fix: Update IRSA module to align with upstream changes

Author: bryantbiggs

examples/iam-role-for-service-accounts/README.md

@@ -33,9 +33,8 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_amazon_managed_service_prometheus_irsa"></a> [amazon\_managed\_service\_prometheus\_irsa](#module\_amazon\_managed\_service\_prometheus\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_appmesh_controller_irsa"></a> [appmesh\_controller\_irsa](#module\_appmesh\_controller\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_appmesh_envoy_proxy_irsa"></a> [appmesh\_envoy\_proxy\_irsa](#module\_appmesh\_envoy\_proxy\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_cert_manager_irsa"></a> [cert\_manager\_irsa](#module\_cert\_manager\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
+| <a name="module_cloudwatch_observability_irsa"></a> [cloudwatch\_observability\_irsa](#module\_cloudwatch\_observability\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_cluster_autoscaler_irsa"></a> [cluster\_autoscaler\_irsa](#module\_cluster\_autoscaler\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_ebs_csi_irsa"></a> [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
@@ -45,12 +44,13 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_external_dns_irsa"></a> [external\_dns\_irsa](#module\_external\_dns\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_external_secrets_irsa"></a> [external\_secrets\_irsa](#module\_external\_secrets\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_fsx_lustre_csi_irsa"></a> [fsx\_lustre\_csi\_irsa](#module\_fsx\_lustre\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
+| <a name="module_fsx_openzfs_csi_irsa"></a> [fsx\_openzfs\_csi\_irsa](#module\_fsx\_openzfs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_irsa"></a> [irsa](#module\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_irsa_v2_custom_policy"></a> [irsa\_v2\_custom\_policy](#module\_irsa\_v2\_custom\_policy) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_irsa_v2_empty"></a> [irsa\_v2\_empty](#module\_irsa\_v2\_empty) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_karpenter_irsa"></a> [karpenter\_irsa](#module\_karpenter\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_load_balancer_controller_irsa"></a> [load\_balancer\_controller\_irsa](#module\_load\_balancer\_controller\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_load_balancer_controller_targetgroup_binding_only_irsa"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
+| <a name="module_mountpoint_s3_csi_irsa"></a> [mountpoint\_s3\_csi\_irsa](#module\_mountpoint\_s3\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_node_termination_handler_irsa"></a> [node\_termination\_handler\_irsa](#module\_node\_termination\_handler\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_velero_irsa"></a> [velero\_irsa](#module\_velero\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |

examples/iam-role-for-service-accounts/main.tf

@@ -163,6 +163,25 @@ module "efs_csi_irsa" {
   tags = local.tags
 }
 
+module "mountpoint_s3_csi_irsa" {
+  source = "../../modules/iam-role-for-service-accounts"
+
+  name = "mountpoint-s3-csi"
+
+  attach_mountpoint_s3_csi_policy = true
+  mountpoint_s3_csi_bucket_arns   = ["arn:aws:s3:::mountpoint-s3-csi-bucket"]
+  mountpoint_s3_csi_path_arns     = ["arn:aws:s3:::mountpoint-s3-csi-bucket/example/*"]
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:s3-csi-driver-sa"]
+    }
+  }
+
+  tags = local.tags
+}
+
 module "external_dns_irsa" {
   source = "../../modules/iam-role-for-service-accounts"
 
@@ -217,19 +236,17 @@ module "fsx_lustre_csi_irsa" {
   tags = local.tags
 }
 
-module "karpenter_irsa" {
+module "fsx_openzfs_csi_irsa" {
   source = "../../modules/iam-role-for-service-accounts"
 
-  name = "karpenter"
+  name = "fsx-openzfs-csi"
 
-  attach_karpenter_policy      = true
-  karpenter_cluster_name       = module.eks.cluster_name
-  karpenter_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn]
+  attach_fsx_openzfs_csi_policy = true
 
   oidc_providers = {
-    this = {
+    ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["karpenter:karpenter"]
+      namespace_service_accounts = ["kube-system:fsx-openzfs-csi-controller-sa"]
     }
   }
 
@@ -270,40 +287,6 @@ module "load_balancer_controller_targetgroup_binding_only_irsa" {
   tags = local.tags
 }
 
-module "appmesh_controller_irsa" {
-  source = "../../modules/iam-role-for-service-accounts"
-
-  name = "appmesh-controller"
-
-  attach_appmesh_controller_policy = true
-
-  oidc_providers = {
-    this = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["appmesh-system:appmesh-controller"]
-    }
-  }
-
-  tags = local.tags
-}
-
-module "appmesh_envoy_proxy_irsa" {
-  source = "../../modules/iam-role-for-service-accounts"
-
-  name = "appmesh-envoy-proxy"
-
-  attach_appmesh_envoy_proxy_policy = true
-
-  oidc_providers = {
-    this = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["appmesh-system:appmesh-envoy-proxy"]
-    }
-  }
-
-  tags = local.tags
-}
-
 module "amazon_managed_service_prometheus_irsa" {
   source = "../../modules/iam-role-for-service-accounts"
 
