Skip to content

feat(iam): support loki s3 iam role #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maxsxu merged 5 commits into from
Feb 12, 2026
Merged

feat(iam): support loki s3 iam role #176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b482197
feat(iam): support loki iam role
maxsxu Jan 20, 2026
6ca41a3
Update
maxsxu Jan 22, 2026
6a44a96
Add enable_loki
maxsxu Feb 12, 2026
15dc2b3
Updsate tfdocs
maxsxu Feb 12, 2026
5ca6c0c
Update
maxsxu Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions modules/iam/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,8 @@ A basic module used to create IAM Roles, Policies for StreamNative Cloud Applica

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.2 |
| <a name="provider_aws.source"></a> [aws.source](#provider\_aws.source) | 5.99.1 |
| <a name="provider_aws.target"></a> [aws.target](#provider\_aws.target) | 5.99.1 |

## Modules

Expand All @@ -45,7 +46,9 @@ No modules.
| [aws_iam_role.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.loki](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.irsa_s3_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -54,6 +57,7 @@ No modules.
| [aws_iam_role_policy_attachment.csi_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_s3_bucket_policy.loki_bucket_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.aws_load_balancer_controller_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cert_manager_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand All @@ -62,26 +66,26 @@ No modules.
| [aws_iam_policy_document.external_dns_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.loki_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_backup_bucket"></a> [backup\_bucket](#input\_backup\_bucket) | The name of the s3 bucket to use for backups | `string` | n/a | yes |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster | `string` | n/a | yes |
| <a name="input_cluster_node_group_iam_role_arn"></a> [cluster\_node\_group\_iam\_role\_arn](#input\_cluster\_node\_group\_iam\_role\_arn) | n/a | `string` | n/a | yes |
| <a name="input_enable_karpenter"></a> [enable\_karpenter](#input\_enable\_karpenter) | Enable karpenter for autoscaling. If set to false, no karpenter resources will be created. | `bool` | `false` | no |
| <a name="input_enable_loki"></a> [enable\_loki](#input\_enable\_loki) | Enable loki for logging. If set to false, no loki resources will be created. | `bool` | `true` | no |
| <a name="input_enable_velero"></a> [enable\_velero](#input\_enable\_velero) | Enable velero for backups. If set to false, no velero resources will be created. | `bool` | `true` | no |
| <a name="input_extra_aws_tags"></a> [extra\_aws\_tags](#input\_extra\_aws\_tags) | extra aws tags to add to any resources | `map(string)` | `{}` | no |
| <a name="input_load_balancer_policy_arn_override"></a> [load\_balancer\_policy\_arn\_override](#input\_load\_balancer\_policy\_arn\_override) | Override the runtime policy arn, otherwise will construct an arn | `string` | `""` | no |
| <a name="input_loki_bucket"></a> [loki\_bucket](#input\_loki\_bucket) | The name of the AWS S3 bucket to use for Loki | `string` | n/a | yes |
| <a name="input_oidc_issuer"></a> [oidc\_issuer](#input\_oidc\_issuer) | The oidc issuer for the cluster | `string` | n/a | yes |
| <a name="input_permissions_boundary_arn_override"></a> [permissions\_boundary\_arn\_override](#input\_permissions\_boundary\_arn\_override) | Override the permission boundary arn, otherwise will construct an arn | `string` | `""` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_runtime_policy_arn_override"></a> [runtime\_policy\_arn\_override](#input\_runtime\_policy\_arn\_override) | Override the runtime policy arn, otherwise will construct an arn | `string` | `""` | no |
| <a name="input_s3_encryption_kms_key_arn"></a> [s3\_encryption\_kms\_key\_arn](#input\_s3\_encryption\_kms\_key\_arn) | KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used. | `string` | `""` | no |
| <a name="input_velero_backup_schedule"></a> [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | The scheduled time for Velero to perform backups. Written in cron expression, defaults to "0 5 * * *" or "at 5:00am every day" | `string` | `"0 5 * * *"` | no |

