From 934a1eab9d2a9de68d1094a634cdea0ddad48f9d Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa
Date: Thu, 27 Apr 2023 19:51:05 -0400
Subject: [PATCH] fix: Velero `serviceAccount` IRSA configuration and `resouces` Policy (#147)

---
 main.tf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 38f6b7f7..47d1a57f 100644
--- a/main.tf
+++ b/main.tf
@@ -2742,10 +2742,11 @@ module "secrets_store_csi_driver_provider_aws" {
 ################################################################################
 
 locals {
- velero_service_account = try(var.velero.service_account_name, "velero-sa")
+ velero_name = "velero"
+ velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-server")
 velero_backup_s3_bucket = split(":", var.velero.s3_backup_location)
 velero_backup_s3_bucket_arn = try(split("/", var.velero.s3_backup_location)[0], var.velero.s3_backup_location)
- velero_backup_s3_bucket_name = try(split("/", local.velero_backup_s3_bucket[5])[1], local.velero_backup_s3_bucket[5])
+ velero_backup_s3_bucket_name = try(split("/", local.velero_backup_s3_bucket[5])[0], local.velero_backup_s3_bucket[5])
 velero_backup_s3_bucket_prefix = try(split("/", var.velero.s3_backup_location)[1], "")
 }
 
@@ -2784,7 +2785,7 @@ data "aws_iam_policy_document" "velero" {
 "s3:ListMultipartUploadParts",
 "s3:PutObject",
 ]
- resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.s3_backup_location}/*" : var.velero.s3_backup_location]
+ resources = ["${var.velero.s3_backup_location}/*"]
 }
 
 statement {
@@ -2849,7 +2850,7 @@ module "velero" {
 EOT
 },
 {
- name = "serviceAccount.name"
+ name = "serviceAccount.server.name"
 value = local.velero_service_account
 },
 {
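Review bot: `velero_backup_s3_bucket_prefix` keeps only the first path segment of `s3_backup_location`, while the policy statement changed further down in this commit grants `${var.velero.s3_backup_location}/*`; for a location such as `arn:aws:s3:::bucket/velero/prod` the prefix local becomes `velero`, and if that local is what feeds Velero's `backupStorageLocation.prefix` (not visible in this hunk) Velero would write under `velero/` while the role only allows `velero/prod/*`. Capturing everything after the bucket name keeps the two in step: `velero_backup_s3_bucket_prefix = try(regex("^[^/]+/(.+)$", var.velero.s3_backup_location)[0], "")`. The `try()` wrapped around the corrected `velero_backup_s3_bucket_name` line can no longer fall back, because index 0 of a `split()` always exists, so it can be simplified to `split("/", local.velero_backup_s3_bucket[5])[0]`.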
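Review bot: The new `resources = ["${var.velero.s3_backup_location}/*"]` silently yields a pattern that matches no object when the configured location carries a trailing slash (`arn:aws:s3:::bucket/prefix/` becomes `bucket/prefix//*`), so the plan applies cleanly but Velero is denied on every object operation. Normalising the input first avoids that: `resources = ["${trimsuffix(var.velero.s3_backup_location, "/")}/*"]`. The line also assumes the value is an S3 ARN rather than a bare bucket name; a `validation` block on the variable (outside this hunk) would turn a non-ARN into a plan-time error instead of an IAM failure at apply. The `data "aws_iam_policy_document" "velero"` block starts and ends outside the hunk.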
@@ -2864,6 +2865,10 @@ module "velero" {
 name = "configuration.backupStorageLocation.bucket"
 value = local.velero_backup_s3_bucket_name
 },
+ {
+ name = "configuration.backupStorageLocation.config.region"
+ value = local.region
+ },
 {
 name = "configuration.volumeSnapshotLocation.config.region"
 value = local.region
@@ -2877,7 +2882,7 @@ module "velero" {
 set_sensitive = try(var.velero.set_sensitive, [])
 
 # IAM role for service account (IRSA)
- set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ set_irsa_names = ["serviceAccount.server.annotations.eks\\.amazonaws\\.com/role-arn"]
 create_role = try(var.velero.create_role, true)
 role_name = try(var.velero.role_name, "velero")
 role_name_use_prefix = try(var.velero.role_name_use_prefix, true)
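Review bot: `configuration.backupStorageLocation.config.region` is pinned to `local.region`, which is the cluster/provider region, but an S3 bucket ARN carries no region and nothing here checks that the backup bucket lives in the same one; a bucket in another region is likely to fail inside Velero's S3 client at runtime rather than at plan time. Since every other Velero setting in this module is looked up with `try(var.velero.<key>, default)`, the same pattern would let operators override it: `value = try(var.velero.backup_bucket_region, local.region)`, assuming `var.velero` is the free-form map the other lookups treat it as. The `module "velero"` block starts and ends outside the hunk.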
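Review bot: `role_name = try(var.velero.role_name, "velero")` still hard-codes the string this commit introduces as `local.velero_name` in the locals block, so the IRSA role default and the service-account default can drift apart on a later rename; `role_name = try(var.velero.role_name, local.velero_name)` derives both from one value. The corrected `set_irsa_names` path is the only line in this hunk that the fix changes, and the surrounding `module "velero"` block starts and ends outside the hunk.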