Dynamic Assume Role Creation (#421) (#426)

sethAmazon · web-flow · commit 1c2f946db4d7 · 2021-12-08T13:51:51.000-05:00
diff --git a/terraform/eks/container-insights-agent/service_account_fargate.tpl b/terraform/eks/container-insights-agent/service_account_fargate.tpl
@@ -4,4 +4,4 @@ metadata:
   name: adot-collector-service-account
   namespace: default
   annotations:
-    eks.amazonaws.com/role-arn: arn:aws:iam::611364707713:role/ServiceAccount-eks-test-aoc-role
+    eks.amazonaws.com/role-arn: ${RoleArn}
diff --git a/terraform/eks/container_insights_agent.tf b/terraform/eks/container_insights_agent.tf
@@ -31,8 +31,14 @@ data "template_file" "daemonset_file" {
 }
 
 resource "kubectl_manifest" "service_account" {
-  count     = var.aoc_base_scenario == "infra" && var.deployment_type == "fargate" ? 1 : 0
-  yaml_body = file("./container-insights-agent/service_account_fargate.yml")
+  count = var.aoc_base_scenario == "infra" && var.deployment_type == "fargate" ? 1 : 0
+  yaml_body = templatefile("./container-insights-agent/service_account_fargate.tpl",
+    {
+      RoleArn : module.iam_assumable_role_admin.iam_role_arn
+  })
+  depends_on = [
+    module.iam_assumable_role_admin
+  ]
 }
 
 resource "kubectl_manifest" "cluster_role" {
diff --git a/terraform/eks/main.tf b/terraform/eks/main.tf
@@ -116,11 +116,28 @@ resource "kubernetes_service_account" "aoc-fargate-role" {
     name      = "aoc-fargate-role-${module.common.testing_id}"
     namespace = "default"
     annotations = {
-      "eks.amazonaws.com/role-arn" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ServiceAccount-eks-test-aoc-role"
+      "eks.amazonaws.com/role-arn" : module.iam_assumable_role_admin.iam_role_arn
     }
   }
 
   automount_service_account_token = true
+  depends_on                      = [module.iam_assumable_role_admin]
+}
+
+module "iam_assumable_role_admin" {
+  create_role = true
+
+  role_name = "aoc-eks-assume-role-${module.common.testing_id}"
+
+  provider_url = trimprefix(data.aws_eks_cluster.testing_cluster.identity[0].oidc[0].issuer, "https://")
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
+    "arn:aws:iam::aws:policy/AWSXrayFullAccess",
+    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
+  ]
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version = "4.7.0"
 }
 
 resource "kubernetes_cluster_role_binding" "aoc-role-binding" {