## Outputs

Expand All @@ -93,5 +97,6 @@ No modules.
| <a name="output_csi_arn"></a> [csi\_arn](#output\_csi\_arn) | n/a |
| <a name="output_external_dns_arn"></a> [external\_dns\_arn](#output\_external\_dns\_arn) | n/a |
| <a name="output_karpenter_arn"></a> [karpenter\_arn](#output\_karpenter\_arn) | n/a |
| <a name="output_loki_arn"></a> [loki\_arn](#output\_loki\_arn) | n/a |
| <a name="output_velero_arn"></a> [velero\_arn](#output\_velero\_arn) | n/a |
<!-- END_TF_DOCS -->
6 changes: 6 additions & 0 deletions modules/iam/aws_load_balancer_controller.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
provider = aws.target

statement {
actions = [
"sts:AssumeRoleWithWebIdentity"
Expand All @@ -17,6 +19,8 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
}

resource "aws_iam_role" "aws_load_balancer_controller" {
provider = aws.target

name = format("%s-lbc-role", var.cluster_name)
description = format("Role used by IRSA and the KSA aws-load-balancer-controller on StreamNative Cloud EKS cluster %s", var.cluster_name)
assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_sts.json
Expand All @@ -26,6 +30,8 @@ resource "aws_iam_role" "aws_load_balancer_controller" {
}

resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller" {
provider = aws.target

role = aws_iam_role.aws_load_balancer_controller.name
policy_arn = local.default_lb_policy_arn
}
8 changes: 7 additions & 1 deletion modules/iam/cert_manager.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
data "aws_iam_policy_document" "cert_manager_sts" {
provider = aws.target

statement {
actions = [
"sts:AssumeRoleWithWebIdentity"
Expand All @@ -17,6 +19,8 @@ data "aws_iam_policy_document" "cert_manager_sts" {
}

resource "aws_iam_role" "cert_manager" {
provider = aws.target

name = format("%s-cm-role", var.cluster_name)
description = format("Role assumed by IRSA and the KSA cert-manager on StreamNative Cloud EKS cluster %s", var.cluster_name)
assume_role_policy = data.aws_iam_policy_document.cert_manager_sts.json
Expand All @@ -26,6 +30,8 @@ resource "aws_iam_role" "cert_manager" {
}

resource "aws_iam_role_policy_attachment" "cert_manager" {
provider = aws.target

role = aws_iam_role.cert_manager.name
policy_arn = local.default_service_policy_arn
}
}
9 changes: 6 additions & 3 deletions modules/iam/cluster_autoscaler.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
data "aws_iam_policy_document" "cluster_autoscaler_sts" {
count = var.enable_karpenter ? 0 : 1
count = var.enable_karpenter ? 0 : 1
provider = aws.target

statement {
actions = [
Expand All @@ -24,7 +25,8 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" {
}

resource "aws_iam_role" "cluster_autoscaler" {
count = var.enable_karpenter ? 0 : 1
count = var.enable_karpenter ? 0 : 1
provider = aws.target

name = format("%s-ca-role", var.cluster_name)
description = format("Role used by IRSA and the KSA cluster-autoscaler on StreamNative Cloud EKS cluster %s", var.cluster_name)
Expand All @@ -35,7 +37,8 @@ resource "aws_iam_role" "cluster_autoscaler" {
}

resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
count = var.enable_karpenter ? 0 : 1
count = var.enable_karpenter ? 0 : 1
provider = aws.target

policy_arn = local.default_service_policy_arn
role = aws_iam_role.cluster_autoscaler.0.name
Expand Down
8 changes: 8 additions & 0 deletions modules/iam/csi.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
data "aws_iam_policy_document" "csi_sts" {
provider = aws.target

statement {
actions = [
"sts:AssumeRoleWithWebIdentity"
Expand All @@ -22,6 +24,8 @@ data "aws_iam_policy_document" "csi_sts" {
}

resource "aws_iam_role" "csi" {
provider = aws.target

name = format("%s-csi-role", var.cluster_name)
description = format("Role used by IRSA and the KSA ebs-csi-controller-sa on StreamNative Cloud EKS cluster %s", var.cluster_name)
assume_role_policy = data.aws_iam_policy_document.csi_sts.json
Expand All @@ -31,11 +35,15 @@ resource "aws_iam_role" "csi" {
}

resource "aws_iam_role_policy_attachment" "csi" {
provider = aws.target

role = aws_iam_role.csi.name
policy_arn = local.default_service_policy_arn
}

resource "aws_iam_role_policy_attachment" "csi_managed" {
provider = aws.target

role = aws_iam_role.csi.name
policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
6 changes: 6 additions & 0 deletions modules/iam/external_dns.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
data "aws_iam_policy_document" "external_dns_sts" {
provider = aws.target

statement {
actions = [
"sts:AssumeRoleWithWebIdentity"
Expand All @@ -17,6 +19,8 @@ data "aws_iam_policy_document" "external_dns_sts" {
}

resource "aws_iam_role" "external_dns" {
provider = aws.target

name = format("%s-extdns-role", var.cluster_name)
description = format("Role used by IRSA and the KSA external-dns on StreamNative Cloud EKS cluster %s", var.cluster_name)
assume_role_policy = data.aws_iam_policy_document.external_dns_sts.json
Expand All @@ -26,6 +30,8 @@ resource "aws_iam_role" "external_dns" {
}

