
chore: Unify AWS WebIdentity trusted relations (#140)
* chore: Unify AWS WebIdentity trusted relations

Signed-off-by: Jorge Turrado <[email protected]>

* .

Signed-off-by: Jorge Turrado <[email protected]>

* fix typo

Signed-off-by: Jorge Turrado <[email protected]>

* rename resource

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
JorTurFer committed Jan 1, 2024
1 parent 3a25e29 commit c324877
Showing 3 changed files with 67 additions and 34 deletions.
9 changes: 9 additions & 0 deletions terraform/main.tf
Expand Up @@ -340,13 +340,22 @@ module "github_secrets" {
value = data.aws_region.current.name
},
{
// TO REMOVE AFTER MERGING https://github.com/kedacore/keda/pull/5061
name = "TF_AWS_ACCOUNT_ID"
value = data.aws_caller_identity.current.account_id
},
{
name = "TF_AWS_KEDA_ROLE"
value = module.aws_iam.keda_role_arn
},
{
name = "TF_AWS_WORKLOAD1_ROLE"
value = module.aws_iam.workload1_role_arn
},
{
name = "TF_AWS_WORKLOAD2_ROLE"
value = module.aws_iam.workload2_role_arn
},
{
name = "TF_GCP_SA_CREDENTIALS"
value = module.gcp_iam.e2e_user_credentials
84 changes: 50 additions & 34 deletions terraform/modules/aws/iam/main.tf
@@ -1,17 +1,24 @@

locals {
workload1_role_name = "keda-workload-1"
workload2_role_prefix = "workload-2"
workload_trust_relations = jsonencode(
[for role in aws_iam_role.roles :
keda_role_name = "keda-operator"
workload1_role_name = "keda-workload-1"
workload2_role_name = "keda-workload-2"
keda_clusters_trusted_relations = jsonencode(
[for index, provider in aws_iam_openid_connect_provider.oidc_providers :
{
Sid : "",
Effect : "Allow"
Action : "sts:AssumeRole",
Effect : "Allow",
Principal : {
"AWS" : role.arn
"Federated" : "${provider.arn}"
},
Action : "sts:AssumeRoleWithWebIdentity",
Condition : {
StringEquals : {
"${replace(var.identity_providers[index].oidc_issuer_url, "https://", "")}:sub" : "system:serviceaccount:keda:keda-operator",
"${replace(var.identity_providers[index].oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
}
}
}]
}
]
)
}

Expand Down Expand Up @@ -47,7 +54,24 @@ resource "aws_iam_openid_connect_provider" "oidc_providers" {
tags = var.tags
}

resource "aws_iam_role" "keda_role" {
name = local.keda_role_name
tags = var.tags

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": ${local.keda_clusters_trusted_relations}
}
EOF
}

resource "aws_iam_role_policy_attachment" "keda_role_assignement" {
role = aws_iam_role.keda_role.name
policy_arn = aws_iam_policy.policy.arn
}

// TO REMOVE AFTER MERGING https://github.com/kedacore/keda/pull/5061
resource "aws_iam_role" "roles" {
count = length(aws_iam_openid_connect_provider.oidc_providers)
name = var.identity_providers[count.index].role_name
Expand Down Expand Up @@ -80,6 +104,7 @@ resource "aws_iam_role_policy_attachment" "role_assignements" {
role = aws_iam_role.roles[count.index].name
policy_arn = aws_iam_policy.policy.arn
}
// END TO REMOVE

resource "aws_iam_policy" "policy" {
name = "e2e-test-policy"
Expand Down Expand Up @@ -202,34 +227,26 @@ resource "aws_iam_role" "workload1_role" {
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": ${local.workload_trust_relations}
"Statement": {
"Sid" : "",
"Effect" : "Allow"
"Action" : "sts:AssumeRole",
"Principal" : {
"AWS" : ${aws_iam_role.keda_role.arn}
}
}
}
EOF
}

resource "aws_iam_role" "workload2_roles" {
count = length(aws_iam_openid_connect_provider.oidc_providers)
name = "${local.workload2_role_prefix}-${var.identity_providers[count.index].role_name}"
tags = var.tags
resource "aws_iam_role" "workload2_role" {
name = local.workload2_role_name
tags = var.tags

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "${aws_iam_openid_connect_provider.oidc_providers[count.index].arn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${replace(var.identity_providers[count.index].oidc_issuer_url, "https://", "")}:sub": "system:serviceaccount:keda:keda-operator",
"${replace(var.identity_providers[count.index].oidc_issuer_url, "https://", "")}:aud": "sts.amazonaws.com"
}
}
}
]
"Version": "2012-10-17",
"Statement": ${local.keda_clusters_trusted_relations}
}
EOF
}
Expand Down Expand Up @@ -270,13 +287,12 @@ resource "aws_iam_policy" "workload2_role_policy" {
EOF
}

resource "aws_iam_role_policy_attachment" "workload1_role_assignements" {
resource "aws_iam_role_policy_attachment" "workload1_role_assignement" {
role = aws_iam_role.workload1_role.name
policy_arn = aws_iam_policy.workload1_role_policy.arn
}

resource "aws_iam_role_policy_attachment" "workload2_role_assignements" {
count = length(aws_iam_openid_connect_provider.oidc_providers)
role = aws_iam_role.workload2_roles[count.index].name
resource "aws_iam_role_policy_attachment" "workload2_role_assignement" {
role = aws_iam_role.workload2_role.name
policy_arn = aws_iam_policy.workload2_role_policy.arn
}
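Review bot: The heredoc trust policy for workload1_role is not valid JSON after this change: on the line `"Effect" : "Allow"` there is no trailing comma before `"Action"`, and `"AWS" : ${aws_iam_role.keda_role.arn}` interpolates the role ARN without surrounding quotes, so the resulting assume_role_policy should be rejected as a malformed policy document (the aws_iam_role resource validates the policy as JSON, and IAM would refuse it otherwise). The keda_clusters_trusted_relations local in the first hunk already wraps its ARN as `"Federated" : "${provider.arn}"`, so the two lines should read `"Effect" : "Allow",` and `"AWS" : "${aws_iam_role.keda_role.arn}"`. Building this statement with jsonencode, as the locals block does, would remove this class of quoting error entirely. The workload1_role resource header is outside the hunk.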
8 changes: 8 additions & 0 deletions terraform/modules/aws/iam/outputs.tf
Expand Up @@ -6,6 +6,14 @@ output "e2e_user_secret_key" {
value = aws_iam_access_key.e2e_test.secret
}

output "keda_role_arn" {
value = aws_iam_role.keda_role.arn
}

output "workload1_role_arn" {
value = aws_iam_role.workload1_role.arn
}

output "workload2_role_arn" {
value = aws_iam_role.workload2_role.arn
}
