From daaa5850d58f79fa321491eaf000f45a5eb1b1af Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:24:40 -0800 Subject: [PATCH 1/6] fix: allow empty kms and ssm arns I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS. When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required. --- .../policies.tf | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 147ae8a5..dc11a7e8 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -539,12 +539,16 @@ data "aws_iam_policy_document" "external_secrets" { resources = ["*"] } - statement { - actions = [ - "ssm:GetParameter", - "ssm:GetParameters", - ] - resources = var.external_secrets_ssm_parameter_arns + dynamic "statement" { + for_each = length(var.external_secrets_ssm_parameter_arns) > 0 ? [1] : [] + content { + actions = [ + "ssm:GetParameter", + "ssm:GetParameters", + ] + + resources = var.external_secrets_ssm_parameter_arns + } } statement { @@ -562,9 +566,12 @@ data "aws_iam_policy_document" "external_secrets" { resources = var.external_secrets_secrets_manager_arns } - statement { - actions = ["kms:Decrypt"] - resources = var.external_secrets_kms_key_arns + dynamic "statement" { + for_each = length(var.external_secrets_kms_key_arns) > 0 ? [1] : [] + content { + actions = ["kms:Decrypt"] + resources = var.external_secrets_kms_key_arns + } } dynamic "statement" { From 48dbbb51f53a011be1cf381a927e1c718ed20078 Mon Sep 17 00:00:00 2001 
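Review bot: The Secrets Manager statement that sits between the two hunks (`resources = var.external_secrets_secrets_manager_arns`, visible as context in the second hunk) is still unconditional, so an empty `external_secrets_secrets_manager_arns` would fail with the same "resource definition is required" error this commit fixes for SSM and KMS; if opting out of Secrets Manager is meant to be supported too, the same `for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []` guard belongs there. The two guards added here look right: an empty list now omits the `ssm:GetParameter`/`ssm:GetParameters` and `kms:Decrypt` statements entirely instead of emitting a statement with no resources, which is the least-privilege outcome. That behaviour deserves a sentence in the descriptions of `external_secrets_ssm_parameter_arns` and `external_secrets_kms_key_arns` (e.g. `An empty list omits the statement, so the role receives no SSM parameter / KMS decrypt access`), since callers relying on the AWS-managed default key otherwise cannot see which permissions they give up. The enclosing `data "aws_iam_policy_document" "external_secrets"` block starts before and ends after both hunks.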
From: Bryce Lowe Date: Mon, 10 Feb 2025 13:36:58 -0800 Subject: [PATCH 2/6] fix: linters --- modules/iam-role-for-service-accounts-eks/policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index dc11a7e8..0691b155 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -546,7 +546,7 @@ data "aws_iam_policy_document" "external_secrets" { "ssm:GetParameter", "ssm:GetParameters", ] - + resources = var.external_secrets_ssm_parameter_arns } } From 5e3a3f8ecdfc8aebac6fb01137e68b38acaec103 Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:39:59 -0800 Subject: [PATCH 3/6] fix: include examples --- .../iam-role-for-service-accounts-eks/main.tf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index a38319a7..303a579a 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -191,6 +191,26 @@ module "external_secrets_irsa_role" { tags = local.tags } +module "external_secrets_without_kms_or_ssm_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "external-secrets" + attach_external_secrets_policy = true + external_secrets_ssm_parameter_arns = [] + external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"] + external_secrets_kms_key_arns = [] + external_secrets_secrets_manager_create_permission = false + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["default:kubernetes-external-secrets"] + } + } + + tags = local.tags +} + module "fsx_lustre_csi_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" 
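Review bot: The new example module sets `role_name = "external-secrets"`, and if the `external_secrets_irsa_role` module directly above it (its body is outside the hunk) uses the same name, both modules would try to create an IAM role of that name in the same account and the apply would fail on the second one. A distinct name such as `role_name = "external-secrets-without-kms-ssm"` keeps the two examples independent. A one-line comment above the block saying that `external_secrets_ssm_parameter_arns = []` and `external_secrets_kms_key_arns = []` are the point of the example — they exercise the new guards and yield a policy with no `ssm:GetParameter*` or `kms:Decrypt` statement — would make its purpose clear to readers of the examples directory.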
From 82eab625d97efd1a90d2ee53eebeeb553fc11c20 Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:51:58 -0800 Subject: [PATCH 4/6] fix: pre-commit --- examples/iam-role-for-service-accounts-eks/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index 224389f0..84b83982 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -45,6 +45,7 @@ Run `terraform destroy` when you don't need these resources. | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.21 | | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [external\_secrets\_without\_kms\_or\_ssm\_irsa\_role](#module\_external\_secrets\_without\_kms\_or\_ssm\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a | From abf7c72df3c27f77c8c8c72b20db99aa1fac12f7 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 14 Apr 2025 13:15:14 -0500 Subject: [PATCH 5/6] chore: Add white space between loop and content --- .pre-commit-config.yaml | 2 +- modules/iam-role-for-service-accounts-eks/policies.tf | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 19691e52..7900442e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.3 + rev: v1.99.0 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 0691b155..39654a80 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -541,6 +541,7 @@ data "aws_iam_policy_document" "external_secrets" { dynamic "statement" { for_each = length(var.external_secrets_ssm_parameter_arns) > 0 ? [1] : [] + content { actions = [ "ssm:GetParameter", @@ -568,6 +569,7 @@ data "aws_iam_policy_document" "external_secrets" { dynamic "statement" { for_each = length(var.external_secrets_kms_key_arns) > 0 ? [1] : [] + content { actions = ["kms:Decrypt"] resources = var.external_secrets_kms_key_arns From 0398bfc62bb199b9813b87d04502912c82dc3a77 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 14 Apr 2025 13:31:47 -0500 Subject: [PATCH 6/6] chore: Fix all whitespaces and remove example --- .../README.md | 1 - .../iam-role-for-service-accounts-eks/main.tf | 20 ------------------- .../policies.tf | 12 +++++++++++ 3 files changed, 12 insertions(+), 21 deletions(-) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index 84b83982..224389f0 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md 
@@ -45,7 +45,6 @@ Run `terraform destroy` when you don't need these resources. | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.21 | | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | -| [external\_secrets\_without\_kms\_or\_ssm\_irsa\_role](#module\_external\_secrets\_without\_kms\_or\_ssm\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a | diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index 303a579a..a38319a7 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -191,26 +191,6 @@ module "external_secrets_irsa_role" { tags = local.tags } -module "external_secrets_without_kms_or_ssm_irsa_role" { - source = "../../modules/iam-role-for-service-accounts-eks" - - role_name = "external-secrets" - attach_external_secrets_policy = true - external_secrets_ssm_parameter_arns = [] - external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"] - external_secrets_kms_key_arns = [] - external_secrets_secrets_manager_create_permission = false - - oidc_providers = { - ex = { - provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["default:kubernetes-external-secrets"] - } - } - - tags = local.tags -} - module "fsx_lustre_csi_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" 
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 39654a80..3ca5fe9c 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -110,6 +110,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" { dynamic "statement" { # TODO - remove *_ids at next breaking change for_each = toset(coalescelist(var.cluster_autoscaler_cluster_ids, var.cluster_autoscaler_cluster_names)) + content { actions = [ "autoscaling:SetDesiredCapacity", @@ -306,6 +307,7 @@ data "aws_iam_policy_document" "ebs_csi" { dynamic "statement" { for_each = length(var.ebs_csi_kms_cmk_ids) > 0 ? [1] : [] + content { actions = [ "kms:CreateGrant", @@ -325,6 +327,7 @@ data "aws_iam_policy_document" "ebs_csi" { dynamic "statement" { for_each = length(var.ebs_csi_kms_cmk_ids) > 0 ? [1] : [] + content { actions = [ "kms:Encrypt", @@ -455,6 +458,7 @@ data "aws_iam_policy_document" "mountpoint_s3_csi" { dynamic "statement" { for_each = length(var.mountpoint_s3_csi_kms_arns) > 0 ? [1] : [] + content { actions = [ "kms:GenerateDataKey", @@ -578,6 +582,7 @@ data "aws_iam_policy_document" "external_secrets" { dynamic "statement" { for_each = var.external_secrets_secrets_manager_create_permission ? [1] : [] + content { actions = [ "secretsmanager:CreateSecret", @@ -590,9 +595,11 @@ data "aws_iam_policy_document" "external_secrets" { dynamic "statement" { for_each = var.external_secrets_secrets_manager_create_permission ? [1] : [] + content { actions = ["secretsmanager:DeleteSecret"] resources = var.external_secrets_secrets_manager_arns + condition { test = "StringEquals" variable = "secretsmanager:ResourceTag/managed-by" @@ -640,6 +647,7 @@ data "aws_iam_policy_document" "fsx_lustre_csi" { statement { actions = ["iam:CreateServiceLinkedRole"] resources = ["*"] + condition { test = "StringLike" variable = "iam:AWSServiceName" 
@@ -1210,6 +1218,7 @@ data "aws_iam_policy_document" "appmesh_controller" { "iam:CreateServiceLinkedRole" ] resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"] + condition { test = "StringLike" variable = "iam:AWSServiceName" @@ -1468,6 +1477,7 @@ data "aws_iam_policy_document" "vpc_cni" { # arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy dynamic "statement" { for_each = var.vpc_cni_enable_ipv4 ? [1] : [] + content { sid = "IPV4" actions = [ @@ -1491,6 +1501,7 @@ data "aws_iam_policy_document" "vpc_cni" { # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy dynamic "statement" { for_each = var.vpc_cni_enable_ipv6 ? [1] : [] + content { sid = "IPV6" actions = [ @@ -1507,6 +1518,7 @@ data "aws_iam_policy_document" "vpc_cni" { # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup dynamic "statement" { for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : [] + content { sid = "CloudWatchLogs" actions = [