@@ -392,6 +375,23 @@ module "vpc_cni_ipv6_irsa" {
   tags = local.tags
 }
 
+module "cloudwatch_observability_irsa" {
+  source = "../../modules/iam-role-for-service-accounts"
+
+  name = "cloudwatch-observability"
+
+  attach_cloudwatch_observability_policy = true
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["amazon-cloudwatch:cloudwatch-agent"]
+    }
+  }
+
+  tags = local.tags
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################

examples/iam-role/README.md

@@ -54,18 +54,25 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_condition_iam_instance_profile_arn"></a> [condition\_iam\_instance\_profile\_arn](#output\_condition\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
-| <a name="output_condition_iam_instance_profile_id"></a> [condition\_iam\_instance\_profile\_id](#output\_condition\_iam\_instance\_profile\_id) | Instance profile's ID |
-| <a name="output_condition_iam_instance_profile_name"></a> [condition\_iam\_instance\_profile\_name](#output\_condition\_iam\_instance\_profile\_name) | Name of IAM instance profile |
-| <a name="output_condition_iam_instance_profile_unique_id"></a> [condition\_iam\_instance\_profile\_unique\_id](#output\_condition\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
-| <a name="output_condition_iam_role_arn"></a> [condition\_iam\_role\_arn](#output\_condition\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| <a name="output_condition_iam_role_name"></a> [condition\_iam\_role\_name](#output\_condition\_iam\_role\_name) | The name of the IAM role |
-| <a name="output_condition_iam_role_unique_id"></a> [condition\_iam\_role\_unique\_id](#output\_condition\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_github_oidc_iam_instance_profile_arn"></a> [github\_oidc\_iam\_instance\_profile\_arn](#output\_github\_oidc\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| <a name="output_github_oidc_iam_instance_profile_id"></a> [github\_oidc\_iam\_instance\_profile\_id](#output\_github\_oidc\_iam\_instance\_profile\_id) | Instance profile's ID |
+| <a name="output_github_oidc_iam_instance_profile_name"></a> [github\_oidc\_iam\_instance\_profile\_name](#output\_github\_oidc\_iam\_instance\_profile\_name) | Name of IAM instance profile |
+| <a name="output_github_oidc_iam_instance_profile_unique_id"></a> [github\_oidc\_iam\_instance\_profile\_unique\_id](#output\_github\_oidc\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
+| <a name="output_github_oidc_iam_role_arn"></a> [github\_oidc\_iam\_role\_arn](#output\_github\_oidc\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_github_oidc_iam_role_name"></a> [github\_oidc\_iam\_role\_name](#output\_github\_oidc\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_github_oidc_iam_role_unique_id"></a> [github\_oidc\_iam\_role\_unique\_id](#output\_github\_oidc\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_instance_profile_iam_instance_profile_arn"></a> [instance\_profile\_iam\_instance\_profile\_arn](#output\_instance\_profile\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
 | <a name="output_instance_profile_iam_instance_profile_id"></a> [instance\_profile\_iam\_instance\_profile\_id](#output\_instance\_profile\_iam\_instance\_profile\_id) | Instance profile's ID |
 | <a name="output_instance_profile_iam_instance_profile_name"></a> [instance\_profile\_iam\_instance\_profile\_name](#output\_instance\_profile\_iam\_instance\_profile\_name) | Name of IAM instance profile |
 | <a name="output_instance_profile_iam_instance_profile_unique_id"></a> [instance\_profile\_iam\_instance\_profile\_unique\_id](#output\_instance\_profile\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
 | <a name="output_instance_profile_iam_role_arn"></a> [instance\_profile\_iam\_role\_arn](#output\_instance\_profile\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
 | <a name="output_instance_profile_iam_role_name"></a> [instance\_profile\_iam\_role\_name](#output\_instance\_profile\_iam\_role\_name) | The name of the IAM role |
 | <a name="output_instance_profile_iam_role_unique_id"></a> [instance\_profile\_iam\_role\_unique\_id](#output\_instance\_profile\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_saml_iam_instance_profile_arn"></a> [saml\_iam\_instance\_profile\_arn](#output\_saml\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| <a name="output_saml_iam_instance_profile_id"></a> [saml\_iam\_instance\_profile\_id](#output\_saml\_iam\_instance\_profile\_id) | Instance profile's ID |
+| <a name="output_saml_iam_instance_profile_name"></a> [saml\_iam\_instance\_profile\_name](#output\_saml\_iam\_instance\_profile\_name) | Name of IAM instance profile |
+| <a name="output_saml_iam_instance_profile_unique_id"></a> [saml\_iam\_instance\_profile\_unique\_id](#output\_saml\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
+| <a name="output_saml_iam_role_arn"></a> [saml\_iam\_role\_arn](#output\_saml\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_saml_iam_role_name"></a> [saml\_iam\_role\_name](#output\_saml\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_saml_iam_role_unique_id"></a> [saml\_iam\_role\_unique\_id](#output\_saml\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 <!-- END_TF_DOCS -->

examples/iam-role/outputs.tf

@@ -38,40 +38,79 @@ output "instance_profile_iam_instance_profile_unique_id" {
 }
 
