datafold · fpopa · Mar 26, 2025 · Mar 26, 2025
@@ -32,6 +32,32 @@ resource "local_file" "infra_config" {
       redis_data_volume_id           = module.aws[0].redis_data_volume_id,
       server_name                    = module.aws[0].domain_name,
       vpc_cidr                       = module.aws[0].vpc_cidr,
+
+      # service accounts vars
+      dfshell_role_arn                           = module.aws[0].dfshell_role_arn,
+      dfshell_service_account_name               = module.aws[0].dfshell_service_account_name,
+      worker_portal_role_arn                     = module.aws[0].worker_portal_role_arn,
+      worker_portal_service_account_name         = module.aws[0].worker_portal_service_account_name,
+      operator_role_arn                          = module.aws[0].operator_role_arn,
+      operator_service_account_name              = module.aws[0].operator_service_account_name,
+      server_role_arn                            = module.aws[0].server_role_arn,
+      server_service_account_name                = module.aws[0].server_service_account_name,
+      scheduler_role_arn                         = module.aws[0].scheduler_role_arn,
+      scheduler_service_account_name             = module.aws[0].scheduler_service_account_name,
+      worker_role_arn                            = module.aws[0].worker_role_arn,
+      worker_service_account_name                = module.aws[0].worker_service_account_name,
+      worker_catalog_role_arn                    = module.aws[0].worker_catalog_role_arn,
+      worker_catalog_service_account_name        = module.aws[0].worker_catalog_service_account_name,
+      worker_interactive_role_arn                = module.aws[0].worker_interactive_role_arn,
+      worker_interactive_service_account_name    = module.aws[0].worker_interactive_service_account_name,
+      worker_singletons_role_arn                 = module.aws[0].worker_singletons_role_arn,
+      worker_singletons_service_account_name     = module.aws[0].worker_singletons_service_account_name,
+      worker_lineage_role_arn                    = module.aws[0].worker_lineage_role_arn,
+      worker_lineage_service_account_name        = module.aws[0].worker_lineage_service_account_name,
+      worker_monitor_role_arn                    = module.aws[0].worker_monitor_role_arn,
+      worker_monitor_service_account_name        = module.aws[0].worker_monitor_service_account_name,
+      storage_worker_role_arn                    = module.aws[0].storage_worker_role_arn,
+      storage_worker_service_account_name        = module.aws[0].storage_worker_service_account_name,
     }
   )
 

@@ -180,7 +180,6 @@ module "eks" {
   k8s_public_access_cidrs             = var.k8s_public_access_cidrs
 
   k8s_access_bedrock                  = var.k8s_access_bedrock
-  bedrock_model_arn                   = var.bedrock_model_arn
 }
 
 locals {

@@ -29,26 +29,3 @@ resource "aws_iam_role_policy_attachment" "node_autoscaling" {
   policy_arn = aws_iam_policy.node_autoscaling.arn
   role       = each.value.iam_role_name
 }
-
-resource "aws_iam_policy" "bedrock_access_policy" {
-  count              = var.k8s_access_bedrock ? 1 : 0
-
-  name        = "${var.deployment_name}-bedrock"
-  description = "${var.deployment_name} bedrock access policy"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "bedrock:InvokeModel",
-        ]
-        Effect   = "Allow"
-        Resource = var.bedrock_model_arn
-      },
-    ]
-  })
-
-  tags = var.tags
-}
-
@@ -43,24 +43,6 @@ module "cluster_autoscaler_role" {
   }
 }
 
-module "bedrock_invoker_role" {
-  count              = var.k8s_access_bedrock ? 1 : 0
-
-  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  role_name = "${var.deployment_name}-bedrock-invoke-model"
-
-  role_policy_arns = {
-    policy = aws_iam_policy.bedrock_access_policy[0].arn
-  }
-
-  oidc_providers = {
-    ex = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["${var.deployment_name}:bedrock-invoke-model"]
-    }
-  }
-}
-
 module "eks" {
   # https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/docs
 

@@ -16,4 +16,124 @@ output "control_plane_security_group_id" {
 
 output "cluster_endpoint" {
   value = module.eks.cluster_endpoint
+}
+
+# dfshell
+output "dfshell_role_arn" {
+  value = module.dfshell_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dfshell_service_account_name" {
+  value = var.dfshell_service_account_name
+  description = "The name of the service account for dfshell"
+}
+
+# worker_portal
+output "worker_portal_role_arn" {
+  value = module.worker_portal_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_portal_service_account_name" {
+  value = var.worker_portal_service_account_name
+  description = "The name of the service account for worker_portal"
+}
+
+# operator
+output "operator_role_arn" {
+  value = module.operator_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "operator_service_account_name" {
+  value = var.operator_service_account_name
+  description = "The name of the service account for operator"
+}
+
+# server
+output "server_role_arn" {
+  value = module.server_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "server_service_account_name" {
+  value = var.server_service_account_name
+  description = "The name of the service account for server"
+}
+
+# scheduler
+output "scheduler_role_arn" {
+  value = module.scheduler_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "scheduler_service_account_name" {
+  value = var.scheduler_service_account_name
+  description = "The name of the service account for scheduler"
+}
+
+# worker, worker1, worker2 etc.
+output "worker_role_arn" {
+  value = module.worker_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_service_account_name" {
+  value = var.worker_service_account_name
+  description = "The name of the service account for worker"
+}
+
+# worker_catalog
+output "worker_catalog_role_arn" {
+  value = module.worker_catalog_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_catalog_service_account_name" {
+  value = var.worker_catalog_service_account_name
+  description = "The name of the service account for worker_catalog"
+}
+
+# worker_interactive
+output "worker_interactive_role_arn" {
+  value = module.worker_interactive_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_interactive_service_account_name" {
+  value = var.worker_interactive_service_account_name
+  description = "The name of the service account for worker_interactive"
+}
+
+# worker_singletons
+output "worker_singletons_role_arn" {
+  value = module.worker_singletons_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_singletons_service_account_name" {
+  value = var.worker_singletons_service_account_name
+  description = "The name of the service account for worker_singletons"
+}
+
+# worker_lineage
+output "worker_lineage_role_arn" {
+  value = module.worker_lineage_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_lineage_service_account_name" {
+  value = var.worker_lineage_service_account_name
+  description = "The name of the service account for worker_lineage"
+}
+
+# worker_monitor
+output "worker_monitor_role_arn" {
+  value = module.worker_monitor_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "worker_monitor_service_account_name" {
+  value = var.worker_monitor_service_account_name
+  description = "The name of the service account for worker_monitor"
+}
+
+# storage_worker
+output "storage_worker_role_arn" {
+  value = module.storage_worker_role[0].iam_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "storage_worker_service_account_name" {
+  value = var.storage_worker_service_account_name
+  description = "The name of the service account for storage_worker"
 }