
fix: update s3_csi refs to mountpoint_s3_csi, example service account name to match docs, coalescelist with defaults incl partition for defaults to support gov-cloud and other aws partitions, split bucket vs path permissions
josmo committed Feb 22, 2024
1 parent 845ba76 commit 573c5f0
Showing 6 changed files with 33 additions and 25 deletions.
2 changes: 1 addition & 1 deletion examples/iam-role-for-service-accounts-eks/README.md
@@ -52,8 +52,8 @@ Run `terraform destroy` when you don't need these resources.
| <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_load_balancer_controller_targetgroup_binding_only_irsa_role"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_mountpoint_s3_csi_irsa_role"></a> [mountpoint\_s3\_csi\_irsa\_role](#module\_mountpoint\_s3\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_node_termination_handler_irsa_role"></a> [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_s3_csi_irsa_role"></a> [s3\_csi\_irsa\_role](#module\_s3\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_velero_irsa_role"></a> [velero\_irsa\_role](#module\_velero\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
| <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
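Review bot: the example README table row is consistent with the module rename in `examples/iam-role-for-service-accounts-eks/main.tf` and stays in alphabetical order, so no change requested here; just make sure this table was regenerated with terraform-docs rather than hand-edited, since the other README in this commit is generated too.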
8 changes: 4 additions & 4 deletions examples/iam-role-for-service-accounts-eks/main.tf
@@ -136,16 +136,16 @@ module "efs_csi_irsa_role" {
tags = local.tags
}

module "s3_csi_irsa_role" {
module "mountpoint_s3_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "s3-csi"
attach_s3_csi_policy = true
role_name = "s3-csi"
attach_mountpoint_s3_csi_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:s3-csi-controller-sa"]
namespace_service_accounts = ["kube-system:s3-csi-driver-sa"]
}
}
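Review bot: the example turns on `attach_mountpoint_s3_csi_policy = true` but sets neither `mountpoint_s3_csi_bucket_arns` nor `mountpoint_s3_csi_path_arns`, so with the `coalescelist` fallbacks this commit adds in policies.tf the example role receives `s3:ListBucket` on `arn:<partition>:s3:::*` and `s3:DeleteObject`, `s3:AbortMultipartUpload` and the other object actions of that statement on `*/*`, that is, every object in every bucket of the account. Examples are what users copy, so please scope it to a bucket, for instance `mountpoint_s3_csi_bucket_arns = ["arn:aws:s3:::example-bucket"]` and `mountpoint_s3_csi_path_arns = ["arn:aws:s3:::example-bucket/*"]` (placeholder bucket name), which would also exercise the new bucket/path split. Minor: `role_name = "s3-csi"` was left as-is while the module block and input were renamed to `mountpoint_s3_csi`.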

11 changes: 6 additions & 5 deletions modules/iam-role-for-service-accounts-eks/README.md
@@ -135,8 +135,8 @@ No modules.
| [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -155,8 +155,8 @@ No modules.
| [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -175,8 +175,8 @@ No modules.
| [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -205,8 +205,8 @@ No modules.
| <a name="input_attach_karpenter_controller_policy"></a> [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
| <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| <a name="input_attach_load_balancer_controller_targetgroup_binding_only_policy"></a> [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
| <a name="input_attach_mountpoint_s3_csi_policy"></a> [attach\_mountpoint\_s3\_csi\_policy](#input\_attach\_mountpoint\_s3\_csi\_policy) | Determines whether to attach the S3 CSI IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_node_termination_handler_policy"></a> [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
| <a name="input_attach_s3_csi_policy"></a> [attach\_s3\_csi\_policy](#input\_attach\_s3\_csi\_policy) | Determines whether to attach the S3 CSI IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_velero_policy"></a> [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_vpc_cni_policy"></a> [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
| <a name="input_cert_manager_hosted_zone_arns"></a> [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` | <pre>[<br> "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
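Review bot: renaming the input `attach_s3_csi_policy` to `attach_mountpoint_s3_csi_policy` (and, further down in this file, dropping `s3_csi_bucket_arns`) is a breaking interface change: any root module still passing the old names fails at plan time with an unsupported-argument error. The commit is typed `fix:`, which reads as a patch-level change; if releases are cut from the conventional-commit type, mark it as breaking (`fix!:` or a `BREAKING CHANGE:` footer) and add it to the upgrade notes, or keep the old names as deprecated aliases for one release. The description was also left as "the S3 CSI IAM policy"; "Mountpoint for Amazon S3 CSI driver" would match the new input name.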
@@ -231,6 +231,8 @@ No modules.
| <a name="input_karpenter_tag_key"></a> [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no |
| <a name="input_load_balancer_controller_targetgroup_arns"></a> [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` | <pre>[<br> "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"<br>]</pre> | no |
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| <a name="input_mountpoint_s3_csi_bucket_arns"></a> [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow S3 CSI to manage buckets | `list(string)` | `[]` | no |
| <a name="input_mountpoint_s3_csi_path_arns"></a> [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow S3 CSI to manage items at the path | `list(string)` | `[]` | no |
| <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider_arn` and `namespace_service_accounts` | `any` | `{}` | no |
| <a name="input_policy_name_prefix"></a> [policy\_name\_prefix](#input\_policy\_name\_prefix) | IAM policy name prefix | `string` | `"AmazonEKS_"` | no |
@@ -240,7 +242,6 @@ No modules.
| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| <a name="input_s3_csi_bucket_arns"></a> [s3\_csi\_bucket\_arns](#input\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow S3 CSI to manage buckets | `list(string)` | <pre>[<br> "arn:aws:s3:::*"<br>]</pre> | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
| <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
20 changes: 10 additions & 10 deletions modules/iam-role-for-service-accounts-eks/policies.tf
@@ -427,13 +427,13 @@ resource "aws_iam_role_policy_attachment" "efs_csi" {
################################################################################

#https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
data "aws_iam_policy_document" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0
data "aws_iam_policy_document" "mountpoint_s3_csi" {
count = var.create_role && var.attach_mountpoint_s3_csi_policy ? 1 : 0

statement {
sid = "MountpointFullBucketAccess"
actions = ["s3:ListBucket"]
resources = var.s3_csi_bucket_arns
resources = coalescelist(var.mountpoint_s3_csi_bucket_arns, ["arn:${local.partition}:s3:::*"])
}

statement {
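Review bot: `coalescelist(var.mountpoint_s3_csi_bucket_arns, ["arn:${local.partition}:s3:::*"])` makes an empty list fail open: `[]` no longer means "no buckets" but "every bucket in the partition", and a caller whose list is computed (for example filtered down to zero buckets) silently ends up with the wildcard. The breadth is the same as the old `["arn:aws:s3:::*"]` default, so this is not a widening, but it is now implicit. Please state the fallback in the variable description, and consider a `lifecycle { precondition }` on this data source that rejects an empty list when the policy is attached, so the wildcard has to be requested explicitly. Also confirm `local.partition` is defined in this module; it is not introduced by this diff.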
@@ -444,26 +444,26 @@ data "aws_iam_policy_document" "s3_csi" {
"s3:AbortMultipartUpload",
"s3:DeleteObject"
]
resources = formatlist("%s/*", var.s3_csi_bucket_arns)
resources = coalescelist(var.mountpoint_s3_csi_path_arns, ["arn:${local.partition}:s3:::*/*"])
}
}

resource "aws_iam_policy" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0
resource "aws_iam_policy" "mountpoint_s3_csi" {
count = var.create_role && var.attach_mountpoint_s3_csi_policy ? 1 : 0

name_prefix = "${var.policy_name_prefix}S3_CSI_Policy-"
path = var.role_path
description = "S3 CSI policy to allow management of S3"
policy = data.aws_iam_policy_document.s3_csi[0].json
policy = data.aws_iam_policy_document.mountpoint_s3_csi[0].json

tags = var.tags
}

resource "aws_iam_role_policy_attachment" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0
resource "aws_iam_role_policy_attachment" "mountpoint_s3_csi" {
count = var.create_role && var.attach_mountpoint_s3_csi_policy ? 1 : 0

role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.s3_csi[0].arn
policy_arn = aws_iam_policy.mountpoint_s3_csi[0].arn
}

################################################################################
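Review bot: the object-level statement no longer derives its resources from the bucket list: `formatlist("%s/*", var.s3_csi_bucket_arns)` becomes `coalescelist(var.mountpoint_s3_csi_path_arns, ["arn:${local.partition}:s3:::*/*"])`. A caller migrating from `s3_csi_bucket_arns` who sets only `mountpoint_s3_csi_bucket_arns` therefore gets `s3:ListBucket` scoped to their buckets but `s3:DeleteObject`, `s3:AbortMultipartUpload` and the other object actions in this statement on `*/*`, objects in every bucket in the partition. That is a privilege regression for exactly the users who had scoped the role. Suggest falling back to the bucket list before the wildcard: `resources = coalescelist(var.mountpoint_s3_csi_path_arns, formatlist("%s/*", var.mountpoint_s3_csi_bucket_arns), ["arn:${local.partition}:s3:::*/*"])`; `formatlist` over an empty list yields an empty list, so the wildcard is still reached only when neither input is set. Minor: `name_prefix = "${var.policy_name_prefix}S3_CSI_Policy-"` and the policy description still say "S3 CSI"; not blocking.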
12 changes: 9 additions & 3 deletions modules/iam-role-for-service-accounts-eks/variables.tf
@@ -146,16 +146,22 @@ variable "attach_efs_csi_policy" {
}

# S3 CSI
variable "attach_s3_csi_policy" {
variable "attach_mountpoint_s3_csi_policy" {
description = "Determines whether to attach the S3 CSI IAM policy to the role"
type = bool
default = false
}

variable "s3_csi_bucket_arns" {
variable "mountpoint_s3_csi_bucket_arns" {
description = "S3 bucket ARNs to allow S3 CSI to manage buckets"
type = list(string)
default = ["arn:aws:s3:::*"]
default = []
}

variable "mountpoint_s3_csi_path_arns" {
description = "S3 path ARNs to allow S3 CSI to manage items at the path"
type = list(string)
default = []
}

# External DNS
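Review bot: the new descriptions do not match what the policy grants and omit the fallback. `mountpoint_s3_csi_bucket_arns` only feeds `s3:ListBucket`, so "manage buckets" overstates it; `mountpoint_s3_csi_path_arns` takes object ARN patterns such as `arn:aws:s3:::my-bucket/prefix/*` (placeholder), not filesystem paths; and neither description says that the empty default is replaced in policies.tf by a partition-wide wildcard. The module README inputs table is generated from these descriptions, so fixing them here fixes the table too. Suggested wording for the first: "S3 bucket ARNs the Mountpoint for Amazon S3 CSI driver may list; an empty list grants `s3:ListBucket` on every bucket in the partition". The `# S3 CSI` section comment could likewise read `# Mountpoint for Amazon S3 CSI`.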
5 changes: 3 additions & 2 deletions wrappers/iam-role-for-service-accounts-eks/main.tf
@@ -21,8 +21,8 @@ module "wrapper" {
attach_karpenter_controller_policy = try(each.value.attach_karpenter_controller_policy, var.defaults.attach_karpenter_controller_policy, false)
attach_load_balancer_controller_policy = try(each.value.attach_load_balancer_controller_policy, var.defaults.attach_load_balancer_controller_policy, false)
attach_load_balancer_controller_targetgroup_binding_only_policy = try(each.value.attach_load_balancer_controller_targetgroup_binding_only_policy, var.defaults.attach_load_balancer_controller_targetgroup_binding_only_policy, false)
attach_mountpoint_s3_csi_policy = try(each.value.attach_mountpoint_s3_csi_policy, var.defaults.attach_mountpoint_s3_csi_policy, false)
attach_node_termination_handler_policy = try(each.value.attach_node_termination_handler_policy, var.defaults.attach_node_termination_handler_policy, false)
attach_s3_csi_policy = try(each.value.attach_s3_csi_policy, var.defaults.attach_s3_csi_policy, false)
attach_velero_policy = try(each.value.attach_velero_policy, var.defaults.attach_velero_policy, false)
attach_vpc_cni_policy = try(each.value.attach_vpc_cni_policy, var.defaults.attach_vpc_cni_policy, false)
cert_manager_hosted_zone_arns = try(each.value.cert_manager_hosted_zone_arns, var.defaults.cert_manager_hosted_zone_arns, ["arn:aws:route53:::hostedzone/*"])
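Review bot: the new `attach_mountpoint_s3_csi_policy` wrapper line is consistent with the module, but the partition fix described in the commit message stops at the S3 CSI inputs: the unchanged `cert_manager_hosted_zone_arns` default on the last context line still hardcodes `arn:aws:route53:::hostedzone/*`, which will not match Route 53 hosted zones in `aws-us-gov` or `aws-cn`. Out of scope for this change, but worth a follow-up so partition handling is uniform across the wrapper defaults.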
@@ -47,6 +47,8 @@ module "wrapper" {
karpenter_tag_key = try(each.value.karpenter_tag_key, var.defaults.karpenter_tag_key, "karpenter.sh/discovery")
load_balancer_controller_targetgroup_arns = try(each.value.load_balancer_controller_targetgroup_arns, var.defaults.load_balancer_controller_targetgroup_arns, ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"])
max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null)
mountpoint_s3_csi_bucket_arns = try(each.value.mountpoint_s3_csi_bucket_arns, var.defaults.mountpoint_s3_csi_bucket_arns, [])
mountpoint_s3_csi_path_arns = try(each.value.mountpoint_s3_csi_path_arns, var.defaults.mountpoint_s3_csi_path_arns, [])
node_termination_handler_sqs_queue_arns = try(each.value.node_termination_handler_sqs_queue_arns, var.defaults.node_termination_handler_sqs_queue_arns, ["*"])
oidc_providers = try(each.value.oidc_providers, var.defaults.oidc_providers, {})
policy_name_prefix = try(each.value.policy_name_prefix, var.defaults.policy_name_prefix, "AmazonEKS_")
@@ -56,7 +58,6 @@ module "wrapper" {
role_path = try(each.value.role_path, var.defaults.role_path, "/")
role_permissions_boundary_arn = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, null)
role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {})
s3_csi_bucket_arns = try(each.value.s3_csi_bucket_arns, var.defaults.s3_csi_bucket_arns, ["arn:aws:s3:::*"])
tags = try(each.value.tags, var.defaults.tags, {})
velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"])
vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false)
