fix auth iam

camunda · Oct 18, 2024 · 95a2196 · 95a2196
1 parent a73f494
commit 95a2196
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 18 deletions.
diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf
@@ -42,6 +42,7 @@ module "postgresql" {
   instance_class = "db.t3.medium"
 
   # IAM IRSA
+  iam_auth_enabled          = true
   iam_roles_with_policies   = [
     {
       role_name = "${local.camunda_keycloak_role_name}"
@@ -57,9 +58,7 @@ module "postgresql" {
                 "Action": "sts:AssumeRoleWithWebIdentity",
                 "Condition": {
                   "StringEquals": {
-                    "${module.eks_cluster.oidc_provider_id}:sub": [
-                      "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}"
-                    ]
+                    "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}"
                   }
                 }
               }
@@ -76,9 +75,7 @@ EOF
                   "Action": [
                     "rds-db:connect"
                   ],
-                  "Resource": [
-                    "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_keycloak_db_username}"
-                  ]
+                  "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_keycloak_db_username}"
                 }
               ]
             }
@@ -99,9 +96,7 @@ EOF
                 "Action": "sts:AssumeRoleWithWebIdentity",
                 "Condition": {
                   "StringEquals": {
-                    "${module.eks_cluster.oidc_provider_id}:sub": [
-                      "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}"
-                    ]
+                    "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}"
                   }
                 }
               }
@@ -140,9 +135,7 @@ EOF
                 "Action": "sts:AssumeRoleWithWebIdentity",
                 "Condition": {
                   "StringEquals": {
-                    "${module.eks_cluster.oidc_provider_id}:sub": [
-                      "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}"
-                    ]
+                    "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}"
                   }
                 }
               }

diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml
@@ -15,7 +15,7 @@ identityKeycloak:
 
     extraEnvVars:
         - name: KEYCLOAK_EXTRA_ARGS
-          value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=FINER,software.amazon.jdbc:FINER
+          value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO
         - name: KEYCLOAK_JDBC_PARAMS
           value: wrapperPlugins=iam&ssl=true&sslmode=require
         - name: KEYCLOAK_JDBC_DRIVER

diff --git a/examples/camunda-8.6-irsa/procedure/export-helm-values.sh b/examples/camunda-8.6-irsa/procedure/export-helm-values.sh
@@ -17,16 +17,16 @@ export CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME="$(terraform console <<<local.cam
 
 export DB_HOST="$(terraform output -raw postgres_endpoint)"
 export DB_ROLE_KEYCLOAK_NAME="$(terraform console <<<local.camunda_keycloak_role_name | jq -r)"
-export DB_ROLE_KEYCLOAK_ARN="$(terraform output -raw aurora_iam_role_arns | jq -r ."$DB_ROLE_KEYCLOAK_NAME")"
+export DB_ROLE_KEYCLOAK_ARN=$(terraform output -json aurora_iam_role_arns | jq -r ".[\"$DB_ROLE_KEYCLOAK_NAME\"]")
 export DB_ROLE_IDENTITY_NAME="$(terraform console <<<local.camunda_identity_role_name | jq -r)"
-export DB_ROLE_IDENTITY_ARN="$(terraform output -raw aurora_iam_role_arns | jq -r ."$DB_ROLE_IDENTITY_NAME")"
+export DB_ROLE_IDENTITY_ARN=$(terraform output -json aurora_iam_role_arns | jq -r ".[\"$DB_ROLE_IDENTITY_NAME\"]")
 export DB_ROLE_WEBMODELER_NAME="$(terraform console <<<local.camunda_webmodeler_role_name | jq -r)"
-export DB_ROLE_WEBMODELER_ARN="$(terraform output -raw aurora_iam_role_arns | jq -r ."$DB_ROLE_WEBMODELER_NAME")"
+export DB_ROLE_WEBMODELER_ARN=$(terraform output -json aurora_iam_role_arns | jq -r ".[\"$DB_ROLE_WEBMODELER_NAME\"]")
 
 # OpenSearch
 export OPENSEARCH_HOST="$(terraform output -raw opensearch_endpoint)"
 export OPENSEARCH_ROLE_NAME="$(terraform console <<<local.opensearch_iam_role_name | jq -r)"
-export OPENSEARCH_ROLE_ARN="$(terraform output -raw opensearch_role_arns | jq -r ."$OPENSEARCH_ROLE_NAME")"
+export OPENSEARCH_ROLE_ARN=$(terraform output -json opensearch_iam_role_arns | jq -r ".[\"$OPENSEARCH_ROLE_NAME\"]")
 export CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME="$(terraform console <<<local.camunda_zeebe_service_account | jq -r)"
 export CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME="$(terraform console <<<local.camunda_operate_service_account | jq -r)"
 export CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME="$(terraform console <<<local.camunda_tasklist_service_account | jq -r)"

diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml
@@ -23,7 +23,7 @@ spec:
                         set -o pipefail
 
                         echo "Installing dependencies..."
-                        yum install -y postgresql15 unzip awscli-2
+                        yum install -y postgresql15 awscli-2
 
                         echo "Creating IRSA db user using admin user"
                         psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \