refactor: update to have users pass in details instead of deriving, this solves dependency issue

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.62.3
+    rev: v1.64.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

examples/iam-eks-role/README.md

@@ -1,6 +1,6 @@
 # IAM EKS role
 
-Configuration in this directory creates an IAM role that can be assumed by multiple EKS `ServiceAccount`.
+Configuration in this directory creates IAM roles that can be assumed by multiple EKS `ServiceAccount`s for various tasks.
 
 # Usage
 
@@ -9,7 +9,6 @@ To run this example you need to execute:
 ```bash
 $ terraform init
 $ terraform plan
-$ terraform apply -target module.vpc -target module.eks
 $ terraform apply
 ```
 
@@ -33,10 +32,12 @@ No providers.
 |------|--------|---------|
 | <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-eks-role | n/a |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-eks-role | n/a |
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.0 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
 | <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-eks-role | n/a |
 | <a name="module_iam_eks_role"></a> [iam\_eks\_role](#module\_iam\_eks\_role) | ../../modules/iam-eks-role | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-eks-role | n/a |
+| <a name="module_vpc_cni_ipv6_irsa_role"></a> [vpc\_cni\_ipv6\_irsa\_role](#module\_vpc\_cni\_ipv6\_irsa\_role) | ../../modules/iam-eks-role | n/a |
 
 ## Resources
 

examples/iam-eks-role/main.tf

@@ -23,16 +23,17 @@ module "iam_eks_role" {
 
   role_name = local.name
 
-  cluster_service_accounts = {
-    (module.eks.cluster_id) = ["default:my-app", "canary:my-app"]
-  }
-
-  provider_url_sa_pairs = {
-    "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D" = ["default:my-app2"]
-    "oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G" = [
-      "default:my-app2",
-      "canary:my-app2",
-    ]
+  oidc_providers = {
+    one = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
+    two = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:blue", "canary:blue"]
+    }
   }
 
   role_policy_arns = [
@@ -48,8 +49,12 @@ module "cluster_autoscaler_irsa_role" {
   role_name                        = "cluster-autoscaler"
   attach_cluster_autoscaler_policy = true
 
-  cluster_service_accounts = {
-    (module.eks.cluster_id) = ["default:my-app", "canary:my-app"]
+  oidc_providers = {
+    ex = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
   }
 
   tags = local.tags
@@ -62,8 +67,12 @@ module "external_dns_irsa_role" {
   attach_external_dns_policy = true
   external_dns_hosted_zones  = ["IClearlyMadeThisUp"]
 
-  cluster_service_accounts = {
-    (module.eks.cluster_id) = ["default:my-app", "canary:my-app"]
+  oidc_providers = {
+    ex = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
   }
 
   tags = local.tags
@@ -75,8 +84,48 @@ module "ebs_csi_irsa_role" {
   role_name             = "ebs_csi"
   attach_ebs_csi_policy = true
 
-  cluster_service_accounts = {
-    (module.eks.cluster_id) = ["default:my-app", "canary:my-app"]
+  oidc_providers = {
+    ex = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "vpc_cni_ipv4_irsa_role" {
+  source = "../../modules/iam-eks-role"
+
+  role_name             = "vpc_cni_ipv4"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
+
+  oidc_providers = {
+    ex = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "vpc_cni_ipv6_irsa_role" {
+  source = "../../modules/iam-eks-role"
+
+  role_name             = "vpc_cni_ipv6"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv6   = true
+
+  oidc_providers = {
+    ex = {
+      provider         = module.eks.oidc_provider
+      provider_arns    = [module.eks.oidc_provider_arn]
+      service_accounts = ["default:my-app", "canary:my-app"]
+    }
   }
 
   tags = local.tags
@@ -120,7 +169,7 @@ module "vpc" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 18.0"
+  version = "~> 18.6"
 
   cluster_name    = local.name
   cluster_version = local.cluster_version

modules/iam-eks-role/README.md

@@ -72,40 +72,43 @@ No modules.
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_eks_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_policy_document.assume_role_with_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
-| <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
-| <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
-| <a name="input_cluster_service_accounts"></a> [cluster\_service\_accounts](#input\_cluster\_service\_accounts) | EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details | `map(list(string))` | `{}` | no |
+| <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_vpc_cni_policy"></a> [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_external_dns_hosted_zones"></a> [external\_dns\_hosted\_zones](#input\_external\_dns\_hosted\_zones) | Route53 hosted zone IDs to allow external DNS to manage records | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
-| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
-| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `43200` | no |
-| <a name="input_provider_url_sa_pairs"></a> [provider\_url\_sa\_pairs](#input\_provider\_url\_sa\_pairs) | OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used | `map(list(string))` | `{}` | no |
-| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
+| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provdier map should contain the `provider`, `provider_arns`, and `service_accounts` | `any` | `{}` | no |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name of IAM role | `string` | `null` | no |
 | <a name="input_role_name_prefix"></a> [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
-| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
-| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
+| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `null` | no |
+| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
 | <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
+| <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
+| <a name="input_vpc_cni_enable_ipv6"></a> [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
 
 ## Outputs
 

modules/iam-eks-role/main.tf

@@ -1,56 +1,22 @@
-data "aws_caller_identity" "current" {}
-
-data "aws_partition" "current" {}
-
-data "aws_eks_cluster" "main" {
-  for_each = var.cluster_service_accounts
-
-  name = each.key
-}
-
 data "aws_iam_policy_document" "assume_role_with_oidc" {
-  dynamic "statement" {
-    for_each = var.cluster_service_accounts
-
-    content {
-      effect  = "Allow"
-      actions = ["sts:AssumeRoleWithWebIdentity"]
-
-      principals {
-        type = "Federated"
-
-        identifiers = [
-          "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}"
-        ]
-      }
-
-      condition {
-        test     = "StringEquals"
-        variable = "${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}:sub"
-        values   = [for s in statement.value : "system:serviceaccount:${s}"]
-      }
-    }
-  }
+  count = var.create_role ? 1 : 0
 
   dynamic "statement" {
-    for_each = var.provider_url_sa_pairs
+    for_each = var.oidc_providers
 
     content {
       effect  = "Allow"
       actions = ["sts:AssumeRoleWithWebIdentity"]
 
       principals {
-        type = "Federated"
-
-        identifiers = [
-          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${statement.key}"
-        ]
+        type        = "Federated"
+        identifiers = statement.value.provider_arns
       }
 
       condition {
         test     = "StringEquals"
-        variable = "${statement.key}:sub"
-        values   = [for s in statement.value : "system:serviceaccount:${s}"]
+        variable = "${statement.value.provider}:sub"
+        values   = [for sa in statement.value.service_accounts : "system:serviceaccount:${sa}"]
       }
     }
   }
@@ -59,15 +25,17 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 resource "aws_iam_role" "this" {
   count = var.create_role ? 1 : 0
 
-  assume_role_policy    = data.aws_iam_policy_document.assume_role_with_oidc.json
-  description           = var.role_description
-  force_detach_policies = var.force_detach_policies
+  name        = var.role_name
+  name_prefix = var.role_name_prefix
+  path        = var.role_path
+  description = var.role_description
+
+  assume_role_policy    = data.aws_iam_policy_document.assume_role_with_oidc[0].json
   max_session_duration  = var.max_session_duration
-  name                  = var.role_name
-  name_prefix           = var.role_name_prefix
-  path                  = var.role_path
   permissions_boundary  = var.role_permissions_boundary_arn
-  tags                  = var.tags
+  force_detach_policies = var.force_detach_policies
+
+  tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {