role__control_plane
+  to   = module.role[0]
+}
+
+# 2023-11-10: Migrate OIDC provider from resource to module
 moved {
   from = aws_iam_openid_connect_provider.this
   to   = module.oidc_provider.aws_iam_openid_connect_provider.this

diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf
@@ -75,13 +75,19 @@ output "security_group_ids" {
   }
 }
 
-output "iam_roles" {
-  description = "IAM Roles for the EKS cluster."
-  value = {
-    control_plane   = module.role__control_plane
-    node            = module.role__node
-    fargate_profile = module.role__fargate_profile
-  }
+output "cluster_role" {
+  description = "The IAM Role for the EKS cluster."
+  value       = aws_eks_cluster.this.role_arn
+}
+
+output "default_cluster_role" {
+  description = "The default IAM Role for the EKS cluster."
+  value       = one(module.role)
+}
+
+output "default_node_role" {
+  description = "The default IAM Role for the EKS node."
+  value       = one(module.role__node)
 }
 
 output "irsa_oidc_provider" {

diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf
@@ -76,6 +76,61 @@ variable "endpoint_private_access_source_security_group_ids" {
   nullable    = false
 }
 
+variable "default_cluster_role" {
+  description = <<EOF
+  (Optional) A configuration for the default IAM role for EKS cluster. Use `cluster_role` if `default_cluster_role.enabled` is `false`. `default_cluster_role` as defined below.
+    (Optional) `enabled` - Whether to create the default cluster role. Defaults to `true`.
+    (Optional) `name` - The name of the default cluster role. Defaults to `eks-$${var.name}-cluster`.
+    (Optional) `path` - The path of the default cluster role. Defaults to `/`.
+    (Optional) `description` - The description of the default cluster role.
+    (Optional) `policies` - A list of IAM policy ARNs to attach to the default cluster role. `AmazonEKSClusterPolicy` is always attached. Defaults to `[]`.
+    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default cluster role. (`name` => `policy`).
+  EOF
+  type = object({
+    enabled     = optional(bool, true)
+    name        = optional(string)
+    path        = optional(string, "/")
+    description = optional(string, "Managed by Terraform.")
+
+    policies        = optional(list(string), [])
+    inline_policies = optional(map(string), {})
+  })
+  default  = {}
+  nullable = false
+}
+
+variable "cluster_role" {
+  description = <<EOF
+  (Optional) The ARN (Amazon Resource Name) of the IAM Role for the EKS cluster role. Only required if `default_cluster_role.enabled` is `false`.
+  EOF
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "default_node_role" {
+  description = <<EOF
+  (Optional) A configuration for the default IAM role for EKS nodes. `default_node_role` as defined below.
+    (Optional) `enabled` - Whether to create the default node role. Defaults to `false`.
+    (Optional) `name` - The name of the default node role. Defaults to `eks-$${var.name}-node`.
+    (Optional) `path` - The path of the default node role. Defaults to `/`.
+    (Optional) `description` - The description of the default node role.
+    (Optional) `policies` - A list of IAM policy ARNs to attach to the default node role. `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, `AmazonEC2ContainerRegistryReadOnly` are always attached. Defaults to `[]`.
+    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default node role. (`name` => `policy`).
+  EOF
+  type = object({
+    enabled     = optional(bool, false)
+    name        = optional(string)
+    path        = optional(string, "/")
+    description = optional(string, "Managed by Terraform.")
+
+    policies        = optional(list(string), [])
+    inline_policies = optional(map(string), {})
+  })
+  default  = {}
+  nullable = false
+}
+
 variable "log_types" {
   description = "(Optional) A set of the desired control plane logging to enable."
   type        = set(string)

diff --git a/modules/eks-fargate-profile/README.md b/modules/eks-fargate-profile/README.md
@@ -42,7 +42,7 @@ This module creates following resources.
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | (Required) The name of the Amazon EKS cluster to apply the Fargate profile to. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | (Required) The name of Fargate Profile. | `string` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | (Required) The IDs of subnets to launch your pods into. At this time, pods running on Fargate are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted | `list(string)` | n/a | yes |
-| <a name="input_default_pod_execution_role"></a> [default\_pod\_execution\_role](#input\_default\_pod\_execution\_role) | (Optional) A configuration for the default pod execution role to use for pods that match the selectors in the Fargate profile. Only one of `default_pod_execution_role.role` or `pod_execution_role` can be specified. `default_pod_execution_role` as defined below.<br>    (Optional) `enabled` - Whether to create the default pod execution role. Defaults to `true`.<br>    (Optional) `name` - The name of the default pod execution role. Defaults to `eks-${var.cluster_name}-fargate-profile-${var.name}`.<br>    (Optional) `path` - The path of the default pod execution role. Defaults to `/`.<br>    (Optional) `description` - The description of the default pod execution role. | <pre>object({<br>    enabled     = optional(bool, true)<br>    name        = optional(string)<br>    path        = optional(string, "/")<br>    description = optional(string, "Managed by Terraform.")<br>  })</pre> | `{}` | no |
+| <a name="input_default_pod_execution_role"></a> [default\_pod\_execution\_role](#input\_default\_pod\_execution\_role) | (Optional) A configuration for the default pod execution role to use for pods that match the selectors in the Fargate profile. Use `pod_execution_role` if `default_pod_execution_role.enabled` is `false`. `default_pod_execution_role` as defined below.<br>    (Optional) `enabled` - Whether to create the default pod execution role. Defaults to `true`.<br>    (Optional) `name` - The name of the default pod execution role. Defaults to `eks-${var.cluster_name}-fargate-profile-${var.name}`.<br>    (Optional) `path` - The path of the default pod execution role. Defaults to `/`.<br>    (Optional) `description` - The description of the default pod execution role.<br>    (Optional) `policies` - A list of IAM policy ARNs to attach to the default pod execution role. `AmazonEKSFargatePodExecutionRolePolicy` is always attached. Defaults to `[]`.<br>    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default pod execution role. (`name` => `policy`). | <pre>object({<br>    enabled     = optional(bool, true)<br>    name        = optional(string)<br>    path        = optional(string, "/")<br>    description = optional(string, "Managed by Terraform.")<br><br>    policies        = optional(list(string), [])<br>    inline_policies = optional(map(string), {})<br>  })</pre> | `{}` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
 | <a name="input_pod_execution_role"></a> [pod\_execution\_role](#input\_pod\_execution\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the EKS Fargate Profile. Only required if `default_pod_execution_role.enabled` is `false`. | `string` | `null` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |

diff --git a/modules/eks-fargate-profile/iam.tf b/modules/eks-fargate-profile/iam.tf
@@ -21,7 +21,11 @@ module "role" {
     }
   ]
 
-  policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
+  policies = concat(
+    ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"],
+    var.default_pod_execution_role.policies,
+  )
+  inline_policies = var.default_pod_execution_role.inline_policies
 
   force_detach_policies  = true
   resource_group_enabled = false