add irsa example

examples/irsa/.tf-control

@@ -0,0 +1,20 @@
+# .tf-control
+# allows for setting a specific command to be used for tf-* commands under this git repo
+# see tf-control.sh help for more info
+
+TFCONTROL_VERSION="1.0.5"
+
+TFCOMMAND="terraform_latest"
+# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
+# TFARGS=""
+# TFNOLOG=""
+# TFNOCOLOR=""
+
+# use the following to force a specific version.  An upgrade of an existing 0.12.31 to 1.x
+# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed).  Other
+# steps in between.  See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
+#
+#TFCOMMAND="terraform_0.12.31"
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.15.5"

examples/irsa/.tf-control.tfrc

@@ -0,0 +1,24 @@
+TFCONTROL_VERSION="1.0.5"
+
+# https://www.terraform.io/docs/cli/config/config-file.html
+plugin_cache_dir   = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "*/*/*" ]
+#  }
+  filesystem_mirror {
+    path    = "/data/terraform/terraform.d/providers"
+    include = [ "*/*/*" ]
+  }
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "external.terraform.census.gov/*/*" ]
+#  }
+  direct {
+    include = [ "*/*/*" ]
+  }
+}
+

examples/irsa/irsa-role.tf

@@ -0,0 +1,51 @@
+data "aws_iam_policy" "policies" {
+  for_each = toset(var.iam_managed_policies)
+  name     = each.key
+}
+
+module "role" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.namespace}:${var.name}"
+  role_name        = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.name)
+
+  # also may create additional policies and include here
+  role_policy_arns = { for k, v in data.aws_iam_policy.policies : k => v.arn }
+  #    policy1 = data.aws_iam_policy.policy.arn
+  #    policy2 = aws_iam_policy.policy2.arn
+
+  oidc_providers = {
+    main = {
+      provider_arn               = local.oidc_provider_arn
+      namespace_service_accounts = [format("%v:%v", var.namespace, var.name)]
+    }
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    {
+      "eks:namespace" = var.namespace
+      "eks:user"      = var.name
+    }
+  )
+}
+
+resource "kubernetes_namespace" "namespace" {
+  count = var.create_namespace ? 1 : 0
+  metadata {
+    name = var.namespace
+  }
+}
+
+resource "kubernetes_service_account" "sa" {
+  count = var.create_service_account ? 1 : 0
+  metadata {
+    namespace = var.namespace
+    name      = var.name
+    annotations = {
+      "eks.amazonaws.com/role-arn" = module.role.role_arn
+    }
+  }
+}

examples/irsa/locals.tf

@@ -0,0 +1,17 @@
+locals {
+  base_tags = {
+    "eks-cluster-name"      = var.cluster_name
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+  vpc_id               = local.parent_rs.cluster_vpc_id
+  subnet_ids           = local.parent_rs.cluster_subnet_ids
+  cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}

examples/irsa/region.tf

@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}

examples/irsa/tf-run.data

@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init 
+
+ALL

examples/irsa/tf-run.destroy.data

@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL

examples/irsa/variables.auto.tfvars

@@ -0,0 +1,4 @@
+namespace              = "default"
+name                   = ""
+create_namespace       = false
+create_service_account = true

examples/irsa/variables.tf

@@ -0,0 +1,22 @@
+variable "namespace" {
+  description = "Service namespace"
+  type        = string
+  default     = "default"
+}
+
+variable "name" {
+  description = "Service account name"
+  type        = string
+}
+
+variable "create_namespace" {
+  description = "Create kubernetes namespace"
+  type        = bool
+  default     = false
+}
+
+variable "create_service_account" {
+  description = "Create kubernetes service account"
+  type        = bool
+  default     = true
+}