feat: add irsa permissions boundary

lablabs · Jun 27, 2024 · 88b83c5 · 88b83c5
1 parent ddee442
commit 88b83c5
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 30 deletions.
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_addon"></a> [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.4 |
-| <a name="module_addon-irsa"></a> [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.4 |
+| <a name="module_addon-irsa"></a> [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.5 |
 ## Resources
 
 | Name | Type |
@@ -118,16 +118,19 @@ See [Basic example](examples/basic/README.md) for further information.
 | <a name="input_helm_wait"></a> [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
 | <a name="input_helm_wait_for_jobs"></a> [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
 | <a name="input_irsa_additional_policies"></a> [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
-| <a name="input_irsa_assume_role_arns"></a> [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` |
-| <a name="input_irsa_assume_role_enabled"></a> [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`. | `bool` |
-| <a name="input_irsa_permissions_boundary"></a> [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` |
+| <a name="input_irsa_assume_role_arns"></a> [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. | `list(string)` |
+| <a name="input_irsa_assume_role_enabled"></a> [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` |
+| <a name="input_irsa_permissions_boundary"></a> [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `""`. | `string` |
+| <a name="input_irsa_policy"></a> [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`. | `string` |
+| <a name="input_irsa_policy_enabled"></a> [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` |
 | <a name="input_irsa_role_create"></a> [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` |
 | <a name="input_irsa_role_name"></a> [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` |
 | <a name="input_irsa_role_name_prefix"></a> [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` |
 | <a name="input_irsa_tags"></a> [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags. Defaults to `{}`. | `map(string)` |
 | <a name="input_keda_metric_server_irsa_additional_policies"></a> [keda\_metric\_server\_irsa\_additional\_policies](#input\_keda\_metric\_server\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA metrics server. Where key is arbitrary id and value is policy ARN. | `map(string)` |
 | <a name="input_keda_metric_server_irsa_assume_role_arns"></a> [keda\_metric\_server\_irsa\_assume\_role\_arns](#input\_keda\_metric\_server\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`. | `list(string)` |
 | <a name="input_keda_metric_server_irsa_assume_role_enabled"></a> [keda\_metric\_server\_irsa\_assume\_role\_enabled](#input\_keda\_metric\_server\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA metrics server is allowed to assume role defined by `keda_metric_server_irsa_assume_role_arn`. Mutually exclusive with `keda_metric_server_irsa_policy_enabled`. | `bool` |
+| <a name="input_keda_metric_server_irsa_permissions_boundary"></a> [keda\_metric\_server\_irsa\_permissions\_boundary](#input\_keda\_metric\_server\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA metrics server. Defaults to `""`. | `string` |
 | <a name="input_keda_metric_server_irsa_policy"></a> [keda\_metric\_server\_irsa\_policy](#input\_keda\_metric\_server\_irsa\_policy) | Policy to be attached to the default role of the KEDA metrics server. Applied only if `keda_metric_server_irsa_policy_enabled` is `true`. | `string` |
 | <a name="input_keda_metric_server_irsa_policy_enabled"></a> [keda\_metric\_server\_irsa\_policy\_enabled](#input\_keda\_metric\_server\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_metric_server_irsa_policy` for the KEDA metrics server. Mutually exclusive with `keda_metric_server_irsa_assume_role_enabled`. | `bool` |
 | <a name="input_keda_metric_server_irsa_role_create"></a> [keda\_metric\_server\_irsa\_role\_create](#input\_keda\_metric\_server\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA metrics server. | `bool` |
@@ -136,6 +139,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | <a name="input_keda_operator_irsa_additional_policies"></a> [keda\_operator\_irsa\_additional\_policies](#input\_keda\_operator\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA operator. Where key is arbitrary id and value is policy ARN. | `map(string)` |
 | <a name="input_keda_operator_irsa_assume_role_arns"></a> [keda\_operator\_irsa\_assume\_role\_arns](#input\_keda\_operator\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`. | `list(string)` |
 | <a name="input_keda_operator_irsa_assume_role_enabled"></a> [keda\_operator\_irsa\_assume\_role\_enabled](#input\_keda\_operator\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA operator is allowed to assume role defined by `keda_operator_irsa_assume_role_arn`. Mutually exclusive with `keda_operator_irsa_policy_enabled`. | `bool` |
+| <a name="input_keda_operator_irsa_permissions_boundary"></a> [keda\_operator\_irsa\_permissions\_boundary](#input\_keda\_operator\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA operator. Defaults to `""`. | `string` |
 | <a name="input_keda_operator_irsa_policy"></a> [keda\_operator\_irsa\_policy](#input\_keda\_operator\_irsa\_policy) | Policy to be attached to the default role of the KEDA operator. Applied only if `keda_operator_irsa_policy_enabled` is `true`. | `string` |
 | <a name="input_keda_operator_irsa_policy_enabled"></a> [keda\_operator\_irsa\_policy\_enabled](#input\_keda\_operator\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_operator_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_operator_irsa_assume_role_enabled`. | `bool` |
 | <a name="input_keda_operator_irsa_role_create"></a> [keda\_operator\_irsa\_role\_create](#input\_keda\_operator\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA operator. | `bool` |
@@ -144,6 +148,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | <a name="input_keda_webhooks_irsa_additional_policies"></a> [keda\_webhooks\_irsa\_additional\_policies](#input\_keda\_webhooks\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA webhooks. Where key is arbitrary id and value is policy ARN. | `map(string)` |
 | <a name="input_keda_webhooks_irsa_assume_role_arns"></a> [keda\_webhooks\_irsa\_assume\_role\_arns](#input\_keda\_webhooks\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`. | `list(string)` |
 | <a name="input_keda_webhooks_irsa_assume_role_enabled"></a> [keda\_webhooks\_irsa\_assume\_role\_enabled](#input\_keda\_webhooks\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA webhooks is allowed to assume role defined by `keda_webhooks_irsa_assume_role_arn`. Mutually exclusive with `keda_webhooks_irsa_policy_enabled`. | `bool` |
+| <a name="input_keda_webhooks_irsa_permissions_boundary"></a> [keda\_webhooks\_irsa\_permissions\_boundary](#input\_keda\_webhooks\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA webhooks. Defaults to `""`. | `string` |
 | <a name="input_keda_webhooks_irsa_policy"></a> [keda\_webhooks\_irsa\_policy](#input\_keda\_webhooks\_irsa\_policy) | Policy to be attached to the default role of the KEDA webhooks. Applied only if `keda_webhooks_irsa_policy_enabled` is `true`. | `string` |
 | <a name="input_keda_webhooks_irsa_policy_enabled"></a> [keda\_webhooks\_irsa\_policy\_enabled](#input\_keda\_webhooks\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_webhooks_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_webhooks_irsa_assume_role_enabled`. | `bool` |
 | <a name="input_keda_webhooks_irsa_role_create"></a> [keda\_webhooks\_irsa\_role\_create](#input\_keda\_webhooks\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA webhooks. | `bool` |
@@ -161,6 +166,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | Name | Description |
 |------|-------------|
 | <a name="output_addon"></a> [addon](#output\_addon) | The addon module outputs |
+| <a name="output_addon_irsa"></a> [addon\_irsa](#output\_addon\_irsa) | The addon IRSA module outputs |
 ## Contributing and reporting issues
 
 Feel free to create an issue in this repository if you have questions, suggestions or feature requests.

diff --git a/addon-irsa.tf b/addon-irsa.tf
@@ -2,7 +2,7 @@
 module "addon-irsa" {
   for_each = local.addon_irsa
 
-  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.4"
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.5"
 
   enabled = var.enabled
 
@@ -18,11 +18,17 @@ module "addon-irsa" {
   irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : try(each.value.irsa_role_name_prefix, "${each.key}-irsa")
   irsa_role_name        = var.irsa_role_name != null ? var.irsa_role_name : try(each.value.irsa_role_name, local.addon_helm_chart_name)
 
-  irsa_assume_role_arns    = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, "")
-  irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
-
-  irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, null)
+  irsa_policy_enabled       = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false)
+  irsa_policy               = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "")
+  irsa_assume_role_enabled  = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
+  irsa_assume_role_arns     = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, [])
+  irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, "")
   irsa_additional_policies  = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
 
   irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
 }
+
+output "addon_irsa" {
+  description = "The addon IRSA module outputs"
+  value       = module.addon-irsa
+}
diff --git a/main.tf b/main.tf
@@ -20,34 +20,37 @@ locals {
       service_account_create = var.keda_operator_service_account_create
       service_account_name   = var.keda_operator_service_account_name
 
