From 36278286811d0d07dfab88d552094ff79c188228 Mon Sep 17 00:00:00 2001
From: rpoluri <38321430+rpoluri@users.noreply.github.com>
Date: Tue, 21 Sep 2021 10:19:56 -0500
Subject: [PATCH] Feature/fix data island (#202)

* fix service account in s3 inventory job

* s3 inventory service account

* fix

* update cronjob name

* update changelog

* Update CHANGELOG.md

Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>
Co-authored-by: Patrick Duin <pduin@expedia.com>
---
 CHANGELOG.md            |  5 +++
 iam.tf                  | 74 +++++++++++++++++++++++++++++++++++++++++
 k8s-cronjobs.tf         | 14 ++++----
 k8s-service-accounts.tf | 12 +++++++
 4 files changed, 99 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f1122bb..90c112d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.10.4] - 2021-09-21
+### Changed
+- Attach service account to s3_inventory job when using IRSA.
+- Rename s3_inventory cronjob to match service account name, required on new internal clusters.
+
 ## [6.10.3] - 2021-08-30
 ### Fixed
 - Fixed problem with s3_inventory_repair cronjob when apiary instance_name is not empty.
diff --git a/iam.tf b/iam.tf
index f04db2c..9f0c1db 100644
--- a/iam.tf
+++ b/iam.tf
@@ -132,3 +132,77 @@ EOF
     create_before_destroy = true
   }
 }
+
+resource "aws_iam_role" "apiary_s3_inventory" {
+  name = "${local.instance_alias}-s3-inventory-${var.aws_region}"
+
+  assume_role_policy = <<EOF
+{
+   "Version": "2012-10-17",
+   "Statement": [
+%{if var.kiam_arn != ""}
+     {
+       "Sid": "",
+       "Effect": "Allow",
+       "Principal": {
+         "AWS": "${var.kiam_arn}"
+       },
+       "Action": "sts:AssumeRole"
+     },
+%{endif}
+%{if var.oidc_provider != ""}
+     {
+       "Effect": "Allow",
+       "Principal": {
+         "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
+       },
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.metastore_namespace}:${local.instance_alias}-s3-inventory"
+         }
+       }
+     },
+%{endif}
+     {
+       "Sid": "",
+       "Effect": "Allow",
+       "Principal": {
+         "Service": "ecs-tasks.amazonaws.com"
+       },
+       "Action": "sts:AssumeRole"
+     }
+   ]
+}
+EOF
+
+  tags = var.apiary_tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_role_policy" "s3_data_for_s3_inventory" {
+  name = "s3"
+  role = aws_iam_role.apiary_s3_inventory.id
+
+  policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                              "s3:Get*",
+                              "s3:List*"
+                            ],
+                  "Resource": [
+                                "arn:aws:s3:::${local.s3_inventory_bucket}",
+                                "arn:aws:s3:::${local.s3_inventory_bucket}/*"
+                              ]
+                }
+              ]
+}
+EOF
+}
diff --git a/k8s-cronjobs.tf b/k8s-cronjobs.tf
index d556d2a..dfc9fee 100644
--- a/k8s-cronjobs.tf
+++ b/k8s-cronjobs.tf
@@ -4,14 +4,14 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  */
 
-resource "kubernetes_cron_job" "apiary_inventory_repair" {
+resource "kubernetes_cron_job" "apiary_inventory" {
   count = (var.s3_enable_inventory && var.hms_instance_type == "k8s") ? 1 : 0
   metadata {
-    name      = "${local.instance_alias}-s3-inventory-repair"
+    name      = "${local.instance_alias}-s3-inventory"
     namespace = var.metastore_namespace
 
     labels = {
-      name = "${local.instance_alias}-s3-inventory-repair"
+      name = "${local.instance_alias}-s3-inventory"
     }
   }
 
@@ -26,17 +26,19 @@ resource "kubernetes_cron_job" "apiary_inventory_repair" {
         template {
           metadata {
             labels = {
-              name = "${local.instance_alias}-s3-inventory-repair"
+              name = "${local.instance_alias}-s3-inventory"
             }
             annotations = {
-              "iam.amazonaws.com/role" = aws_iam_role.apiary_hms_readonly.name
+              "iam.amazonaws.com/role" = aws_iam_role.apiary_s3_inventory.name
             }
           }
 
           spec {
+            service_account_name            = kubernetes_service_account.s3_inventory[0].metadata.0.name
+            automount_service_account_token = true
             container {
               image   = "${var.hms_docker_image}:${var.hms_docker_version}"
-              name    = "${local.instance_alias}-s3-inventory-repair"
+              name    = "${local.instance_alias}-s3-inventory"
               command = ["/s3_inventory_repair.sh"]
               env {
                 name  = "AWS_REGION"
diff --git a/k8s-service-accounts.tf b/k8s-service-accounts.tf
index e128379..4921e9b 100644
--- a/k8s-service-accounts.tf
+++ b/k8s-service-accounts.tf
@@ -21,3 +21,15 @@ resource "kubernetes_service_account" "hms_readonly" {
   }
   automount_service_account_token = true
 }
+
+resource "kubernetes_service_account" "s3_inventory" {
+  count = var.hms_instance_type == "k8s" ? 1 : 0
+  metadata {
+    name      = "${local.instance_alias}-s3-inventory"
+    namespace = var.metastore_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_s3_inventory.arn
+    }
+  }
+  automount_service_account_token = true
+}