From af7eb614a60ed82407cdebbcc61a92f0d4bfc2b1 Mon Sep 17 00:00:00 2001
From: Dipo Ajayi
Date: Wed, 20 Nov 2024 11:58:56 +0100
Subject: [PATCH 1/4] Add Flyte Propeller Config
---
 iam.tf | 41 +++++++++++++++++++++++++++++++----------
 locals.tf | 2 ++
 variables.tf | 15 +++++++++++++++
 3 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/iam.tf b/iam.tf
index 1bb25fc..69fe442 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,3 +1,7 @@
+data "aws_eks_cluster" "cluster" {
+ name = var.cluster_name
+}
+
 data "aws_iam_policy_document" "truefoundry_platform_feature_s3_policy_document" {
 count = var.feature_blob_storage_enabled ? 1 : 0
 statement {
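Review bot: `data "aws_eks_cluster" "cluster"` reads `var.cluster_name`, but no variable of that name is declared anywhere in this series, so the lookup relies on it already existing in variables.tf outside the diff; if it does not, `terraform validate` fails on this line. The data source also has no `count`, so it is read on every plan, including when `platform_user_enabled` is true and the role that consumes it is not created. A short comment stating its purpose would help the next reader, e.g. `# Resolves the cluster's OIDC issuer for the Flyte Propeller web-identity trust in the platform role below.`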
@@ -188,20 +192,37 @@ resource "aws_iam_policy" "truefoundry_platform_feature_cluster_integration_poli
 resource "aws_iam_role" "truefoundry_platform_feature_iam_role" {
 count = var.platform_user_enabled ? 0 : 1
 name = var.platform_role_enable_override ? var.platform_role_override_name : null
- description = "IAM role for TrueFoundry platform to access S3 bucket, SSM, ECR and EKS"
+ description = "IAM role for TrueFoundry platform to access S3 bucket, SSM, ECR, and EKS"
 name_prefix = var.platform_role_enable_override ? null : "${local.truefoundry_unique_name}-iam-role-"
 force_detach_policies = true
+
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
- Statement = [for role in var.control_plane_roles : {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Sid = ""
- Principal = {
- AWS = role
- }
- }
- ]
+ Statement = concat(
+ [for role in var.control_plane_roles : {
+ Sid = ""
+ Effect = "Allow"
+ Action = "sts:AssumeRole"
+ Principal = {
+ AWS = role
+ }
+ }],
+ [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/${local.oidc_provider_url}"
+ }
+ Condition = {
+ StringEquals = {
+ "${local.oidc_provider_url}:aud" = "sts.amazonaws.com"
+ "${local.oidc_provider_url}:sub" = "system:serviceaccount:${var.flyte_propeller_serviceaccount_namespace}:${var.flyte_propeller_serviceaccount_name}"
+ }
+ }
+ }
+ ]
+ )
 })

 tags = local.tags
diff --git a/locals.tf b/locals.tf
index e57c517..e04d34f 100644
--- a/locals.tf
+++ b/locals.tf
@@ -16,4 +16,6 @@ locals {
 var.feature_docker_registry_enabled ? aws_iam_policy.truefoundry_platform_feature_ecr_policy[0].arn : null,
 ]
 truefoundry_platform_policy_arns = [for arn in local.policy_arns : tostring(arn) if arn != null]
+
+ oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")
 }
diff --git a/variables.tf b/variables.tf
index 3a47e0e..c6fd9f9 100644
--- a/variables.tf
+++ b/variables.tf
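Review bot: The new `sts:AssumeRoleWithWebIdentity` statement lets the Flyte Propeller service account assume the platform role itself, so that pod inherits every policy attached to `truefoundry_platform_feature_iam_role` (S3, SSM, ECR and EKS per the description) rather than the subset Flyte Propeller needs, and any workload that can run under a service account of that name in that namespace obtains the same credentials. A dedicated role for Flyte Propeller with its own narrower policy would keep the platform role's trust unchanged; failing that, the statement should at least be gated on a new toggle (e.g. `var.flyte_propeller_enabled ? [ { ... } ] : []` as the second `concat` argument) so deployments without Flyte do not carry the trust. The `aud` and `sub` `StringEquals` conditions are the right shape and should stay as written. The resource block closes outside the hunk.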
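Review bot: `oidc_provider_url` exists only to hand-build the federated principal ARN in iam.tf (`arn:aws:iam::${var.aws_account_id}:oidc-provider/…`), and nothing in the series checks that an IAM OIDC identity provider for this cluster is actually registered in the account; if it is not, the apply would most likely fail on the role with an IAM error instead of at plan time. Resolving it with `data "aws_iam_openid_connect_provider" "cluster" { url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer }` and using `Federated = data.aws_iam_openid_connect_provider.cluster.arn` fails fast with a clear message and drops the dependency on `var.aws_account_id` for the ARN, while the stripped URL is still needed for the condition keys. The `locals` block opens outside the hunk.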
@@ -153,6 +153,21 @@ variable "feature_cluster_integration_enabled" {
 default = true
 }

+################################################################################
+## Flyte Propeller
+################################################################################
+variable "flyte_propeller_serviceaccount_namespace" {
+ description = "Namespace for the Flyte Propeller service account"
+ type = string
+ default = "tfy-workflow-propeller"
+}
+
+variable "flyte_propeller_serviceaccount_name" {
+ description = "Name for the Flyte Propeller service account"
+ type = string
+ default = "flytepropeller"
+}
+
 ##################################################################################
 ## Other variables
 ##################################################################################
From af6b173e7616e8c4ec1f2e899559297c8cfb23c8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 20 Nov 2024 10:59:52 +0000
Subject: [PATCH 2/4] terraform-docs: automated action
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index c37f2bb..642f10c 100644
--- a/README.md
+++ b/README.md
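Review bot: The two new variables are the only thing binding the web-identity trust to a specific workload, yet nothing rejects an empty or malformed value; an empty namespace or name produces a `:sub` condition that can never match, which surfaces as a confusing runtime failure rather than a plan error. A `validation` block on each variable with `condition = can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.flyte_propeller_serviceaccount_namespace))` (and the same for the name) plus an `error_message` naming the Kubernetes DNS-label rule would catch this at plan time. The descriptions could also state that these values must match the service account the Flyte Propeller chart creates, since a mismatch silently disables the trust.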
@@ -43,6 +43,7 @@ Truefoundry AWS platform features
 | [aws_iam_user_policy_attachment.truefoundry_platform_user_parameter_store_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.truefoundry_platform_user_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.truefoundry_platform_user_secrets_manager_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy_document.truefoundry_platform_feature_cluster_integration_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.truefoundry_platform_feature_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.truefoundry_platform_feature_parameter_store_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -68,6 +69,8 @@ Truefoundry AWS platform features
 | [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no |
 | [feature\_parameter\_store\_enabled](#input\_feature\_parameter\_store\_enabled) | Enable parameter store feature in the platform | `bool` | `true` | no |
 | [feature\_secrets\_manager\_enabled](#input\_feature\_secrets\_manager\_enabled) | Enable secrets manager feature in the platform | `bool` | `false` | no |
+| [flyte\_propeller\_serviceaccount\_name](#input\_flyte\_propeller\_serviceaccount\_name) | Name for the Flyte Propeller service account | `string` | `"flytepropeller"` | no |
+| [flyte\_propeller\_serviceaccount\_namespace](#input\_flyte\_propeller\_serviceaccount\_namespace) | Namespace for the Flyte Propeller service account | `string` | `"tfy-workflow-propeller"` | no |
 | [platform\_role\_enable\_override](#input\_platform\_role\_enable\_override) | Enable overriding the platform role name. You need to pass blob\_storage\_override\_name to pass the bucket name | `bool` | `false` | no |
 | [platform\_role\_override\_name](#input\_platform\_role\_override\_name) | Platform IAM role name which will have access to S3 bucket, SSM and ECR | `string` | `""` | no |
 | [platform\_user\_enabled](#input\_platform\_user\_enabled) | Enable creation of a platform feature user | `bool` | `false` | no |
From ed8fe0564dc9da810c54307d8153bb5e8955b533 Mon Sep 17 00:00:00 2001
From: Dipo Ajayi
Date: Wed, 20 Nov 2024 12:07:00 +0100
Subject: [PATCH 3/4] remove extr comma
---
 iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam.tf b/iam.tf
index 69fe442..f2a4488 100644
--- a/iam.tf
+++ b/iam.tf
@@ -192,7 +192,7 @@ resource "aws_iam_policy" "truefoundry_platform_feature_cluster_integration_poli
 resource "aws_iam_role" "truefoundry_platform_feature_iam_role" {
 count = var.platform_user_enabled ? 0 : 1
 name = var.platform_role_enable_override ? var.platform_role_override_name : null
- description = "IAM role for TrueFoundry platform to access S3 bucket, SSM, ECR, and EKS"
+ description = "IAM role for TrueFoundry platform to access S3 bucket, SSM, ECR and EKS"
 name_prefix = var.platform_role_enable_override ? null : "${local.truefoundry_unique_name}-iam-role-"
 force_detach_policies = true

From 9580410c7c39e2737fc4dab6eb099ff09488b1a4 Mon Sep 17 00:00:00 2001
From: Dipo Ajayi
Date: Wed, 20 Nov 2024 12:20:15 +0100
Subject: [PATCH 4/4] fix lint error
---
 locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/locals.tf b/locals.tf
index e04d34f..8d09504 100644
--- a/locals.tf
+++ b/locals.tf
@@ -17,5 +17,5 @@ locals {
 ]
 truefoundry_platform_policy_arns = [for arn in local.policy_arns : tostring(arn) if arn != null]

- oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")
+ oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 }