feat(cert-manager): EKS Pod Identity

Signed-off-by: Nicolas Lamirault <[email protected]>
portefaix · Aug 28, 2024 · 43b3f9e · 43b3f9e
1 parent 5e49fbd
commit 43b3f9e
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 9 deletions.
diff --git a/terraform/aws/cert-manager/modules/cert-manager/cert_manager.tf b/terraform/aws/cert-manager/modules/cert-manager/cert_manager.tf
@@ -14,14 +14,42 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-module "cert_manager" {
-  source  = "nlamirault/cert-manager/aws"
-  version = "3.0.0"
+module "irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.42.0"
 
-  cluster_name = var.cluster_name
+  for_each = var.enable_irsa ? toset(["1"]) : toset([])
 
-  namespace       = var.namespace
-  service_account = var.service_account
+  role_name                  = var.role_name
+  attach_cert_manager_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+      namespace_service_accounts = [
+        "${var.namespace}:${var.service_account}",
+      ]
+    }
+  }
+
+  tags = var.tags
+}
+
+module "pod_identity" {
+  source  = "terraform-aws-modules/eks-pod-identity/aws"
+  version = "1.4.0"
+
+  for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+  name = var.role_name
+
+  associations = {
+    main = {
+      cluster_name    = data.aws_eks_cluster.this.id
+      namespace       = var.namespace
+      service_account = var.service_account
+    }
+  }
 
   tags = var.tags
 }
diff --git a/terraform/aws/cert-manager/modules/cert-manager/data.tf b/terraform/aws/cert-manager/modules/cert-manager/data.tf
@@ -0,0 +1,17 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "aws_eks_cluster" "this" {
+  name = var.cluster_name
+}
diff --git a/terraform/aws/cert-manager/modules/cert-manager/variables.tf b/terraform/aws/cert-manager/modules/cert-manager/variables.tf
@@ -22,6 +22,12 @@ variable "cluster_name" {
   description = "Name of the EKS cluster"
 }
 
+variable "role_name" {
+  description = "The name of the External DNS IAM role"
+  type        = string
+  default     = "cert-manager"
+}
+
 variable "namespace" {
   type        = string
   description = "The Kubernetes namespace"
@@ -32,6 +38,16 @@ variable "service_account" {
   description = "The Kubernetes service account"
 }
 
+variable "enable_irsa" {
+  type        = bool
+  description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+  type        = bool
+  description = "Enable EKS Pod Identity resources"
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags for VPC"

diff --git a/terraform/aws/cert-manager/staging/cert-manager.tf b/terraform/aws/cert-manager/staging/cert-manager.tf
@@ -19,7 +19,9 @@ module "cert_manager" {
 
   cluster_name = var.cluster_name
 
-  namespace       = var.namespace
-  service_account = var.service_account
-  tags            = var.tags
+  namespace           = var.namespace
+  service_account     = var.service_account
+  enable_irsa         = false
+  enable_pod_identity = true
+  tags                = var.tags
 }