aws-eks-self-hosted/iam.tf at main · secoda/aws-eks-self-hosted · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
################################################################################
#  IAMs
################################################################################

### Prerequisites IAM resources

resource "aws_iam_policy" "secoda_instance_policy" {
  name        = "${var.name_identifier}_secoda_instance_policy"
  description = "Secoda Instance Policy"

  policy = jsonencode({
    Statement = [
      {
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:ListBucket"
        ],
        Effect = "Allow",
        Resource = [
          "arn:aws:s3:::${local.bucket_name}/*"
        ],
        Sid = "s3"
      },
      {
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ],
        Effect = "Allow",
        Resource = [
          "*"
        ]
      }
    ],
    Version = "2012-10-17"
  })

  tags = local.tags
}

resource "aws_iam_role" "secoda_instance_profile" {
  name = "${var.name_identifier}_secoda_instance_profile"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
      {
        Effect = "Allow",
        Principal = {
          Federated = module.eks.oidc_provider_arn
        },
        Action = "sts:AssumeRoleWithWebIdentity",
        Condition = {
          StringLike = {
            "${module.eks.oidc_provider}:sub" = ["system:serviceaccount:*:${var.name_identifier}"],
            "${module.eks.oidc_provider}:aud" = "sts.amazonaws.com"
          }
        }
      }
    ]
  })

  managed_policy_arns = [aws_iam_policy.secoda_instance_policy.arn, "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}

###
# ACK Controller permissions

module "aws_controller_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.44.0"

  role_name = "aws-controller-${var.cluster_name}"

  oidc_providers = {
    ex = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["${var.namespace}-adm:aws-controller"]
    }
  }

  role_policy_arns = {
    rds_full_access         = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
    s3_full_access          = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    elasticache_full_access = "arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess"
    opensearch_full_access  = "arn:aws:iam::aws:policy/AmazonOpenSearchServiceFullAccess"
  }

  tags = local.tags
}