IRSA module added to create Service accounts for k8s addons

kubernetes-addons.tf

@@ -150,9 +150,14 @@ module "argocd" {
 }
 
 module "keda" {
-  count           = var.create_eks && var.keda_enable ? 1 : 0
-  source          = "./kubernetes-addons/keda"
-  keda_helm_chart = var.keda_helm_chart
+  count              = var.create_eks && var.keda_enable ? 1 : 0
+  source             = "./kubernetes-addons/keda"
+  keda_helm_chart    = var.keda_helm_chart
+  eks_cluster_name   = module.aws_eks.cluster_id
+  keda_create_irsa   = var.keda_create_irsa
+  keda_irsa_policies = var.keda_irsa_policies
+  tags               = var.tags
 
   depends_on = [module.aws_eks]
+
 }

kubernetes-addons/irsa/README.md

+# IRSA module
+
+This module creates the following resources
+
+ 1. Kubernetes Namespace for Kubernetes Addon
+ 2. Service Account for Kubernetes Addon
+ 3. IAM Role for Service Account with OIDC assume role policy
+ 4. Creates default policy required for Addon
+ 5. Attaches the additional IAM policies provided by consumer module
+
+ <!--- BEGIN_TF_DOCS --->
+
+ <!--- END_TF_DOCS --->

kubernetes-addons/irsa/data.tf

+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+# Assume role policy for your service account
+data "aws_iam_policy_document" "irsa_with_oidc" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [local.eks_oidc_provider_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.eks_oidc_issuer_url}:sub"
+      values   = ["system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}"]
+    }
+  }
+}
+
+data "aws_eks_cluster" "eks_cluster" {
+  name = var.eks_cluster_name
+}
+
+data "aws_partition" "current" {}
+
+data "aws_caller_identity" "current" {}

kubernetes-addons/irsa/locals.tf

+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+locals {
+  eks_oidc_issuer_url   = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
+  eks_oidc_provider_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer_url}"
+}

kubernetes-addons/irsa/main.tf

+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+# Kubernetes Namesapce
+resource "kubernetes_namespace" "ns" {
+  metadata {
+    name = var.kubernetes_namespace
+
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform-aws-eks-accelerator"
+    }
+  }
+}
+
+# Kubernetes service account
+resource "kubernetes_service_account" "keda_sa" {
+  metadata {
+    name        = var.kubernetes_service_account
+    namespace   = kubernetes_namespace.ns.id
+    annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa.arn }
+  }
+  automount_service_account_token = true
+}
+
+# IAM role and assume role policy for your service account
+resource "aws_iam_role" "irsa" {
+  name                  = "${var.eks_cluster_name}-${var.kubernetes_service_account}-irsa"
+  assume_role_policy    = join("", data.aws_iam_policy_document.irsa_with_oidc.*.json)
+  path                  = var.iam_role_path
+  force_detach_policies = true
+  tags                  = var.tags
+}
+
+# Attach IMA policies for IAM role
+resource "aws_iam_role_policy_attachment" "keda_irsa" {
+  count      = length(var.irsa_iam_policies)
+  policy_arn = var.irsa_iam_policies[count.index]
+  role       = aws_iam_role.irsa.name
+}

kubernetes-addons/irsa/outputs.tf

+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+output "irsa_iam_role_arn" {
+  description = "IAM role ARN for your service account"
+  value       = aws_iam_role.irsa.arn
+}
+
+output "irsa_iam_role_name" {
+  description = "IAM role name for your service account"
+  value       = aws_iam_role.irsa.name
+}

kubernetes-addons/irsa/variables.tf

+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+variable "kubernetes_namespace" {
+  description = "Kubernetes Namespace name"
+}
+
+variable "kubernetes_service_account" {
+  description = "Kubernetes Service Account Name"
+}
+
+variable "eks_cluster_name" {
+  type        = string
+  description = "EKS Cluster Id"
+}
+
+variable "iam_role_path" {
+  type        = string
+  default     = "/"
+  description = "IAM Role path"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Common tags for AWS resources"
+}
+
+variable "irsa_iam_policies" {
+  type        = list(string)
+  description = "IAM Policies for IRSA IAM role"
+}