-      irsa_role_create         = var.keda_operator_irsa_role_create
-      irsa_policy_enabled      = var.keda_operator_irsa_policy_enabled
-      irsa_policy              = var.keda_operator_irsa_policy
-      irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled
-      irsa_assume_role_arns    = var.keda_operator_irsa_assume_role_arns
-      irsa_additional_policies = var.keda_operator_irsa_additional_policies
+      irsa_role_create          = var.keda_operator_irsa_role_create
+      irsa_policy_enabled       = var.keda_operator_irsa_policy_enabled
+      irsa_policy               = var.keda_operator_irsa_policy
+      irsa_assume_role_enabled  = var.keda_operator_irsa_assume_role_enabled
+      irsa_assume_role_arns     = var.keda_operator_irsa_assume_role_arns
+      irsa_permissions_boundary = var.keda_operator_irsa_permissions_boundary
+      irsa_additional_policies  = var.keda_operator_irsa_additional_policies
     }
     metricServer = {
       service_account_create = var.keda_metric_server_service_account_create
       service_account_name   = var.keda_metric_server_service_account_name
 
-      irsa_role_create         = var.keda_metric_server_irsa_role_create
-      irsa_policy_enabled      = var.keda_metric_server_irsa_policy_enabled
-      irsa_policy              = var.keda_metric_server_irsa_policy
-      irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled
-      irsa_assume_role_arns    = var.keda_metric_server_irsa_assume_role_arns
-      irsa_additional_policies = var.keda_metric_server_irsa_additional_policies
+      irsa_role_create          = var.keda_metric_server_irsa_role_create
+      irsa_policy_enabled       = var.keda_metric_server_irsa_policy_enabled
+      irsa_policy               = var.keda_metric_server_irsa_policy
+      irsa_assume_role_enabled  = var.keda_metric_server_irsa_assume_role_enabled
+      irsa_assume_role_arns     = var.keda_metric_server_irsa_assume_role_arns
+      irsa_permissions_boundary = var.keda_metric_server_irsa_permissions_boundary
+      irsa_additional_policies  = var.keda_metric_server_irsa_additional_policies
     }
     webhooks = {
       service_account_create = var.keda_webhooks_service_account_create
       service_account_name   = var.keda_webhooks_service_account_name
 
-      irsa_role_create         = var.keda_webhooks_irsa_role_create
-      irsa_policy_enabled      = var.keda_webhooks_irsa_policy_enabled
-      irsa_policy              = var.keda_webhooks_irsa_policy
-      irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled
-      irsa_assume_role_arns    = var.keda_webhooks_irsa_assume_role_arns
-      irsa_additional_policies = var.keda_webhooks_irsa_additional_policies
+      irsa_role_create          = var.keda_webhooks_irsa_role_create
+      irsa_policy_enabled       = var.keda_webhooks_irsa_policy_enabled
+      irsa_policy               = var.keda_webhooks_irsa_policy
+      irsa_assume_role_enabled  = var.keda_webhooks_irsa_assume_role_enabled
+      irsa_assume_role_arns     = var.keda_webhooks_irsa_assume_role_arns
+      irsa_permissions_boundary = var.keda_webhooks_irsa_permissions_boundary
+      irsa_additional_policies  = var.keda_webhooks_irsa_additional_policies
     }
   }
 

diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf
@@ -56,22 +56,34 @@ variable "irsa_role_name" {
   description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
 }
 
+variable "irsa_policy_enabled" {
+  type        = bool
+  default     = null
+  description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
+}
+
+variable "irsa_policy" {
+  type        = string
+  default     = null
+  description = "Policy to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`."
+}
+
 variable "irsa_assume_role_enabled" {
   type        = bool
   default     = null
-  description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`."
+  description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
 }
 
 variable "irsa_assume_role_arns" {
   type        = list(string)
   default     = null
-  description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
+  description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`."
 }
 
 variable "irsa_permissions_boundary" {
   type        = string
   default     = null
-  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`."
+  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `\"\"`."
 }
 
 variable "irsa_additional_policies" {

diff --git a/variables.tf b/variables.tf
@@ -47,6 +47,12 @@ variable "keda_operator_irsa_assume_role_arns" {
   description = "Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`."
 }
 
+variable "keda_operator_irsa_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA operator. Defaults to `\"\"`."
+}
+
 variable "keda_operator_irsa_additional_policies" {
   type        = map(string)
   default     = {}
@@ -95,6 +101,12 @@ variable "keda_metric_server_irsa_assume_role_arns" {
   description = "Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`."
 }
 
+variable "keda_metric_server_irsa_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA metrics server. Defaults to `\"\"`."
+}
+
 variable "keda_metric_server_irsa_additional_policies" {
   type        = map(string)
   default     = {}
@@ -143,6 +155,12 @@ variable "keda_webhooks_irsa_assume_role_arns" {
   description = "Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`."
 }
 
+variable "keda_webhooks_irsa_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA webhooks. Defaults to `\"\"`."
+}
+
 variable "keda_webhooks_irsa_additional_policies" {
   type        = map(string)
   default     = {}