feat(oidc): Add OIDC provider condition (#5)
* feat(oidc): Add OIDC provider condition

* feat(oidc): Add OIDC provider condition

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update modules/addon-oidc/iam.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update modules/addon-oidc/outputs.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update modules/addon-oidc/outputs.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* feat(oidc): Add OIDC provider condition

* feat(oidc): Add OIDC provider condition

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* Update variables-addon-oidc.tf

Co-authored-by: Martin Odstrčilík <[email protected]>

* feat(oidc): Add OIDC provider condition

* feat(oidc): Add OIDC provider condition

* fix(addons-oidc): Modify default value

---------

Co-authored-by: Martin Odstrčilík <[email protected]>
Balsir and jaygridley authored Dec 5, 2024
1 parent 62b5395 commit ecdc1b9
Showing 8 changed files with 86 additions and 60 deletions.
4 changes: 4 additions & 0 deletions .terraform.lock.hcl
27 changes: 14 additions & 13 deletions README.md
@@ -51,7 +51,7 @@ See [basic example](examples/basic) for further information.
|------|--------|---------|
| <a name="module_addon"></a> [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.6 |
| <a name="module_addon-irsa"></a> [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.8 |
| <a name="module_addon-oidc"></a> [addon-oidc](#module\_addon-oidc) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-oidc | v0.0.7 |
| <a name="module_addon-oidc"></a> [addon-oidc](#module\_addon-oidc) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-oidc | v0.0.9 |
## Resources

| Name | Type |
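Review bot: the `addon-oidc` row bumps the module source to `v0.0.9`, which is the same ref used in `addon-oidc.tf` below, so the two stay consistent; the surrounding rows (`addon` at v0.0.6, `addon-irsa` at v0.0.8) are untouched, which is fine as long as v0.0.9 of `addon-oidc` is the first release that accepts the new `oidc_provider_create` argument, since that is what this commit wires through.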
@@ -129,23 +129,24 @@ See [basic example](examples/basic) for further information.
| <a name="input_irsa_role_name_prefix"></a> [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` |
| <a name="input_irsa_tags"></a> [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags. Defaults to `{}`. | `map(string)` |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | The Kubernetes Namespace in which the Helm chart will be installed. Defaults to `local.addon.name`. | `string` |
| <a name="input_oidc_additional_policies"></a> [oidc\_additional\_policies](#input\_oidc\_additional\_policies) | Map of the additional policies to be attached to oidc role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
| <a name="input_oidc_assume_role_arns"></a> [oidc\_assume\_role\_arns](#input\_oidc\_assume\_role\_arns) | List of ARNs assumable by the oidc role. Applied only if `oidc_assume_role_enabled` is `true`. | `list(string)` |
| <a name="input_oidc_assume_role_enabled"></a> [oidc\_assume\_role\_enabled](#input\_oidc\_assume\_role\_enabled) | Whether oidc is allowed to assume role defined by `oidc_assume_role_arn`. Mutually exclusive with `oidc_policy_enabled`. Defaults to `false`. | `bool` |
| <a name="input_oidc_additional_policies"></a> [oidc\_additional\_policies](#input\_oidc\_additional\_policies) | Map of the additional policies to be attached to OIDC role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
| <a name="input_oidc_assume_role_arns"></a> [oidc\_assume\_role\_arns](#input\_oidc\_assume\_role\_arns) | List of ARNs assumable by the OIDC role. Applied only if `oidc_assume_role_enabled` is `true`. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_assume_role_enabled"></a> [oidc\_assume\_role\_enabled](#input\_oidc\_assume\_role\_enabled) | Whether OIDC is allowed to assume role defined by `oidc_assume_role_arn`. Mutually exclusive with `oidc_policy_enabled`. Defaults to `false`. | `bool` |
| <a name="input_oidc_assume_role_policy_condition_test"></a> [oidc\_assume\_role\_policy\_condition\_test](#input\_oidc\_assume\_role\_policy\_condition\_test) | Specifies the condition test to use for the assume role trust policy. Defaults to `StringLike`. | `string` |
| <a name="input_oidc_assume_role_policy_condition_values"></a> [oidc\_assume\_role\_policy\_condition\_values](#input\_oidc\_assume\_role\_policy\_condition\_values) | Specifies the values for the assume role trust policy condition. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_assume_role_policy_condition_variable"></a> [oidc\_assume\_role\_policy\_condition\_variable](#input\_oidc\_assume\_role\_policy\_condition\_variable) | Specifies the variable to use for the assume role trust policy. Defaults to `""`. | `string` |
| <a name="input_oidc_custom_provider_arn"></a> [oidc\_custom\_provider\_arn](#input\_oidc\_custom\_provider\_arn) | Specifies a custom OIDC provider ARN. If provided, the module will not create a default OIDC provider. Defaults to `""`. | `string` |
| <a name="input_oidc_openid_client_ids"></a> [oidc\_openid\_client\_ids](#input\_oidc\_openid\_client\_ids) | List of client IDs that are allowed to authenticate. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_openid_provider_url"></a> [oidc\_openid\_provider\_url](#input\_oidc\_openid\_provider\_url) | oidc provider url. Defaults to `""`. | `string` |
| <a name="input_oidc_custom_provider_arn"></a> [oidc\_custom\_provider\_arn](#input\_oidc\_custom\_provider\_arn) | Specifies a custom OIDC provider ARN. If specified, overrides provider created by this module. If set, it is recommended to disable default OIDC provider creation by setting var.oidc\_provider\_create to false. Defaults to `""`. | `string` |
| <a name="input_oidc_openid_client_ids"></a> [oidc\_openid\_client\_ids](#input\_oidc\_openid\_client\_ids) | List of OpenID Connect client IDs that are allowed to assume the OIDC provider. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_openid_provider_url"></a> [oidc\_openid\_provider\_url](#input\_oidc\_openid\_provider\_url) | OIDC provider URL. Defaults to `""`. | `string` |
| <a name="input_oidc_openid_thumbprints"></a> [oidc\_openid\_thumbprints](#input\_oidc\_openid\_thumbprints) | List of thumbprints of the OIDC provider's server certificate. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_permissions_boundary"></a> [oidc\_permissions\_boundary](#input\_oidc\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the oidc role. Defaults to `""`. | `string` |
| <a name="input_oidc_policy"></a> [oidc\_policy](#input\_oidc\_policy) | Policy to be attached to the oidc role. Applied only if `oidc_policy_enabled` is `true`. | `string` |
| <a name="input_oidc_permissions_boundary"></a> [oidc\_permissions\_boundary](#input\_oidc\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the OIDC role. Defaults to `""`. | `string` |
| <a name="input_oidc_policy"></a> [oidc\_policy](#input\_oidc\_policy) | Policy to be attached to the OIDC role. Applied only if `oidc_policy_enabled` is `true`. | `string` |
| <a name="input_oidc_policy_enabled"></a> [oidc\_policy\_enabled](#input\_oidc\_policy\_enabled) | Whether to create IAM policy specified by `oidc_policy`. Mutually exclusive with `oidc_assume_role_enabled`. Defaults to `false`. | `bool` |
| <a name="input_oidc_role_create"></a> [oidc\_role\_create](#input\_oidc\_role\_create) | Whether to create oidc role and annotate Service Account. Defaults to `true`. | `bool` |
| <a name="input_oidc_role_name"></a> [oidc\_role\_name](#input\_oidc\_role\_name) | oidc role name. The value is prefixed by `var.oidc_role_name_prefix`. Defaults to addon Helm chart name. | `string` |
| <a name="input_oidc_role_name_prefix"></a> [oidc\_role\_name\_prefix](#input\_oidc\_role\_name\_prefix) | oidc role name prefix. Defaults to addon oidc component name with `oidc` suffix. | `string` |
| <a name="input_oidc_tags"></a> [oidc\_tags](#input\_oidc\_tags) | oidc resources tags. Defaults to `{}`. | `map(string)` |
| <a name="input_oidc_provider_create"></a> [oidc\_provider\_create](#input\_oidc\_provider\_create) | Whether to create OIDC provider. Defaults to `true`. Set to false if you want to disable default OIDC provider when oidc\_custom\_provider\_arn is set. | `bool` |
| <a name="input_oidc_role_create"></a> [oidc\_role\_create](#input\_oidc\_role\_create) | Whether to create OIDC role and annotate Service Account. Defaults to `true`. | `bool` |
| <a name="input_oidc_role_name"></a> [oidc\_role\_name](#input\_oidc\_role\_name) | OIDC role name. The value is prefixed by `var.oidc_role_name_prefix`. Defaults to addon Helm chart name. | `string` |
| <a name="input_oidc_role_name_prefix"></a> [oidc\_role\_name\_prefix](#input\_oidc\_role\_name\_prefix) | OIDC role name prefix. Defaults to addon OIDC component name with `oidc` suffix. | `string` |
| <a name="input_oidc_tags"></a> [oidc\_tags](#input\_oidc\_tags) | OIDC resources tags. Defaults to `{}`. | `map(string)` |
| <a name="input_rbac_create"></a> [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources. Defaults to `true`. | `bool` |
| <a name="input_service_account_create"></a> [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account. Defaults to `true`. | `bool` |
| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | The Kubernetes Service Account name. Defaults to addon name. | `string` |
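Review bot: the `oidc_assume_role_enabled` row still refers to `oidc_assume_role_arn`, but the input it gates is `oidc_assume_role_arns` (the row directly above it); since this row is being rewritten anyway, correct the name. The new `oidc_provider_create` row tells users to set it to false "when oidc_custom_provider_arn is set", and that wording hides a behaviour change: the removed `iam.tf` local used to suppress provider creation automatically whenever a custom ARN was supplied, so existing users of `oidc_custom_provider_arn` who do not add `oidc_provider_create = false` will start creating a provider they never asked for. State that explicitly here, for example "A custom ARN alone no longer disables creation of the module's provider."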
6 changes: 4 additions & 2 deletions addon-oidc.tf
@@ -1,10 +1,12 @@
# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
module "addon-oidc" {
for_each = local.addon_oidc

source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-oidc?ref=v0.0.7"
source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-oidc?ref=v0.0.9"

enabled = var.enabled

oidc_provider_create = var.oidc_provider_create != null ? var.oidc_provider_create : try(each.value.oidc_provider_create, true)
oidc_role_create = var.oidc_role_create != null ? var.oidc_role_create : try(each.value.oidc_role_create, true)
oidc_role_name_prefix = var.oidc_role_name_prefix != null ? var.oidc_role_name_prefix : try(each.value.oidc_role_name_prefix, "${each.key}-oidc")
oidc_role_name = var.oidc_role_name != null ? var.oidc_role_name : try(each.value.oidc_role_name, local.addon_helm_chart_name)
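Review bot: `oidc_provider_create` falls back to `true` regardless of whether the addon entry carries an `oidc_custom_provider_arn`, so an entry that supplies only a custom ARN will now get a module-created provider as well. If the intent is to keep the old behaviour for existing configurations, derive the fallback from the custom ARN, e.g. `try(each.value.oidc_provider_create, try(length(each.value.oidc_custom_provider_arn), 0) == 0)`, and let an explicit `oidc_provider_create` still override it.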
@@ -20,7 +22,7 @@ module "addon-oidc" {
oidc_openid_thumbprints = var.oidc_openid_thumbprints != null ? var.oidc_openid_thumbprints : try(each.value.oidc_openid_thumbprints, [])
oidc_assume_role_policy_condition_variable = var.oidc_assume_role_policy_condition_variable != null ? var.oidc_assume_role_policy_condition_variable : try(each.value.oidc_assume_role_policy_condition_variable, "")
oidc_assume_role_policy_condition_values = var.oidc_assume_role_policy_condition_values != null ? var.oidc_assume_role_policy_condition_values : try(each.value.oidc_assume_role_policy_condition_values, [])
oidc_assume_role_policy_condition_test = var.oidc_assume_role_policy_condition_test != null ? var.oidc_assume_role_policy_condition_test : try(each.value.oidc_assume_role_policy_condition_test, "")
oidc_assume_role_policy_condition_test = var.oidc_assume_role_policy_condition_test != null ? var.oidc_assume_role_policy_condition_test : try(each.value.oidc_assume_role_policy_condition_test, "StringLike")
oidc_custom_provider_arn = var.oidc_custom_provider_arn != null ? var.oidc_custom_provider_arn : try(each.value.oidc_custom_provider_arn, "")

oidc_tags = var.oidc_tags != null ? var.oidc_tags : try(each.value.oidc_tags, tomap({}))
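Review bot: replacing the `""` fallback for `oidc_assume_role_policy_condition_test` with `StringLike` is the right fix, because this root-level `try()` always wins over the module's own `default = "StringLike"`, so the empty string was what the trust policy actually received. The same literal is now maintained in three places (this fallback, the module variable default and the README); a comment naming the module default as the source of truth would keep them from drifting again.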
1 change: 1 addition & 0 deletions modules/addon-oidc/.terraform.lock.hcl
6 changes: 3 additions & 3 deletions modules/addon-oidc/iam.tf
@@ -1,14 +1,14 @@
locals {
oidc_provider_create = var.enabled == true && var.oidc_provider_create == true
oidc_role_create = var.enabled == true && var.oidc_role_create == true
oidc_role_name_prefix = try(coalesce(var.oidc_role_name_prefix), "")
oidc_role_name = try(trim("${local.oidc_role_name_prefix}-${var.oidc_role_name}", "-"), "")
oidc_policy_enabled = var.oidc_policy_enabled == true && try(length(var.oidc_policy) > 0, false)
oidc_assume_role_enabled = var.oidc_assume_role_enabled == true && try(length(var.oidc_assume_role_arns) > 0, false)
oidc_provider_create = try(length(var.oidc_custom_provider_arn), 0) == 0
}

resource "aws_iam_openid_connect_provider" "this" {
count = local.oidc_role_create && local.oidc_provider_create ? 1 : 0
count = local.oidc_provider_create ? 1 : 0

url = "https://${var.oidc_openid_provider_url}"
client_id_list = var.oidc_openid_client_ids
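Review bot: two behaviours change in this hunk at once, and only one of them is in the commit message. First, the new `oidc_provider_create` local drops the suppression the removed line provided (`try(length(var.oidc_custom_provider_arn), 0) == 0`), so a caller that sets `oidc_custom_provider_arn` but leaves `oidc_provider_create` at its `true` fallback now creates an `aws_iam_openid_connect_provider` whose `url` is `"https://"` followed by an empty `oidc_openid_provider_url`; that will be rejected rather than quietly skipped as before. Second, `count` no longer depends on `oidc_role_create`, so a caller with `oidc_role_create = false` now creates a provider that nothing in this module references. If the custom ARN is meant to take precedence, keep the old guard as well: `oidc_provider_create = var.enabled == true && var.oidc_provider_create == true && try(length(var.oidc_custom_provider_arn), 0) == 0`; otherwise add a `validation` on `oidc_openid_provider_url` so an empty URL is caught before the API call, and mention the decoupling from the role in the commit message if it is intentional.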
@@ -47,7 +47,7 @@ data "aws_iam_policy_document" "this_oidc" {

principals {
type = "Federated"
identifiers = [try(aws_iam_openid_connect_provider.this[0].arn, var.oidc_custom_provider_arn)]
identifiers = [coalesce(var.oidc_custom_provider_arn, one(aws_iam_openid_connect_provider.this[*].arn))]
}

condition {
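Review bot: `coalesce(var.oidc_custom_provider_arn, one(aws_iam_openid_connect_provider.this[*].arn))` fails with Terraform's generic "no non-null, non-empty-string arguments" error when `oidc_provider_create` is false and `oidc_custom_provider_arn` is empty, which is the most likely misconfiguration after this change; the old `try()` had the same gap but produced an empty federated principal instead of a clearer failure. A `precondition` on this data source, or a `validation` block tying the two variables together, with a message such as "set oidc_custom_provider_arn when oidc_provider_create is false" would make the error actionable. The precedence flip is worth noting in the message: the old expression preferred the module-created provider and fell back to the custom ARN, the new one prefers the custom ARN, which matches the updated `oidc_custom_provider_arn` description ("overrides provider created by this module"). `one()` over the splat is the right idiom for the zero-count case, and `coalesce` skips the `null` default of the variable, so that part is sound.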
7 changes: 6 additions & 1 deletion modules/addon-oidc/outputs.tf
@@ -1,5 +1,10 @@
output "oidc_provider_enabled" {
description = "Whether OIDC provider is enabled"
value = local.oidc_provider_create
}

output "oidc_role_enabled" {
description = "Whether is oidc role enabled"
description = "Whether OIDC role is enabled"
value = local.oidc_role_create
}

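Review bot: `oidc_provider_enabled` only reports whether this module created a provider, yet after the `iam.tf` change the role's trust policy may reference `oidc_custom_provider_arn` instead, so a caller cannot tell from the outputs which provider the role actually trusts. Consider adding an output for the resolved ARN (the same `coalesce(...)` expression used in `data.aws_iam_policy_document.this_oidc`), and wording this description as "Whether the OIDC provider is created by this module" so it is not read as "enabled" in the IAM sense.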
32 changes: 19 additions & 13 deletions modules/addon-oidc/variables.tf
@@ -6,22 +6,28 @@ variable "enabled" {

# ================ oidc variables (optional) ================

variable "oidc_provider_create" {
type = bool
default = null
description = "Whether to create OIDC provider. Defaults to `true`. Set to false if you want to disable default OIDC provider when oidc_custom_provider_arn is set."
}

variable "oidc_role_create" {
type = bool
default = null
description = "Whether to create oidc role and annotate Service Account. Defaults to `true`."
description = "Whether to create OIDC role and annotate Service Account. Defaults to `true`."
}

variable "oidc_role_name_prefix" {
type = string
default = null
description = "oidc role name prefix. Defaults to addon oidc component name with `oidc` suffix."
description = "OIDC role name prefix. Defaults to addon OIDC component name with `oidc` suffix."
}

variable "oidc_role_name" {
type = string
default = null
description = "oidc role name. The value is prefixed by `var.oidc_role_name_prefix`. Defaults to addon Helm chart name."
description = "OIDC role name. The value is prefixed by `var.oidc_role_name_prefix`. Defaults to addon Helm chart name."
}

variable "oidc_policy_enabled" {
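Review bot: `oidc_provider_create` is declared with `default = null` while its description promises "Defaults to `true`", and the `iam.tf` local tests `var.oidc_provider_create == true`, so anyone calling this module directly and omitting the variable gets no provider at all. That mirrors the existing `oidc_role_create` declaration, where the `true` fallback lives in the root `addon-oidc.tf`, so either say in the description that the default is applied by the root module, or make the module self-sufficient with `default = true`. The advice to set it to false "when oidc_custom_provider_arn is set" also reads as optional; given the `coalesce` precedence in `iam.tf`, it is the only configuration that avoids creating an unused provider, so phrase it as such.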
@@ -33,43 +39,43 @@ variable "oidc_policy_enabled" {
variable "oidc_policy" {
type = string
default = null
description = "Policy to be attached to the oidc role. Applied only if `oidc_policy_enabled` is `true`."
description = "Policy to be attached to the OIDC role. Applied only if `oidc_policy_enabled` is `true`."
}

variable "oidc_assume_role_enabled" {
type = bool
default = null
description = "Whether oidc is allowed to assume role defined by `oidc_assume_role_arn`. Mutually exclusive with `oidc_policy_enabled`. Defaults to `false`."
description = "Whether OIDC is allowed to assume role defined by `oidc_assume_role_arn`. Mutually exclusive with `oidc_policy_enabled`. Defaults to `false`."
}

variable "oidc_assume_role_arns" {
type = list(string)
default = null
description = "List of ARNs assumable by the oidc role. Applied only if `oidc_assume_role_enabled` is `true`. Defaults to `[]`."
description = "List of ARNs assumable by the OIDC role. Applied only if `oidc_assume_role_enabled` is `true`. Defaults to `[]`."
}

variable "oidc_permissions_boundary" {
type = string
default = null
description = "ARN of the policy that is used to set the permissions boundary for the oidc role. Defaults to `\"\"`."
description = "ARN of the policy that is used to set the permissions boundary for the OIDC role. Defaults to `\"\"`."
}

variable "oidc_additional_policies" {
type = map(string)
default = null
description = "Map of the additional policies to be attached to oidc role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
description = "Map of the additional policies to be attached to OIDC role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
}

variable "oidc_tags" {
type = map(string)
default = null
description = "oidc resources tags. Defaults to `{}`."
description = "OIDC resources tags. Defaults to `{}`."
}

variable "oidc_assume_role_policy_condition_test" {
type = string
default = "StringLike"
description = "Specifies the condition test to use for the assume role trust policy. Defaults to `StringEquals`."
description = "Specifies the condition test to use for the assume role trust policy. Defaults to `StringLike`."
}

variable "oidc_assume_role_policy_condition_values" {
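Review bot: `oidc_assume_role_enabled` still says "assume role defined by `oidc_assume_role_arn`", but the variable declared right below it is `oidc_assume_role_arns` (a `list(string)`); since the description is rewritten in this hunk anyway, correct the name. The `StringLike` correction in `oidc_assume_role_policy_condition_test` is right, as the `default` has been `StringLike` all along; because `StringLike` matches wildcard patterns where `StringEquals` would not, it is worth a sentence in the description reminding users that the values they pass in `oidc_assume_role_policy_condition_values` are interpreted as patterns under the default.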
@@ -87,13 +93,13 @@ variable "oidc_assume_role_policy_condition_variable" {
variable "oidc_openid_client_ids" {
type = list(string)
default = []
description = "List of OpenID Connect client IDs that are allowed to assume the oidc provider. Defaults to `[]`."
description = "List of OpenID Connect client IDs that are allowed to assume the OIDC provider. Defaults to `[]`."
}

variable "oidc_openid_provider_url" {
type = string
default = null
description = "oidc provider url. Defaults to `\"\"`."
description = "OIDC provider URL. Defaults to `\"\"`."
}

variable "oidc_openid_thumbprints" {
@@ -105,5 +111,5 @@ variable "oidc_openid_thumbprints" {
variable "oidc_custom_provider_arn" {
type = string
default = null
description = "Specifies a custom OIDC provider ARN. If provided, the module will not create a default OIDC provider. Defaults to `\"\"`."
description = "Specifies a custom OIDC provider ARN. If specified, overrides provider created by this module. If set, it is recommended to disable default OIDC provider creation by setting var.oidc_provider_create to false. Defaults to `\"\"`."
}
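Review bot: this description says a custom ARN "overrides" the module-created provider and only "recommends" disabling creation, but with `oidc_provider_create` left at its `true` fallback and `oidc_openid_provider_url` at its `""` default the module still attempts to create a provider with no URL, so "recommended" understates it; phrase it as required unless a valid `oidc_openid_provider_url` is also supplied, or enforce it with a `validation` block. Minor style point: the description writes `var.oidc_provider_create`, while the other descriptions in this file refer to inputs as bare backtick-quoted names such as `oidc_policy_enabled`; use the same form.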