docs: Add example of custom IRSA role (#328)

Co-authored-by: Adrian Rico <[email protected]>
Co-authored-by: Bryant Biggs <[email protected]>

Author: 3 people

examples/iam-role-for-service-accounts-eks/README.md

@@ -44,6 +44,8 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_external_secrets_irsa_role"></a> [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_iam_eks_role"></a> [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
 | <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |

examples/iam-role-for-service-accounts-eks/main.tf

@@ -328,6 +328,53 @@ module "vpc_cni_ipv6_irsa_role" {
   tags = local.tags
 }
 
+################################################################################
+# Custom IRSA Roles
+################################################################################
+
+# This is an example of a custom IRSA role which allows workloads with the specified serviceccount to perform actions in a S3 bucket.
+module "iam_policy" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+
+  name        = "myapp"
+  path        = "/"
+  description = "Example policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:*",
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+
+}
+
+module "iam_eks_role" {
+  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  role_name = "my-app"
+
+  role_policy_arns = {
+    policy = "arn:aws:iam::012345678901:policy/myapp"
+  }
+
+  oidc_providers = {
+    one = {
+      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
+      namespace_service_accounts = ["default:my-app-staging", "canary:my-app-staging"]
+    }
+    two = {
+      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G"
+      namespace_service_accounts = ["default:my-app-staging"]
+    }
+  }
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################

modules/iam-role-for-service-accounts-eks/README.md

@@ -27,6 +27,10 @@ module "iam_eks_role" {
   source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   role_name = "my-app"
 
+  role_policy_arns = {
+    policy = "arn:aws:iam::012345678901:policy/myapp"
+  }
+
   oidc_providers = {
     one = {
       provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"