feat: Add new addon policy for AWS load balancer controller to IRSA role (#189)

bryantbiggs · web-flow · commit e2ce5c943f2a · 2022-02-17T21:24:37.000+01:00
diff --git a/examples/iam-eks-role/README.md b/examples/iam-eks-role/README.md
@@ -21,14 +21,14 @@ Run `terraform destroy` when you don't need these resources.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.6 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.23 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.23 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
diff --git a/examples/iam-eks-role/versions.tf b/examples/iam-eks-role/versions.tf
@@ -2,7 +2,13 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws    = ">= 2.23"
-    random = ">= 2"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
   }
 }
diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
@@ -37,6 +37,7 @@ No providers.
 | <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_node_termination_handler_irsa_role"></a> [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 | <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -57,7 +57,7 @@ module "cluster_autoscaler_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["kube-system:cluster-autoscaler"]
     }
   }
 
@@ -90,7 +90,7 @@ module "ebs_csi_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["kube-system:aws-ebs-csi-driver"]
     }
   }
 
@@ -107,7 +107,7 @@ module "vpc_cni_ipv4_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["kube-system:aws-vpc-cni"]
     }
   }
 
@@ -124,7 +124,7 @@ module "vpc_cni_ipv6_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["kube-system:aws-vpc-cni"]
     }
   }
 
@@ -140,7 +140,7 @@ module "node_termination_handler_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["kube-system:aws-node"]
     }
   }
 
@@ -159,7 +159,23 @@ module "karpenter_controller_irsa_role" {
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["default:my-app", "canary:my-app"]
+      namespace_service_accounts = ["karpenter:karpenter"]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "load_balancer_controller_irsa_role" {
+  source = "../../modules/iam-role-for-service-accounts-eks"
+
+  role_name                              = "load_balancer_controller"
+  attach_load_balancer_controller_policy = true
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
     }
   }
 
diff --git a/modules/iam-eks-role/main.tf b/modules/iam-eks-role/main.tf
@@ -73,7 +73,8 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  for_each   = var.create_role ? toset(var.role_policy_arns) : []
+  for_each = toset([for arn in var.role_policy_arns : arn if var.create_role])
+
   role       = aws_iam_role.this[0].name
   policy_arn = each.key
 }
diff --git a/modules/iam-eks-role/versions.tf b/modules/iam-eks-role/versions.tf
@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.23"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.23"
+    }
   }
 }
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
@@ -1,6 +1,13 @@
 # IAM Role for Service Accounts in EKS
 
-Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS.
+Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include:
+- [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
+- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
+- [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
+- [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
+- [Node Termination Hanlder](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
+- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
+- [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
 
 This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
@@ -105,20 +112,23 @@ No modules.
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -132,6 +142,7 @@ No modules.
 | <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_karpenter_controller_policy"></a> [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
+| <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
 | <a name="input_attach_node_termination_handler_policy"></a> [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
 | <a name="input_attach_vpc_cni_policy"></a> [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_cluster_autoscaler_cluster_ids"></a> [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -39,7 +39,7 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = var.create_role ? toset(var.role_policy_arns) : []
+  for_each = toset([for arn in var.role_policy_arns : arn if var.create_role])
 
