
feat: Add new IAM module iam-eks-role #179

Merged
merged 10 commits into from
Jan 14, 2022

Conversation

max-rocket-internet
Contributor

Description

Adding a new, user-friendly module that is specifically for AWS EKS users.

Motivation and Context

Currently EKS users would use the module iam-assumable-role-with-oidc but the way it is structured/implemented is quite confusing:

  1. You have to deal with or know your cluster OIDC URL
  2. Can't create a role that is assumable by multiple ServiceAccounts across multiple clusters, as provider_urls and oidc_fully_qualified_subjects are separate.
  3. Most EKS users don't know what oidc_fully_qualified_subjects are and shouldn't need to.
  4. It still needs to be wrapped in another module or requires a data resource to get the OIDC URL of each cluster

This module solves these in a nice clean way for EKS users by using a data resource inside the module and having a one-to-many relationship from provider_url to oidc_fully_qualified_subjects but implemented simply as EKS cluster name to ServiceAccount, like this:

module "iam_eks_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
  role_name = "my-app"

  # one-to-many: EKS cluster name -> list of "namespace:serviceaccount"
  cluster_service_accounts = {
    "cluster-main-1" = [
      "default:my-app-staging",
      "canary:my-app-staging"
    ]
    "cluster-backup-1" = [
      "default:my-app-staging",
    ]
  }
}

Breaking Changes

It's a new module so no breaking changes.

How Has This Been Tested?

  • I have tested and validated these changes using one or more of the provided examples/* projects.
  • I have also tested this in our environment
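The mapping described above (cluster name to ServiceAccount, expanded underneath into one OIDC provider per cluster and one trusted subject per ServiceAccount) can be traced by building the trust policy such a role ends up with. The following Python is an added illustration, not code from this PR or the terraform-aws-modules project; the OIDC issuer URLs and account ID are constructed placeholders standing in for what the module's aws_eks_cluster data lookup returns, and the `aud` condition is included as the usual IRSA hardening, which is an assumption about the module rather than something the PR states.

```python
import json

# Constructed sample: cluster name -> OIDC issuer URL. In the module this comes
# from a data resource per cluster; here the issuer IDs are placeholders.
CLUSTER_OIDC_ISSUERS = {
    "cluster-main-1": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEMAIN1",
    "cluster-backup-1": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEBACKUP1",
}

ACCOUNT_ID = "111122223333"  # placeholder account ID

# Same shape as the module input in the PR description.
CLUSTER_SERVICE_ACCOUNTS = {
    "cluster-main-1": ["default:my-app-staging", "canary:my-app-staging"],
    "cluster-backup-1": ["default:my-app-staging"],
}


def issuer_host(issuer_url: str) -> str:
    """IAM condition keys and provider ARNs use the issuer without the scheme."""
    return issuer_url.split("://", 1)[-1]


def service_account_subject(entry: str) -> str:
    """Turn 'namespace:name' into the 'sub' claim EKS puts in the pod's token."""
    namespace, _, name = entry.partition(":")
    if not namespace or not name:
        raise ValueError(f"expected 'namespace:name', got {entry!r}")
    return f"system:serviceaccount:{namespace}:{name}"


def build_trust_policy(cluster_service_accounts, cluster_issuers, account_id):
    """One Allow statement per cluster; its provider is trusted only for the
    listed subjects, and only when the token audience is STS."""
    statements = []
    for cluster, accounts in cluster_service_accounts.items():
        host = issuer_host(cluster_issuers[cluster])
        subjects = [service_account_subject(a) for a in accounts]
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{host}:sub": subjects if len(subjects) > 1 else subjects[0],
                    f"{host}:aud": "sts.amazonaws.com",
                }
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def trusted_subjects(policy):
    """Flatten every (issuer, sub) pair the policy admits. Useful in review to
    confirm each cluster trusts only its own ServiceAccounts and nothing broader."""
    pairs = set()
    for statement in policy["Statement"]:
        for key, value in statement["Condition"]["StringEquals"].items():
            if key.endswith(":sub"):
                subs = [value] if isinstance(value, str) else value
                pairs.update((key[: -len(":sub")], sub) for sub in subs)
    return pairs


if __name__ == "__main__":
    policy = build_trust_policy(CLUSTER_SERVICE_ACCOUNTS, CLUSTER_OIDC_ISSUERS, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    for issuer, sub in sorted(trusted_subjects(policy)):
        print(f"{issuer} -> {sub}")
```

Running it prints two statements, one per cluster, with the cluster-main-1 statement carrying both subjects in a list; `trusted_subjects` is the check worth running on the rendered policy of any IRSA role, since it makes the full set of identities that can assume the role visible at a glance.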


@antonbabenko antonbabenko left a comment


Looks pretty good to me. Minor comments.

examples/iam-eks-role/main.tf (outdated, resolved)

module "iam_eks_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
  version = "~> 4"
}

And remove version

Other review threads (all resolved):

  • examples/iam-eks-role/main.tf (outdated)
  • modules/iam-eks-role/README.md
  • modules/iam-eks-role/data.tf (outdated, two threads)
  • modules/iam-eks-role/main.tf (outdated, three threads)
  • README.md
@max-rocket-internet (Contributor, Author)

Thanks for the review @antonbabenko! I think I've addressed everything 🙏

@antonbabenko antonbabenko merged commit 61cf542 into terraform-aws-modules:master Jan 14, 2022
antonbabenko pushed a commit that referenced this pull request Jan 14, 2022
## [4.9.0](v4.8.0...v4.9.0) (2022-01-14)

### Features

* Add new IAM module iam-eks-role ([#179](#179)) ([61cf542](61cf542))
@antonbabenko (Member)

This PR is included in version 4.9.0 🎉

@github-actions

github-actions bot commented Nov 9, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022