feat: Add conditional policy statement attachments for EKS IAM role module #184
Conversation
|
@bryantbiggs thx for drafting this ! it definitely goes into the right direction. from a -- as for the question of which policies make sense to be included, I for myself would name:
|
bryantbiggs
force-pushed
the
feat/eks-conditional-policies
branch
from
d2b54ac to
7122f7a
Compare
|
@max-rocket-internet curious to hear your thoughts on this if you have the time to spare 🙏🏽 |
bryantbiggs
force-pushed
the
feat/eks-conditional-policies
branch
from
c7a76de to
9590acb
Compare
modules/iam-eks-role/policies.tf
Outdated
| @@ -0,0 +1,454 @@ | |||
| data "aws_partition" "current" {} | |||
There was a problem hiding this comment.
Over all I like the idea of including the policies as it makes the module much more useful.
But it's quite a deviation from historical practice in the hashicorp module where they are generally kept VERY sparse and simple.
modules/iam-eks-role/main.tf
Outdated
| data "aws_eks_cluster" "main" { | ||
| for_each = var.cluster_service_accounts | ||
|
|
||
| name = each.key | ||
| } | ||
|
|
||
| data "aws_iam_policy_document" "assume_role_with_oidc" { | ||
| dynamic "statement" { | ||
| for_each = var.cluster_service_accounts | ||
|
|
||
| content { | ||
| effect = "Allow" | ||
|
|
||
| actions = ["sts:AssumeRoleWithWebIdentity"] | ||
|
|
||
| principals { | ||
| type = "Federated" | ||
|
|
||
| identifiers = [ | ||
| "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}" | ||
| ] | ||
| } | ||
|
|
||
| condition { | ||
| test = "StringEquals" | ||
| variable = "${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}:sub" | ||
| values = [for s in statement.value : "system:serviceaccount:${s}"] | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Please don't remove all this! This is the whole reason why I wrote this module! To get a nice clean simple implementation, for example like this:
module "iam_eks_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
role_name = "my-app"
cluster_service_accounts = {
"cluster1" = ["default:my-app"]
}
}
In this case the user only needs to know the name of the cluster. That's it. By removing data.aws_eks_cluster.main you are then putting it on the user to get/find their OIDC provider ARN and URL. At which point the user needs to either have the EKS cluster in the same TF configuration (like you have in the examples now with provider=module.eks.oidc_provider) OR they have to use a data resource. If you rewrite it like this then it's basically the same as the iam-assumable-role-with-oidc module 😅
Furthermore, I already added var.provider_url_sa_pairs in case people really want to deal with the OIDC provider details or mix both.
There was a problem hiding this comment.
unfortunately, this is the crux of the issue with this sub-module however.
- its not clear to users that the cluster name should be the key of the maps
- it restricts users to creating a role in one region while roles are global - they will will have to figure out when to use
cluster_service_accountsand when to useprovider_url_sa_pairswhen its not quite clear what the difference is on the surface - most importantly is the lifecycle issue. you cannot specify this role and a cluster and create at the same time. the cluster has to exist first
There was a problem hiding this comment.
Maybe I'm missing some context here, is there a github issue talking about issues with the iam-eks-role module?
- How is it not clear? Do you have some example github issues where users can't work it out? There were examples where it was clear but it seems @antonbabenko has changed it with
random_pet🤔 But in the main readme there is an example where the key iscluster1, that's pretty clear, no? - But even with your change, it's not any different in this regard. If the difference between
cluster_service_accounts/provider_url_sa_pairsis not clear from the docs then let's fix the docs. Or just removeprovider_url_sa_pairsas this can be done in the moduleiam-assumable-role-with-oidcanyway. - Why does that matter? An IAM role could be created in a separate TF configuration by a separate team to an EKS cluster. You can't create an RDS instance with
terraform-aws-rdswithout a EC2 subnet existing but a subnet ID is just passed as a string, for example 🙂
There was a problem hiding this comment.
imho its not perfectly clear that the key of the map has to match the exact cluster name for functional reasons and isnt just meant to be an abbreviation to differentiate in the context of the map
There was a problem hiding this comment.
To give some context, this change came about from
- Add optional IRSA provisioning for most common EKS components ? terraform-aws-eks#1825
- VPC-CNI addon with managed IRSA terraform-aws-eks#1841
And I agree with the sentiments of those issues - these seem like common patterns many folks are repeating over and over and over (creating an IRSA role, specifying a policy, etc. - for common addons like VPC CNI, cluster autoscaler, etc.)
At first I thought something like this was being requested terraform-aws-modules/terraform-aws-eks#1827 but after clarifying, its really just the IRSA role w/ policy for common addons. Something where folks can just simply create an IRSA role and flip a flag to provide canned permissions for the use case of that role.
So with that I came here because of the iam-assumable-role-with-oidc module, but then saw and remembered you added something for EKS and thought it would make the most sense to add on to this role to allow users to opt in to various canned permissions for common addons. However, in testing that I came across the lifecycle issues and through testing cycles just reduced it down to the version you see now.
Thats the context bit.
Regarding a path forward, I do believe we have to fix the lifecycle issue. Unfortunately this is how a lot of people work, especially when testing/trying out modules, plus we are seeing a lot more use cases where users are creating and destroying resources quite frequently in a CI pipeline type setup. So the targetted apply of terraform apply -target module.vpc -target module.eks is not going to fly. It also won't fly when we start propagating the use of this module to other modules and documentation. Its just one of the core tenants people rely on with Terraform - that Terraform will manage the lifecycle dependencies and not them.
Outside of that, personally I don't see the benefit in having the data source embedded with the restrictions it provides over having users provide the details. They can use the data source on their end if they like. And this is the area where I say that the module has been designed with in conjunction with the EKS module. I have aligned the inputs of this module with the outputs of that module so its very clear what is expected. That said, it doesn't lock people into using the EKS module; it just shows the relationship since I suspect this will most likely be the most used case.
