Merge pull request #132 from Ensono/feat/eks-extra-iam-policy

feat: Expose the Additional IAM roles for the EKS
Ensono · Jul 17, 2024 · 9afe9fb · 9afe9fb
2 parents f354004 + 594f688
commit 9afe9fb
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 7 deletions.
diff --git a/aws/modules/infrastructure_modules/eks/data.tf b/aws/modules/infrastructure_modules/eks/data.tf
@@ -1,13 +1,7 @@
-# Current account ID
 data "aws_caller_identity" "this" {}
 
 data "aws_availability_zones" "available" {}
 
-locals {
-
-  trusted_key_identities = var.trusted_role_arn == "" ? ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"] : ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root", "${var.trusted_role_arn}"]
-}
-
 ## EKS
 data "aws_iam_policy_document" "eks_secret_encryption_kms_key_policy" {
   statement {

diff --git a/aws/modules/infrastructure_modules/eks/eks-cluster.tf b/aws/modules/infrastructure_modules/eks/eks-cluster.tf
@@ -17,7 +17,7 @@ module "eks_kms_key" {
 #############
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.17"
+  version = "~> 20.19"
 
   vpc_id                          = var.vpc_id
   subnet_ids                      = var.vpc_private_subnets
@@ -32,6 +32,8 @@ module "eks" {
   node_security_group_additional_rules         = var.node_security_group_additional_rules
   node_security_group_enable_recommended_rules = var.node_security_group_enable_recommended_rules
 
+  iam_role_additional_policies = var.cluster_iam_role_additional_policies
+
   cluster_enabled_log_types = var.cluster_enabled_log_types
 
   create_kms_key         = var.create_kms_key

diff --git a/aws/modules/infrastructure_modules/eks/examples/main.tf b/aws/modules/infrastructure_modules/eks/examples/main.tf
@@ -1,3 +1,7 @@
+data "aws_iam_policy" "cloudwatch_agent_server_policy" {
+  name = "CloudWatchAgentServerPolicy"
+}
+
 module "vpc" {
   source = "../../vpc"
 
@@ -27,6 +31,10 @@ module "eks" {
   cluster_endpoint_private_access = true
   cluster_single_az               = false
 
+  cluster_iam_role_additional_policies = {
+    cloudwatch_agent_server_policy = data.aws_iam_policy.cloudwatch_agent_server_policy.arn
+  }
+
   vpc_id              = module.vpc.id
   vpc_private_subnets = module.vpc.private_subnet_ids
 

diff --git a/aws/modules/infrastructure_modules/eks/locals.tf b/aws/modules/infrastructure_modules/eks/locals.tf
@@ -84,6 +84,8 @@ locals {
     })
   )
 
+  trusted_key_identities = var.trusted_role_arn == "" ? ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"] : ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root", "${var.trusted_role_arn}"]
+
   logging_bucket_kms_key_name                    = "alias/cmk-${lower(var.cluster_name)}-logging-bucket"
   logging_bucket_kms_key_description             = "Secret Encryption Key for the Flow Log Bucket"
   logging_bucket_kms_key_deletion_window_in_days = "7"

diff --git a/aws/modules/infrastructure_modules/eks/variables.tf b/aws/modules/infrastructure_modules/eks/variables.tf
@@ -58,6 +58,13 @@ variable "cluster_enabled_log_types" {
   default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
 }
 
+variable "cluster_iam_role_additional_policies" {
+  type        = map(string)
+  description = "Additional policies to be added to the IAM role for the EKS Cluster"
+
+  default = {}
+}
+
 variable "eks_minimum_nodes" {
   type        = string
   description = "The minimum number of nodes in the cluster, per AZ if 'cluster_single_az' is false"