From 2d258fb6a2f8cb1a35ec96003533aea7832e70d7 Mon Sep 17 00:00:00 2001 From: Lenny Consuegra Date: Wed, 7 Aug 2024 14:25:37 +0200 Subject: [PATCH] fix: change IAM role policy to allow dynamic volume provisioning (#34) * chore: change IAM role policy * docs(terraform-docs): generate docs and write to README.adoc --------- Co-authored-by: lconsuegra --- README.adoc | 16 ++++++++-------- main.tf | 44 +++----------------------------------------- 2 files changed, 11 insertions(+), 49 deletions(-) diff --git a/README.adoc b/README.adoc index 02918bb..03caa3f 100644 --- a/README.adoc +++ b/README.adoc @@ -121,12 +121,12 @@ The following providers are used by this module: - [[provider_null]] <> (>= 3) +- [[provider_argocd]] <> (>= 5) + - [[provider_utils]] <> (>= 1) - [[provider_aws]] <> -- [[provider_argocd]] <> (>= 5) - === Modules The following Modules are called: @@ -143,9 +143,9 @@ The following resources are used by this module: - https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] (resource) - https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] (resource) -- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] (resource) - https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] (resource) - https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] (resource) +- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy[aws_iam_policy.AmazonEFSCSIDriverPolicy] (data source) - https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] (data source) === Required Inputs 
@@ -206,7 +206,7 @@ Description: Override of target revision of the application chart. Type: `string` -Default: `"v3.1.0"` +Default: `"v3.2.0"` ==== [[input_helm_values]] <> @@ -332,10 +332,10 @@ Description: ID to pass other modules in order to refer to this module as a depe [cols="a,a",options="header,autowidth"] |=== |Name |Version +|[[provider_null]] <> |>= 3 +|[[provider_argocd]] <> |>= 5 |[[provider_utils]] <> |>= 1 |[[provider_aws]] <> |n/a -|[[provider_argocd]] <> |>= 5 -|[[provider_null]] <> |>= 3 |=== = Modules @@ -353,9 +353,9 @@ Description: ID to pass other modules in order to refer to this module as a depe |Name |Type |https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] |resource |https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] |resource -|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] |resource |https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] |resource |https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] |resource +|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy[aws_iam_policy.AmazonEFSCSIDriverPolicy] |data source |https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] |data source |=== @@ -391,7 +391,7 @@ Description: ID to pass other modules in order to refer to this module as a depe |[[input_target_revision]] <> |Override of target revision of the application chart. |`string` -|`"v3.1.0"` +|`"v3.2.0"` |no |[[input_helm_values]] <> diff --git a/main.tf b/main.tf index 85778dd..3bfd5af 100644 --- a/main.tf +++ b/main.tf 
@@ -34,46 +34,8 @@ data "utils_deep_merge_yaml" "values" {
   input = [for i in concat(local.helm_values, var.helm_values) : yamlencode(i)]
 }
 
-resource "aws_iam_policy" "efs" {
-  name_prefix = "efs-csi-driver-"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "elasticfilesystem:DescribeAccessPoints",
-          "elasticfilesystem:DescribeFileSystems",
-          "elasticfilesystem:DescribeMountTargets",
-          "ec2:DescribeAvailabilityZones"
-        ]
-        Resource = "*"
-      },
-      {
-        Effect = "Allow"
-        Action = [
-          "elasticfilesystem:CreateAccessPoint"
-        ]
-        Resource = "*"
-        Condition = {
-          StringLike = {
-            "aws:RequestTag/efs.csi.aws.com/cluster" = "true"
-          }
-        }
-      },
-      {
-        Effect = "Allow"
-        Action = "elasticfilesystem:DeleteAccessPoint"
-        Resource = "*"
-        Condition = {
-          StringEquals = {
-            "aws:ResourceTag/efs.csi.aws.com/cluster" = "true"
-          }
-        }
-      }
-    ]
-  })
+data "aws_iam_policy" "AmazonEFSCSIDriverPolicy" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
 }
 
 module "iam_assumable_role_efs" {
@@ -83,7 +45,7 @@ module "iam_assumable_role_efs" {
   number_of_role_policy_arns = 1
   role_name_prefix           = format("efs-csi-driver-%s-", var.cluster_name)
   provider_url               = replace(var.cluster_oidc_issuer_url, "https://", "")
-  role_policy_arns           = [resource.aws_iam_policy.efs.arn]
+  role_policy_arns           = [data.aws_iam_policy.AmazonEFSCSIDriverPolicy.arn]
   # List of ServiceAccounts that have permission to attach to this IAM role
   oidc_fully_qualified_subjects = [
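Review bot: The permission set attached to the EFS CSI role is no longer pinned in this repository: the removed inline statements bounded `CreateAccessPoint`/`DeleteAccessPoint` with `efs.csi.aws.com/cluster` tag conditions, whereas `data "aws_iam_policy" "AmazonEFSCSIDriverPolicy"` resolves to whatever version of the managed policy AWS currently publishes, so the role's effective permissions can widen without a diff here. Whether the managed policy keeps equivalent tag conditions, and which action it adds for dynamic provisioning (presumably `elasticfilesystem:TagResource`, the commit message does not say), should be recorded above the data source, e.g. `# AWS-managed policy for the EFS CSI driver (needed for dynamic provisioning); its statements are maintained by AWS and may change over time — re-review on driver upgrades.`. The ARN also hardcodes the `aws` partition, so the lookup will not resolve in `aws-cn`/`aws-us-gov` accounts; prefer `data "aws_partition" "current" {}` with `arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"`.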