port #137 - feat: add possibiblity to use AWS IAM roles for service accounts (#209)

* feat: add possibiblity to use AWS IAM roles for service accounts

* Auto Format

* Update main.tf

---------

Co-authored-by: David Valentin <[email protected]>
Co-authored-by: cloudpossebot <[email protected]>
Co-authored-by: Matt Gowie <[email protected]>
Co-authored-by: David <[email protected]>

Author: 5 people

README.md

@@ -208,6 +208,9 @@ Here are automated tests for the complete example using [bats](https://github.co
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_iam_actions"></a> [iam\_actions](#input\_iam\_actions) | List of actions to allow for the user IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no |
 | <a name="input_iam_authorizing_role_arns"></a> [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
+| <a name="input_iam_irsa_openid_connect_provider_arn"></a> [iam\_irsa\_openid\_connect\_provider\_arn](#input\_iam\_irsa\_openid\_connect\_provider\_arn) | ARN of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
+| <a name="input_iam_irsa_openid_connect_provider_url"></a> [iam\_irsa\_openid\_connect\_provider\_url](#input\_iam\_irsa\_openid\_connect\_provider\_url) | URL of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
+| <a name="input_iam_irsa_service_account"></a> [iam\_irsa\_service\_account](#input\_iam\_irsa\_service\_account) | Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA | `string` | `"system:serviceaccount:default:*"` | no |
 | <a name="input_iam_role_arns"></a> [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
 | <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
 | <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
@@ -284,6 +287,7 @@ For additional context, refer to some of these links.
 - [Control Access to Amazon Elasticsearch Service Domain](https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/) - Describes how to Control Access to Amazon Elasticsearch Service Domain
 - [elasticsearch_domain](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain.html) - Terraform reference documentation for the `elasticsearch_domain` resource
 - [elasticsearch_domain_policy](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html) - Terraform reference documentation for the `elasticsearch_domain_policy` resource
+- [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - Associate an IAM role with a Kubernetes service account
 
 
 

README.yaml

@@ -109,6 +109,9 @@ references:
   - name: "elasticsearch_domain_policy"
     description: "Terraform reference documentation for the `elasticsearch_domain_policy` resource"
     url: "https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html"
+  - name: "AWS IAM roles for service accounts"
+    description: "Associate an IAM role with a Kubernetes service account"
+    url: "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
 
 # Contributors to this project
 contributors: []

main.tf

@@ -107,12 +107,46 @@ data "aws_iam_policy_document" "assume_role" {
       identifiers = var.aws_ec2_service_name
     }
 
-    principals {
-      type        = "AWS"
-      identifiers = compact(concat(var.iam_authorizing_role_arns, var.iam_role_arns))
+    effect = "Allow"
+  }
+
+  dynamic "statement" {
+    for_each = length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 ? [true] : []
+
+    content {
+      effect = "Allow"
+
+      actions = [
+        "sts:AssumeRole"
+      ]
+
+      principals {
+        type        = "AWS"
+        identifiers = compact(concat(var.iam_authorizing_role_arns, var.iam_role_arns))
+      }
     }
+  }
 
-    effect = "Allow"
+  dynamic "statement" {
+    for_each = var.iam_irsa_openid_connect_provider_arn != "" ? [true] : []
+    content {
+      effect = "Allow"
+
+      actions = [
+        "sts:AssumeRoleWithWebIdentity"
+      ]
+
+      principals {
+        type        = "Federated"
+        identifiers = [var.iam_irsa_openid_connect_provider_arn]
+      }
+
+      condition {
+        test     = "StringLike"
+        variable = join(":", [var.iam_irsa_openid_connect_provider_url, "sub"])
+        values   = [var.iam_irsa_service_account]
+      }
+    }
   }
 }
 

variables.tf

@@ -124,6 +124,24 @@ variable "anonymous_iam_actions" {
   description = "List of actions to allow for the anonymous (`*`) IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost`"
 }
 
+variable "iam_irsa_openid_connect_provider_arn" {
+  type        = string
+  default     = ""
+  description = "ARN of the OpenID connect provider to allow usage of IRSA"
+}
+
+variable "iam_irsa_openid_connect_provider_url" {
+  type        = string
+  default     = ""
+  description = "URL of the OpenID connect provider to allow usage of IRSA"
+}
+
+variable "iam_irsa_service_account" {
+  type        = string
+  default     = "system:serviceaccount:default:*"
+  description = "Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA"
+}
+
 variable "zone_awareness_enabled" {
   type        = bool
   default     = true