adding openid connect provider to enable irsa feature (nebari-dev#1903)

Co-authored-by: Scott Blair <sblair@metrostar.com> Co-authored-by: Ken Foster <kfoster@metrostar.com>
MetroStar · Aug 30, 2023 · 0a0e988 · 0a0e988
1 parent 40cfb49
commit 0a0e988
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 12 deletions.
diff --git a/src/_nebari/stages/infrastructure/template/aws/main.tf b/src/_nebari/stages/infrastructure/template/aws/main.tf
@@ -81,7 +81,6 @@ module "kubernetes" {
   name               = local.cluster_name
   tags               = local.additional_tags
   region             = var.region
-  partition          = local.partition
   kubernetes_version = var.kubernetes_version
 
   cluster_subnets         = local.subnet_ids

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/locals.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/locals.tf
@@ -1,16 +1,18 @@
 locals {
   cluster_policies = concat([
-    "arn:${var.partition}:iam::aws:policy/AmazonEKSClusterPolicy",
-    "arn:${var.partition}:iam::aws:policy/AmazonEKSServicePolicy",
-    "arn:${var.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+    "arn:${local.partition}:iam::aws:policy/AmazonEKSClusterPolicy",
+    "arn:${local.partition}:iam::aws:policy/AmazonEKSServicePolicy",
+    "arn:${local.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
   ], var.cluster_additional_policies)
 
   node_group_policies = concat([
-    "arn:${var.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-    "arn:${var.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
-    "arn:${var.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+    "arn:${local.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+    "arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
+    "arn:${local.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
     aws_iam_policy.worker_autoscaling.arn
   ], var.node_group_additional_policies)
 
   gpu_node_group_names = [for node_group in var.node_groups : node_group.name if node_group.gpu == true]
+
+  partition = data.aws_partition.current.partition
 }
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 resource "aws_eks_cluster" "main" {
   name     = var.name
   role_arn = aws_iam_role.cluster.arn
@@ -70,3 +72,18 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" {
     aws_eks_node_group.main,
   ]
 }
+
+data "tls_certificate" "this" {
+  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "oidc_provider" {
+  client_id_list  = ["sts.${data.aws_partition.current.dns_suffix}"]
+  thumbprint_list = data.tls_certificate.this.certificates[*].sha1_fingerprint
+  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
+
+  tags = merge(
+    { Name = "${var.name}-eks-irsa" },
+    var.tags
+  )
+}
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/outputs.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/outputs.tf
@@ -13,6 +13,16 @@ output "node_groups_arn" {
   value = aws_eks_node_group.main[*].arn
 }
 
+output "cluster_oidc_issuer_url" {
+  description = "The URL on the EKS cluster for the OpenID Connect identity provider"
+  value       = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+output "oidc_provider_arn" {
+  description = "The ARN of the OIDC Provider"
+  value       = aws_iam_openid_connect_provider.oidc_provider.arn
+}
+
 # https://github.com/terraform-aws-modules/terraform-aws-eks/blob/16f46db94b7158fd762d9133119206aaa7cf6d63/examples/self_managed_node_group/main.tf
 output "kubeconfig" {
   description = "Kubernetes connection configuration kubeconfig"

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
@@ -19,11 +19,6 @@ variable "region" {
   type        = string
 }
 
-variable "partition" {
-  description = "AWS partition for EKS cluster"
-  type        = string
-}
-
 variable "kubernetes_version" {
   description = "AWS kubernetes version for EKS cluster"
   type        = string

diff --git a/src/_nebari/stages/infrastructure/template/aws/outputs.tf b/src/_nebari/stages/infrastructure/template/aws/outputs.tf
@@ -24,3 +24,13 @@ output "nfs_endpoint" {
   description = "Endpoint for nfs server"
   value       = module.efs.credentials.dns_name
 }
+
+output "cluster_oidc_issuer_url" {
+  description = "The URL on the EKS cluster for the OpenID Connect identity provider"
+  value       = module.kubernetes.cluster_oidc_issuer_url
+}
+
+output "oidc_provider_arn" {
+  description = "The ARN of the OIDC Provider"
+  value       = module.kubernetes.oidc_provider_arn
+}