From 04f0d475658f689b314d639d8a5acb95e6420551 Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:24:40 -0800 Subject: [PATCH 1/4] fix: allow empty kms and ssm arns I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS. When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required. --- .../policies.tf | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 14c2fb43..51a1f9e1 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -539,12 +539,16 @@ data "aws_iam_policy_document" "external_secrets" { resources = ["*"] } - statement { - actions = [ - "ssm:GetParameter", - "ssm:GetParameters", - ] - resources = var.external_secrets_ssm_parameter_arns + dynamic "statement" { + for_each = length(var.external_secrets_ssm_parameter_arns) > 0 ? [1] : [] + content { + actions = [ + "ssm:GetParameter", + "ssm:GetParameters", + ] + + resources = var.external_secrets_ssm_parameter_arns + } } statement { @@ -562,9 +566,12 @@ data "aws_iam_policy_document" "external_secrets" { resources = var.external_secrets_secrets_manager_arns } - statement { - actions = ["kms:Decrypt"] - resources = var.external_secrets_kms_key_arns + dynamic "statement" { + for_each = length(var.external_secrets_kms_key_arns) > 0 ? [1] : [] + content { + actions = ["kms:Decrypt"] + resources = var.external_secrets_kms_key_arns + } } dynamic "statement" { From 08141c7575007f2430be3419a1cde3a67dfd4aa0 Mon Sep 17 00:00:00 2001 
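Review bot: The `dynamic "statement"` guard added for SSM silently changes the meaning of an empty `external_secrets_ssm_parameter_arns` from "invalid policy" to "no SSM statement at all", and nothing in the patch documents that; the variable's description in variables.tf (outside this hunk) should say so, e.g. `Set to [] to omit the ssm:GetParameter/GetParameters statement from the policy entirely.` If that variable's default is a wildcard ARN pattern, callers only reach the least-privilege posture by passing `[]` explicitly, which is worth stating in the same description. `length()` also fails on `null`, so if the variable type currently admits null, declaring `nullable = false` on it keeps the new guard from turning a null input into a plan error. The enclosing `aws_iam_policy_document` begins before this hunk and continues after it.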
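Review bot: The Secrets Manager statement visible as context directly above the new KMS block (`resources = var.external_secrets_secrets_manager_arns`) is still unconditional, so a caller who wants only SSM access and passes `external_secrets_secrets_manager_arns = []` hits the same no-Resource policy error this patch fixes for SSM and KMS. Wrapping it in the same `dynamic "statement"` with `for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []` would make the three inputs behave consistently; that statement starts outside this hunk. The guard on the KMS block would also benefit from a one-line comment, since its rationale currently lives only in the commit message, e.g. `# Omit the statement when no keys are given: IAM rejects a statement with an empty Resource, and (per the commit) the AWS-managed default key needs no explicit kms:Decrypt grant.`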
From: Bryce Lowe Date: Mon, 10 Feb 2025 13:36:58 -0800 Subject: [PATCH 2/4] fix: linters --- modules/iam-role-for-service-accounts-eks/policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 51a1f9e1..b7a2f45e 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -546,7 +546,7 @@ data "aws_iam_policy_document" "external_secrets" { "ssm:GetParameter", "ssm:GetParameters", ] - + resources = var.external_secrets_ssm_parameter_arns } } From c454025111ffd8dc4835915f5cf4c8e19cadef1c Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:39:59 -0800 Subject: [PATCH 3/4] fix: include examples --- .../iam-role-for-service-accounts-eks/main.tf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index a38319a7..303a579a 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -191,6 +191,26 @@ module "external_secrets_irsa_role" { tags = local.tags } +module "external_secrets_without_kms_or_ssm_irsa_role" { + source = "../../modules/iam-role-for-service-accounts-eks" + + role_name = "external-secrets" + attach_external_secrets_policy = true + external_secrets_ssm_parameter_arns = [] + external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"] + external_secrets_kms_key_arns = [] + external_secrets_secrets_manager_create_permission = false + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["default:kubernetes-external-secrets"] + } + } + + tags = local.tags +} + module "fsx_lustre_csi_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" 
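Review bot: The new example module sets `role_name = "external-secrets"`; if the existing `external_secrets_irsa_role` module just above it (whose arguments are outside this hunk) uses the same role name, this example will try to create two IAM roles with one name in the same account and the second apply fails with EntityAlreadyExists. Giving the new module a distinct name such as `role_name = "external-secrets-without-kms-or-ssm"` avoids that and matches its module label. The `arn:aws:secretsmanager:*:*:secret:bar` resource also wildcards both region and account, which is fine for an example but easy to copy as-is; a comment like `# Example only: pin the region and account ID in real deployments` would make that clear.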
From 549ea3117e9b7bbff3af5d320228a6436a9510f0 Mon Sep 17 00:00:00 2001 From: Bryce Lowe Date: Mon, 10 Feb 2025 13:51:58 -0800 Subject: [PATCH 4/4] fix: pre-commit --- examples/iam-role-for-service-accounts-eks/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index 224389f0..84b83982 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -45,6 +45,7 @@ Run `terraform destroy` when you don't need these resources. | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.21 | | [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | +| [external\_secrets\_without\_kms\_or\_ssm\_irsa\_role](#module\_external\_secrets\_without\_kms\_or\_ssm\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a | | [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |