fix: Remove broken IRSA migrations.tf; add default IRSA policy descriptions for backwards compat (#592)

Author: bryantbiggs

docs/UPGRADE-6.0.md

@@ -813,7 +813,7 @@ None
 
 #### `iam-role-for-service-accounts`
 
-None
+TODO - coming soon after `v6.0.1` patch release
 
 #### `iam-user`
 

examples/iam-role-for-service-accounts/main.tf

@@ -231,9 +231,10 @@ module "load_balancer_controller_irsa" {
 module "load_balancer_controller_targetgroup_binding_only_irsa" {
   source = "../../modules/iam-role-for-service-accounts"
 
-  name = "load-balancer-controller-targetgroup-binding-only"
+  name = "lbc-targetgroup-binding-only"
 
   attach_load_balancer_controller_targetgroup_binding_only_policy = true
+  load_balancer_controller_targetgroup_arns                       = ["arn:aws:elasticloadbalancing:eu-west-1:012345678901:targetgroup/my-target-group"]
 
   oidc_providers = {
     this = {
@@ -250,7 +251,8 @@ module "amazon_managed_service_prometheus_irsa" {
 
   name = "amazon-managed-service-prometheus"
 
-  attach_amazon_managed_service_prometheus_policy = true
+  attach_amazon_managed_service_prometheus_policy  = true
+  amazon_managed_service_prometheus_workspace_arns = ["arn:aws:prometheus:eu-west-1:012345678901:workspace/12345678-1234-1234-1234-123456789012"]
 
   oidc_providers = {
     this = {
@@ -267,7 +269,8 @@ module "node_termination_handler_irsa" {
 
   name = "node-termination-handler"
 
-  attach_node_termination_handler_policy = true
+  attach_node_termination_handler_policy  = true
+  node_termination_handler_sqs_queue_arns = ["arn:aws:sqs:eu-west-1:012345678901:node-termination-handler"]
 
   oidc_providers = {
     this = {

modules/iam-role-for-service-accounts/README.md

@@ -201,7 +201,7 @@ No modules.
 | <a name="input_mountpoint_s3_csi_bucket_arns"></a> [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no |
 | <a name="input_mountpoint_s3_csi_kms_arns"></a> [mountpoint\_s3\_csi\_kms\_arns](#input\_mountpoint\_s3\_csi\_kms\_arns) | KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE | `list(string)` | `[]` | no |
 | <a name="input_mountpoint_s3_csi_path_arns"></a> [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name to use on IAM role created | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to use on IAM role created | `string` | `""` | no |
 | <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | `[]` | no |
 | <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{}` | no |
 | <a name="input_override_inline_policy_documents"></a> [override\_inline\_policy\_documents](#input\_override\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |

modules/iam-role-for-service-accounts/main.tf

@@ -5,6 +5,26 @@ data "aws_partition" "current" {
 locals {
   partition  = try(data.aws_partition.current[0].partition, "")
   dns_suffix = try(data.aws_partition.current[0].dns_suffix, "")
+
+  policy_description = try(coalesce(
+    var.policy_description,
+    var.attach_aws_gateway_controller_policy ? "Provides permissions for the AWS Gateway Controller" : null,
+    var.attach_cert_manager_policy ? "Cert Manager policy to allow management of Route53 hosted zone records" : null,
+    var.attach_cluster_autoscaler_policy ? "Cluster autoscaler policy to allow examination and modification of EC2 Auto Scaling Groups" : null,
+    var.attach_ebs_csi_policy ? "Provides permissions to manage EBS volumes via the container storage interface driver" : null,
+    var.attach_efs_csi_policy ? "Provides permissions to manage EFS volumes via the container storage interface driver" : null,
+    var.attach_mountpoint_s3_csi_policy ? "Mountpoint S3 CSI driver policy to allow management of S3" : null,
+    var.attach_external_dns_policy ? "External DNS policy to allow management of Route53 hosted zone records" : null,
+    var.attach_external_secrets_policy ? "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager" : null,
+    var.attach_fsx_lustre_csi_policy ? "Provides permissions to manage FSx Lustre volumes via the container storage interface driver" : null,
+    var.attach_fsx_openzfs_csi_policy ? "Provides permissions to manage FSx OpenZFS volumes via the container storage interface driver" : null,
+    var.attach_load_balancer_controller_policy ? "Provides permissions for AWS Load Balancer Controller addon" : null,
+    var.attach_load_balancer_controller_targetgroup_binding_only_policy ? "Provides permissions for AWS Load Balancer Controller addon in TargetGroup binding only scenario" : null,
+    var.attach_amazon_managed_service_prometheus_policy ? "Provides permissions to for Amazon Managed Service for Prometheus" : null,
+    var.attach_node_termination_handler_policy ? "Provides permissions to handle node termination events via the Node Termination Handler" : null,
+    var.attach_velero_policy ? "Provides Velero permissions to backup and restore cluster resources" : null,
+    var.attach_vpc_cni_policy ? "Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IPv4/IPv6 address configuration on your EKS worker nodes" : null,
+  ), null)
 }
 
 ################################################################################
@@ -70,7 +90,7 @@ resource "aws_iam_role_policy_attachment" "additional" {
 ################################################################################
 
 locals {
-  create_policy = var.create && var.create_policy
+  create_policy = var.create && var.create_policy && (length(local.source_policy_documents) > 0 || length(var.override_policy_documents) > 0 || var.permissions != null)
 
   source_policy_documents = flatten(concat(
     data.aws_iam_policy_document.aws_gateway_controller[*].json,
@@ -151,7 +171,7 @@ resource "aws_iam_policy" "this" {
   name        = var.use_name_prefix ? null : local.policy_name
   name_prefix = var.use_name_prefix ? "${local.policy_name}-" : null
   path        = coalesce(var.policy_path, var.path)
-  description = try(coalesce(var.policy_description, var.description), null)
+  description = try(coalesce(var.policy_description, local.policy_description), null)
   policy      = data.aws_iam_policy_document.this[0].json
 
   tags = var.tags

modules/iam-role-for-service-accounts/migrations.tf

@@ -17,7 +17,7 @@ variable "tags" {
 variable "name" {
   description = "Name to use on IAM role created"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "use_name_prefix" {

modules/iam-role-for-service-accounts/variables.tf

@@ -41,7 +41,7 @@ module "wrapper" {
   mountpoint_s3_csi_bucket_arns                                   = try(each.value.mountpoint_s3_csi_bucket_arns, var.defaults.mountpoint_s3_csi_bucket_arns, [])
   mountpoint_s3_csi_kms_arns                                      = try(each.value.mountpoint_s3_csi_kms_arns, var.defaults.mountpoint_s3_csi_kms_arns, [])
   mountpoint_s3_csi_path_arns                                     = try(each.value.mountpoint_s3_csi_path_arns, var.defaults.mountpoint_s3_csi_path_arns, [])
-  name                                                            = try(each.value.name, var.defaults.name, null)
+  name                                                            = try(each.value.name, var.defaults.name, "")
   node_termination_handler_sqs_queue_arns                         = try(each.value.node_termination_handler_sqs_queue_arns, var.defaults.node_termination_handler_sqs_queue_arns, [])
   oidc_providers                                                  = try(each.value.oidc_providers, var.defaults.oidc_providers, {})
   override_inline_policy_documents                                = try(each.value.override_inline_policy_documents, var.defaults.override_inline_policy_documents, [])