Merge pull request #19 from dfds-data/bug/irsa-kiam

Migrate from KIAM to IRSA

CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [4.0.0] - 2022-08-24
+### Changed
+- BREAKING: Changed from KIAM auth to IRSA. 
+  See https://wiki.dfds.cloud/en/teams/devex/operations/guides/kiam-to-irsa-migration.
+  KIAM is deprecated and will be removed in the future. We are now using IRSA and ServiceAccounts to assume roles in 
+  AWS. 

mlflow-terraform/README.md

@@ -1,7 +1,8 @@
-This is an opinionated collection of resouces to be used for the mlflow service. Assuming a database
+This is an opinionated collection of resources to be used for the mlflow service. Assuming a database
 is provisioned centrally in this case.
 
 # Variables
 
-- kubernetes_account_number: The account number to trust to assume your role (ie. account number of
-  KIAM)
+- kubernetes_account_number: The account number of your kubernetes namespace. 
+- kubernetes_namespace: The name of the kubernetes namespace.
+- service_account: OPTIONAL. The name of the service account used in the kubernetes deployment.

mlflow-terraform/main.tf

@@ -15,21 +15,24 @@ resource "aws_s3_bucket" "mlflow_bucket" {
 }
 // Create the IAM role to be used by MLFlow to connect to the S3 backend
 resource "aws_iam_role" "mlflow_server_role" {
-  assume_role_policy = data.aws_iam_policy_document.kiam_trust_policy.json
+  assume_role_policy = data.aws_iam_policy_document.irsa_trust_policy.json
+  name = "mlflow-server-role"
 }
-data "aws_iam_policy_document" "kiam_trust_policy" {
-  statement {
-    sid = ""
 
-    effect = "Allow"
+data "aws_iam_policy_document" "irsa_trust_policy" {
+  statement {
+    sid     = ""
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
     principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.kubernetes_account_number}:role/eks-hellman-kiam-server"]
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${var.kubernetes_account_number}:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/B182759F93D251942CB146063F57036B"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "oidc.eks.eu-west-1.amazonaws.com/id/B182759F93D251942CB146063F57036B:sub"
+      values   = ["system:serviceaccount:${var.kubernetes_namespace}:${var.service_account}"]
     }
-
-    actions = [
-      "sts:AssumeRole"
-    ]
   }
 }
 resource "aws_iam_role_policy_attachment" "mlflow_policy_attachment" {
@@ -52,7 +55,8 @@ data "aws_iam_policy_document" "mlflow_server_policy" {
   }
 }
 resource "aws_iam_policy" "mlflow_server_policy" {
-  description = "allows mlflow access to S3"
+  name        = "mlflow-server-policy"
+  description = "Allows mlflow access to S3"
   policy      = data.aws_iam_policy_document.mlflow_server_policy.json
 }
 // Create a random password to be used for the mlflow webserver

mlflow-terraform/variables.tf

@@ -1,5 +1,16 @@
 // Declare input variables
 variable "kubernetes_account_number" {
   type        = string
-  description = "The account number of the kubernetes cluster that has to assume a role in your capability"
+  description = "The account number of the kubernetes capability. E.g. '123456789012'"
 }
+
+variable "kubernetes_namespace" {
+  type = string
+  description = "The namespace of the kubernetes capability. E.g. 'my-capability-jpoxj'."
+}
+
+variable "service_account" {
+  type = string
+  default = "mlflow"
+  description = "The service account that assumes the mlflow-server-role Role. E.g. 'mlflow'."
+}