fix: change IAM role policy to allow dynamic volume provisioning (#34)
* chore: change IAM role policy

* docs(terraform-docs): generate docs and write to README.adoc

---------

Co-authored-by: lconsuegra <[email protected]>
lconsuegra and lconsuegra authored Aug 7, 2024
1 parent d5727b6 commit 2d258fb
Showing 2 changed files with 11 additions and 49 deletions.
16 changes: 8 additions & 8 deletions README.adoc
@@ -121,12 +121,12 @@ The following providers are used by this module:

- [[provider_null]] <<provider_null,null>> (>= 3)

- [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)

- [[provider_utils]] <<provider_utils,utils>> (>= 1)

- [[provider_aws]] <<provider_aws,aws>>

- [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)

=== Modules

The following Modules are called:
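Review bot: the regenerated provider list still carries no version constraint for `aws`, while every other entry does (`<<provider_null,null>> (>= 3)`, `<<provider_argocd,argocd>> (>= 5)`, `<<provider_utils,utils>> (>= 1)`), which suggests `required_providers` has no `version` for `hashicorp/aws`. Now that the module reads the `aws_iam_policy` data source, add a lower bound there so terraform-docs records it and consumers get a deterministic provider. The reordering of the entries is terraform-docs output, not a content change.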
@@ -143,9 +143,9 @@ The following resources are used by this module:

- https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] (resource)
- https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] (resource)
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] (resource)
- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] (resource)
- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] (resource)
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy[aws_iam_policy.AmazonEFSCSIDriverPolicy] (data source)
- https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] (data source)

=== Required Inputs
@@ -206,7 +206,7 @@ Description: Override of target revision of the application chart.

Type: `string`

Default: `"v3.1.0"`
Default: `"v3.2.0"`

==== [[input_helm_values]] <<input_helm_values,helm_values>>

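Review bot: the `target_revision` default moves from `"v3.1.0"` to `"v3.2.0"` in the docs, but `variables.tf` is not among the two changed files, so this is the README catching up with an earlier change to the variable default rather than a new bump in this commit. The message (`docs(terraform-docs): generate docs`) covers it, but the drift shows the docs are regenerated by hand; consider running terraform-docs in a pre-commit hook or CI check so the README cannot fall behind the variables again.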
@@ -332,10 +332,10 @@ Description: ID to pass other modules in order to refer to this module as a depe
[cols="a,a",options="header,autowidth"]
|===
|Name |Version
|[[provider_null]] <<provider_null,null>> |>= 3
|[[provider_argocd]] <<provider_argocd,argocd>> |>= 5
|[[provider_utils]] <<provider_utils,utils>> |>= 1
|[[provider_aws]] <<provider_aws,aws>> |n/a
|[[provider_argocd]] <<provider_argocd,argocd>> |>= 5
|[[provider_null]] <<provider_null,null>> |>= 3
|===
= Modules
@@ -353,9 +353,9 @@ Description: ID to pass other modules in order to refer to this module as a depe
|Name |Type
|https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] |resource
|https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] |resource
|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] |resource
|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] |resource
|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] |resource
|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy[aws_iam_policy.AmazonEFSCSIDriverPolicy] |data source
|https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] |data source
|===
@@ -391,7 +391,7 @@ Description: ID to pass other modules in order to refer to this module as a depe
|[[input_target_revision]] <<input_target_revision,target_revision>>
|Override of target revision of the application chart.
|`string`
|`"v3.1.0"`
|`"v3.2.0"`
|no
|[[input_helm_values]] <<input_helm_values,helm_values>>
44 changes: 3 additions & 41 deletions main.tf
@@ -34,46 +34,8 @@ data "utils_deep_merge_yaml" "values" {
input = [for i in concat(local.helm_values, var.helm_values) : yamlencode(i)]
}

resource "aws_iam_policy" "efs" {
name_prefix = "efs-csi-driver-"

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
]
Resource = "*"
},
{
Effect = "Allow"
Action = [
"elasticfilesystem:CreateAccessPoint"
]
Resource = "*"
Condition = {
StringLike = {
"aws:RequestTag/efs.csi.aws.com/cluster" = "true"
}
}
},
{
Effect = "Allow"
Action = "elasticfilesystem:DeleteAccessPoint"
Resource = "*"
Condition = {
StringEquals = {
"aws:ResourceTag/efs.csi.aws.com/cluster" = "true"
}
}
}
]
})
data "aws_iam_policy" "AmazonEFSCSIDriverPolicy" {
arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
}

module "iam_assumable_role_efs" {
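Review bot: replacing the inline policy with the AWS-managed `AmazonEFSCSIDriverPolicy` drops the tag conditions that scoped `elasticfilesystem:CreateAccessPoint` to `aws:RequestTag/efs.csi.aws.com/cluster` and `elasticfilesystem:DeleteAccessPoint` to `aws:ResourceTag/efs.csi.aws.com/cluster`, and the managed policy's statements are not visible in this diff, so a reviewer cannot see how much wider the role's permissions become or which action was missing for dynamic provisioning; state that in the commit message or a code comment, since the permission set is now maintained by AWS rather than in this repository. The ARN also hard-codes the `aws` partition; `arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy` together with a `data "aws_partition" "current" {}` block keeps the module usable in other partitions. Minor: the data source label `AmazonEFSCSIDriverPolicy` breaks the snake_case naming used for the other blocks (`efs`, `values`, `dependencies`).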
@@ -83,7 +45,7 @@ module "iam_assumable_role_efs" {
number_of_role_policy_arns = 1
role_name_prefix = format("efs-csi-driver-%s-", var.cluster_name)
provider_url = replace(var.cluster_oidc_issuer_url, "https://", "")
role_policy_arns = [resource.aws_iam_policy.efs.arn]
role_policy_arns = [data.aws_iam_policy.AmazonEFSCSIDriverPolicy.arn]

# List of ServiceAccounts that have permission to attach to this IAM role
oidc_fully_qualified_subjects = [
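Review bot: with `aws_iam_policy.efs` removed, the next apply destroys the customer-managed policy and re-points `role_policy_arns` at the managed one; `number_of_role_policy_arns = 1` stays correct, but check the plan for the detach/attach ordering on the existing role so the service accounts listed in `oidc_fully_qualified_subjects` do not lose EFS permissions between the old attachment being destroyed and the new one being created.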