There was a problem hiding this comment.
All the context being given here is from the behemoth EKS module, used solely by EKS admins. Where the iam-eks-role module was written for regular users who have workloads on EKS who just want a simple IRSA role created.
modules/iam-eks-role/README.md
Outdated
| } | ||
| } | ||
| ``` | ||
|
|
||
| Note: the EKS clusters must in the current AWS region and account as they use the default AWS provider. | ||
| This module has been design in conjunction with the [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks) module and easily integrates with it: |
There was a problem hiding this comment.
No it hasn't and shouldn't be related or reliant on this other module IMO
| This module has been design in conjunction with the [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks) module and easily integrates with it: | |
| This module has been design in conjunction with the [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks) module and easily integrates with it: |
There was a problem hiding this comment.
but it has and it should be - this module handles the IAM roles/policies while the EKS module handles the cluster resources. there are next steps to remove current pieces from the EKS module like https://github.com/bryantbiggs/terraform-aws-eks/blob/master/node_groups.tf#L9-L47
plus we have other teams that are looking for this integration as well to simplify their user experience - Karpenter being one of them with others interested as well
There was a problem hiding this comment.
likewise, we have made changes to make these more interoperable terraform-aws-modules/terraform-aws-eks#1870
There was a problem hiding this comment.
But there is nothing currently in this module that is related to the EKS module? They weren't "designed in conjunction with" at all, they were written and are separate. You could create your EKS cluster with eksctl and still use this module? Maybe my beef is just with the wording..
|
Maybe just ignore my previous comments about specifics and focus on the bigger picture with this PR and the But then this functionality is also simply removing and replacing what I wrote this module for. It's now kind of an extension of the |
I don't follow - unless I am missing something, these changes aren't locking people into anything. The changes do lean towards some assumptions (module will most likely be used with EKS and the EKS module in this organization), but it doesn't lock them in to only those assumptions |
No they are not but you are removing the clean implementation that was available in
Exactly. The user that To give you context: we have about 50 EKS clusters managed by a "devops" team and about 400 developers who manage a whole bunch of apps across these clusters. In a large environment like this, EKS cluster TF resources can't be mixed in with application resources like in your docs, otherwise the TF state gets too big, blast radius etc. Developers need to create IRSA roles (we have 1000s of them) for their apps but have absolutely no knowledge of OIDC and very little of EKS. I didn't write the module for myself, I think there are others who want something clean and simple like this also. If you think outside of the bubble of EKS administration, there is a lot of general users, especially in larger orgs. But anyway, do as you wish, I don't really mind. I just wanted to make you aware of why the module was written like that and who it was for 🙂 |
|
as I spiked this addition in the eks-module and now seeing it being added here but having learned its origin from your convo, I can see both user-groups as stakeholders: those who want full flexibility and those who want some pre-canned policies. shouldnt it be possible to keep the module flexible and satisfy both use-cases and not introduce breaking-changes ? |
Yes. Just don't delete the block of code that I commented on in my review. But TBH if we are going to merge the rest of the changes to the Perhaps I should create a new module, called |
|
I wouldn't argue it's necessarily an extension of the EKS module. You could as well use it standalone and pass in the clustername or OIDC issuer url. No matter where it originates from. If you guys decide for keeping separate modules, it's probably more existing-user-friendly to keep this one as is and put the new stuff from this PR in a different and new module like "iam-eks-common" or such |
|
going with separate module for now I guess |
|
@bryantbiggs the implementation of the policy submodules looks really great so far 👍🏼 How do you feel about also adding aws-load-balancer-controller policy ? Btw I will also give the policies a 3rd pair of eyes if you don't mind. |
| @@ -0,0 +1,174 @@ | |||
| # IAM Role for Service Accounts in EKS | |||
There was a problem hiding this comment.
Update main README.md in the root of the module to include this new module&example into the lists there also.
There was a problem hiding this comment.
Done - also ordered them to match the sub-module/example directory
| private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] | ||
| public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] | ||
|
|
||
| enable_nat_gateway = true |
There was a problem hiding this comment.
If it is not critical for the example, can we disable NAT and VPC flow logs in the example to be able to spin up things faster&cheaper?
There was a problem hiding this comment.
ah, we actually do need the NAT gateway (or replace it with 3 private VPC endpoints which takes just as long to provision as a NAT gateway)
| tags = local.tags | ||
| } | ||
|
|
||
| module "karpenter_controller_irsa_role" { |
There was a problem hiding this comment.
Please add one module for a case where create_role = false because sometimes there can be some weird things we can't check in the happy path.
I don't remember the name of the module where this was a problem a few weeks/months ago.
There was a problem hiding this comment.
done! (and it was Atlantis w/ EFS 😅 )
There was a problem hiding this comment.
@bryantbiggs the implementation of the policy submodules looks really great so far 👍🏼 Happy to see these modules coming
How do you feel about also adding aws-load-balancer-controller policy ? It's quite common also and by now preferable over the in-tree one
Btw I will also give the policies a 3rd pair of eyes if you don't mind.
@philicious we'll add some more in a next PR, this one is getting big enough - hang tight
There was a problem hiding this comment.
done! (and it was Atlantis w/ EFS 😅 )
so it was so much recently :)
|
ok should be all set now @antonbabenko |
## [4.12.0](v4.11.0...v4.12.0) (2022-02-16) ### Features * Add conditional policy statement attachments for EKS IAM role module ([#184](#184)) ([e29b94f](e29b94f))
|
This PR is included in version 4.12.0 🎉 |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
try()Motivation and Context
Breaking Changes
How Has This Been Tested?
examples/*projects