feat: Added appmesh controller support to iam-role-for-service-accounts-eks (#231)

Co-authored-by: Bryant Biggs <[email protected]>
Co-authored-by: Anton Babenko <[email protected]>

Author: 3 people

examples/iam-role-for-service-accounts-eks/README.md

@@ -31,6 +31,8 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_amazon_managed_service_prometheus_irsa_role"></a> [amazon\_managed\_service\_prometheus\_irsa\_role](#module\_amazon\_managed\_service\_prometheus\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_appmesh_controller_irsa_role"></a> [appmesh\_controller\_irsa\_role](#module\_appmesh\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_appmesh_envoy_proxy_irsa_role"></a> [appmesh\_envoy\_proxy\_irsa\_role](#module\_appmesh\_envoy\_proxy\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_cert_manager_irsa_role"></a> [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |

examples/iam-role-for-service-accounts-eks/main.tf

@@ -213,6 +213,38 @@ module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
   tags = local.tags
 }
 
+module "appmesh_controller_irsa_role" {
+  source = "../../modules/iam-role-for-service-accounts-eks"
+
+  role_name                        = "appmesh-controller"
+  attach_appmesh_controller_policy = true
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["appmesh-system:appmesh-controller"]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "appmesh_envoy_proxy_irsa_role" {
+  source = "../../modules/iam-role-for-service-accounts-eks"
+
+  role_name                         = "appmesh-envoy-proxy"
+  attach_appmesh_envoy_proxy_policy = true
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["appmesh-system:appmesh-envoy-proxy"]
+    }
+  }
+
+  tags = local.tags
+}
+
 module "amazon_managed_service_prometheus_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 

modules/iam-role-for-service-accounts-eks/README.md

@@ -11,6 +11,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
 - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
 - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
   - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
+- [Appmesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/config/iam/controller-iam-policy.json)
 - [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html)
 - [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
 - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
@@ -115,6 +116,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -129,6 +132,8 @@ No modules.
 | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -144,6 +149,8 @@ No modules.
 | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -166,6 +173,8 @@ No modules.
 | <a name="input_amazon_managed_service_prometheus_workspace_arns"></a> [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_amazon_managed_service_prometheus_policy"></a> [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_appmesh_controller_policy"></a> [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no |
+| <a name="input_attach_appmesh_envoy_proxy_policy"></a> [attach\_appmesh\_envoy\_proxy\_policy](#input\_attach\_appmesh\_envoy\_proxy\_policy) | Determines whether to attach the Appmesh envoy proxy policy to the role | `bool` | `false` | no |
 | <a name="input_attach_cert_manager_policy"></a> [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -896,6 +896,161 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_
   policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn
 }
 
+################################################################################
+# Appmesh Controller
+################################################################################
+# https://github.com/aws/eks-charts/tree/master/stable/appmesh-controller#prerequisites
+# https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/controller-iam-policy.json
+data "aws_iam_policy_document" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  statement {
+    actions = [
+      "appmesh:ListVirtualRouters",
+      "appmesh:ListVirtualServices",
+      "appmesh:ListRoutes",
+      "appmesh:ListGatewayRoutes",
+      "appmesh:ListMeshes",
+      "appmesh:ListVirtualNodes",
+      "appmesh:ListVirtualGateways",
+      "appmesh:DescribeMesh",
+      "appmesh:DescribeVirtualRouter",
+      "appmesh:DescribeRoute",
+      "appmesh:DescribeVirtualNode",
+      "appmesh:DescribeVirtualGateway",
+      "appmesh:DescribeGatewayRoute",
+      "appmesh:DescribeVirtualService",
+      "appmesh:CreateMesh",
+      "appmesh:CreateVirtualRouter",
+      "appmesh:CreateVirtualGateway",
+      "appmesh:CreateVirtualService",
+      "appmesh:CreateGatewayRoute",
+      "appmesh:CreateRoute",
+      "appmesh:CreateVirtualNode",
+      "appmesh:UpdateMesh",
+      "appmesh:UpdateRoute",
+      "appmesh:UpdateVirtualGateway",
+      "appmesh:UpdateVirtualRouter",
+      "appmesh:UpdateGatewayRoute",
+      "appmesh:UpdateVirtualService",
+      "appmesh:UpdateVirtualNode",
+      "appmesh:DeleteMesh",
+      "appmesh:DeleteRoute",
+      "appmesh:DeleteVirtualRouter",
+      "appmesh:DeleteGatewayRoute",
+      "appmesh:DeleteVirtualService",
+      "appmesh:DeleteVirtualNode",
+      "appmesh:DeleteVirtualGateway"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["appmesh.${local.dns_suffix}"]
+    }
+  }
+
+  statement {
+    actions = [
+      "acm:ListCertificates",
+      "acm:DescribeCertificate",
+      "acm-pca:DescribeCertificateAuthority",
+      "acm-pca:ListCertificateAuthorities"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "servicediscovery:CreateService",
+      "servicediscovery:DeleteService",
+      "servicediscovery:GetService",
+      "servicediscovery:GetInstance",
+      "servicediscovery:RegisterInstance",
+      "servicediscovery:DeregisterInstance",
+      "servicediscovery:ListInstances",
+      "servicediscovery:ListNamespaces",
+      "servicediscovery:ListServices",
+      "servicediscovery:GetInstancesHealthStatus",
+      "servicediscovery:UpdateInstanceCustomHealthStatus",
+      "servicediscovery:GetOperation",
+      "route53:GetHealthCheck",
+      "route53:CreateHealthCheck",
+      "route53:UpdateHealthCheck",
+      "route53:ChangeResourceRecordSets",
+      "route53:DeleteHealthCheck"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  name_prefix = "AmazonEKS_Appmesh_Controller-"
+  path        = var.role_path
+  description = "Provides permissions to for appmesh controller"
+  policy      = data.aws_iam_policy_document.appmesh_controller[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.appmesh_controller[0].arn
+}
+
+################################################################################
+# Appmesh envoy proxy
+################################################################################
+# https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/f4a551399c4a4428d31692d0e6d944c2b78f2753/config/helm/appmesh-controller/README.md#with-irsa
+# https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json
+data "aws_iam_policy_document" "appmesh_envoy_proxy" {
+  count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0
+
+  statement {
+    actions = [
+      "appmesh:StreamAggregatedResources"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "acm:ExportCertificate",
+      "acm-pca:GetCertificateAuthorityCertificate"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "appmesh_envoy_proxy" {
+  count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0
+
+  name_prefix = "AmazonEKS_Appmesh_Envoy_Proxy-"
+  path        = var.role_path
+  description = "Provides permissions to for appmesh envoy proxy"
+  policy      = data.aws_iam_policy_document.appmesh_envoy_proxy[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "appmesh_envoy_proxy" {
+  count = var.create_role && var.attach_appmesh_envoy_proxy_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.appmesh_envoy_proxy[0].arn
+}
+
 ################################################################################
 # Amazon Managed Service for Prometheus Policy
 ################################################################################

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -212,6 +212,20 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
   default     = false
 }
 
+# AWS Appmesh Controller
+variable "attach_appmesh_controller_policy" {
+  description = "Determines whether to attach the Appmesh Controller policy to the role"
+  type        = bool
+  default     = false
+}
+
+# AWS Appmesh envoy proxy
+variable "attach_appmesh_envoy_proxy_policy" {
+  description = "Determines whether to attach the Appmesh envoy proxy policy to the role"
+  type        = bool
+  default     = false
+}
+
 # Amazon Managed Service for Prometheus
 variable "attach_amazon_managed_service_prometheus_policy" {
   description = "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role"