feat: Added appmesh controller support

yutachaos · yutachaos · commit ca019168f233 · 2022-04-19T11:30:51.000+09:00
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
@@ -11,6 +11,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
 - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
 - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
   - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
+- [Appmesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/config/iam/controller-iam-policy.json)
 - [Managed Service for Prometheus](https://docs.aws.amazon.com/prometheus/latest/userguide/set-up-irsa.html)
 - [Node Termination Handler](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
 - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
@@ -115,6 +116,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_policy.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -129,6 +131,7 @@ No modules.
 | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -144,6 +147,7 @@ No modules.
 | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -166,6 +170,7 @@ No modules.
 | <a name="input_amazon_managed_service_prometheus_workspace_arns"></a> [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_amazon_managed_service_prometheus_policy"></a> [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_appmesh_controller_policy"></a> [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no |
 | <a name="input_attach_cert_manager_policy"></a> [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -894,6 +894,119 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_
   policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn
 }
 
+################################################################################
+# Appmesh Controller
+################################################################################
+# https://github.com/aws/eks-charts/tree/master/stable/appmesh-controller#prerequisites
+# https://raw.githubusercontent.com/aws/aws-app-mesh-controller-for-k8s/master/config/iam/controller-iam-policy.json
+data "aws_iam_policy_document" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  statement {
+    actions = [
+      "appmesh:ListVirtualRouters",
+      "appmesh:ListVirtualServices",
+      "appmesh:ListRoutes",
+      "appmesh:ListGatewayRoutes",
+      "appmesh:ListMeshes",
+      "appmesh:ListVirtualNodes",
+      "appmesh:ListVirtualGateways",
+      "appmesh:DescribeMesh",
+      "appmesh:DescribeVirtualRouter",
+      "appmesh:DescribeRoute",
+      "appmesh:DescribeVirtualNode",
+      "appmesh:DescribeVirtualGateway",
+      "appmesh:DescribeGatewayRoute",
+      "appmesh:DescribeVirtualService",
+      "appmesh:CreateMesh",
+      "appmesh:CreateVirtualRouter",
+      "appmesh:CreateVirtualGateway",
+      "appmesh:CreateVirtualService",
+      "appmesh:CreateGatewayRoute",
+      "appmesh:CreateRoute",
+      "appmesh:CreateVirtualNode",
+      "appmesh:UpdateMesh",
+      "appmesh:UpdateRoute",
+      "appmesh:UpdateVirtualGateway",
+      "appmesh:UpdateVirtualRouter",
+      "appmesh:UpdateGatewayRoute",
+      "appmesh:UpdateVirtualService",
+      "appmesh:UpdateVirtualNode",
+      "appmesh:DeleteMesh",
+      "appmesh:DeleteRoute",
+      "appmesh:DeleteVirtualRouter",
+      "appmesh:DeleteGatewayRoute",
+      "appmesh:DeleteVirtualService",
+      "appmesh:DeleteVirtualNode",
+      "appmesh:DeleteVirtualGateway"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "arn:aws:iam::*:role/aws-service-role/appmesh.amazonaws.com/AWSServiceRoleForAppMesh"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["appmesh.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions = [
+      "acm:ListCertificates",
+      "acm:DescribeCertificate",
+      "acm-pca:DescribeCertificateAuthority",
+      "acm-pca:ListCertificateAuthorities"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "servicediscovery:CreateService",
+      "servicediscovery:DeleteService",
+      "servicediscovery:GetService",
+      "servicediscovery:GetInstance",
+      "servicediscovery:RegisterInstance",
+      "servicediscovery:DeregisterInstance",
+      "servicediscovery:ListInstances",
+      "servicediscovery:ListNamespaces",
+      "servicediscovery:ListServices",
+      "servicediscovery:GetInstancesHealthStatus",
+      "servicediscovery:UpdateInstanceCustomHealthStatus",
+      "servicediscovery:GetOperation",
+      "route53:GetHealthCheck",
+      "route53:CreateHealthCheck",
+      "route53:UpdateHealthCheck",
+      "route53:ChangeResourceRecordSets",
+      "route53:DeleteHealthCheck"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  name_prefix = "AmazonEKS_Appmesh_Controller-"
+  path        = var.role_path
+  description = "Provides permissions to for appmesh controller"
+  policy      = data.aws_iam_policy_document.appmesh_controller[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "appmesh_controller" {
+  count = var.create_role && var.attach_appmesh_controller_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.appmesh_controller[0].arn
+}
+
 ################################################################################
 # Amazon Managed Service for Prometheus Policy
 ################################################################################
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -212,6 +212,13 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
   default     = false
 }
 
+# AWS Appmesh Controller
+variable "attach_appmesh_controller_policy" {
+  description = "Determines whether to attach the Appmesh Controller policy to the role"
+  type        = bool
+  default     = false
+}
+
 # Amazon Managed Service for Prometheus
 variable "attach_amazon_managed_service_prometheus_policy" {
   description = "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role"
