Updates to use custom-irsa-role module.

SCT-Engineering · Sep 14, 2023 · 5c76420 · 5c76420
1 parent 08fc205
commit 5c76420
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 117 deletions.
diff --git a/aws_data.tf b/aws_data.tf
diff --git a/main.tf b/main.tf
@@ -18,9 +18,43 @@ data "kubernetes_namespace" "existing-ns" {
 }
 
 locals {
+  base_tags = {
+    "eks-cluster-name"      = var.cluster_name
+    "boc:tf_module_name"    = local._module_name
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+    CostAllocation          = var.tag_costallocation
+  }
+
   ns = try(kubernetes_namespace.ns[0].metadata[0].name, data.kubernetes_namespace.existing-ns[0].metadata[0].name)
 }
 
+module "loki-irsa-role" {
+  #source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/?ref=1.0.0"
+  source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/"
+
+  role_name = "${var.cluster_name}-loki"
+
+  attach_s3_bucket_owner_policy          = true
+  attach_encrypted_object_manager_policy = true
+
+  s3_bucket_arns = [
+    module.loki-s3.s3_bucket_arn,
+    "${module.loki-s3.s3_bucket_arn}/*",
+  ]
+  kms_key_arns = [
+    "${module.loki-s3.kms_key_arn}"
+  ]
+
+  oidc_providers = {
+    main = {
+      provider_arn               = var.oidc_provider_arn
+      namespace_service_accounts = ["${var.namespace}:loki"]
+    }
+  }
+  tags = merge(local.base_tags, var.additional_tags)
+}
+
 resource "helm_release" "loki" {
   chart      = "loki"
   version    = var.loki_chart_version
@@ -211,7 +245,7 @@ resource "helm_release" "loki" {
 
   set {
     name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = format("r-eks-%v-irsa-loki-sa", var.cluster_name)
+    value = module.loki-irsa-role.iam_role_arn
   }
 
   set {
@@ -282,8 +316,4 @@ resource "helm_release" "loki" {
     name  = "gateway.image.tag"
     value = module.images.images[local.provisioner_key].tag
   }
-  # referencing vi /home/z/zawac002/eks-middleware-deployment/charts/loki-scalable/dev-values.yaml
-  # /home/z/zawac002/eks-middleware-deployment/charts/loki-scalable
-  # Using diff orig_values.yaml dev-values.yaml | less
-  # Up through:
 }
diff --git a/policies.tf b/policies.tf
diff --git a/roles.tf b/roles.tf
diff --git a/s3.tf b/s3.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 ## create bucket
 locals {
   account_id = data.aws_caller_identity.current.account_id
@@ -12,4 +14,8 @@ module "loki-s3" {
 
   bucket_name       = format("%v-loki", var.cluster_name)
   access_log_bucket = data.aws_s3_bucket.s3_server_access_logs.id
+
+  tags = {
+    "eks-cluster-name" = var.cluster_name
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,14 @@
+variable "tag_costallocation" {
+  description = "Tag CostAllocation (default)"
+  type        = string
+}
+
+variable "additional_tags" {
+  description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
+  type        = map(string)
+  default     = {}
+}
+
 variable "region" {
   description = "The region holding these resources (for the s3 bucket.)"
   type        = string
@@ -26,9 +37,9 @@ variable "create_namespace" {
   default     = "true"
 }
 
-variable "cluster_oidc_issuer_url" {
-  description = "The URL in the EKS cluster for the OpenID Connect identity provider.  This is the full URL including https://"
-  type = string
+variable "oidc_provider_arn" {
+  description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
+  type        = string
 }
 
 variable "rwo_storage_class" {

diff --git a/version.tf b/version.tf
@@ -0,0 +1,4 @@
+locals {
+  _module_name    = "tfmod-loki"
+  _module_version = "unknown"
+}