Provide conditional S3 permissions policy to EKS worker node group role

Author: burmek

main.tf

@@ -1,12 +1,10 @@
 data "aws_availability_zones" "available" {}
 
-
 data "aws_eks_cluster_auth" "this" {
   count = var.enable_eks ? 1 : 0
   name = module.comet_eks[0].cluster_name
 }
 
-
 locals {
   resource_name = "comet-${var.environment}"
   vpc_cidr      = "10.0.0.0/16"
@@ -60,7 +58,7 @@ module "comet_ec2" {
 
   s3_enabled = var.enable_s3
   comet_ml_s3_bucket  = var.s3_bucket_name
-  comet_ec2_s3_iam_policy = module.comet_s3[0].comet_s3_iam_policy_arn
+  comet_ec2_s3_iam_policy = var.enable_s3 ? module.comet_s3[0].comet_s3_iam_policy_arn : null
 }
 
 module "comet_eks" {
@@ -71,6 +69,9 @@ module "comet_eks" {
   vpc_private_subnets = module.vpc.private_subnets
   cluster_name = var.eks_cluster_name
   cluster_version = var.eks_cluster_version
+
+  s3_enabled = var.enable_s3
+  comet_ec2_s3_iam_policy = var.enable_s3 ? module.comet_s3[0].comet_s3_iam_policy_arn : null
 }
 
 module "comet_elasticache" {

modules/comet_ec2/main.tf

@@ -47,6 +47,7 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_ssh" {
   from_port   = local.ssh_port
   to_port     = local.ssh_port
   ip_protocol    = "tcp"
+  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -56,8 +57,7 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_http" {
   from_port   = local.http_port
   to_port     = local.http_port
   ip_protocol    = "tcp"
-  # We recommend restricting that to your company IP or by Using a bastion host
-  #security_groups = [aws_security_group.bastion_inbound_sg.id]
+  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -100,30 +100,8 @@ resource "aws_iam_instance_profile" "comet-ec2-instance-profile" {
   role  = aws_iam_role.comet-ec2-s3-access-role.name
 }
 
-/*
-resource "aws_iam_policy" "comet-ml-s3-policy" {
-  count       = var.s3_enabled ? 1 : 0
-  name        = "comet-s3-access-policy"
-  description = "comet-s3-access-policy"
-  policy = jsonencode({
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "s3:*",
-            "Resource": [
-              "arn:aws:s3:::${var.comet_ml_s3_bucket}",
-              "arn:aws:s3:::${var.comet_ml_s3_bucket}/*"
-            ]
-        }
-    ]
-  })
-}
-*/
-
 resource "aws_iam_role_policy_attachment" "comet-ml-s3-access-attachment" {
   count      = var.s3_enabled ? 1 : 0
   role       = aws_iam_role.comet-ec2-s3-access-role.name
-  #policy_arn = aws_iam_policy.comet-ml-s3-policy[0].arn
   policy_arn = var.comet_ec2_s3_iam_policy
 }

modules/comet_eks/main.tf

@@ -52,6 +52,8 @@ module "eks" {
       min_size     = 3
       max_size     = 6
       desired_size = 3
+
+      iam_role_additional_policies = var.s3_enabled ? {comet_s3_access = var.comet_ec2_s3_iam_policy} : null
     }
   }
 

modules/comet_eks/variables.tf

@@ -23,4 +23,16 @@ variable "vpc_private_subnets" {
   description = "IDs of private subnets within the VPC"
   type        = list(string)
   default     = []
+}
+
+variable "s3_enabled" {
+  description = "Indicates if S3 bucket is being provisioned for Comet"
+  type        = bool
+  default     = null
+}
+
+variable "comet_ec2_s3_iam_policy" {
+  description = "Policy with access to S3 to associate with EKS worker nodes"
+  type = string
+  default = null
 }

terraform.tfvars

@@ -1,11 +1,11 @@
-enable_ec2 = true
+enable_ec2 = false
 
-enable_eks = false
+enable_eks = true
 
 enable_elasticache = true
 
 enable_rds = false
 
 enable_s3 = true
 
-s3_bucket_name = "cometeoteoitheoihiahg"
+s3_bucket_name = "comet-use2-from-eks"