terraform-aws-modules · bryantbiggs · Feb 1, 2022 · Feb 1, 2022
diff --git a/examples/irsa/README.md b/examples/irsa/README.md
@@ -0,0 +1,62 @@
+# IRSA example
+
+Configuration in this directory creates an an IAM role, Kubernetes namespace, and Kubernetes service account to provide an [IAM role for service account](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_disabled_irsa"></a> [disabled\_irsa](#module\_disabled\_irsa) | ../../modules/irsa | n/a |
+| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
+| <a name="module_irsa"></a> [irsa](#module\_irsa) | ../../modules/irsa | n/a |
+| <a name="module_irsa_simple"></a> [irsa\_simple](#module\_irsa\_simple) | ../../modules/irsa | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | The full map of attributes for the namespace created |
+| <a name="output_service_account"></a> [service\_account](#output\_service\_account) | The full map of attributes for the service account created |
+| <a name="output_service_account_name"></a> [service\_account\_name](#output\_service\_account\_name) | The full map of attributes for the service account created |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf
@@ -0,0 +1,154 @@
+provider "aws" {
+  region = local.region
+}
+
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}
+
+locals {
+  name            = "ex-${replace(basename(path.cwd), "_", "-")}"
+  cluster_version = "1.21"
+  region          = "eu-west-1"
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-eks"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = module.eks.cluster_id
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "disabled_irsa" {
+  source = "../../modules/irsa"
+
+  create = false
+}
+
+module "irsa_simple" {
+  source = "../../modules/irsa"
+
+  name         = "${local.name}-simple"
+  cluster_name = module.eks.cluster_id
+
+  tags = local.tags
+}
+
+module "irsa" {
+  source = "../../modules/irsa"
+
+  cluster_name = module.eks.cluster_id
+  annotations = {
+    global = "annotation"
+  }
+  labels = {
+    global = "label"
+  }
+
+  # IAM Role
+  iam_role_name        = local.name
+  iam_role_description = "Example IRSA role"
+
+  iam_role_additional_policies  = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
+  iam_role_max_session_duration = 7200
+
+  # Namespace
+  namespace_name = "${local.name}-ns"
+  namespace_annotations = {
+    namespace = true
+  }
+  namespace_labels = {
+    namespace = true
+  }
+  namespace_timeouts = {
+    delete = "10m"
+  }
+
+  # Service Account
+  service_account_name            = "${local.name}-sa"
+  automount_service_account_token = false
+  service_account_annotations = {
+    service_account = true
+  }
+  service_account_labels = {
+    service_account = true
+  }
+  image_pull_secrets = [
+    "one",
+    "two",
+  ]
+  secrets = [
+    "three",
+    "four",
+  ]
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 3.0"
+
+  name = local.name
+  cidr = "10.0.0.0/16"
+
+  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_iam_role  = true
+  create_flow_log_cloudwatch_log_group = true
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${local.name}" = "shared"
+    "kubernetes.io/role/elb"              = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${local.name}" = "shared"
+    "kubernetes.io/role/internal-elb"     = 1
+  }
+
+  tags = local.tags
+}
+
+module "eks" {
+  source = "../.."
+
+  cluster_name                    = local.name
+  cluster_version                 = local.cluster_version
+  cluster_endpoint_private_access = true
+  cluster_endpoint_public_access  = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  enable_irsa = true
+
+  eks_managed_node_groups = {
+    default_node_group = {
+      create_launch_template = false
+      launch_template_name   = ""
+    }
+  }
+
+  tags = local.tags
+}
diff --git a/examples/irsa/outputs.tf b/examples/irsa/outputs.tf
@@ -0,0 +1,41 @@
+################################################################################
+# Kubernetes Namespace
+################################################################################
+
+output "namespace" {
+  description = "The full map of attributes for the namespace created"
+  value       = module.irsa.namespace
+}
+
+################################################################################
+# Kubernetes Service Account
+################################################################################
+
+output "service_account" {
+  description = "The full map of attributes for the service account created"
+  value       = module.irsa.service_account
+}
+
+output "service_account_name" {
+  description = "The full map of attributes for the service account created"
+  value       = module.irsa.service_account_name
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.irsa.iam_role_name
+}
+
+output "iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.irsa.iam_role_arn
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.irsa.iam_role_unique_id
+}
diff --git a/examples/irsa/variables.tf b/examples/irsa/variables.tf
diff --git a/examples/irsa/versions.tf b/examples/irsa/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.72"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0"
+    }
+  }
+}
diff --git a/examples/irsa_autoscale_refresh/README.md b/examples/irsa_autoscale_refresh/README.md
@@ -26,6 +26,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
 
