diff --git a/README.md b/README.md
index 4586faa..ddad5fa 100644
--- a/README.md
+++ b/README.md
@@ -208,6 +208,9 @@ Here are automated tests for the complete example using [bats](https://github.co
| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| [iam\_actions](#input\_iam\_actions) | List of actions to allow for the user IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | `list(string)` | `[]` | no |
| [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
+| [iam\_irsa\_openid\_connect\_provider\_arn](#input\_iam\_irsa\_openid\_connect\_provider\_arn) | ARN of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
+| [iam\_irsa\_openid\_connect\_provider\_url](#input\_iam\_irsa\_openid\_connect\_provider\_url) | URL of the OpenID connect provider to allow usage of IRSA | `string` | `""` | no |
+| [iam\_irsa\_service\_account](#input\_iam\_irsa\_service\_account) | Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA | `string` | `"system:serviceaccount:default:*"` | no |
| [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
| [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
@@ -284,6 +287,7 @@ For additional context, refer to some of these links.
- [Control Access to Amazon Elasticsearch Service Domain](https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/) - Describes how to Control Access to Amazon Elasticsearch Service Domain
- [elasticsearch_domain](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain.html) - Terraform reference documentation for the `elasticsearch_domain` resource
- [elasticsearch_domain_policy](https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html) - Terraform reference documentation for the `elasticsearch_domain_policy` resource
+- [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - Associate an IAM role with a Kubernetes service account
diff --git a/README.yaml b/README.yaml
index 696b87b..cd13be2 100644
--- a/README.yaml
+++ b/README.yaml
@@ -109,6 +109,9 @@ references:
- name: "elasticsearch_domain_policy"
description: "Terraform reference documentation for the `elasticsearch_domain_policy` resource"
url: "https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html"
+ - name: "AWS IAM roles for service accounts"
+ description: "Associate an IAM role with a Kubernetes service account"
+ url: "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
# Contributors to this project
contributors: []
diff --git a/main.tf b/main.tf
index 6a4eb09..a19db05 100644
--- a/main.tf
+++ b/main.tf
@@ -107,12 +107,46 @@ data "aws_iam_policy_document" "assume_role" {
identifiers = var.aws_ec2_service_name
}
- principals {
- type = "AWS"
- identifiers = compact(concat(var.iam_authorizing_role_arns, var.iam_role_arns))
+ effect = "Allow"
+ }
+
+ dynamic "statement" {
+ for_each = length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 ? [true] : []
+
+ content {
+ effect = "Allow"
+
+ actions = [
+ "sts:AssumeRole"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = compact(concat(var.iam_authorizing_role_arns, var.iam_role_arns))
+ }
}
+ }
- effect = "Allow"
+ dynamic "statement" {
+ for_each = var.iam_irsa_openid_connect_provider_arn != "" ? [true] : []
+ content {
+ effect = "Allow"
+
+ actions = [
+ "sts:AssumeRoleWithWebIdentity"
+ ]
+
+ principals {
+ type = "Federated"
+ identifiers = [var.iam_irsa_openid_connect_provider_arn]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = join(":", [var.iam_irsa_openid_connect_provider_url, "sub"])
+ values = [var.iam_irsa_service_account]
+ }
+ }
}
}
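Review bot: The IRSA trust statement added at the `sts:AssumeRoleWithWebIdentity` block conditions only on the `sub` claim, so any token issued by the provider with a matching subject is accepted regardless of audience; AWS's IRSA guidance also pins `<issuer>:aud` to `sts.amazonaws.com`, and without it the role trusts tokens minted for other audiences from the same issuer. The statement is also gated only on `iam_irsa_openid_connect_provider_arn != ""`, so an empty `iam_irsa_openid_connect_provider_url` silently yields the condition key `:sub`, which exists in no request context and makes the assume fail without any plan-time error; likewise a URL passed with its `https://` scheme produces a key that, as far as I can tell, IAM does not populate. I would derive the key from `trimprefix(var.iam_irsa_openid_connect_provider_url, "https://")` and add the audience condition; the `system:serviceaccount:default:*` default combined with `StringLike` deserves a comment noting it admits every ServiceAccount in the `default` namespace.
```hcl
  dynamic "statement" {
    for_each = var.iam_irsa_openid_connect_provider_arn != "" ? [true] : []
    content {
      # … unchanged: effect, actions, Federated principals …

      # IAM condition keys use the bare issuer host/path, never the https:// scheme.
      condition {
        test     = "StringLike"
        variable = "${trimprefix(var.iam_irsa_openid_connect_provider_url, "https://")}:sub"
        values   = [var.iam_irsa_service_account] # default admits every SA in the "default" namespace
      }

      # Reject tokens minted for any audience other than STS.
      condition {
        test     = "StringEquals"
        variable = "${trimprefix(var.iam_irsa_openid_connect_provider_url, "https://")}:aud"
        values   = ["sts.amazonaws.com"]
      }
    }
  }
```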
diff --git a/variables.tf b/variables.tf
index 5477d97..5367cb3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -124,6 +124,24 @@ variable "anonymous_iam_actions" {
description = "List of actions to allow for the anonymous (`*`) IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost`"
}
+variable "iam_irsa_openid_connect_provider_arn" {
+ type = string
+ default = ""
+ description = "ARN of the OpenID connect provider to allow usage of IRSA"
+}
+
+variable "iam_irsa_openid_connect_provider_url" {
+ type = string
+ default = ""
+ description = "URL of the OpenID connect provider to allow usage of IRSA"
+}
+
+variable "iam_irsa_service_account" {
+ type = string
+ default = "system:serviceaccount:default:*"
+ description = "Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA"
+}
+
variable "zone_awareness_enabled" {
type = bool
default = true
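Review bot: The descriptions of the three new `iam_irsa_*` variables do not state the formats the trust policy depends on, and the `iam_irsa_service_account` default of `"system:serviceaccount:default:*"` is a wildcard that, used with the `StringLike` condition in main.tf, lets every ServiceAccount in the `default` namespace assume the Elasticsearch user role. I would document the expected shapes so callers do not discover them from a failed assume: for the URL, `description = "Issuer URL of the cluster OIDC provider without the https:// scheme (e.g. oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE); forms the IAM condition key, and is required whenever iam_irsa_openid_connect_provider_arn is set"`, and for the ServiceAccount, `description = "Kubernetes ServiceAccount permitted to assume the role via IRSA, as system:serviceaccount:<namespace>:<name>; the default wildcard admits every ServiceAccount in the default namespace, so set an explicit name in production"`. A `validation` block rejecting a URL that starts with `https://` would turn the silent runtime denial into a plan-time error. The `zone_awareness_enabled` variable at the end of the hunk continues outside it.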