kubernetes-addons/keda/keda-values.yaml

-
-image:
-  keda:
-    repository: ghcr.io/kedacore/keda
-    # Allows people to override tag if they don't want to use the app version
-    tag:
-  metricsApiServer:
-    repository: ghcr.io/kedacore/keda-metrics-apiserver
-    # Allows people to override tag if they don't want to use the app version
-    tag:
-  pullPolicy: Always
-
-operator:
-  name: keda-operator
+serviceAccount:
+  name: ${keda-sa-name}
 
 resources:
   limits:

kubernetes-addons/keda/locals.tf

-data "aws_region" "current" {}
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
 
 locals {
+  keda_service_account_name = "keda-operator"
+  keda_namespace            = "keda-ns"
+
+  irsa_set_values = [{
+    name  = "serviceAccount.create"
+    value = "false"
+    },
+    {
+      name  = "serviceAccount.name"
+      value = local.keda_service_account_name
+  }]
 
   default_keda_helm_app = {
     name                       = "keda"
@@ -9,15 +36,12 @@ locals {
     version                    = "2.4.0"
     namespace                  = "keda"
     timeout                    = "1200"
-    create_namespace           = true
+    create_namespace           = false
     description                = "Keda Event-based autoscaler for workloads on Kubernetes"
     lint                       = false
-    values                     = local.default_keda_helm_values
     wait                       = true
     wait_for_jobs              = false
     verify                     = false
-    set                        = null
-    set_sensitive              = null
     keyring                    = ""
     repository_key_file        = ""
     repository_cert_file       = ""
@@ -38,14 +62,18 @@ locals {
     dependency_update          = false
     replace                    = false
     postrender                 = ""
-    gameserver_minport         = 7000
-    gameserver_maxport         = 8000
+    set                        = []
+    set_sensitive              = []
+    values                     = local.default_keda_helm_values
   }
   keda_helm_app = merge(
     local.default_keda_helm_app,
     var.keda_helm_chart
   )
 
-  default_keda_helm_values = [templatefile("${path.module}/keda-values.yaml", {})]
+  default_keda_helm_values = [templatefile("${path.module}/keda-values.yaml", {
+    keda-sa-name = local.keda_service_account_name
+  })]
+
 
 }

kubernetes-addons/keda/main.tf

@@ -16,15 +16,17 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
+data "aws_caller_identity" "current" {}
+
 resource "helm_release" "keda" {
   name                       = local.keda_helm_app["name"]
   repository                 = local.keda_helm_app["repository"]
   chart                      = local.keda_helm_app["chart"]
   version                    = local.keda_helm_app["version"]
-  namespace                  = local.keda_helm_app["namespace"]
   timeout                    = local.keda_helm_app["timeout"]
   values                     = local.keda_helm_app["values"]
-  create_namespace           = local.keda_helm_app["create_namespace"]
+  create_namespace           = var.keda_create_irsa ? false : local.keda_helm_app["create_namespace"]
+  namespace                  = var.keda_create_irsa ? local.keda_namespace : local.keda_helm_app["namespace"]
   lint                       = local.keda_helm_app["lint"]
   description                = local.keda_helm_app["description"]
   repository_key_file        = local.keda_helm_app["repository_key_file"]
@@ -56,7 +58,7 @@ resource "helm_release" "keda" {
 
   dynamic "set" {
     iterator = each_item
-    for_each = local.keda_helm_app["set"] == null ? [] : local.keda_helm_app["set"]
+    for_each = var.keda_create_irsa ? distinct(concat(local.irsa_set_values, local.keda_helm_app["set"])) : local.keda_helm_app["set"]
 
     content {
       name  = each_item.value.name
@@ -73,4 +75,70 @@ resource "helm_release" "keda" {
       value = each_item.value.value
     }
   }
+
+  depends_on = [module.irsa]
+}
+
+module "irsa" {
+  count = var.keda_create_irsa ? 1 : 0
+
+  source                     = "../irsa"
+  eks_cluster_name           = var.eks_cluster_name
+  kubernetes_namespace       = local.keda_namespace
+  kubernetes_service_account = local.keda_service_account_name
+  irsa_iam_policies          = concat([aws_iam_policy.keda_irsa[0].arn], var.keda_irsa_policies)
+  tags                       = var.tags
+}
+
+resource "aws_iam_policy" "keda_irsa" {
+  count = var.keda_create_irsa ? 1 : 0
+
+  name        = "${var.eks_cluster_name}-${local.keda_helm_app["name"]}-irsa"
+  path        = var.iam_role_path
+  description = "KEDA IAM role policy for SQS and CloudWatch"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sqs:GetQueueUrl",
+        "sqs:ListDeadLetterSourceQueues",
+        "sqs:ReceiveMessage",
+        "sqs:GetQueueAttributes",
+        "sqs:ListQueueTags",
+        "cloudwatch:DescribeAlarmHistory",
+        "cloudwatch:GetDashboard",
+        "cloudwatch:GetInsightRuleReport",
+        "cloudwatch:ListTagsForResource",
+        "cloudwatch:DescribeAlarms",
+        "cloudwatch:GetMetricStream"
+      ],
+      "Resource": [
+        "arn:aws:cloudwatch:*:${data.aws_caller_identity.current.account_id}:metric-stream/*",
+        "arn:aws:sqs:*:${data.aws_caller_identity.current.account_id}:*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:DescribeInsightRules",
+        "sqs:ListQueues",
+        "cloudwatch:GetMetricData",
+        "cloudwatch:ListMetricStreams",
+        "cloudwatch:DescribeAlarmsForMetric",
+        "cloudwatch:ListDashboards",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GetMetricWidgetImage",
+        "cloudwatch:ListMetrics",
+        "cloudwatch:DescribeAnomalyDetectors"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
 }

kubernetes-addons/keda/variables.tf

@@ -21,3 +21,29 @@ variable "keda_helm_chart" {
   default     = {}
   description = "Keda Event-based autoscaler for workloads on Kubernetes Helm chart config"
 }
+
+variable "eks_cluster_name" {
+  type        = string
+  description = "EKS Cluster Id"
+}
+
+variable "iam_role_path" {
+  type        = string
+  default     = "/"
+  description = "IAM role path"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Common Tags for AWS resources"
+}
+
+variable "keda_create_irsa" {
+  type        = bool
+  description = "Indicates if the add-on should create a IAM role + service account"
+}
+
+variable "keda_irsa_policies" {
+  type        = list(string)
+  description = "Additional IAM policies for a IAM role for service accounts"
+}

kubernetes-addons/lb-ingress-controller/variables.tf

@@ -21,10 +21,12 @@ variable "lb_ingress_controller_helm_app" {
   description = "Helm chart definition for lb_ingress_controller."
   default     = {}
 }
+
 variable "eks_cluster_id" {
   type        = string
   description = "EKS cluster Id"
 }
+
 variable "eks_oidc_issuer_url" {
   type        = string
   description = "The URL on the EKS cluster OIDC Issuer"
@@ -33,5 +35,4 @@ variable "eks_oidc_issuer_url" {
 variable "eks_oidc_provider_arn" {
   type        = string
   description = "The ARN of the OIDC Provider if `enable_irsa = true`."
-
 }

variables.tf

@@ -387,3 +387,13 @@ variable "keda_helm_chart" {
   default     = {}
   description = "KEDA Event-based autoscaler Kubernetes Addon Configuration"
 }
+variable "keda_create_irsa" {
+  type        = bool
+  description = "Indicates if the add-on should create a IAM role + service account"
+  default     = true
+}
+variable "keda_irsa_policies" {
+  type        = list(string)
+  description = "Additional IAM policies for a IAM role for service accounts"
+  default     = []
+}