
Create service account for an existing IAM role

Open nitrocode opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

I'd like to create a service account for an existing IAM role that's managed in a different root Terraform module.

Describe the solution you would like

I'd like to disable IAM role creation and only create the service account resource for an existing IAM role ARN that I pass in.

Describe alternatives you have considered

Recreating IAM roles using the current module

Additional context

N/A

nitrocode avatar Dec 17 '22 16:12 nitrocode

+1

nest000 avatar Jan 03 '23 18:01 nest000

@askulkarni2 this is the ticket you asked me to create a few weeks ago. Please comment when you get a chance. I believe the PR I submitted will resolve this issue.

@nest000 feel free to describe your use case too to help encourage the maintainers to pull in my PR.

nitrocode avatar Jan 03 '23 20:01 nitrocode

My use case may differ a bit. We have a company-wide restriction which doesn't allow us to create an aws_iam_role; instead we use our own provider, which delegates such creations to a specific service using our own resource. What I need is the following (maybe it matches the same request): we can create IRSA roles with our service, so what we need is to disable the IRSA role creation in favor of attaching the ARN of our own role. But in addition to the possibility of passing a given ARN to the IRSA module, it is also necessary to pass it through the addons on the top usage layer, like for the Amazon EKS addons:

this works:

amazon_eks_aws_ebs_csi_driver_config = {
  service_account_role_arn = my_role_arn
}

this does not:

cluster_autoscaler_helm_config = {
  service_account_role_arn = my_role_arn
}

@nitrocode can you add this to your PR for the addons?

nest000 avatar Jan 04 '23 14:01 nest000

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Feb 04 '23 00:02 github-actions[bot]

Unstale

@nest000 sure, I can add this when I get a chance :)

nitrocode avatar Feb 04 '23 01:02 nitrocode

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Mar 07 '23 00:03 github-actions[bot]

Unstale

nitrocode avatar Mar 07 '23 00:03 nitrocode

Thank you, but this is not something that will be added to the addons at this time. If you require this type of pattern for users, you can check out the new teams module here https://github.com/aws-ia/terraform-aws-eks-blueprints-teams

bryantbiggs avatar Mar 17 '23 13:03 bryantbiggs

@bryantbiggs - I don't see how the teams module helps here? In release v4.32.1 it looks like 5 addons support service_account_role_arn from a quick search:

terraform-aws-eks-blueprints $ grep -r 'service_account_role_arn' modules
modules/kubernetes-addons/aws-ebs-csi-driver/main.tf:  create_irsa     = try(var.addon_config.service_account_role_arn == "", true)
modules/kubernetes-addons/aws-ebs-csi-driver/main.tf:  service_account_role_arn = local.create_irsa ? module.irsa_addon[0].irsa_iam_role_arn : try(var.addon_config.service_account_role_arn, null)
modules/kubernetes-addons/aws-coredns/main.tf:  service_account_role_arn = try(var.addon_config.service_account_role_arn, null)
modules/kubernetes-addons/aws-kube-proxy/main.tf:  service_account_role_arn = try(var.addon_config.service_account_role_arn, null)
modules/kubernetes-addons/opentelemetry-operator/main.tf:  service_account_role_arn = try(var.addon_config.service_account_role_arn, null)
modules/kubernetes-addons/aws-vpc-cni/main.tf:  create_irsa     = try(var.addon_config.service_account_role_arn == "", true)
modules/kubernetes-addons/aws-vpc-cni/main.tf:  service_account_role_arn = local.create_irsa ? module.irsa_addon[0].irsa_iam_role_arn : try(var.addon_config.service_account_role_arn, null)

Example usage from here https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/v4.32.1/docs/add-ons/managed-add-ons.md

  enable_amazon_eks_vpc_cni = true # default is false
  amazon_eks_vpc_cni_config = {
    service_account_role_arn = ""
    # ...
  }

I think this issue is requesting wider support for this attribute? Can service_account_role_arn be added in one module as a new attribute and made available for all addons? In an organization I work with, IAM roles can only be created by cluster admins if the IAM role includes 1) an IAM permissions boundary and 2) a specific role name prefix (which is referenced from a Service Control Policy).

atheiman avatar Jun 20 '23 17:06 atheiman

Whoops, maybe that was a typo that was meant to be addons, not teams.

In the new addons module, this pattern is supported. You can disable the IRSA IAM role creation, and you'll need to pass in the annotation to map to the IRSA role created externally https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/c5f51610e469e741eceb1c4cb185d317cbe6ddd2/main.tf#L295-L296

bryantbiggs avatar Jun 20 '23 18:06 bryantbiggs
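When the IAM role is created outside the blueprints module (the situation nest000 and atheiman describe above, and the pattern the maintainer points to in the new addons module), the only thing linking the Kubernetes service account to the role is the eks.amazonaws.com/role-arn annotation; the safety of that link depends entirely on the trust policy of the externally managed role. If that policy's StringEquals condition on the OIDC provider's `sub` claim is missing or wildcarded, any pod in the cluster can assume the role. The script below is an added example, not code from this issue or from the terraform-aws-eks-blueprints project: it checks a role's trust policy (for example the output of `aws iam get-role --query Role.AssumeRolePolicyDocument`) against the service account you intend to annotate, and builds the annotated ServiceAccount manifest. The account ID, OIDC issuer host, role names and sample policies are constructed placeholders, not values from the thread.

```python
"""Checks for the bring-your-own-IRSA-role pattern: verify that an externally
managed role's trust policy is scoped to one cluster OIDC provider and one
Kubernetes service account, then emit the annotated ServiceAccount manifest.
All sample values below are constructed for illustration."""
import json

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expected_subject(namespace, service_account):
    """The `sub` claim the EKS OIDC provider issues for a service account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def check_trust_policy(policy, oidc_provider_arn, oidc_issuer_host, namespace, service_account):
    """Return a list of findings; an empty list means every web-identity Allow
    statement trusts exactly this cluster's OIDC provider and this service account."""
    findings = []
    sub_key = f"{oidc_issuer_host}:sub"
    aud_key = f"{oidc_issuer_host}:aud"
    want_sub = expected_subject(namespace, service_account)
    matched = False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in federated:
            findings.append("statement allows AssumeRoleWithWebIdentity from any federated principal")
            continue
        if oidc_provider_arn not in federated:
            # A role trusting another identity provider is worth a human look.
            findings.append(f"statement trusts a different federated principal: {federated}")
            continue
        matched = True
        cond = stmt.get("Condition") or {}
        equals = cond.get("StringEquals") or {}
        like = cond.get("StringLike") or {}
        subs = _as_list(equals.get(sub_key)) or _as_list(like.get(sub_key))
        if not subs:
            findings.append(f"{sub_key} is not restricted; any pod in the cluster can assume the role")
        elif any("*" in s or "?" in s for s in subs):
            findings.append(f"{sub_key} uses wildcard {subs}; other service accounts can assume the role")
        elif subs != [want_sub]:
            findings.append(f"{sub_key} is {subs}, expected {want_sub!r}")
        if _as_list(equals.get(aud_key)) != ["sts.amazonaws.com"]:
            findings.append(f"{aud_key} is not pinned to sts.amazonaws.com")

    if not matched:
        findings.append(f"no Allow statement trusts OIDC provider {oidc_provider_arn}")
    return findings


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount carrying the annotation the EKS pod identity webhook reads
    to inject web-identity credentials for the given role."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"namespace": namespace, "name": name,
                     "annotations": {IRSA_ANNOTATION: role_arn}},
    }


# Constructed sample values (not from the issue): placeholder account, issuer and role.
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OIDC_PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"
ROLE_ARN = "arn:aws:iam::111122223333:role/org-prefix-cluster-autoscaler"


def _policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": ASSUME_ACTION, "Condition": condition}]}


# Correctly scoped: exact sub and aud under StringEquals.
GOOD_POLICY = _policy({"StringEquals": {
    f"{OIDC_HOST}:sub": "system:serviceaccount:kube-system:cluster-autoscaler",
    f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})
# Common mistake: wildcarded sub lets every SA in the namespace assume the role.
WILDCARD_POLICY = _policy({
    "StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:kube-system:*"},
    "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})
# Worse: no sub condition at all.
UNRESTRICTED_POLICY = _policy({"StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for label, pol in [("good", GOOD_POLICY), ("wildcard", WILDCARD_POLICY),
                       ("unrestricted", UNRESTRICTED_POLICY)]:
        print(label, check_trust_policy(pol, OIDC_PROVIDER_ARN, OIDC_HOST,
                                        "kube-system", "cluster-autoscaler"))
    print(json.dumps(service_account_manifest("kube-system", "cluster-autoscaler", ROLE_ARN), indent=2))
```

Run the check before wiring the ARN into an addon's service_account_role_arn or annotating the service account yourself; the role-creation restrictions described in the thread (permissions boundary, name prefix enforced by SCP) govern who may create the role, but not whether its trust policy is scoped narrowly enough, so that part still has to be verified on the consuming side.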