Merge pull request #441 from alphagov/sengi/lb-controller-iam

sengi · web-flow · commit 6f43768236a8 · 2021-09-10T15:31:42.000+01:00
Use iam-assumable-role module in aws_lb_controller_iam.tf
diff --git a/terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf b/terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf
@@ -5,6 +5,21 @@
 # ../cluster-services/aws_lb_controller.tf. See
 # https://github.com/alphagov/govuk-infrastructure/blob/main/docs/architecture/decisions/0003-split-terraform-state-into-separate-aws-cluster-and-kubernetes-resource-phases.md#decision for rationale.
 
+locals {
+  aws_lb_controller_service_account_name = "aws-load-balancer-controller"
+}
+
+module "aws_lb_controller_iam_role" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "4.3.0"
+  create_role                   = true
+  role_name                     = "${local.aws_lb_controller_service_account_name}-${var.cluster_name}"
+  role_description              = "Role for the AWS Load Balancer Controller. Corresponds to ${local.aws_lb_controller_service_account_name} k8s ServiceAccount."
+  provider_url                  = local.cluster_oidc_issuer
+  role_policy_arns              = [aws_iam_policy.aws_lb_controller.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.cluster_services_namespace}:${local.aws_lb_controller_service_account_name}"]
+}
+
 resource "aws_iam_policy" "aws_lb_controller" {
   name        = "AWSLoadBalancerController-${var.cluster_name}"
   description = "Allow AWS Load Balancer Controller to manage ALBs/NLBs etc."
@@ -220,41 +235,3 @@ resource "aws_iam_policy" "aws_lb_controller" {
     ]
   })
 }
-
-locals {
-  aws_lb_controller_service_account_name = "aws-load-balancer-controller"
-
-  # module.eks.cluster_oidc_issuer_url is a full URL, e.g.
-  # "https://oidc.eks.eu-west-1.amazonaws.com/id/B4378A8EBD334FEEFDF3BCB6D0E612C6"
-  # but the string to which IAM compares this lacks the protocol part, so we
-  # have to strip the "https://" when we construct the trust policy
-  # (assume-role policy).
-  cluster_oidc_issuer = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
-}
-
-resource "aws_iam_role" "aws_lb_controller" {
-  name        = "AWSLoadBalancerController-${var.cluster_name}"
-  description = "Role for the AWS Load Balancer Controller. Corresponds to ${local.aws_lb_controller_service_account_name} k8s ServiceAccount."
-  assume_role_policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Principal" : {
-          "Federated" : module.eks.oidc_provider_arn
-        },
-        "Action" : "sts:AssumeRoleWithWebIdentity",
-        "Condition" : {
-          "StringEquals" : {
-            "${local.cluster_oidc_issuer}:sub" : "system:serviceaccount:kube-system:${local.aws_lb_controller_service_account_name}"
-          }
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "aws_lb_controller" {
-  role       = aws_iam_role.aws_lb_controller.name
-  policy_arn = aws_iam_policy.aws_lb_controller.arn
-}
diff --git a/terraform/deployments/cluster-infrastructure/main.tf b/terraform/deployments/cluster-infrastructure/main.tf
@@ -21,6 +21,14 @@ terraform {
 locals {
   cluster_services_namespace = "cluster-services"
   secrets_prefix             = "govuk"
+
+  # module.eks.cluster_oidc_issuer_url is a full URL, e.g.
+  # "https://oidc.eks.eu-west-1.amazonaws.com/id/B4378A8EBD334FEEFDF3BCB6D0E612C6"
+  # but the string to which IAM compares this lacks the protocol part, so we
+  # have to strip the "https://" when we construct the trust policy
+  # (assume-role policy).
+  cluster_oidc_issuer = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+
   default_tags = {
     cluster              = var.cluster_name
     project              = "replatforming"
diff --git a/terraform/deployments/cluster-infrastructure/outputs.tf b/terraform/deployments/cluster-infrastructure/outputs.tf
@@ -65,7 +65,7 @@ output "external_secrets_role_arn" {
 
 output "aws_lb_controller_role_arn" {
   description = "IAM role ARN corresponding to the k8s service account for the AWS Load Balancer Controller."
-  value       = aws_iam_role.aws_lb_controller.arn
+  value       = module.aws_lb_controller_iam_role.iam_role_arn
 }
 
 output "aws_lb_controller_service_account_name" {
diff --git a/terraform/deployments/cluster-services/aws_lb_controller.tf b/terraform/deployments/cluster-services/aws_lb_controller.tf
@@ -10,7 +10,7 @@ resource "helm_release" "aws_lb_controller" {
   repository = "https://aws.github.io/eks-charts"
   chart      = "aws-load-balancer-controller"
   version    = "1.2.6" # TODO: Dependabot or equivalent so this doesn't get neglected.
-  namespace  = "kube-system"
+  namespace  = local.services_ns
   values = [yamlencode({
     clusterName = data.terraform_remote_state.cluster_infrastructure.outputs.cluster_id
     serviceAccount = {

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ output "external_secrets_role_arn" {`
`65`	`65`
`66`	`66`	`output "aws_lb_controller_role_arn" {`
`67`	`67`	`description = "IAM role ARN corresponding to the k8s service account for the AWS Load Balancer Controller."`
`68`		`- value = aws_iam_role.aws_lb_controller.arn`
	`68`	`+ value = module.aws_lb_controller_iam_role.iam_role_arn`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`output "aws_lb_controller_service_account_name" {`