terraform-aws-eks-blueprints-addons icon indicating copy to clipboard operation
terraform-aws-eks-blueprints-addons copied to clipboard

Published 20 hours ago verified publisher icon aws-ia

Modify raw iam resources to terraform-aws-iam module

Open matheusmazzoni opened this issue 2 years ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

The idea is to give less maintenance to code that already exists in another repository and create association with the work already done by the community. Furthermore, all code modifications in terms of iam will be implemented in the terraform-aws-iam/module/iam-role-for-service-accounts-eks module.

Describe the solution you would like

Instead of using pure Terraform resources and maintaining potentially duplicated code, we can utilize the terraform-aws-iam/module/iam-role-for-service-accounts-eks module to create pre-created roles and policies in policies.tf for various addons, such as:

Describe alternatives you have considered

Additional context

matheusmazzoni avatar Aug 01 '23 18:08 matheusmazzoni

Once IRSAv2 is released, we plan on revisiting the approach used for permissions. The current implementation here is a 1:1 of addon to IRSA, but IRSAv2 intends to provide better support for sharing roles (i.e. - you can create a VPC CNI IRSA and share that with n-number of clusters) which potentially makes the IRSA roles provided here less useful.

(Postulating) I suspect that with IRSAv2 that https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks will be more heavily used due to this improvement in role sharing. At that time it would make sense to use that module here and then users can simply opt in or out of this module creating the IRSA roles (if it creates it - its the 1:1 approach, if not, you can use the shared approach)

bryantbiggs avatar Aug 08 '23 15:08 bryantbiggs