 ## Providers
@@ -40,10 +41,10 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_node_termination_handler_role"></a> [aws\_node\_termination\_handler\_role](#module\_aws\_node\_termination\_handler\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.0 |
+| <a name="module_aws_node_termination_handler_role"></a> [aws\_node\_termination\_handler\_role](#module\_aws\_node\_termination\_handler\_role) | ../../modules/irsa | n/a |
 | <a name="module_aws_node_termination_handler_sqs"></a> [aws\_node\_termination\_handler\_sqs](#module\_aws\_node\_termination\_handler\_sqs) | terraform-aws-modules/sqs/aws | ~> 3.0 |
 | <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
-| <a name="module_iam_assumable_role_cluster_autoscaler"></a> [iam\_assumable\_role\_cluster\_autoscaler](#module\_iam\_assumable\_role\_cluster\_autoscaler) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.0 |
+| <a name="module_iam_assumable_role_cluster_autoscaler"></a> [iam\_assumable\_role\_cluster\_autoscaler](#module\_iam\_assumable\_role\_cluster\_autoscaler) | ../../modules/irsa | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources

diff --git a/examples/irsa_autoscale_refresh/charts.tf b/examples/irsa_autoscale_refresh/charts.tf
@@ -1,3 +1,9 @@
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}
+
 provider "helm" {
   kubernetes {
     host                   = module.eks.cluster_endpoint
@@ -25,9 +31,14 @@ resource "helm_release" "cluster_autoscaler" {
     value = local.region
   }
 
+  set {
+    name  = "rbac.serviceAccount.create"
+    value = "false"
+  }
+
   set {
     name  = "rbac.serviceAccount.name"
-    value = "cluster-autoscaler-aws"
+    value = module.iam_assumable_role_cluster_autoscaler.service_account_name
   }
 
   set {
@@ -58,17 +69,17 @@ resource "helm_release" "cluster_autoscaler" {
 }
 
 module "iam_assumable_role_cluster_autoscaler" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "~> 4.0"
+  source = "../../modules/irsa"
+
+  name         = "cluster-autoscaler"
+  cluster_name = module.eks.cluster_id
 
-  create_role      = true
-  role_name_prefix = "cluster-autoscaler"
-  role_description = "IRSA role for cluster autoscaler"
+  iam_role_description         = "IRSA role for cluster autoscaler"
+  iam_role_additional_policies = [aws_iam_policy.cluster_autoscaler.arn]
 
-  provider_url                   = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
-  role_policy_arns               = [aws_iam_policy.cluster_autoscaler.arn]
-  oidc_fully_qualified_subjects  = ["system:serviceaccount:kube-system:cluster-autoscaler-aws"]
-  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
+  # System namespace
+  create_namespace = false
+  namespace_name   = "kube-system"
 
   tags = local.tags
 }
@@ -136,8 +147,13 @@ resource "helm_release" "aws_node_termination_handler" {
   }
 
   set {
-    name  = "serviceAccount.name"
-    value = "aws-node-termination-handler"
+    name  = "rbac.serviceAccount.create"
+    value = "false"
+  }
+
+  set {
+    name  = "rbac.serviceAccount.name"
+    value = module.aws_node_termination_handler_role.service_account_name
   }
 
   set {
@@ -173,17 +189,17 @@ resource "helm_release" "aws_node_termination_handler" {
 }
 
 module "aws_node_termination_handler_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "~> 4.0"
+  source = "../../modules/irsa"
+
+  name         = "node-termination-handler"
+  cluster_name = module.eks.cluster_id
 
-  create_role      = true
-  role_name_prefix = "node-termination-handler"
-  role_description = "IRSA role for node termination handler"
+  iam_role_description         = "IRSA role for node termination handler"
+  iam_role_additional_policies = [aws_iam_policy.aws_node_termination_handler.arn]
 
-  provider_url                   = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
-  role_policy_arns               = [aws_iam_policy.aws_node_termination_handler.arn]
-  oidc_fully_qualified_subjects  = ["system:serviceaccount:kube-system:aws-node-termination-handler"]
-  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
+  # System namespace
+  create_namespace = false
+  namespace_name   = "kube-system"
 
   tags = local.tags
 }