feat: Add conditional policy statement attachments for EKS IAM role module (#184)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.62.3
+    rev: v1.64.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -3,7 +3,7 @@
 ## Features
 
 1. **Cross-account access.** Define IAM roles using `iam_assumable_role` or `iam_assumable_roles` submodules in "resource AWS accounts (prod, staging, dev)" and IAM groups and users using `iam-group-with-assumable-roles-policy` submodule in "IAM AWS Account" to setup access controls between accounts. See [iam-group-with-assumable-roles-policy example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) for more details.
-1. **Individual IAM resources (users, roles, policies).** See usage snippets and [examples](https://github.com/terraform-aws-modules/terraform-aws-iam#examples) listed below.
+2. **Individual IAM resources (users, roles, policies).** See usage snippets and [examples](https://github.com/terraform-aws-modules/terraform-aws-iam#examples) listed below.
 
 ## Usage
 
@@ -134,63 +134,31 @@ module "iam_assumable_roles_with_saml" {
 }
 ```
 
-`iam-user`:
+`iam-eks-role`:
 
 ```hcl
-module "iam_user" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
-  version = "~> 4"
-
-  name          = "vasya.pupkin"
-  force_destroy = true
-
-  pgp_key = "keybase:test"
-
-  password_reset_required = false
-}
-```
+module "iam_eks_role" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
+  version     = "~> 4"
 
-`iam-policy`:
+  role_name   = "my-app"
 
-```hcl
-module "iam_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "~> 4"
+  cluster_service_accounts = {
+    "cluster1" = ["default:my-app"]
+    "cluster2" = [
+      "default:my-app",
+      "canary:my-app",
+    ]
+  }
 
-  name        = "example"
-  path        = "/"
-  description = "My example policy"
+  tags = {
+    Name = "eks-role"
+  }
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:Describe*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
   ]
 }
-EOF
-}
-```
-
-`iam-read-only-policy`:
-
-```hcl
-module "iam_read_only_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"
-  version = "~> 4"
-
-  name        = "example"
-  path        = "/"
-  description = "My example read-only policy"
-
-  allowed_services = ["rds", "dynamo", "health"]
-}
 ```
 
 `iam-group-with-assumable-roles-policy`:
@@ -242,30 +210,87 @@ module "iam_group_with_policies" {
 }
 ```
 
-`iam-eks-role`:
+`iam-policy`:
 
 ```hcl
-module "iam_eks_role" {
-  source      = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
+module "iam_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 4"
+
+  name        = "example"
+  path        = "/"
+  description = "My example policy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+```
+
+`iam-read-only-policy`:
+
+```hcl
+module "iam_read_only_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"
+  version = "~> 4"
+
+  name        = "example"
+  path        = "/"
+  description = "My example read-only policy"
+
+  allowed_services = ["rds", "dynamo", "health"]
+}
+```
+
+`iam-role-for-service-accounts-eks`:
+
+```hcl
+module "vpc_cni_irsa" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version     = "~> 4"
 
-  role_name   = "my-app"
+  role_name   = "vpc-cni"
 
-  cluster_service_accounts = {
-    "cluster1" = ["default:my-app"]
-    "cluster2" = [
-      "default:my-app",
-      "canary:my-app",
-    ]
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
+      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+    }
   }
 
   tags = {
-    Name = "eks-role"
+    Name = "vpc-cni-irsa"
   }
+}
+```
 
-  role_policy_arns = [
-    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
-  ]
+`iam-user`:
+
+```hcl
+module "iam_user" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
+  version = "~> 4"
+
+  name          = "vasya.pupkin"
+  force_destroy = true
+
+  pgp_key = "keybase:test"
+
+  password_reset_required = false
 }
 ```
 
@@ -318,12 +343,13 @@ Use [iam-read-only-policy module](https://github.com/terraform-aws-modules/terra
 - [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 - [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed by users with a SAML Identity Provider
 - [iam-eks-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-eks-role) - Create an IAM role which can be assumed by one or more EKS `ServiceAccount`
+- [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
 - [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account
 - [iam-group-with-policies](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-policies) - IAM group with users who are allowed specified IAM policies (eg, "manage their own IAM user")
-- [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
-- [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)
 - [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create IAM policy
 - [iam-read-only-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-read-only-policy) - Create IAM read-only policy
+- [iam-role-for-service-accounts-eks](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts-eks) - Create IAM role for service accounts (IRSA) for use within EKS clusters
+- [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)
 
 ## Authors
 

examples/iam-account/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-assumable-role-with-oidc/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-assumable-role-with-saml/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-assumable-role/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-assumable-roles-with-saml/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-assumable-roles/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-group-complete/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }

examples/iam-group-with-assumable-roles-policy/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }