Use a single role for every node to avoid aws auth issues (#58)

quortex · Jan 23, 2024 · 4aa59ce · 4aa59ce
1 parent 7da0e36
commit 4aa59ce
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 59 deletions.
diff --git a/aws_auth.tf b/aws_auth.tf
@@ -12,7 +12,7 @@ locals {
   # Formats data to be written to aws-auth configmap.
   aws_auth_configmap_data = {
     mapRoles = replace(yamlencode(concat(
-      [for r in concat(aws_iam_role.quortex_role_worker, aws_iam_role.quortex_role_self_managed_worker) : {
+      [for r in aws_iam_role.quortex_role_worker : {
         rolearn  = r.arn
         username = "system:node:{{EC2PrivateDNSName}}"
         groups = [

diff --git a/iam_eks_worker.tf b/iam_eks_worker.tf
@@ -19,12 +19,8 @@
 # IAM Role to allow the worker nodes to manage or retrieve data from other AWS
 # services. It is used by Kubernetes to allow worker nodes to join the cluster.
 
-locals {
-  handle_quortex_role_worker_iam = var.handle_iam_resources && length(var.node_groups) > 0
-}
-
 resource "aws_iam_role" "quortex_role_worker" {
-  count       = local.handle_quortex_role_worker_iam ? 1 : 0
+  count       = var.handle_iam_resources ? 1 : 0
   name        = var.worker_role_name
   description = "IAM Role to allow the EKS managed worker nodes to manage or retrieve data from other AWS services. It is used by Kubernetes to allow worker nodes to join the cluster."
   tags        = var.tags
@@ -45,55 +41,13 @@ resource "aws_iam_role" "quortex_role_worker" {
 }
 
 resource "aws_iam_role_policy_attachment" "quortex_amazon_eks_worker_node_policy" {
-  count      = local.handle_quortex_role_worker_iam ? 1 : 0
+  count      = var.handle_iam_resources ? 1 : 0
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
   role       = aws_iam_role.quortex_role_worker[0].name
 }
 
 resource "aws_iam_role_policy_attachment" "quortex_amazon_ec2_container_registry_readonly" {
-  count      = local.handle_quortex_role_worker_iam ? 1 : 0
+  count      = var.handle_iam_resources ? 1 : 0
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   role       = aws_iam_role.quortex_role_worker[0].name
 }
-
-# Self managed worker nodes IAM
-#
-# IAM Role to allow the worker nodes to manage or retrieve data from other AWS
-# services. It is used by Kubernetes to allow worker nodes to join the cluster.
-
-locals {
-  handle_quortex_role_self_managed_worker_iam = var.handle_iam_resources && length(var.node_groups_advanced) > 0
-}
-
-resource "aws_iam_role" "quortex_role_self_managed_worker" {
-  count       = local.handle_quortex_role_self_managed_worker_iam ? 1 : 0
-  name        = var.self_managed_worker_role_name
-  description = "IAM Role to allow the self managed worker nodes to manage or retrieve data from other AWS services. It is used by Kubernetes to allow worker nodes to join the cluster."
-  tags        = var.tags
-
-  assume_role_policy = jsonencode(
-    {
-      Version = "2012-10-17",
-      Statement = [
-        {
-          Effect = "Allow",
-          Principal = {
-            Service = "ec2.amazonaws.com"
-          },
-          Action = "sts:AssumeRole"
-        }
-      ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "quortex_self_managed_amazon_eks_worker_node_policy" {
-  count      = local.handle_quortex_role_self_managed_worker_iam ? 1 : 0
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-  role       = aws_iam_role.quortex_role_self_managed_worker[0].name
-}
-
-resource "aws_iam_role_policy_attachment" "quortex_self_managed_amazon_ec2_container_registry_readonly" {
-  count      = local.handle_quortex_role_self_managed_worker_iam ? 1 : 0
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = aws_iam_role.quortex_role_self_managed_worker[0].name
-}
diff --git a/main.tf b/main.tf
@@ -108,7 +108,7 @@ resource "aws_eks_node_group" "quortex" {
   cluster_name    = aws_eks_cluster.quortex.name
   version         = var.kubernetes_worker_nodes_version
   node_group_name = lookup(each.value, "name", "${var.cluster_name}_${each.key}")
-  node_role_arn   = local.handle_quortex_role_worker_iam ? aws_iam_role.quortex_role_worker[0].arn : var.worker_role_arn
+  node_role_arn   = var.handle_iam_resources ? aws_iam_role.quortex_role_worker[0].arn : var.worker_role_arn
   subnet_ids      = lookup(each.value, "subnet_ids", [])
 
   scaling_config {

diff --git a/node_group_advanced.tf b/node_group_advanced.tf
@@ -60,9 +60,9 @@ data "aws_ec2_instance_type_offerings" "available" {
 # Common resources
 
 resource "aws_iam_instance_profile" "quortex" {
-  count = local.handle_quortex_role_self_managed_worker_iam ? 1 : 0
+  count = var.handle_iam_resources ? 1 : 0
   name  = var.instance_profile_name
-  role  = aws_iam_role.quortex_role_self_managed_worker[0].name
+  role  = aws_iam_role.quortex_role_worker[0].name
 }
 
 data "aws_ami" "eks_worker_image" {

diff --git a/variables.tf b/variables.tf
@@ -32,12 +32,6 @@ variable "worker_role_name" {
   default     = "quortex-worker-managed"
 }
 
-variable "self_managed_worker_role_name" {
-  type        = string
-  description = "A name to be used as the AWS resource name for the IAM role used by self managed worker nodes"
-  default     = "quortex-worker-self-managed"
-}
-
 variable "autoscaler_role_name" {
   type        = string
   description = "A name to be used as the AWS resource name for the autoscaler role"