Support assumable_roles for eks-irsa (#3)

Author: posquit0

VERSION

@@ -1 +1 @@
-0.14.0
+0.15.0

modules/eks-cluster/README.md

@@ -25,16 +25,16 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.63.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.71.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 3.1.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_role__control_plane"></a> [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | 0.16.1 |
-| <a name="module_role__fargate_profile"></a> [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | 0.16.1 |
-| <a name="module_role__node"></a> [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | 0.16.1 |
+| <a name="module_role__control_plane"></a> [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
+| <a name="module_role__fargate_profile"></a> [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
+| <a name="module_role__node"></a> [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
 | <a name="module_security_group__control_plane"></a> [security\_group\_\_control\_plane](#module\_security\_group\_\_control\_plane) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | <a name="module_security_group__node"></a> [security\_group\_\_node](#module\_security\_group\_\_node) | tedilabs/network/aws//modules/security-group | 0.24.0 |
 | <a name="module_security_group__pod"></a> [security\_group\_\_pod](#module\_security\_group\_\_pod) | tedilabs/network/aws//modules/security-group | 0.24.0 |
@@ -47,6 +47,8 @@ This module creates following resources.
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
 | [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
 | [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
+| [aws_security_group_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [tls_certificate.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 

modules/eks-cluster/iam.tf

@@ -28,7 +28,7 @@ resource "aws_iam_openid_connect_provider" "this" {
 
 module "role__control_plane" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.16.1"
+  version = "0.19.0"
 
   name        = "eks-${local.metadata.name}-control-plane"
   path        = "/"
@@ -57,7 +57,7 @@ module "role__control_plane" {
 
 module "role__node" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.16.1"
+  version = "0.19.0"
 
   name        = "eks-${local.metadata.name}-node"
   path        = "/"
@@ -90,7 +90,7 @@ module "role__node" {
 
 module "role__fargate_profile" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.16.1"
+  version = "0.19.0"
 
   name        = "eks-${local.metadata.name}-fargate-profile"
   path        = "/"

modules/eks-cluster/security-groups.tf

@@ -16,9 +16,9 @@ resource "aws_security_group_rule" "node" {
   type              = "ingress"
   description       = "Allow nodes to communicate to the cluster security group(for fargate pods)."
 
-  protocol    = "-1"
-  from_port   = 0
-  to_port     = 0
+  protocol  = "-1"
+  from_port = 0
+  to_port   = 0
 
   source_security_group_id = module.security_group__node.id
 }
@@ -28,9 +28,9 @@ resource "aws_security_group_rule" "pod" {
   type              = "ingress"
   description       = "Allow pods to communicate to the cluster security group(for fargate pods)."
 
-  protocol    = "-1"
-  from_port   = 0
-  to_port     = 0
+  protocol  = "-1"
+  from_port = 0
+  to_port   = 0
 
   source_security_group_id = module.security_group__pod.id
 }

modules/eks-irsa/README.md

@@ -18,13 +18,13 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.63.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.71.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_this"></a> [this](#module\_this) | tedilabs/account/aws//modules/iam-role | 0.16.1 |
+| <a name="module_this"></a> [this](#module\_this) | tedilabs/account/aws//modules/iam-role | 0.19.0 |
 
 ## Resources
 
@@ -38,6 +38,7 @@ This module creates following resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | Desired name of the IAM role for EKS service accounts. | `string` | n/a | yes |
 | <a name="input_oidc_provider_urls"></a> [oidc\_provider\_urls](#input\_oidc\_provider\_urls) | A list of URLs of OIDC identity providers. | `list(string)` | n/a | yes |
+| <a name="input_assumable_roles"></a> [assumable\_roles](#input\_assumable\_roles) | List of IAM roles ARNs which can be assumed by the role. | `list(string)` | `[]` | no |
 | <a name="input_conditions"></a> [conditions](#input\_conditions) | Required conditions to assume the role. | <pre>list(object({<br>    key       = string<br>    condition = string<br>    values    = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description of the role. | `string` | `""` | no |
 | <a name="input_effective_date"></a> [effective\_date](#input\_effective\_date) | Allow to assume IAM role only after a specific date and time. | `string` | `null` | no |
@@ -66,6 +67,7 @@ This module creates following resources.
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The ARN assigned by AWS for this role. |
+| <a name="output_assumable_roles"></a> [assumable\_roles](#output\_assumable\_roles) | List of ARNs of IAM roles which members of IAM role can assume. |
 | <a name="output_description"></a> [description](#output\_description) | The description of the role. |
 | <a name="output_effective_date"></a> [effective\_date](#output\_effective\_date) | Allow to assume IAM role only after this date and time. |
 | <a name="output_expiration_date"></a> [expiration\_date](#output\_expiration\_date) | Allow to assume IAM role only before this date and time. |

modules/eks-irsa/main.tf

@@ -43,7 +43,7 @@ locals {
 
 module "this" {
   source  = "tedilabs/account/aws//modules/iam-role"
-  version = "0.16.1"
+  version = "0.19.0"
 
   name        = local.metadata.name
   path        = var.path
@@ -69,6 +69,7 @@ module "this" {
   source_ip_whitelist = var.source_ip_whitelist
   source_ip_blacklist = var.source_ip_blacklist
 
+  assumable_roles = var.assumable_roles
   policies        = var.policies
   inline_policies = var.inline_policies
 

modules/eks-irsa/outputs.tf

@@ -48,6 +48,11 @@ output "source_ip_blacklist" {
   value       = var.source_ip_blacklist
 }
 
+output "assumable_roles" {
+  description = "List of ARNs of IAM roles which members of IAM role can assume."
+  value       = var.assumable_roles
+}
+
 output "policies" {
   description = "List of ARNs of IAM policies which are atached to IAM role."
   value       = var.policies

modules/eks-irsa/variables.tf

@@ -118,6 +118,12 @@ variable "source_ip_blacklist" {
   default     = []
 }
 
+variable "assumable_roles" {
+  description = "List of IAM roles ARNs which can be assumed by the role."
+  type        = list(string)
+  default     = []
+}
+
 variable "policies" {
   description = "List of IAM policies ARNs to attach to IAM role."
   type        = list(string)