
Commit 7122f7a

committed
chore: update documentation
1 parent bd1a209 commit 7122f7a


3 files changed

+72
-32
lines changed


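--- a/examples/iam-eks-role/main.tf
+++ b/examples/iam-eks-role/main.tf
@@ -26,12 +26,12 @@ module "iam_eks_role" {
 oidc_providers = {
 one = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 two = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:blue", "canary:blue"]
 }
 }
@@ -52,7 +52,7 @@ module "cluster_autoscaler_irsa_role" {
 oidc_providers = {
 ex = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 }
@@ -70,7 +70,7 @@ module "external_dns_irsa_role" {
 oidc_providers = {
 ex = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 }
@@ -87,7 +87,7 @@ module "ebs_csi_irsa_role" {
 oidc_providers = {
 ex = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 }
@@ -105,7 +105,7 @@ module "vpc_cni_ipv4_irsa_role" {
 oidc_providers = {
 ex = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 }
@@ -123,7 +123,7 @@ module "vpc_cni_ipv6_irsa_role" {
 oidc_providers = {
 ex = {
 provider = module.eks.oidc_provider
-provider_arns = [module.eks.oidc_provider_arn]
+provider_arn = module.eks.oidc_provider_arn
 service_accounts = ["default:my-app", "canary:my-app"]
 }
 }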

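--- a/modules/iam-eks-role/README.md
+++ b/modules/iam-eks-role/README.md
@@ -1,27 +1,32 @@
 # iam-eks-role
 
-Creates single IAM role which can be assumed by one or more EKS `ServiceAccount` and optionally also OpenID Connect Federated Users.
+Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s.
 
-This module is for use with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
-This module supports multiple `ServiceAccount` in multiple clusters and/or namespaces. This allows for a single IAM role to be used when an application may span multiple clusters (e.g. for DR) or multiple namespaces (e.g. for canary deployments). The variables `cluster_service_accounts` and `provider_url_sa_pairs` are used for this as follows:
+This module supports multiple `ServiceAccount` in multiple clusters and/or namespaces. This allows for a single IAM role to be used when an application may span multiple clusters (e.g. for DR) or multiple namespaces (e.g. for canary deployments):
 
 ```hcl
 module "iam_eks_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
 
-cluster_service_accounts = {
-"<EKS cluster name>" = [
-"<namespace>:<ServiceAccount name>",
-"<namespace>:<another ServiceAccount name>"
-]
-}
-
-provider_url_sa_pairs = {
-"<OIDC provider without protocol prefix>" = [
-"<namespace>:<ServiceAccount name>",
-"<namespace>:<another ServiceAccount name>"
-]
+oidc_providers = {
+one = {
+provider = "<OIDC provider without protocol prefix>"
+provider_arn = "<OIDC provider ARN>"
+service_accounts = [
+"<namespace>:<ServiceAccount name>",
+"<namespace>:<another ServiceAccount name>"
+]
+}
+two = {
+provider = "<OIDC provider without protocol prefix>"
+provider_arn = "<OIDC provider ARN>"
+service_accounts = [
+"<namespace>:<ServiceAccount name>",
+"<namespace>:<another ServiceAccount name>"
+]
+}
 }
 }
 ```
@@ -33,19 +38,54 @@ module "iam_eks_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
 role_name = "my-app"
 
-cluster_service_accounts = {
-"cluster-main-1" = [
-"default:my-app-staging",
-"canary:my-app-staging"
-],
-"cluster-backup-1" = [
-"default:my-app-staging",
-]
+oidc_providers = {
+one = {
+provider = "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
+provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
+service_accounts = ["default:my-app-staging", "canary:my-app-staging"]
+}
+two = {
+provider = "oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G"
+provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G"
+service_accounts = ["default:my-app-staging"]
+}
 }
 }
 ```
 
-Note: the EKS clusters must in the current AWS region and account as they use the default AWS provider.
+This module has been design in conjunction with the [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks) module and easily integrates with it:
+
+```hcl
+module "iam_eks_role" {
+source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
+
+role_name = "my-app"
+
+oidc_providers = {
+one = {
+provider = module.eks.oidc_provider
+provider_arn = module.eks.oidc_provider_arn
+service_accounts = ["default:my-app", "canary:my-app"]
+}
+two = {
+provider = module.eks.oidc_provider
+provider_arn = module.eks.oidc_provider_arn
+service_accounts = ["default:blue", "canary:blue"]
+}
+}
+}
+
+module "eks" {
+source = "terraform-aws-modules/eks/aws"
+version = "~> 18.6"
+
+cluster_name = "my-cluster"
+cluster_version = "1.21"
+
+vpc_id = module.vpc.vpc_id
+subnet_ids = module.vpc.private_subnets
+}
+```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements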

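--- a/modules/iam-eks-role/main.tf
+++ b/modules/iam-eks-role/main.tf
@@ -10,7 +10,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 
 principals {
 type = "Federated"
-identifiers = statement.value.provider_arns
+identifiers = [statement.value.provider_arn]
 }
 
 condition {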
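Review bot: The `identifiers` change narrows each statement's `Federated` principal from the `provider_arns` list to a single wrapped `provider_arn`, which is a change to the module's input contract and to which OIDC providers the role's trust policy admits, not the documentation update the commit title describes; callers still passing `provider_arns` will likely stop working. That deserves a breaking-change entry in the README or changelog, and the `oidc_providers` variable definition (not in this diff) should be checked to match the `provider_arn` shape the README now shows. Since each statement now trusts exactly one provider, it is also worth confirming that the `condition` block opening on the hunk's last line still restricts that provider's `:sub` claim to the entry's `service_accounts`, so the trust is scoped to the listed workloads rather than the whole cluster. The `data "aws_iam_policy_document"` block begins before the hunk and the `condition` block continues after it.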
