Add flag to control CNI policy attachment

castai · Nov 27, 2024 · 49685cb · 49685cb
1 parent 2f835db
commit 49685cb
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ A module to create AWS IAM policies and a role to connect to CAST.AI
 Requires `castai/castai` and `hashicorp/aws` providers to be configured.
 
 ```hcl
-module "castai-eks-iam-role" {
+module "castai-eks-role-iam" {
   source = "castai/eks-role-iam/castai"
 
   aws_account_id     = var.aws_account_id

diff --git a/main.tf b/main.tf
@@ -6,6 +6,12 @@ locals {
   iam_role_policy_name       = "castai-user-policy-${substr(local.resource_name_postfix, 0, 45)}"
   instance_profile_role_name = "castai-eks-instance-${substr(local.resource_name_postfix, 0, 44)}"
   iam_policy_prefix          = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+
+  castai_instance_profile_policy_list = flatten([
+    "${local.iam_policy_prefix}/AmazonEKSWorkerNodePolicy",
+    "${local.iam_policy_prefix}/AmazonEC2ContainerRegistryReadOnly",
+    var.attach_worker_cni_policy ? ["${local.iam_policy_prefix}/AmazonEKS_CNI_Policy"] : []
+  ])
 }
 
 data "aws_partition" "current" {}
@@ -56,13 +62,13 @@ resource "aws_iam_role_policy" "castai_role_iam_policy" {
 # iam - instance profile role
 
 resource "aws_iam_role" "instance_profile_role" {
-  name               = local.instance_profile_role_name
+  name = local.instance_profile_role_name
   assume_role_policy = jsonencode({
     Version : "2012-10-17"
     Statement : [
       {
-        Sid       = ""
-        Effect    = "Allow"
+        Sid    = ""
+        Effect = "Allow"
         Principal = {
           Service = "ec2.amazonaws.com"
         }
@@ -78,11 +84,7 @@ resource "aws_iam_instance_profile" "instance_profile" {
 }
 
 resource "aws_iam_role_policy_attachment" "castai_instance_profile_policy" {
-  for_each = toset([
-    "${local.iam_policy_prefix}/AmazonEKSWorkerNodePolicy",
-    "${local.iam_policy_prefix}/AmazonEC2ContainerRegistryReadOnly",
-    "${local.iam_policy_prefix}/AmazonEKS_CNI_Policy"
-  ])
+  for_each = toset(local.castai_instance_profile_policy_list)
 
   role       = aws_iam_instance_profile.instance_profile.role
   policy_arn = each.value

diff --git a/variables.tf b/variables.tf
@@ -29,3 +29,11 @@ variable "castai_user_arn" {
   description = "ARN of CAST AI user for which AssumeRole trust access should be granted"
   default     = ""
 }
+
+variable "attach_worker_cni_policy" {
+  type        = bool
+  description = "Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster."
+  default     = true
+}
+
+