chore: Add variable/output changes to upgrade guide

Author: bryantbiggs

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -192,6 +192,10 @@ module "iam_role_saml" {
 
 ### IAM Role for EKS Service Accounts (IRSA)
 
+> [!TIP]
+> Upgrade to use EKS Pod Identity instead of IRSA
+> A similar module for EKS Pod Identity is available [here](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity).
+
 Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA) with a set of pre-defined policies for common EKS addons.
 
 ```hcl

docs/UPGRADE-6.0.md

@@ -6,6 +6,8 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
 ## List of backwards incompatible changes
 
+- `iam-account`:
+    - The `aws_caller_identity` data source and associated outputs have been removed. Users should instead use the data source directly in their configuration
 - `iam-assumable-role` has been renamed to `iam-role`
 - `iam-assumable-role-with-oidc` has been merged into `iam-role`
 - `iam-assumable-role-with-saml` has been merged into `iam-role`
@@ -17,6 +19,10 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - `iam-group-with-assumable-roles-policy` has been merged into `iam-group`
 - `iam-eks-role` has been removed; `iam-role-for-service-accounts` or [`eks-pod-identity`](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity) should be used instead
 - `iam-policy` has been removed; the `aws_iam_policy` resource should be used directly instead
+- `iam-role-for-service-accounts`:
+    - Individual policy creation and attachment has been consolidated under one policy creation and attachment
+    - Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
+    - AppMesh policy support has been removed due to service reaching end of support
 
 ```mermaid
 stateDiagram
@@ -69,6 +75,8 @@ stateDiagram
 
 1. Removed variables:
 
+    - `iam-account`
+        - `get_caller_identity`
     - `iam-role`
         - `trusted_role_actions`
         - `trusted_role_arns`
@@ -85,6 +93,24 @@ stateDiagram
     - `iam-group`
         - `custom_group_policies`
         - `assumable_roles`
+    - `iam-oidc-provider`
+        - `additional_thumbprints` - no longer required by GitHub
+    - `iam-role-for-service-accounts`
+        - `cluster_autoscaler_cluster_ids` - use `cluster_autoscaler_cluster_names` instead
+        - `role_name_prefix` - functionality covered under `name`
+        - `policy_name_prefix` - functionality covered under `policy_name`
+        - `allow_self_assume_role`
+        - `attach_karpenter_controller_policy`
+        - `karpenter_controller_cluster_id`
+        - `karpenter_controller_cluster_name`
+        - `karpenter_tag_key`
+        - `karpenter_controller_ssm_parameter_arns`
+        - `karpenter_controller_node_iam_role_arns`
+        - `karpenter_subnet_account_id`
+        - `karpenter_sqs_queue_arn`
+        - `enable_karpenter_instance_profile_creation`
+        - `attach_appmesh_controller_policy`
+        - `attach_appmesh_envoy_proxy_policy`
 
 2. Renamed variables:
 
@@ -103,19 +129,52 @@ stateDiagram
         - `attach_iam_self_management_policy` -> `create_policy`
         - `iam_self_management_policy_name_prefix` -> `policy_name_prefix`
         - `aws_account_id` -> `users_account_id`
+    - `iam-read-only-policy`
+        - `name_prefix` (string) -> `use_name_prefix` (bool)
+    - `iam-role-for-service-accounts`
+        - `create_role` -> `create`
+        - `role_name` -> `name`
+        - `role_path` -> `path`
+        - `role_name_prefix` (string) -> `use_name_prefix` (bool)
+        - `role_permissions_boundary_arn` -> `permissions_boundary`
+        - `role_description` -> `description`
+        - `role_policy_arns` -> `policies`
+        - `ebs_csi_kms_cmk_ids` -> `ebs_csi_kms_cmk_arns`
+    - `iam-user`
+        - `create_user` -> `create`
+        - `create_iam_user_login_profile` -> `create_login_profile`
+        - `create_iam_access_key` -> `create_access_key`
+        - `iam_access_key_status` -> `access_key_status`
+        - `policy_arns` -> `policies`
+        - `upload_iam_user_ssh_key` -> `create_ssh_key`
 
 3. Added variables:
 
+    - `iam-account`
+        - `create`
     - `iam-role`
         - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
     - `iam-group`
         - `permission_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
         - `path`/`policy_path`
         - `create_policy`
         - `enable_mfa_enforcment`
+    - `iam-read-only-policy`
+        - `create`
+    - `iam-role-for-service-accounts`
+        - `create_policy`
+        - `source_policy_documents`
+        - `override_policy_documents`
+        - `policy_statements`
+        - `policy_name`
+        - `policy_description`
 
