refactor: IAM Policy improvements on External DNS Add-on for TFSec compliance rules compliance. (#1368)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
rodrigobersa authored and vara-bonthu committed Feb 2, 2023
1 parent 998d364 commit 7c0da3a
Showing 4 changed files with 21 additions and 21 deletions.
2 changes: 1 addition & 1 deletion modules/kubernetes-addons/external-dns/README.md
Expand Up @@ -41,7 +41,7 @@ For complete project documentation, please visit the [ExternalDNS Github reposit
| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br> aws_caller_identity_account_id = string<br> aws_caller_identity_arn = string<br> aws_eks_cluster_endpoint = string<br> aws_partition_id = string<br> aws_region_name = string<br> eks_cluster_id = string<br> eks_oidc_issuer_url = string<br> eks_oidc_provider_arn = string<br> tags = map(string)<br> irsa_iam_role_path = string<br> irsa_iam_permissions_boundary = string<br> })</pre> | n/a | yes |
| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | [Deprecated - use `route53_zone_arns`] Domain name of the Route53 hosted zone to use with External DNS. | `string` | n/a | yes |
| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | External DNS Helm Configuration | `any` | `{}` | no |
| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies used for the add-on service account. | `list(string)` | n/a | yes |
| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies used for the add-on service account. | `list(string)` | `[]` | no |
| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
| <a name="input_private_zone"></a> [private\_zone](#input\_private\_zone) | [Deprecated - use `route53_zone_arns`] Determines if referenced Route53 hosted zone is private. | `bool` | `false` | no |
| <a name="input_route53_zone_arns"></a> [route53\_zone\_arns](#input\_route53\_zone\_arns) | List of Route53 zones ARNs which external-dns will have access to create/manage records | `list(string)` | `[]` | no |
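Review bot: the `irsa_policies` row now agrees with the `default = []` added in variables.tf, but the same table still marks `domain_name` as required (`n/a | yes`) while its own description says it is deprecated in favour of `route53_zone_arns`. Because `data.aws_route53_zone.selected` is still looked up by `var.domain_name` unconditionally, a caller who has migrated to `route53_zone_arns` cannot actually drop the old input. Either make `domain_name` optional with a conditional zone lookup, or say in the description that it remains mandatory for now so the deprecation notice does not mislead.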
19 changes: 19 additions & 0 deletions modules/kubernetes-addons/external-dns/data.tf
@@ -0,0 +1,19 @@
data "aws_iam_policy_document" "external_dns_iam_policy_document" {
statement {
effect = "Allow"
resources = distinct(concat(
[data.aws_route53_zone.selected.arn],
var.route53_zone_arns
))
actions = [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
]
}

statement {
effect = "Allow"
resources = ["*"]
actions = ["route53:ListHostedZones"]
}
}
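Review bot: moving `route53:ListResourceRecordSets` into the zone-scoped statement is a genuine tightening, not only a lint fix: the previous document let the controller enumerate records in every hosted zone in the account, whereas now it can read and change records only in the zones listed in `resources`. `route53:ListHostedZones` has no resource-level scoping in IAM, so leaving it on `"*"` is correct; if tfsec still flags that second statement, suppress it with an inline ignore comment on that block rather than relaxing the first statement. One caveat on `distinct(concat(...))`: `data.aws_route53_zone.selected.arn` is always included, so even a caller who supplies `route53_zone_arns` also grants write access to the zone named by the deprecated `domain_name`; worth a sentence in the variable description.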
20 changes: 0 additions & 20 deletions modules/kubernetes-addons/external-dns/main.tf
Expand Up @@ -78,23 +78,3 @@ data "aws_route53_zone" "selected" {
name = var.domain_name
private_zone = var.private_zone
}

data "aws_iam_policy_document" "external_dns_iam_policy_document" {
statement {
effect = "Allow"
resources = distinct(concat(
[data.aws_route53_zone.selected.arn],
var.route53_zone_arns
))
actions = ["route53:ChangeResourceRecordSets"]
}

statement {
effect = "Allow"
resources = ["*"]
actions = [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
]
}
}
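Review bot: the policy document moves to data.tf, but `data.aws_route53_zone.selected` (the hunk's retained context above) stays in main.tf, so the two data sources feeding one policy are now split across files. Either move the zone lookup next to the policy document or keep both in main.tf; as it stands a reader of data.tf has to open main.tf to see where `data.aws_route53_zone.selected.arn` in the `distinct(concat(...))` expression comes from.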
1 change: 1 addition & 0 deletions modules/kubernetes-addons/external-dns/variables.tf
Expand Up @@ -13,6 +13,7 @@ variable "manage_via_gitops" {
variable "irsa_policies" {
description = "Additional IAM policies used for the add-on service account."
type = list(string)
default = []
}

variable "domain_name" {
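Review bot: `default = []` makes the input optional, matching the README row. Consider also setting `nullable = false` on `irsa_policies` so that a caller passing an explicit `null` falls back to the empty list instead of failing wherever the module iterates over or concatenates the list with the generated policy.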