From 9ec52426eed3fc95f74062d59640a85db7d36ff4 Mon Sep 17 00:00:00 2001
From: Vincent Marguerie <24724195+vincentmrg@users.noreply.github.com>
Date: Wed, 10 Apr 2024 17:58:23 +0200
Subject: [PATCH] Add configuration for external-dns IAM (#59)

* Add configuration for external-dns IAM
* Update variables.tf
---------
Co-authored-by: Antonin <9219052+antonincms@users.noreply.github.com>
---
 iam_external_dns.tf | 83 +++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 26 ++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 iam_external_dns.tf

diff --git a/iam_external_dns.tf b/iam_external_dns.tf
new file mode 100644
index 0000000..c72e81c
--- /dev/null
+++ b/iam_external_dns.tf
@@ -0,0 +1,83 @@
+/**
+ * Copyright 2020 Quortex
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+locals {
+  handle_iam_external_dns = var.handle_iam_resources && var.handle_iam_external_dns
+}
+
+resource "aws_iam_role" "external_dns" {
+  count = local.handle_iam_external_dns ? 1 : 0
+  name = var.external_dns_role_name
+  description = "IAM Role required for external-dns."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.cluster_oidc_issuer}"
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${local.cluster_oidc_issuer}:aud" : "sts.amazonaws.com"
+            "${local.cluster_oidc_issuer}:sub" : "system:serviceaccount:${var.external_dns_sa.namespace}:${var.external_dns_sa.name}"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_policy" "external_dns" {
+  count = local.handle_iam_external_dns ? 1 : 0
+  description = "The policy required for external-dns."
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "route53:ChangeResourceRecordSets"
+        ],
+        "Resource" : [
+          "arn:aws:route53:::hostedzone/*"
+        ]
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "route53:ListHostedZones",
+          "route53:ListResourceRecordSets",
+          "route53:ListTagsForResource"
+        ],
+        "Resource" : [
+          "*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "external_dns" {
+  count = local.handle_iam_external_dns ? 1 : 0
+  policy_arn = aws_iam_policy.external_dns[0].arn
+  role = aws_iam_role.external_dns[0].name
+}
diff --git a/variables.tf b/variables.tf
index ec5a003..b29c185 100644
--- a/variables.tf
+++ b/variables.tf
@@ -108,6 +108,26 @@ variable "aws_load_balancer_controller_sa" {
   }
 }
 
+variable "external_dns_role_name" {
+  type = string
+  description = "A name to be used as the AWS resource name for the external-dns role."
+  default = "quortex-external-dns"
+}
+
+variable "external_dns_sa" {
+  description = "Service Account name for external-dns"
+
+  type = object({
+    namespace = string
+    name = string
+  })
+
+  default = {
+    namespace = "kube-system"
+    name = "external-dns"
+  }
+}
+
 variable "kubernetes_version" {
   type = string
   description = "Kubernetes master version."
@@ -217,6 +237,12 @@ variable "handle_iam_aws_load_balancer_controller" {
   default = false
 }
 
+variable "handle_iam_external_dns" {
+  type = bool
+  description = "Whether to handle IAM resources lifecycle for external-dns addon"
+  default = false
+}
+
 variable "master_role_arn" {
   type = string
   description = "The ARN of a role with the necessary permissions for EKS master. (to be used with handle_iam_resources = false)"
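Review bot: The write statement in `aws_iam_policy.external_dns` grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the external-dns role can rewrite records in every hosted zone of the account rather than only the zones this cluster publishes to. A list variable for the zone ARNs, defaulting to the current wildcard so existing callers are unaffected, would let operators scope it, e.g. `"Resource" : var.external_dns_hosted_zone_arns`; external-dns's own `--domain-filter`/`--zone-id-filter` only limit what the controller attempts, not what the credentials permit. The policy also sets no `name` and no `tags = var.tags`, unlike the role above it, so AWS assigns a generated name and the policy stays untagged; `name = var.external_dns_role_name` (or a dedicated variable) plus `tags = var.tags` would make the two resources consistent. The trust policy's `:aud` and `:sub` conditions are the right IRSA restrictions and need no change.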
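Review bot: The description of `external_dns_sa` says "Service Account name for external-dns", but the variable is an object carrying both `namespace` and `name`, and both fields are interpolated into the role's trust-policy `:sub` condition in iam_external_dns.tf, so a value that does not match the deployed service account silently prevents role assumption. Suggest `description = "Namespace and name of the Kubernetes service account used by external-dns; must match the service account the addon runs as, since both are enforced by the IRSA trust policy."`.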
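Review bot: The description of `handle_iam_external_dns` reads as if this flag alone controls the IAM resources, but `local.handle_iam_external_dns` in iam_external_dns.tf only evaluates true when `handle_iam_resources` is also set, so a user enabling just this variable gets no role or policy created and no hint why. Suggest `description = "Whether to handle IAM resources lifecycle for external-dns addon. Only effective when handle_iam_resources is also true."`.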