Feature/fix data island (#202)

* fix service account in s3 inventory job * s3 inventory service account * fix * update cronjob name * update changelog * Update CHANGELOG.md Co-authored-by: Raj Poluri <[email protected]> Co-authored-by: Patrick Duin <[email protected]>
ExpediaGroup · Sep 21, 2021 · 3627828 · 3627828
1 parent 9f45ae6
commit 3627828
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.10.4] - 2021-09-21
+### Changed
+- Attach service account to s3_inventory job when using IRSA.
+- Rename s3_inventory cronjob to match service account name, required on new internal clusters.
+
 ## [6.10.3] - 2021-08-30
 ### Fixed
 - Fixed problem with s3_inventory_repair cronjob when apiary instance_name is not empty.

diff --git a/iam.tf b/iam.tf
@@ -132,3 +132,77 @@ EOF
     create_before_destroy = true
   }
 }
+
+resource "aws_iam_role" "apiary_s3_inventory" {
+  name = "${local.instance_alias}-s3-inventory-${var.aws_region}"
+
+  assume_role_policy = <<EOF
+{
+   "Version": "2012-10-17",
+   "Statement": [
+%{if var.kiam_arn != ""}
+     {
+       "Sid": "",
+       "Effect": "Allow",
+       "Principal": {
+         "AWS": "${var.kiam_arn}"
+       },
+       "Action": "sts:AssumeRole"
+     },
+%{endif}
+%{if var.oidc_provider != ""}
+     {
+       "Effect": "Allow",
+       "Principal": {
+         "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
+       },
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.metastore_namespace}:${local.instance_alias}-s3-inventory"
+         }
+       }
+     },
+%{endif}
+     {
+       "Sid": "",
+       "Effect": "Allow",
+       "Principal": {
+         "Service": "ecs-tasks.amazonaws.com"
+       },
+       "Action": "sts:AssumeRole"
+     }
+   ]
+}
+EOF
+
+  tags = var.apiary_tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_role_policy" "s3_data_for_s3_inventory" {
+  name = "s3"
+  role = aws_iam_role.apiary_s3_inventory.id
+
+  policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                              "s3:Get*",
+                              "s3:List*"
+                            ],
+                  "Resource": [
+                                "arn:aws:s3:::${local.s3_inventory_bucket}",
+                                "arn:aws:s3:::${local.s3_inventory_bucket}/*"
+                              ]
+                }
+              ]
+}
+EOF
+}
diff --git a/k8s-cronjobs.tf b/k8s-cronjobs.tf
@@ -4,14 +4,14 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  */
 
-resource "kubernetes_cron_job" "apiary_inventory_repair" {
+resource "kubernetes_cron_job" "apiary_inventory" {
   count = (var.s3_enable_inventory && var.hms_instance_type == "k8s") ? 1 : 0
   metadata {
-    name      = "${local.instance_alias}-s3-inventory-repair"
+    name      = "${local.instance_alias}-s3-inventory"
     namespace = var.metastore_namespace
 
     labels = {
-      name = "${local.instance_alias}-s3-inventory-repair"
+      name = "${local.instance_alias}-s3-inventory"
     }
   }
 
@@ -26,17 +26,19 @@ resource "kubernetes_cron_job" "apiary_inventory_repair" {
         template {
           metadata {
             labels = {
-              name = "${local.instance_alias}-s3-inventory-repair"
+              name = "${local.instance_alias}-s3-inventory"
             }
             annotations = {
-              "iam.amazonaws.com/role" = aws_iam_role.apiary_hms_readonly.name
+              "iam.amazonaws.com/role" = aws_iam_role.apiary_s3_inventory.name
             }
           }
 
           spec {
+            service_account_name            = kubernetes_service_account.s3_inventory[0].metadata.0.name
+            automount_service_account_token = true
             container {
               image   = "${var.hms_docker_image}:${var.hms_docker_version}"
-              name    = "${local.instance_alias}-s3-inventory-repair"
+              name    = "${local.instance_alias}-s3-inventory"
               command = ["/s3_inventory_repair.sh"]
               env {
                 name  = "AWS_REGION"

diff --git a/k8s-service-accounts.tf b/k8s-service-accounts.tf
@@ -21,3 +21,15 @@ resource "kubernetes_service_account" "hms_readonly" {
   }
   automount_service_account_token = true
 }
+
+resource "kubernetes_service_account" "s3_inventory" {
+  count = var.hms_instance_type == "k8s" ? 1 : 0
+  metadata {
+    name      = "${local.instance_alias}-s3-inventory"
+    namespace = var.metastore_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_s3_inventory.arn
+    }
+  }
+  automount_service_account_token = true
+}