 4. Removed outputs:
 
+    - `iam-account`
+        - `caller_identity_account_id`
+        - `caller_identity_arn`
+        - `caller_identity_user_id`
     - `iam-role`
         - `iam_role_path`
         - `role_requires_mfa`
@@ -124,6 +183,18 @@ stateDiagram
     - `iam-group`
         - `assumable_roles`
         - `aws_account_id`
+    - `iam-read-only-policy`
+        - `description`
+        - `path`
+    - `iam-user`
+        - `pgp_key`
+        - `keybase_password_decrypt_command`
+        - `keybase_password_pgp_message`
+        - `keybase_secret_key_decrypt_command`
+        - `keybase_secret_key_pgp_message`
+        - `keybase_ses_smtp_password_v4_decrypt_command`
+        - `keybase_ses_smtp_password_v4_pgp_message`
+        - `policy_arns`
 
 5. Renamed outputs:
 
@@ -140,6 +211,22 @@ stateDiagram
         - `group_name` -> `name`
         - `group_arn` -> `arn`
         - `group_users` -> `users`
+    - `iam-user`
+        - `iam_user_arn` -> `arn`
+        - `iam_user_name` -> `name`
+        - `iam_user_unique_id` -> `unique_id`
+        - `iam_user_login_profile_password` -> `login_profile_password`
+        - `iam_user_login_profile_key_fingerprint` -> `login_profile_key_fingerprint`
+        - `iam_user_login_profile_encrypted_password` -> `login_profile_encrypted_password`
+        - `iam_access_key_id` -> `access_key_id`
+        - `iam_access_key_secret` -> `access_key_secret`
+        - `iam_access_key_key_fingerprint` -> `access_key_key_fingerprint`
+        - `iam_access_key_encrypted_secret` -> `access_key_encrypted_secret`
+        - `iam_access_key_ses_smtp_password_v4` -> `access_key_ses_smtp_password_v4`
+        - `iam_access_key_encrypted_ses_smtp_password_v4` -> `access_key_encrypted_ses_smtp_password_v4`
+        - `iam_access_key_status` -> `access_key_status`
+        - `iam_user_ssh_key_ssh_public_key_id` -> `ssh_key_public_key_id`
+        - `iam_user_ssh_key_fingerprint` -> `ssh_key_fingerprint`
 
 6. Added outputs:
 
@@ -149,6 +236,12 @@ stateDiagram
 
 ### Diff of before <> after
 
+#### `iam-account`
+
+None
+
+
+
 #### `iam-role`
 
 ```diff

examples/iam-role-for-service-accounts/README.md

@@ -1,5 +1,9 @@
 # AWS IAM Role for Service Accounts in EKS
 
+> [!TIP]
+> Upgrade to use EKS Pod Identity instead of IRSA
+> A similar module for EKS Pod Identity is available [here](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity).
+
 Configuration in this directory creates IAM roles that can be assumed by multiple EKS `ServiceAccount`s for various tasks.
 
 # Usage

modules/iam-read-only-policy/README.md

@@ -1,4 +1,4 @@
-### AWS IAM ReadOnly Policy Terraform Module
+# AWS IAM ReadOnly Policy Terraform Module
 
 Creates an IAM policy that allows read-only access to the list of AWS services provided.
 

modules/iam-role-for-service-accounts/README.md

@@ -1,23 +1,29 @@
-# AWS IAM Role for Service Accounts in EKS Terraform Module
+# AWS IAM Role for EKS Service Accounts Terraform Module
+
+> [!TIP]
+> Upgrade to use EKS Pod Identity instead of IRSA
+> A similar module for EKS Pod Identity is available [here](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity).
+
+> [!INFO]
+> The [karpenter](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/modules/karpenter) sub-module contains the necessary AWS resources for running Karpenter, including the Karpenter controller IAM role & policy
 
 Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include:
 - [Cert-Manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role)
 - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
 - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
 - [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json)
 - [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
-- [External Secrets](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret)
+- [External Secrets](https://github.com/external-secrets/external-secrets#add-a-secret)
 - [FSx for Lustre CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md)
-- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
+- [FSx for OpenZFS CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/README.md)
+- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml)
 - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
   - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
-- [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/config/iam/controller-iam-policy.json)
-  - [App Mesh Envoy Proxy](https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/envoy-iam-policy.json)
 - [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html)
+- [Mountpoint S3 CSI Driver](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions)
 - [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
 - [Velero](https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user)
 - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
-
 This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
 This module supports multiple `ServiceAccount`s across multiple clusters and/or namespaces. This allows for a single IAM role to be used when an application may span multiple clusters (e.g. for DR) or multiple namespaces (e.g. for canary deployments). For example, to create an IAM role named `my-app` that can be assumed from the `ServiceAccount` named `my-app-staging` in the namespace `default` and `canary` in a cluster in `us-east-1`; and also the `ServiceAccount` name `my-app-staging` in the namespace `default` in a cluster in `ap-southeast-1`, the configuration would be: