feat: add to foundation stack way to provision custom EKS access entr…

…ies (#80)
pelotech · Sep 17, 2024 · cc6a00b · cc6a00b
1 parent ac6e7b5
commit cc6a00b
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/terraform/foundation-stack/main.tf b/terraform/foundation-stack/main.tf
@@ -36,6 +36,20 @@ locals {
       }
     }
   }
+  extra_access_entries = {
+    for index, item in var.extra_access_entries : "extra_${index}" => {
+      principal_arn = item.principal_arn
+      policy_associations = {
+        extra_association = {
+          policy_arn = item.policy_arn
+          access_scope = {
+            type       = item.access_scope_type
+            namespaces = item.access_scope_namespaces
+          }
+        }
+      }
+    }
+  }
   s3_csi_arns = compact(concat([module.s3_csi.s3_bucket_arn], var.s3_csi_driver_bucket_arns))
 }
 
@@ -111,7 +125,7 @@ module "eks" {
       taints = var.initial_node_taints
     }
   }
-  access_entries = merge(local.admin_access_entries, local.ro_access_entries)
+  access_entries = merge(local.admin_access_entries, local.ro_access_entries, local.extra_access_entries)
   tags = merge(var.stack_tags, {
     # NOTE - if creating multiple security groups with this module, only tag the
     # security group that Karpenter should utilize with the following tag

diff --git a/terraform/foundation-stack/variables.tf b/terraform/foundation-stack/variables.tf
@@ -33,6 +33,31 @@ variable "stack_vpc_block" {
   }
   description = "Variables for defining the vpc for the stack"
 }
+
+variable "extra_access_entries" {
+  type = list(object({
+    principal_arn           = string
+    policy_arn              = string
+    access_scope_type       = string
+    access_scope_namespaces = optional(list(string))
+  }))
+  description = "EKS access entries needed by IAM roles interacting with this cluster"
+
+  validation {
+    error_message = "Access scope type can only be 'namespace' or 'cluster'"
+    condition = alltrue([
+      for v in var.extra_access_entries : contains(["namespace", "cluster"], v.access_scope_type)
+    ])
+  }
+
+  validation {
+    error_message = "The access scope type 'namespace' requires 'access_scope_namespaces', namespaces can't be set otherwise."
+    condition = alltrue([
+      for v in var.extra_access_entries : ((v.access_scope_type == "namespace" && v.access_scope_namespaces != null) || (v.access_scope_type != "namespace" && v.access_scope_namespaces == null))
+    ])
+  }
+}
+
 variable "stack_ci_admin_arn" {
   type        = string
   description = "arn to the ci role"