fix: Prefix for forward reference of service accounts is wrong

gtoonstra · gtoonstra · commit 693af4e6ceda · 2025-11-25T16:22:14.000-03:00
diff --git a/main.tf b/main.tf
@@ -206,6 +206,7 @@ module "eks" {
 
   k8s_access_bedrock                  = var.k8s_access_bedrock
   clickhouse_backup_bucket_arn        = local.clickhouse_backup_bucket_arn
+  service_account_prefix              = var.service_account_prefix
 }
 
 locals {
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
@@ -6,6 +6,7 @@ module "ebs_csi_irsa_role" {
 
   name                  = "${var.deployment_name}-ebs-csi-controller"
   attach_ebs_csi_policy = true
+  use_name_prefix       = false
 
   oidc_providers = {
     ex = {
@@ -21,6 +22,7 @@ module "k8s_load_balancer_controller_role" {
 
   name                                   = "${var.deployment_name}-lb-controller"
   attach_load_balancer_controller_policy = true
+  use_name_prefix                        = false
 
   oidc_providers = {
     ex = {
@@ -37,6 +39,7 @@ module "cluster_autoscaler_role" {
   name                             = "${var.deployment_name}-cluster-autoscaler"
   attach_cluster_autoscaler_policy = true
   cluster_autoscaler_cluster_names = [module.eks.cluster_name]
+  use_name_prefix                  = false
 
   oidc_providers = {
     ex = {
@@ -79,7 +82,7 @@ module "eks" {
       })
     },
     aws-ebs-csi-driver = {
-      service_account_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.deployment_name}-ebs-csi-controller"
+      service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
       most_recent              = true
       before_compute           = true
       configuration_values = jsonencode({
diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf
@@ -64,208 +64,222 @@ resource "aws_iam_policy" "clickhouse_backup_policy" {
 
 # dfshell
 module "dfshell_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.dfshell_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.dfshell_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.dfshell_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.dfshell_service_account_name}"]
     }
   }
 }
 
 # worker_portal
 module "worker_portal_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_portal_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_portal_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_portal_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_portal_service_account_name}"]
     }
   }
 }
 
 # operator
 module "operator_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.operator_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.operator_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.operator_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.operator_service_account_name}"]
     }
   }
 }
 
 # server
 module "server_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.server_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.server_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.server_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.server_service_account_name}"]
     }
   }
 }
 
 # scheduler
 module "scheduler_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.scheduler_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.scheduler_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.scheduler_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.scheduler_service_account_name}"]
     }
   }
 }
 
 # worker
 module "worker_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_service_account_name}"]
     }
   }
 }
 
 # worker_catalog
 module "worker_catalog_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_catalog_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_catalog_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_catalog_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_catalog_service_account_name}"]
     }
   }
 }
 
 # worker_interactive
 module "worker_interactive_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_interactive_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_interactive_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_interactive_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_interactive_service_account_name}"]
     }
   }
 }
 
 # worker_singletons
 module "worker_singletons_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_singletons_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_singletons_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_singletons_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_singletons_service_account_name}"]
     }
   }
 }
 
 # worker_lineage
 module "worker_lineage_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_lineage_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_lineage_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_lineage_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_lineage_service_account_name}"]
     }
   }
 }
 
 # worker_monitor
 module "worker_monitor_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.worker_monitor_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.worker_monitor_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.worker_monitor_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.worker_monitor_service_account_name}"]
     }
   }
 }
 
 # storage_worker
 module "storage_worker_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.storage_worker_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.storage_worker_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.storage_worker_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.storage_worker_service_account_name}"]
     }
   }
 }
 
 module "clickhouse_backup_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.clickhouse_backup_service_account_name}"
-  version = "6.2.1"
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.clickhouse_backup_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.clickhouse_backup_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.clickhouse_backup_service_account_name}"]
     }
   }
 }
 
 # storage_worker
 module "dma_role" {
-  count   = 1
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name    = "${var.deployment_name}-${var.dma_service_account_name}"
-  version = "6.2.1"
+  count           = 1
+  source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name            = "${var.deployment_name}-${var.dma_service_account_name}"
+  version         = "6.2.1"
+  use_name_prefix = false
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:${var.dma_service_account_name}"]
+      namespace_service_accounts = ["${var.deployment_name}:${var.service_account_prefix}${var.dma_service_account_name}"]
     }
   }
 }
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -107,6 +107,12 @@ variable "sg_tags" {
   default     = {}
 }
 
+variable "service_account_prefix" {
+  type        = string
+  default     = "datafold-"
+  description = "Prefix for service account names (e.g., 'datafold-' for 'datafold-server', or '' for no prefix)"
+}
+
 variable "clickhouse_backup_service_account_name" {
   type        = string
   default     = "clickhouse"
diff --git a/variables.tf b/variables.tf
@@ -771,6 +771,12 @@ variable "k8s_access_bedrock" {
   description = "Allow cluster to access bedrock in this region"
 }
 
+variable "service_account_prefix" {
+  type        = string
+  default     = "datafold-"
+  description = "Prefix for service account names to match Helm chart naming (e.g., 'datafold-' for 'datafold-server', or '' for no prefix)"
+}
+
 # ┏━╸╻╺┳╸╻ ╻╻ ╻┏┓    ┏━┓┏━╸╻ ╻┏━╸┏━┓┏━┓┏━╸   ┏━┓┏━┓┏━┓╻ ╻╻ ╻
 # ┃╺┓┃ ┃ ┣━┫┃ ┃┣┻┓   ┣┳┛┣╸ ┃┏┛┣╸ ┣┳┛┗━┓┣╸    ┣━┛┣┳┛┃ ┃┏╋┛┗┳┛
 # ┗━┛╹ ╹ ╹ ╹┗━┛┗━┛   ╹┗╸┗━╸┗┛ ┗━╸╹┗╸┗━┛┗━╸   ╹  ╹┗╸┗━┛╹ ╹ ╹

Original file line number	Diff line number	Diff line change
`@@ -206,6 +206,7 @@ module "eks" {`
`206`	`206`
`207`	`207`	`k8s_access_bedrock = var.k8s_access_bedrock`
`208`	`208`	`clickhouse_backup_bucket_arn = local.clickhouse_backup_bucket_arn`
	`209`	`+ service_account_prefix = var.service_account_prefix`
`209`	`210`	`}`
`210`	`211`
`211`	`212`	`locals {`