resource "aws_iam_role_policy_attachment" "external_dns" {
provider = aws.target

role = aws_iam_role.external_dns.name
policy_arn = local.default_service_policy_arn
}
12 changes: 8 additions & 4 deletions modules/iam/karpenter.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
data "aws_iam_policy_document" "karpenter_sts" {
count = var.enable_karpenter ? 1 : 0
count = var.enable_karpenter ? 1 : 0
provider = aws.target

statement {
effect = "Allow"
Expand Down Expand Up @@ -27,7 +28,8 @@ data "aws_iam_policy_document" "karpenter_sts" {
}

resource "aws_iam_role" "karpenter" {
count = var.enable_karpenter ? 1 : 0
count = var.enable_karpenter ? 1 : 0
provider = aws.target

name = format("%s-karpenter", var.cluster_name)
path = "/StreamNative/"
Expand All @@ -39,7 +41,8 @@ resource "aws_iam_role" "karpenter" {
}

data "aws_iam_policy_document" "karpenter" {
count = var.enable_karpenter ? 1 : 0
count = var.enable_karpenter ? 1 : 0
provider = aws.target

statement {
sid = "AllowScopedEC2InstanceAccessActions"
Expand Down Expand Up @@ -391,7 +394,8 @@ data "aws_iam_policy_document" "karpenter" {
}

resource "aws_iam_role_policy" "karpenter" {
count = var.enable_karpenter ? 1 : 0
count = var.enable_karpenter ? 1 : 0
provider = aws.target

name_prefix = "KarpenterController"
role = aws_iam_role.karpenter[0].name
Expand Down
8 changes: 6 additions & 2 deletions modules/iam/locals.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
data "aws_caller_identity" "current" {}
data "aws_caller_identity" "current" {
provider = aws.target
}

data "aws_partition" "current" {}
data "aws_partition" "current" {
provider = aws.target
}

locals {
account_id = data.aws_caller_identity.current.account_id
Expand Down
90 changes: 90 additions & 0 deletions modules/iam/loki.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
data "aws_iam_policy_document" "loki_sts" {
count = var.enable_loki ? 1 : 0
provider = aws.target

statement {
actions = [
"sts:AssumeRoleWithWebIdentity"
]
effect = "Allow"
principals {
type = "Federated"
identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)]
}
condition {
test = "StringLike"
values = [format("system:serviceaccount:%s:%s", "sn-system", "loki")]
variable = format("%s:sub", local.oidc_issuer)
}
}
}

resource "aws_iam_role" "loki" {
count = var.enable_loki ? 1 : 0
provider = aws.target

name = format("%s-loki-s3-role", var.cluster_name)
description = format("Role used by IRSA for Loki on StreamNative Cloud EKS cluster %s", var.cluster_name)
tags = local.tags
path = "/StreamNative/"
permissions_boundary = local.permissions_boundary_arn
assume_role_policy = data.aws_iam_policy_document.loki_sts[0].json
}

resource "aws_iam_role_policy" "irsa_s3_rw" {
count = var.enable_loki ? 1 : 0
provider = aws.target

name = "AllowS3ReadWriteAccess"
role = aws_iam_role.loki[0].id

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "AllowS3ReadWriteAccess",
Effect = "Allow",
Action = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
Resource = [
"arn:aws:s3:::${var.loki_bucket}",
"arn:aws:s3:::${var.loki_bucket}/*"
]
}
]
})
}

resource "aws_s3_bucket_policy" "loki_bucket_admin" {
count = var.enable_loki ? 1 : 0
provider = aws.source

bucket = var.loki_bucket

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "AllowCrossAccountIRSAAccessS3",
Effect = "Allow",
Principal = {
AWS = aws_iam_role.loki[0].arn
},
Action = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
Resource = [
"arn:aws:s3:::${var.loki_bucket}",
"arn:aws:s3:::${var.loki_bucket}/*"
]
}
]
})
}
6 changes: 5 additions & 1 deletion modules/iam/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,8 @@ output "karpenter_arn" {

output "velero_arn" {
value = try(aws_iam_role.velero[0].arn, null)
}
}

output "loki_arn" {
value = try(aws_iam_role.loki[0].arn, null)
}
11 changes: 11 additions & 0 deletions modules/iam/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,4 +51,15 @@ variable "extra_aws_tags" {
default = {}
description = "extra aws tags to add to any resources"
type = map(string)
}

variable "enable_loki" {
type = bool
default = true
description = "Enable loki for logging. If set to false, no loki resources will be created."
}

variable "loki_bucket" {
description = "The name of the AWS S3 bucket to use for Loki"
type = string
}
Loading
Loading