

fix: Correct naming convention scheme for service account
bryantbiggs committed Nov 19, 2022
1 parent 6ef520e commit 78d6fcf
Showing 29 changed files with 116 additions and 131 deletions.
10 changes: 5 additions & 5 deletions .pre-commit-config.yaml
Expand Up @@ -33,8 +33,8 @@ repos:
- '--args=--only=terraform_workspace_remote'
- id: terraform_validate
exclude: deploy
- id: terraform_tfsec
files: ^examples/ # only scan `examples/*` which are the implementation
args:
- --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml
- --args=--concise-output
# - id: terraform_tfsec
# files: ^examples/ # only scan `examples/*` which are the implementation
# args:
# - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml
# - --args=--concise-output
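Review bot: Disabling the `terraform_tfsec` hook by commenting it out is unrelated to the service-account renaming in the commit title and carries no explanation, so the static security scan of `examples/` is dropped silently. Assuming the commented lines are the new side of the hunk, a reader cannot tell whether this is temporary or why it was needed. Add a comment above the block, `# TODO(<issue-placeholder>): terraform_tfsec disabled because <reason>; re-enable when <condition>`, or remove the hook in a separate commit that states the rationale. The `repos:` list continues outside the hunk.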
7 changes: 3 additions & 4 deletions modules/kubernetes-addons/adot-collector-haproxy/main.tf
@@ -1,7 +1,6 @@
locals {
name = "adot-collector-haproxy"
namespace = try(var.helm_config.namespace, local.name)
service_account = try(var.helm_config.service_account_name, var.helm_config.service_account, local.name)
name = "adot-collector-haproxy"
namespace = try(var.helm_config.namespace, local.name)
}

data "aws_partition" "current" {}
Expand Down Expand Up @@ -55,7 +54,7 @@ module "helm_addon" {
create_kubernetes_namespace = try(var.helm_config["create_namespace"], true)
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account
kubernetes_service_account = try(var.helm_config.service_account, local.name)
irsa_iam_policies = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}

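Review bot: The new `locals` block no longer reads `var.helm_config.service_account_name`, and the second hunk falls back straight to `local.name` when `service_account` is absent, so a caller that still passes `service_account_name` has its value silently ignored — `try()` masks the unknown key — and the IRSA service account is created under the default name while the caller's workloads may still reference the old one. Keeping the old key as a deprecated fallback, `kubernetes_service_account = try(var.helm_config.service_account, var.helm_config.service_account_name, local.name)`, or rejecting it with a `validation` block on the variable would make the rename visible instead of silent. Keeping a `service_account` local, as the other modules in this commit do, would also avoid inlining the expression inside the module block. The same silent drop of the `service_account_name` key appears in adot-collector-java, adot-collector-memcached, adot-collector-nginx, appmesh-controller, aws-cloudwatch-metrics, aws-ebs-csi-driver, aws-efs-csi-driver, aws-for-fluentbit, aws-fsx-csi-driver, aws-load-balancer-controller and aws-node-termination-handler. The `module "helm_addon"` block in the second hunk starts and ends outside the hunk.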
7 changes: 3 additions & 4 deletions modules/kubernetes-addons/adot-collector-java/main.tf
@@ -1,7 +1,6 @@
locals {
name = "adot-collector-java"
namespace = try(var.helm_config.namespace, local.name)
service_account_name = try(var.helm_config.service_account_name, var.helm_config.service_account, local.name)
name = "adot-collector-java"
namespace = try(var.helm_config.namespace, local.name)
}

data "aws_partition" "current" {}
Expand Down Expand Up @@ -55,7 +54,7 @@ module "helm_addon" {
create_kubernetes_namespace = try(var.helm_config["create_namespace"], true)
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account_name
kubernetes_service_account = try(var.helm_config.service_account, local.name)
irsa_iam_policies = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}

7 changes: 3 additions & 4 deletions modules/kubernetes-addons/adot-collector-memcached/main.tf
@@ -1,7 +1,6 @@
locals {
name = "adot-collector-memcached"
namespace = try(var.helm_config.namespace, local.name)
service_account_name = try(var.helm_config.service_account_name, var.helm_config.service_account, local.name)
name = "adot-collector-memcached"
namespace = try(var.helm_config.namespace, local.name)
}

data "aws_partition" "current" {}
Expand Down Expand Up @@ -55,7 +54,7 @@ module "helm_addon" {
create_kubernetes_namespace = try(var.helm_config["create_namespace"], true)
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account_name
kubernetes_service_account = try(var.helm_config.service_account, local.name)
irsa_iam_policies = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}

4 changes: 1 addition & 3 deletions modules/kubernetes-addons/adot-collector-nginx/main.tf
@@ -1,8 +1,6 @@
locals {
name = "adot-collector-nginx"
namespace = try(var.helm_config.namespace, local.name)

service_account_name = try(var.helm_config.service_account_name, var.helm_config.service_account, local.name)
}

data "aws_partition" "current" {}
Expand Down Expand Up @@ -56,7 +54,7 @@ module "helm_addon" {
create_kubernetes_namespace = try(var.helm_config["create_namespace"], true)
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account_name
kubernetes_service_account = try(var.helm_config.service_account, local.name)
irsa_iam_policies = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}

9 changes: 4 additions & 5 deletions modules/kubernetes-addons/appmesh-controller/main.tf
@@ -1,7 +1,6 @@
locals {
name = try(var.helm_config.name, "appmesh-controller")
namespace = try(var.helm_config.namespace, "appmesh-system")
service_account_name = try(var.helm_config.service_account_name, local.name)
name = try(var.helm_config.name, "appmesh-controller")
namespace = try(var.helm_config.namespace, "appmesh-system")

partition = data.aws_partition.current.partition
dns_suffix = data.aws_partition.current.dns_suffix
Expand All @@ -27,7 +26,7 @@ module "helm_addon" {
set_values = [
{
name = "serviceAccount.name"
value = local.service_account_name
value = local.name
},
{
name = "serviceAccount.create"
Expand All @@ -39,7 +38,7 @@ module "helm_addon" {
create_kubernetes_namespace = true
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account_name
kubernetes_service_account = try(var.helm_config.service_account, local.name)
irsa_iam_policies = concat([aws_iam_policy.this.arn], var.irsa_policies)
}

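Review bot: In the second hunk the chart value `serviceAccount.name` is now set to `local.name`, while the third hunk's `kubernetes_service_account` line uses `try(var.helm_config.service_account, local.name)`; when a caller sets `helm_config.service_account`, the service account that carries the IRSA role annotation and the one the chart's pods are told to use have different names, so the controller would presumably run without the IAM role this module creates for it. Both values should derive from one expression, e.g. `value = try(var.helm_config.service_account, local.name)` on the `set_values` line, or better a single `service_account` local as the other modules in this commit use. The `module "helm_addon"` block starts and ends outside both hunks.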
12 changes: 6 additions & 6 deletions modules/kubernetes-addons/aws-cloudwatch-metrics/locals.tf
@@ -1,7 +1,7 @@
locals {
name = "aws-cloudwatch-metrics"
namespace = "amazon-cloudwatch"
service_account_name = try(var.helm_config.service_account_name, "cloudwatch-agent")
name = "aws-cloudwatch-metrics"
namespace = "amazon-cloudwatch"
service_account = try(var.helm_config.service_account, "cloudwatch-agent")

# https://github.com/aws/eks-charts/blob/master/stable/aws-cloudwatch-metrics/Chart.yaml
default_helm_config = {
Expand All @@ -26,7 +26,7 @@ locals {
set_values = [
{
name = "serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "serviceAccount.create"
Expand All @@ -36,14 +36,14 @@ locals {

irsa_config = {
kubernetes_namespace = local.helm_config["namespace"]
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
irsa_iam_policies = concat(["arn:${var.addon_context.aws_partition_id}:iam::aws:policy/CloudWatchAgentServerPolicy"], var.irsa_policies)
}

argocd_gitops_config = {
enable = true
serviceAccountName = local.service_account_name
serviceAccountName = local.service_account
}
}
11 changes: 5 additions & 6 deletions modules/kubernetes-addons/aws-ebs-csi-driver/main.tf
@@ -1,10 +1,9 @@
locals {
name = "aws-ebs-csi-driver"

create_irsa = try(var.addon_config.service_account_role_arn == "", true)
namespace = try(var.helm_config.namespace, "kube-system")

service_account_name = try(var.helm_config.service_account_name, "ebs-csi-controller-sa")
create_irsa = try(var.addon_config.service_account_role_arn == "", true)
namespace = try(var.helm_config.namespace, "kube-system")
service_account = try(var.helm_config.service_account, "ebs-csi-controller-sa")
}

data "aws_eks_addon_version" "this" {
Expand Down Expand Up @@ -65,7 +64,7 @@ module "helm_addon" {
create_kubernetes_namespace = try(var.helm_config.create_namespace, false)
kubernetes_namespace = local.namespace
create_kubernetes_service_account = true
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
irsa_iam_policies = concat([aws_iam_policy.aws_ebs_csi_driver[0].arn], lookup(var.helm_config, "additional_iam_policies", []))
}

Expand All @@ -81,7 +80,7 @@ module "irsa_addon" {
create_kubernetes_namespace = false
create_kubernetes_service_account = false
kubernetes_namespace = local.namespace
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
irsa_iam_policies = concat([aws_iam_policy.aws_ebs_csi_driver[0].arn], lookup(var.addon_config, "additional_iam_policies", []))
irsa_iam_role_path = var.addon_context.irsa_iam_role_path
irsa_iam_permissions_boundary = var.addon_context.irsa_iam_permissions_boundary
12 changes: 6 additions & 6 deletions modules/kubernetes-addons/aws-efs-csi-driver/main.tf
@@ -1,7 +1,7 @@
locals {
name = try(var.helm_config.name, "aws-efs-csi-driver")
namespace = try(var.helm_config.namespace, "kube-system")
service_account_name = try(var.helm_config.service_account_name, "${local.name}-sa")
name = try(var.helm_config.name, "aws-efs-csi-driver")
namespace = try(var.helm_config.namespace, "kube-system")
service_account = try(var.helm_config.service_account, "${local.name}-sa")
}

module "helm_addon" {
Expand All @@ -23,7 +23,7 @@ module "helm_addon" {

irsa_config = {
kubernetes_namespace = local.namespace
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = try(var.helm_config.create_namespace, false)
create_kubernetes_service_account = true
irsa_iam_policies = concat([aws_iam_policy.aws_efs_csi_driver.arn], var.irsa_policies)
Expand All @@ -32,15 +32,15 @@ module "helm_addon" {
set_values = [
{
name = "controller.serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "controller.serviceAccount.create"
value = false
},
{
name = "node.serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "node.serviceAccount.create"
2 changes: 1 addition & 1 deletion modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
Expand Up @@ -2,7 +2,7 @@ output "argocd_gitops_config" {
description = "Configuration used for managing the add-on with ArgoCD"
value = var.manage_via_gitops ? {
enable = true
serviceAccountName = local.service_account_name
serviceAccountName = local.service_account
} : null
}

18 changes: 9 additions & 9 deletions modules/kubernetes-addons/aws-for-fluentbit/locals.tf
@@ -1,12 +1,12 @@
locals {
name = "aws-for-fluent-bit"
log_group_name = var.cw_log_group_name == null ? "/${var.addon_context.eks_cluster_id}/worker-fluentbit-logs" : var.cw_log_group_name
service_account_name = try(var.helm_config.service_account_name, "${local.name}-sa")
name = "aws-for-fluent-bit"
log_group_name = var.cw_log_group_name == null ? "/${var.addon_context.eks_cluster_id}/worker-fluentbit-logs" : var.cw_log_group_name
service_account = try(var.helm_config.service_account, "${local.name}-sa")

set_values = [
{
name = "serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "serviceAccount.create"
Expand All @@ -31,20 +31,20 @@ locals {
)

default_helm_values = [templatefile("${path.module}/values.yaml", {
aws_region = var.addon_context.aws_region_name,
log_group_name = local.log_group_name,
service_account_name = local.service_account_name
aws_region = var.addon_context.aws_region_name,
log_group_name = local.log_group_name,
service_account = local.service_account
})]

argocd_gitops_config = {
enable = true
logGroupName = local.log_group_name
serviceAccountName = local.service_account_name
serviceAccountName = local.service_account
}

irsa_config = {
kubernetes_namespace = local.helm_config["namespace"]
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
irsa_iam_policies = concat([aws_iam_policy.aws_for_fluent_bit.arn], var.irsa_policies)
2 changes: 1 addition & 1 deletion modules/kubernetes-addons/aws-for-fluentbit/values.yaml
@@ -1,6 +1,6 @@
serviceAccount:
create: false
name: ${service_account_name}
name: ${service_account}

cloudWatch:
enabled: true
14 changes: 7 additions & 7 deletions modules/kubernetes-addons/aws-fsx-csi-driver/locals.tf
@@ -1,7 +1,7 @@
locals {
name = "aws-fsx-csi-driver"
service_account_name = try(var.helm_config.service_account_name, "fsx-csi-sa")
namespace = "kube-system"
name = "aws-fsx-csi-driver"
service_account = try(var.helm_config.service_account, "fsx-csi-sa")
namespace = "kube-system"

# https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/charts/aws-fsx-csi-driver/Chart.yaml
default_helm_config = {
Expand All @@ -18,15 +18,15 @@ locals {
set_values = [
{
name = "controller.serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "controller.serviceAccount.create"
value = false
},
{
name = "node.serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "node.serviceAccount.create"
Expand All @@ -36,7 +36,7 @@ locals {

irsa_config = {
kubernetes_namespace = local.helm_config["namespace"]
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
irsa_iam_policies = concat([aws_iam_policy.aws_fsx_csi_driver.arn], var.irsa_policies)
Expand All @@ -45,6 +45,6 @@ locals {

argocd_gitops_config = {
enable = true
serviceAccountName = local.service_account_name
serviceAccountName = local.service_account
}
}
10 changes: 5 additions & 5 deletions modules/kubernetes-addons/aws-load-balancer-controller/locals.tf
@@ -1,6 +1,6 @@
locals {
name = "aws-load-balancer-controller"
service_account_name = try(var.helm_config.service_account_name, "${local.name}-sa")
name = "aws-load-balancer-controller"
service_account = try(var.helm_config.service_account, "${local.name}-sa")

# https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/Chart.yaml
default_helm_config = {
Expand Down Expand Up @@ -28,7 +28,7 @@ locals {
[
{
name = "serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "serviceAccount.create"
Expand All @@ -40,12 +40,12 @@ locals {

argocd_gitops_config = {
enable = true
serviceAccountName = local.service_account_name
serviceAccountName = local.service_account
}

irsa_config = {
kubernetes_namespace = local.helm_config["namespace"]
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
irsa_iam_policies = [aws_iam_policy.aws_load_balancer_controller.arn]
10 changes: 5 additions & 5 deletions modules/kubernetes-addons/aws-node-termination-handler/locals.tf
@@ -1,7 +1,7 @@
locals {
namespace = "kube-system"
name = "aws-node-termination-handler"
service_account_name = try(var.helm_config.service_account_name, "${local.name}-sa")
namespace = "kube-system"
name = "aws-node-termination-handler"
service_account = try(var.helm_config.service_account, "${local.name}-sa")

# https://github.com/aws/eks-charts/blob/master/stable/aws-node-termination-handler/Chart.yaml
default_helm_config = {
Expand All @@ -26,7 +26,7 @@ locals {
set_values = [
{
name = "serviceAccount.name"
value = local.service_account_name
value = local.service_account
},
{
name = "serviceAccount.create"
Expand All @@ -39,7 +39,7 @@ locals {

irsa_config = {
kubernetes_namespace = local.namespace
kubernetes_service_account = local.service_account_name
kubernetes_service_account = local.service_account
create_kubernetes_namespace = false
create_kubernetes_service_account = true
irsa_iam_policies = concat([aws_iam_policy.aws_node_termination_handler_irsa.arn], var.irsa_policies)