 ################################################################################
-# IAM Role - Condition
+# IAM Role - GitHub OIDC
 ################################################################################
 
-output "condition_iam_role_name" {
+output "github_oidc_iam_role_name" {
   description = "The name of the IAM role"
-  value       = module.iam_role_condition.name
+  value       = module.iam_role_github_oidc.name
 }
 
-output "condition_iam_role_arn" {
+output "github_oidc_iam_role_arn" {
   description = "The Amazon Resource Name (ARN) specifying the IAM role"
-  value       = module.iam_role_condition.arn
+  value       = module.iam_role_github_oidc.arn
 }
 
-output "condition_iam_role_unique_id" {
+output "github_oidc_iam_role_unique_id" {
   description = "Stable and unique string identifying the IAM role"
-  value       = module.iam_role_condition.unique_id
+  value       = module.iam_role_github_oidc.unique_id
 }
 
-output "condition_iam_instance_profile_arn" {
+output "github_oidc_iam_instance_profile_arn" {
   description = "ARN assigned by AWS to the instance profile"
-  value       = module.iam_role_condition.instance_profile_arn
+  value       = module.iam_role_github_oidc.instance_profile_arn
 }
 
-output "condition_iam_instance_profile_id" {
+output "github_oidc_iam_instance_profile_id" {
   description = "Instance profile's ID"
-  value       = module.iam_role_condition.instance_profile_id
+  value       = module.iam_role_github_oidc.instance_profile_id
 }
 
-output "condition_iam_instance_profile_name" {
+output "github_oidc_iam_instance_profile_name" {
   description = "Name of IAM instance profile"
-  value       = module.iam_role_condition.instance_profile_name
+  value       = module.iam_role_github_oidc.instance_profile_name
 }
 
-output "condition_iam_instance_profile_unique_id" {
+output "github_oidc_iam_instance_profile_unique_id" {
   description = "Stable and unique string identifying the IAM instance profile"
-  value       = module.iam_role_condition.instance_profile_unique_id
+  value       = module.iam_role_github_oidc.instance_profile_unique_id
+}
+
+################################################################################
+# IAM Role - SAML 2.0
+################################################################################
+
+output "saml_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.iam_role_saml.name
+}
+
+output "saml_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.iam_role_saml.arn
+}
+
+output "saml_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.iam_role_saml.unique_id
+}
+
+output "saml_iam_instance_profile_arn" {
+  description = "ARN assigned by AWS to the instance profile"
+  value       = module.iam_role_saml.instance_profile_arn
+}
+
+output "saml_iam_instance_profile_id" {
+  description = "Instance profile's ID"
+  value       = module.iam_role_saml.instance_profile_id
+}
+
+output "saml_iam_instance_profile_name" {
+  description = "Name of IAM instance profile"
+  value       = module.iam_role_saml.instance_profile_name
+}
+
+output "saml_iam_instance_profile_unique_id" {
+  description = "Stable and unique string identifying the IAM instance profile"
+  value       = module.iam_role_saml.instance_profile_unique_id
 }

modules/iam-role/README.md

@@ -179,6 +179,10 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_instance_profile_arn"></a> [instance\_profile\_arn](#output\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| <a name="output_instance_profile_id"></a> [instance\_profile\_id](#output\_instance\_profile\_id) | Instance profile's ID |
+| <a name="output_instance_profile_name"></a> [instance\_profile\_name](#output\_instance\_profile\_name) | Name of IAM instance profile |
+| <a name="output_instance_profile_unique_id"></a> [instance\_profile\_unique\_id](#output\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
 | <a name="output_name"></a> [name](#output\_name) | The name of the IAM role |
 | <a name="output_unique_id"></a> [unique\_id](#output\_unique\_id) | Stable and unique string identifying the IAM role |
 <!-- END_TF_DOCS -->

modules/iam-role/outputs.tf

@@ -16,3 +16,27 @@ output "unique_id" {
   description = "Stable and unique string identifying the IAM role"
   value       = try(aws_iam_role.this[0].unique_id, null)
 }
+
+################################################################################
+# IAM Instance Profile
+################################################################################
+
+output "instance_profile_arn" {
+  description = "ARN assigned by AWS to the instance profile"
+  value       = try(aws_iam_instance_profile.this[0].arn, null)
+}
+
+output "instance_profile_id" {
+  description = "Instance profile's ID"
+  value       = try(aws_iam_instance_profile.this[0].id, null)
+}
+
+output "instance_profile_name" {
+  description = "Name of IAM instance profile"
+  value       = try(aws_iam_instance_profile.this[0].name, null)
+}
+
+output "instance_profile_unique_id" {
+  description = "Stable and unique string identifying the IAM instance profile"
+  value       = try(aws_iam_instance_profile.this[0].unique_id, null)
+}