Merge pull request #2 from lablabs/feat-addon-irsa-dynamic-policy

feat(modules/addon-irsa): add variable assume policy
lablabs · Aug 2, 2024 · 571943b · 571943b
2 parents 22170ef + 57416b9
commit 571943b
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 9 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,6 +16,12 @@ repos:
       - id: terraform_tflint
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+      - id: terraform_providers_lock
+        args:
+          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+          - --args=-platform=linux_amd64
       - id: terraform_validate
       - id: terraform_checkov
         args:

diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl
diff --git a/modules/addon-irsa/.terraform.lock.hcl b/modules/addon-irsa/.terraform.lock.hcl
diff --git a/modules/addon-irsa/iam.tf b/modules/addon-irsa/iam.tf
@@ -4,6 +4,10 @@ locals {
   irsa_role_name           = try(trim("${local.irsa_role_name_prefix}-${var.irsa_role_name}", "-"), "")
   irsa_policy_enabled      = var.irsa_policy_enabled == true && try(length(var.irsa_policy) > 0, false)
   irsa_assume_role_enabled = var.irsa_assume_role_enabled == true && try(length(var.irsa_assume_role_arns) > 0, false)
+
+  irsa_assume_role_policy_condition_values_default = [
+    format("system:serviceaccount:%s:%s", var.service_account_namespace != null ? var.service_account_namespace : "", var.service_account_name != null ? var.service_account_name : "")
+  ]
 }
 
 data "aws_iam_policy_document" "this_assume" {
@@ -41,12 +45,10 @@ data "aws_iam_policy_document" "this_irsa" {
     }
 
     condition {
-      test     = "StringEquals"
+      test     = var.irsa_assume_role_policy_condition_test
       variable = "${replace(var.cluster_identity_oidc_issuer, "https://", "")}:sub"
 
-      values = [
-        "system:serviceaccount:${var.service_account_namespace}:${var.service_account_name}",
-      ]
+      values = coalesce(var.irsa_assume_role_policy_condition_values, local.irsa_assume_role_policy_condition_values_default)
     }
   }
 }

diff --git a/modules/addon-irsa/variables.tf b/modules/addon-irsa/variables.tf
@@ -101,3 +101,15 @@ variable "irsa_tags" {
   default     = null
   description = "IRSA resources tags. Defaults to `{}`."
 }
+
+variable "irsa_assume_role_policy_condition_test" {
+  type        = string
+  default     = "StringEquals"
+  description = "Specifies the condition test to use for the assume role trust policy. Defaults to `StringEquals`."
+}
+
+variable "irsa_assume_role_policy_condition_values" {
+  type        = list(string)
+  default     = []
+  description = "Specifies the values for the assume role trust policy condition. Each entry in this list must follow the required format `system:serviceaccount:$service_account_namespace:$service_account_name`. If this variable is left as the default, `local.irsa_assume_role_policy_condition_values_default` is used instead, which is a list containing a single value. Note that if this list is defined, the `service_account_name` and `service_account_namespace` variables are ignored."
+}
diff --git a/modules/addon/.terraform.lock.hcl b/modules/addon/.terraform.lock.hcl