From 4ecba3854b843388089ad6d31342158c1e704153 Mon Sep 17 00:00:00 2001 From: Drew Meyers Date: Fri, 1 Mar 2024 13:52:35 -0800 Subject: [PATCH] IAM support for airflow worker --- .../modules/terraform-eks-cluster/README.md | 2 +- .../terraform-eks-cluster/variables.tf | 20 ++++-- .../terraform-unity-sps-airflow/README.md | 5 +- .../terraform-unity-sps-airflow/data.tf | 5 -- .../terraform-unity-sps-airflow/main.tf | 65 ++++++++++++++++++- 5 files changed, 85 insertions(+), 12 deletions(-) diff --git a/terraform-unity/modules/terraform-eks-cluster/README.md b/terraform-unity/modules/terraform-eks-cluster/README.md index 1c7ccf7..d59116a 100644 --- a/terraform-unity/modules/terraform-eks-cluster/README.md +++ b/terraform-unity/modules/terraform-eks-cluster/README.md @@ -35,7 +35,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes | -| [nodegroups](#input\_nodegroups) | A map of node group configurations |
map(object({
instance_types = list(string)
min_size = number
max_size = number
desired_size = number
}))
|
{
"defaultGroup": {
"desired_size": 1,
"instance_types": [
"m5.xlarge"
],
"max_size": 1,
"min_size": 1
}
}
| no | +| [nodegroups](#input\_nodegroups) | A map of node group configurations |
map(object({
create_iam_role = optional(bool)
iam_role_arn = optional(string)
ami_id = optional(string)
min_size = optional(number)
max_size = optional(number)
desired_size = optional(number)
instance_types = optional(list(string))
capacity_type = optional(string)
enable_bootstrap_user_data = optional(bool)
metadata_options = optional(map(any))
}))
|
{
"defaultGroup": {
"desired_size": 1,
"instance_types": [
"m5.xlarge"
],
"max_size": 1,
"metadata_options": {
"http_endpoint": "enabled",
"http_put_response_hop_limit": 3
},
"min_size": 1
}
}
 | no | ## Outputs
diff --git a/terraform-unity/modules/terraform-eks-cluster/variables.tf b/terraform-unity/modules/terraform-eks-cluster/variables.tf
index 9eb338e..a47859f 100644
--- a/terraform-unity/modules/terraform-eks-cluster/variables.tf
+++ b/terraform-unity/modules/terraform-eks-cluster/variables.tf
@@ -4,18 +4,30 @@ variable "cluster_name" { variable "nodegroups" { description = "A map of node group configurations" + type = map(object({ - instance_types = list(string) - min_size = number - max_size = number - desired_size = number + create_iam_role = optional(bool) + iam_role_arn = optional(string) + ami_id = optional(string) + min_size = optional(number) + max_size = optional(number) + desired_size = optional(number) + instance_types = optional(list(string)) + capacity_type = optional(string) + enable_bootstrap_user_data = optional(bool) + metadata_options = optional(map(any)) })) + default = { defaultGroup = { instance_types = ["m5.xlarge"] min_size = 1 max_size = 1 desired_size = 1 + metadata_options = { + "http_endpoint" : "enabled", + "http_put_response_hop_limit" : 3, + } } } }
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/README.md b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
index d9bb68a..0e73479 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/README.md
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
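Review bot: In the variables.tf hunk, the new `metadata_options` default sets `http_put_response_hop_limit` to 3 but leaves `http_tokens` unset, so unless the EKS module outside this diff forces `required`, IMDSv1 stays reachable from pods on the default node group, and the raised hop limit is precisely what lets a pod obtain IMDSv2 tokens and therefore the node role's credentials, which works against this commit's goal of moving workers onto their own role. Suggest adding `"http_tokens" : "required",` to the default and a comment on the hop limit such as `# hop limit 3 lets pods (one extra network hop) reach IMDS; keep http_tokens=required so only IMDSv2 is served`, and reconsidering whether 3 is still needed now that workers use IRSA. The `description` of `nodegroups` also says nothing about the new optional fields (`create_iam_role`, `iam_role_arn`, `ami_id`, `capacity_type`, `enable_bootstrap_user_data`, `metadata_options`) or what an omitted field falls back to; one sentence there would help module callers. The hunk closes `variable "nodegroups"` with its final braces, so nothing of the block lies outside it.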
@@ -32,6 +32,9 @@ No modules.
 |------|------|
 | [aws_db_instance.airflow_db](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/db_instance) | resource |
 | [aws_db_subnet_group.airflow_db](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/db_subnet_group) | resource |
+| [aws_iam_policy.airflow_worker_policy](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/iam_policy) | resource |
+| [aws_iam_role.airflow_worker_role](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.airflow_worker_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.airflow_logs](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/s3_bucket) | resource |
 | [aws_secretsmanager_secret.airflow_db](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_version.airflow_db](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/resources/secretsmanager_secret_version) | resource |
@@ -54,9 +57,9 @@ No modules.
 | [random_id.airflow_webserver_secret](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/id) | resource |
 | [random_id.counter](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/id) | resource |
 | [random_password.airflow_db](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/password) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/eks_cluster) | data source |
 | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/eks_cluster_auth) | data source |
-| [aws_eks_node_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/eks_node_group) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/security_group) | data source |
 | [aws_ssm_parameter.subnet_ids](https://registry.terraform.io/providers/hashicorp/aws/5.35.0/docs/data-sources/ssm_parameter) | data source |
 | [kubernetes_ingress_v1.airflow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/data-sources/ingress_v1) | data source |
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/data.tf b/terraform-unity/modules/terraform-unity-sps-airflow/data.tf
index 668217f..cdbf7a3 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/data.tf
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/data.tf
@@ -23,8 +23,3 @@ data "kubernetes_ingress_v1" "ogc_processes_api_ingress" {
 namespace = kubernetes_namespace.airflow.metadata[0].name
 }
 }
-
-data "aws_eks_node_group" "default" {
- cluster_name = var.eks_cluster_name
- node_group_name = "defaultGroup"
-}
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
index d9022fb..1c8cb0e 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
@@ -228,7 +228,7 @@ resource "helm_release" "airflow" {
 metadata_secret_name = "airflow-metadata-secret"
 webserver_secret_name = "airflow-webserver-secret"
 airflow_logs_s3_location = "s3://${aws_s3_bucket.airflow_logs.id}"
- airflow_worker_role_arn = data.aws_eks_node_group.default.node_role_arn
+ airflow_worker_role_arn = aws_iam_role.airflow_worker_role.arn
 })
 ]
 set_sensitive {
@@ -369,3 +369,66 @@ resource "kubernetes_ingress_v1" "ogc_processes_api_ingress" {
 }
 wait_for_load_balancer = true
 }
+
+data "aws_caller_identity" "current" {}
+
+
+resource "aws_iam_policy" "airflow_worker_policy" {
+ name = "AirflowWorkerPolicy"
+ description = "Policy for Airflow Workers to access AWS services"
+ policy = jsonencode(
+ {
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:CreateLogGroup",
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "sqs:SendMessage",
+ "sqs:ReceiveMessage",
+ "sns:Publish",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "secretsmanager:GetSecretValue",
+ "ssm:GetParameters"
+ ],
+ "Resource" : "*"
+ }
+ ]
+ }
+ )
+}
+
+resource "aws_iam_role" "airflow_worker_role" {
+ name = "AirflowWorkerRole"
+ assume_role_policy = jsonencode(
+ {
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : "arn:aws:iam::429178552491:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/7E914336E4CD991EA4B403BA606CB778"
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringEquals" : {
+ "oidc.eks.us-west-2.amazonaws.com/id/7E914336E4CD991EA4B403BA606CB778:sub" : "system:serviceaccount:airflow:airflow-worker"
+ }
+ }
+ }
+ ]
+ }
+ )
+ permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/mcp-tenantOperator-AMI-APIG"
+}
+
+resource "aws_iam_role_policy_attachment" "airflow_worker_policy_attachment" {
+ role = aws_iam_role.airflow_worker_role.name
+ policy_arn = aws_iam_policy.airflow_worker_policy.arn
+}
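Review bot: The trust policy of `aws_iam_role.airflow_worker_role` hard-codes account `429178552491` and the OIDC provider id of one us-west-2 cluster, so in any other account or cluster the role is either not assumable or trusts a cluster this deployment does not own, and it is inconsistent with `permissions_boundary` two lines below, which already takes the account from `data.aws_caller_identity.current`. The module already reads `data.aws_eks_cluster.cluster` (listed in the README hunk) and creates `kubernetes_namespace.airflow` (visible in the data.tf context), so the issuer and namespace can be derived as sketched below, with an `:aud` condition on `sts.amazonaws.com` added next to `:sub` as AWS recommends for IRSA; note the hunk does not create the IAM OIDC provider for the cluster, so its existence should be confirmed or documented as a prerequisite. Separately, `aws_iam_policy.airflow_worker_policy` grants `s3:GetObject`/`s3:PutObject`, `secretsmanager:GetSecretValue` and `ssm:GetParameters` on `"Resource" : "*"`; the S3 actions at least can be scoped to `aws_s3_bucket.airflow_logs.arn` and `"${aws_s3_bucket.airflow_logs.arn}/*"`, and the `sqs:*`/`sns:Publish` actions have no corresponding resource in the module that I can see, so they warrant a comment naming their consumer or removal. The fixed names `AirflowWorkerPolicy` and `AirflowWorkerRole` will also collide if the module is instantiated twice in one account, which the existing `random_id.counter` suggests is expected.
```terraform
locals {
  # Issuer without the scheme, usable both in the provider ARN and as the condition-key prefix.
  oidc_issuer = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
}

resource "aws_iam_role" "airflow_worker_role" {
  name = "AirflowWorkerRole"
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_issuer}"
          },
          "Action" : "sts:AssumeRoleWithWebIdentity",
          "Condition" : {
            "StringEquals" : {
              "${local.oidc_issuer}:sub" : "system:serviceaccount:${kubernetes_namespace.airflow.metadata[0].name}:airflow-worker",
              "${local.oidc_issuer}:aud" : "sts.amazonaws.com"
            }
          }
        }
      ]
    }
  )
  # … unchanged: permissions_boundary …
}
```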