   role       = aws_iam_role.this[0].name
   policy_arn = each.key
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ module "cluster_autoscaler_irsa_role" {`
`57`	`57`	`oidc_providers = {`
`58`	`58`	`ex = {`
`59`	`59`	`provider_arn = module.eks.oidc_provider_arn`
`60`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`60`	`+ namespace_service_accounts = ["kube-system:cluster-autoscaler"]`
`61`	`61`	`}`
`62`	`62`	`}`
`63`	`63`
`@@ -90,7 +90,7 @@ module "ebs_csi_irsa_role" {`
`90`	`90`	`oidc_providers = {`
`91`	`91`	`ex = {`
`92`	`92`	`provider_arn = module.eks.oidc_provider_arn`
`93`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`93`	`+ namespace_service_accounts = ["kube-system:aws-ebs-csi-driver"]`
`94`	`94`	`}`
`95`	`95`	`}`
`96`	`96`
`@@ -107,7 +107,7 @@ module "vpc_cni_ipv4_irsa_role" {`
`107`	`107`	`oidc_providers = {`
`108`	`108`	`ex = {`
`109`	`109`	`provider_arn = module.eks.oidc_provider_arn`
`110`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`110`	`+ namespace_service_accounts = ["kube-system:aws-vpc-cni"]`
`111`	`111`	`}`
`112`	`112`	`}`
`113`	`113`
`@@ -124,7 +124,7 @@ module "vpc_cni_ipv6_irsa_role" {`
`124`	`124`	`oidc_providers = {`
`125`	`125`	`ex = {`
`126`	`126`	`provider_arn = module.eks.oidc_provider_arn`
`127`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`127`	`+ namespace_service_accounts = ["kube-system:aws-vpc-cni"]`
`128`	`128`	`}`
`129`	`129`	`}`
`130`	`130`
`@@ -140,7 +140,7 @@ module "node_termination_handler_irsa_role" {`
`140`	`140`	`oidc_providers = {`
`141`	`141`	`ex = {`
`142`	`142`	`provider_arn = module.eks.oidc_provider_arn`
`143`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`143`	`+ namespace_service_accounts = ["kube-system:aws-node"]`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
`@@ -159,7 +159,23 @@ module "karpenter_controller_irsa_role" {`
`159`	`159`	`oidc_providers = {`
`160`	`160`	`ex = {`
`161`	`161`	`provider_arn = module.eks.oidc_provider_arn`
`162`		`- namespace_service_accounts = ["default:my-app", "canary:my-app"]`
	`162`	`+ namespace_service_accounts = ["karpenter:karpenter"]`
	`163`	`+ }`
	`164`	`+ }`
	`165`	`+`
	`166`	`+ tags = local.tags`
	`167`	`+}`
	`168`	`+`
	`169`	`+module "load_balancer_controller_irsa_role" {`
	`170`	`+ source = "../../modules/iam-role-for-service-accounts-eks"`
	`171`	`+`
	`172`	`+ role_name = "load_balancer_controller"`
	`173`	`+ attach_load_balancer_controller_policy = true`
	`174`	`+`
	`175`	`+ oidc_providers = {`
	`176`	`+ ex = {`
	`177`	`+ provider_arn = module.eks.oidc_provider_arn`
	`178`	`+ namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]`
`163`	`179`	`}`
`164`	`180`	`}`
`165`	`181`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,8 @@ resource "aws_iam_role" "this" {`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`resource "aws_iam_role_policy_attachment" "custom" {`
`76`		`- for_each = var.create_role ? toset(var.role_policy_arns) : []`
	`76`	`+ for_each = toset([for arn in var.role_policy_arns : arn if var.create_role])`
	`77`	`+`
`77`	`78`	`role = aws_iam_role.this[0].name`
`78`	`79`	`policy_arn = each.key`
`79`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,9 @@ terraform {`
`2`	`2`	`required_version = ">= 0.12.6"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`		`- aws = ">= 2.23"`
	`5`	`+ aws = {`
	`6`	`+ source = "hashicorp/aws"`
	`7`	`+ version = ">= 2.23"`
	`8`	`+ }`
`6`	`9`	`}`
`7`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ resource "aws_iam_role" "this" {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`resource "aws_iam_role_policy_attachment" "this" {`
`42`		`- for_each = var.create_role ? toset(var.role_policy_arns) : []`
	`42`	`+ for_each = toset([for arn in var.role_policy_arns : arn if var.create_role])`
`43`	`43`
`44`	`44`	`role = aws_iam_role.this[0].name`
`45`	`45`	`policy_arn = each.key`