feat: add service accounts, roles individual policies

Author: fpopa

main.tf

@@ -180,7 +180,6 @@ module "eks" {
   k8s_public_access_cidrs             = var.k8s_public_access_cidrs
 
   k8s_access_bedrock                  = var.k8s_access_bedrock
-  bedrock_model_arn                   = var.bedrock_model_arn
 }
 
 locals {

modules/eks/iam.tf

@@ -29,26 +29,3 @@ resource "aws_iam_role_policy_attachment" "node_autoscaling" {
   policy_arn = aws_iam_policy.node_autoscaling.arn
   role       = each.value.iam_role_name
 }
-
-resource "aws_iam_policy" "bedrock_access_policy" {
-  count              = var.k8s_access_bedrock ? 1 : 0
-
-  name        = "${var.deployment_name}-bedrock"
-  description = "${var.deployment_name} bedrock access policy"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "bedrock:InvokeModel",
-        ]
-        Effect   = "Allow"
-        Resource = var.bedrock_model_arn
-      },
-    ]
-  })
-
-  tags = var.tags
-}
-

modules/eks/main.tf

@@ -43,24 +43,6 @@ module "cluster_autoscaler_role" {
   }
 }
 
-module "bedrock_invoker_role" {
-  count              = var.k8s_access_bedrock ? 1 : 0
-
-  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  role_name = "${var.deployment_name}-bedrock-invoke-model"
-
-  role_policy_arns = {
-    policy = aws_iam_policy.bedrock_access_policy[0].arn
-  }
-
-  oidc_providers = {
-    ex = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:bedrock-invoke-model"]
-    }
-  }
-}
-
 module "eks" {
   # https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/docs
 

modules/eks/outputs.tf

@@ -16,4 +16,124 @@ output "control_plane_security_group_id" {
 
 output "cluster_endpoint" {
   value = module.eks.cluster_endpoint
+}
+
+# dfshell
+output "dfshell_role_arn" {
+  value = module.dfshell_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dfshell_service_account_name" {
+  value = var.dfshell_service_account_name
+  description = "The name of the service account for dfshell"
+}
+
+# worker_portal
+output "worker_portal_role_arn" {
+  value = module.worker_portal_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_portal_service_account_name" {
+  value = var.worker_portal_service_account_name
+  description = "The name of the service account for worker_portal"
+}
+
+# operator
+output "operator_role_arn" {
+  value = module.operator_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "operator_service_account_name" {
+  value = var.operator_service_account_name
+  description = "The name of the service account for operator"
+}
+
+# server
+output "server_role_arn" {
+  value = module.server_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "server_service_account_name" {
+  value = var.server_service_account_name
+  description = "The name of the service account for server"
+}
+
+# scheduler
+output "scheduler_role_arn" {
+  value = module.scheduler_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "scheduler_service_account_name" {
+  value = var.scheduler_service_account_name
+  description = "The name of the service account for scheduler"
+}
+
+# worker, worker1, worker2 etc.
+output "worker_role_arn" {
+  value = module.worker_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_service_account_name" {
+  value = var.worker_service_account_name
+  description = "The name of the service account for worker"
+}
+
+# worker_catalog
+output "worker_catalog_role_arn" {
+  value = module.worker_catalog_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_catalog_service_account_name" {
+  value = var.worker_catalog_service_account_name
+  description = "The name of the service account for worker_catalog"
+}
+
+# worker_interactive
+output "worker_interactive_role_arn" {
+  value = module.worker_interactive_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_interactive_service_account_name" {
+  value = var.worker_interactive_service_account_name
+  description = "The name of the service account for worker_interactive"
+}
+
+# worker_singletons
+output "worker_singletons_role_arn" {
+  value = module.worker_singletons_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_singletons_service_account_name" {
+  value = var.worker_singletons_service_account_name
+  description = "The name of the service account for worker_singletons"
+}
+
+# worker_lineage
+output "worker_lineage_role_arn" {
+  value = module.worker_lineage_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_lineage_service_account_name" {
+  value = var.worker_lineage_service_account_name
+  description = "The name of the service account for worker_lineage"
+}
+
+# worker_monitor
+output "worker_monitor_role_arn" {
+  value = module.worker_monitor_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_monitor_service_account_name" {
+  value = var.worker_monitor_service_account_name
+  description = "The name of the service account for worker_monitor"
+}
+
+# storage_worker
+output "storage_worker_role_arn" {
+  value = module.storage_worker_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "storage_worker_service_account_name" {
+  value = var.storage_worker_service_account_name
+  description = "The name of the service account for storage_worker"
 }