Skip to content

Commit

Permalink
Allow service role to be passed in (cloudposse#116)
Browse files Browse the repository at this point in the history
* allow the eks service role to be passed in instead of created

Co-authored-by: Andriy Knysh <[email protected]>
Co-authored-by: Ben Leibig <[email protected]>
Co-authored-by: Ben Leibig <[email protected]>
Co-authored-by: devslx <[email protected]>
  • Loading branch information
5 people authored Jun 15, 2021
1 parent 2b3eecb commit c25940a
Show file tree
Hide file tree
Showing 6 changed files with 22 additions and 8 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -444,6 +444,7 @@ Available targets:
| <a name="input_cluster_log_retention_period"></a> [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {}<br>}</pre> | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_eks_cluster_service_role_arn"></a> [eks\_cluster\_service\_role\_arn](#input\_eks\_cluster\_service\_role\_arn) | The ARN of an externally created EKS service role to use, or leave blank to create one | `string` | `null` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_enabled_cluster_log_types"></a> [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no |
| <a name="input_endpoint_private_access"></a> [endpoint\_private\_access](#input\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false | `bool` | `false` | no |
Expand Down
1 change: 1 addition & 0 deletions docs/terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@
| <a name="input_cluster_log_retention_period"></a> [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {}<br>}</pre> | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_eks_cluster_service_role_arn"></a> [eks\_cluster\_service\_role\_arn](#input\_eks\_cluster\_service\_role\_arn) | The ARN of an externally created EKS service role to use, or leave blank to create one | `string` | `null` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_enabled_cluster_log_types"></a> [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no |
| <a name="input_endpoint_private_access"></a> [endpoint\_private\_access](#input\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false | `bool` | `false` | no |
Expand Down
16 changes: 11 additions & 5 deletions iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -12,22 +12,28 @@ data "aws_iam_policy_document" "assume_role" {
}
}

locals {
eks_service_role = var.eks_cluster_service_role_arn != null ? var.eks_cluster_service_role_arn : join("", aws_iam_role.default.*.arn)

create_eks_service_role = local.enabled && var.eks_cluster_service_role_arn == null
}

resource "aws_iam_role" "default" {
count = local.enabled ? 1 : 0
count = local.create_eks_service_role ? 1 : 0
name = module.label.id
assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
tags = module.label.tags
permissions_boundary = var.permissions_boundary
}

resource "aws_iam_role_policy_attachment" "amazon_eks_cluster_policy" {
count = local.enabled ? 1 : 0
count = local.create_eks_service_role ? 1 : 0
policy_arn = format("arn:%s:iam::aws:policy/AmazonEKSClusterPolicy", join("", data.aws_partition.current.*.partition))
role = join("", aws_iam_role.default.*.name)
}

resource "aws_iam_role_policy_attachment" "amazon_eks_service_policy" {
count = local.enabled ? 1 : 0
count = local.create_eks_service_role ? 1 : 0
policy_arn = format("arn:%s:iam::aws:policy/AmazonEKSServicePolicy", join("", data.aws_partition.current.*.partition))
role = join("", aws_iam_role.default.*.name)
}
Expand All @@ -37,7 +43,7 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_service_policy" {
# Because of that, on a new AWS account (where load balancers have not been provisioned yet, `nginx-ingress` fails to provision a load balancer

data "aws_iam_policy_document" "cluster_elb_service_role" {
count = local.enabled ? 1 : 0
count = local.create_eks_service_role ? 1 : 0

statement {
effect = "Allow"
Expand All @@ -53,7 +59,7 @@ data "aws_iam_policy_document" "cluster_elb_service_role" {
}

resource "aws_iam_role_policy" "cluster_elb_service_role" {
count = local.enabled ? 1 : 0
count = local.create_eks_service_role ? 1 : 0
name = module.label.id
role = join("", aws_iam_role.default.*.name)
policy = join("", data.aws_iam_policy_document.cluster_elb_service_role.*.json)
Expand Down
4 changes: 2 additions & 2 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ locals {
provider_key_arn = local.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? join("", aws_kms_key.cluster.*.arn) : var.cluster_encryption_config_kms_key_id
}

security_group_enabled = module.this.enabled && var.security_group_enabled
security_group_enabled = local.enabled && var.security_group_enabled
}

module "label" {
Expand Down Expand Up @@ -48,7 +48,7 @@ resource "aws_eks_cluster" "default" {
count = local.enabled ? 1 : 0
name = module.label.id
tags = module.label.tags
role_arn = join("", aws_iam_role.default.*.arn)
role_arn = local.eks_service_role
version = var.kubernetes_version
enabled_cluster_log_types = var.enabled_cluster_log_types

Expand Down
2 changes: 1 addition & 1 deletion outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ output "eks_cluster_managed_security_group_id" {

output "eks_cluster_role_arn" {
description = "ARN of the EKS cluster IAM role"
value = join("", aws_iam_role.default.*.arn)
value = local.eks_service_role
}

output "kubernetes_config_map_id" {
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ variable "security_groups" {
description = "A list of Security Group IDs to associate with EKS cluster."
}

variable "eks_cluster_service_role_arn" {
type = string
description = "The ARN of an externally created EKS service role to use, or leave blank to create one"
default = null
}

variable "workers_role_arns" {
type = list(string)
description = "List of Role ARNs of the worker nodes"
Expand Down

0 comments on commit c25940a

Please sign in to comment.