diff --git a/modules/flyte/README.md b/modules/flyte/README.md
index f411c3488..7c0f22a1a 100644
--- a/modules/flyte/README.md
+++ b/modules/flyte/README.md
@@ -23,20 +23,25 @@ No modules.
| Name | Type |
|------|------|
+| [aws_iam_policy.flyte_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.flyte_node_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_s3_bucket.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_cors_configuration.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
| [aws_s3_bucket_policy.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_policy.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.flyte_data_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.flyte_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.domino_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_openid_connect_provider.domino_cluster_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.flyte_combined_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -48,12 +53,14 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [compute\_namespace](#input\_compute\_namespace) | Name of Domino compute namespace for this deploy | `string` | n/a | yes |
-| [eks\_info](#input\_eks\_info) | cluster = {
specs {
name = Cluster name.
account\_id = AWS account id where the cluster resides.
}
oidc = {
arn = OIDC provider ARN.
url = OIDC provider url.
cert = {
thumbprint\_list = OIDC cert thumbprints.
url = OIDC cert URL.
}
} |
object({
cluster = object({
specs = object({
name = string
account_id = string
})
oidc = object({
arn = string
url = string
cert = object({
thumbprint_list = list(string)
url = string
})
})
})
}) | n/a | yes |
+| [eks\_cluster\_name](#input\_eks\_cluster\_name) | Name of the EKS cluster running Domino workloads | `string` | n/a | yes |
+| [enable\_irsa](#input\_enable\_irsa) | Whether to assume AWS EKS IRSA is configured; if not, attach permissions to target\_iam\_role\_name. | `bool` | `false` | no |
| [force\_destroy\_on\_deletion](#input\_force\_destroy\_on\_deletion) | Whether to force destroy flyte s3 buckets on deletion | `bool` | `true` | no |
-| [kms\_info](#input\_kms\_info) | key\_id = KMS key id.object({
key_id = string
key_arn = string
enabled = bool
}) | n/a | yes |
+| [kms\_info](#input\_kms\_info) | key\_id = KMS key id.object({
key_id = string
key_arn = string
enabled = bool
}) | n/a | yes |
| [platform\_namespace](#input\_platform\_namespace) | Name of Domino platform namespace for this deploy | `string` | n/a | yes |
| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
-| [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | object({
datacatalog = optional(string, "datacatalog")
flyteadmin = optional(string, "flyteadmin")
flytepropeller = optional(string, "flytepropeller")
}) | `{}` | no |
+| [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | object({
datacatalog = optional(string, "datacatalog")
flyteadmin = optional(string, "flyteadmin")
flytepropeller = optional(string, "flytepropeller")
}) | `{}` | no |
+| [target\_iam\_role\_name](#input\_target\_iam\_role\_name) | If not using IRSA, attach new policies to this AWS IAM role | `string` | `null` | no |
## Outputs
diff --git a/modules/flyte/iam.tf b/modules/flyte/iam.tf
index 8f11f26c6..90649f4ca 100644
--- a/modules/flyte/iam.tf
+++ b/modules/flyte/iam.tf
@@ -1,5 +1,6 @@
resource "aws_iam_role" "flyte_controlplane" {
- name = "${local.deploy_id}-flyte-controlplane"
+ count = var.enable_irsa == true ? 1 : 0
+ name = "${local.deploy_id}-flyte-controlplane"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
@@ -11,8 +12,8 @@ resource "aws_iam_role" "flyte_controlplane" {
}
Condition : {
StringEquals : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+ "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+ "${local.oidc_provider_url}:sub" : [
"system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.datacatalog}",
"system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flytepropeller}",
]
@@ -51,13 +52,16 @@ resource "aws_iam_policy" "flyte_controlplane" {
policy = data.aws_iam_policy_document.flyte_controlplane.json
}
+
resource "aws_iam_role_policy_attachment" "flyte_controlplane" {
- role = aws_iam_role.flyte_controlplane.name
+ count = var.enable_irsa == true ? 1 : 0
+ role = aws_iam_role.flyte_controlplane.0.name
policy_arn = aws_iam_policy.flyte_controlplane.arn
}
resource "aws_iam_role" "flyte_dataplane" {
- name = "${local.deploy_id}-flyte-dataplane"
+ count = var.enable_irsa == true ? 1 : 0
+ name = "${local.deploy_id}-flyte-dataplane"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
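Review bot: The attachment's `role = aws_iam_role.flyte_controlplane.0.name` uses the legacy `.0` attribute index while outputs.tf in the same change moves to splat/`one()` syntax; `aws_iam_role.flyte_controlplane[0].name` is the consistent form, and the same applies to the dataplane attachment later in the file. `aws_iam_policy.flyte_controlplane` stays unconditional, so in non-IRSA mode it is created but attached to nothing (its document is only consumed via `flyte_combined`); if that is intended, a comment such as `# kept as a standalone policy for the IRSA path; merged into flyte_combined otherwise` would save the next reader a question. The `flyte_dataplane` role body continues outside the hunk.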
@@ -69,8 +73,8 @@ resource "aws_iam_role" "flyte_dataplane" {
}
Condition : {
StringLike : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+ "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+ "${local.oidc_provider_url}:sub" : [
"system:serviceaccount:${var.compute_namespace}:run-*"
]
}
@@ -84,8 +88,8 @@ resource "aws_iam_role" "flyte_dataplane" {
}
Condition : {
StringEquals : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+ "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+ "${local.oidc_provider_url}:sub" : [
"system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flyteadmin}",
]
}
@@ -127,6 +131,26 @@ resource "aws_iam_policy" "flyte_dataplane" {
}
resource "aws_iam_role_policy_attachment" "flyte_dataplane" {
- role = aws_iam_role.flyte_dataplane.name
+ count = var.enable_irsa == true ? 1 : 0
+ role = aws_iam_role.flyte_dataplane.0.name
policy_arn = aws_iam_policy.flyte_dataplane.arn
}
+
+
+data "aws_iam_policy_document" "flyte_combined_policy" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.flyte_controlplane.json,
+ data.aws_iam_policy_document.flyte_dataplane.json
+ ]
+}
+
+resource "aws_iam_policy" "flyte_combined" {
+ name = "${local.deploy_id}-flyte-combined"
+ policy = data.aws_iam_policy_document.flyte_combined_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "flyte_node_role_attachment" {
+ count = var.enable_irsa == true ? 0 : 1
+ role = var.target_iam_role_name
+ policy_arn = aws_iam_policy.flyte_combined.arn
+}
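Review bot: `flyte_node_role_attachment` passes `var.target_iam_role_name` straight through, and that variable defaults to `null`, so `enable_irsa = false` without a role name fails at apply with an opaque provider error instead of a clear message; a `precondition` on the attachment (below, Terraform ≥ 1.2) makes the requirement explicit. The larger concern is scope: `flyte_combined` is the union of the control-plane and data-plane documents, and attaching it to what the resource name suggests is the node instance role hands the whole set to every pod on those nodes that can reach the instance metadata service, whereas the IRSA roles above scope each permission set to named service accounts — a comment on the resource stating that this mode widens the blast radius and is a fallback would set expectations. `aws_iam_policy.flyte_combined` and its document are also created when IRSA is enabled and nothing attaches them; `count = var.enable_irsa ? 0 : 1` on both keeps unused policies out of the account. Note too that `source_policy_documents` rejects duplicate `sid` values across the merged documents, so if either source document sets statement IDs (not visible here) the merge fails at plan.
```hcl
resource "aws_iam_role_policy_attachment" "flyte_node_role_attachment" {
  # … unchanged: count, role, policy_arn …

  lifecycle {
    precondition {
      condition     = var.enable_irsa || var.target_iam_role_name != null
      error_message = "target_iam_role_name must be set when enable_irsa is false."
    }
  }
}
```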
diff --git a/modules/flyte/main.tf b/modules/flyte/main.tf
index 50dca0e13..5ce20cf28 100644
--- a/modules/flyte/main.tf
+++ b/modules/flyte/main.tf
@@ -1,8 +1,16 @@
data "aws_partition" "current" {}
data "aws_caller_identity" "aws_account" {}
+data "aws_eks_cluster" "domino_cluster" {
+ name = var.eks_cluster_name
+}
+
+data "aws_iam_openid_connect_provider" "domino_cluster_issuer" {
+ count = var.enable_irsa ? 1 : 0
+ url = local.oidc_provider_url
+}
locals {
- deploy_id = var.eks_info.cluster.specs.name
- oidc_provider_arn = var.eks_info.cluster.oidc.arn
- oidc_provider_url = var.eks_info.cluster.oidc.cert.url
+ deploy_id = lower(var.eks_cluster_name)
+ oidc_provider_arn = var.enable_irsa ? data.aws_iam_openid_connect_provider.domino_cluster_issuer.0.arn : ""
+ oidc_provider_url = try(trimprefix(data.aws_eks_cluster.domino_cluster.identity[0].oidc[0].issuer, "https://"), null)
}
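Review bot: `oidc_provider_url` falls back to `null` through `try(...)`, and when `enable_irsa` is true that null flows into `url` of the `domino_cluster_issuer` data source and into the `"${local.oidc_provider_url}:aud"` condition keys in iam.tf, so a cluster without an OIDC issuer fails the plan with no hint of the cause; dropping the `try` so the expression fails at its source, or adding a `precondition` on the data source with `error_message = "EKS cluster has no OIDC issuer; enable_irsa cannot be true."`, surfaces the real problem. `deploy_id` also changes from `var.eks_info.cluster.specs.name` to `lower(var.eks_cluster_name)`; if any existing cluster name contains uppercase, every `${local.deploy_id}-…` role and policy name changes and those resources are recreated, which the `moved` block in migrations.tf does not cover — worth a comment here or a changelog note. Whether the `aws_iam_openid_connect_provider` data source expects the scheme-less host that `local.oidc_provider_url` now carries should be confirmed against the provider version the module pins.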
diff --git a/modules/flyte/migrations.tf b/modules/flyte/migrations.tf
new file mode 100644
index 000000000..5cd1c3d90
--- /dev/null
+++ b/modules/flyte/migrations.tf
@@ -0,0 +1,4 @@
+moved {
+ from = aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption
+ to = aws_s3_bucket_server_side_encryption_configuration.flyte_metadata_encryption
+}
diff --git a/modules/flyte/outputs.tf b/modules/flyte/outputs.tf
index 55071212b..b7d604fb0 100644
--- a/modules/flyte/outputs.tf
+++ b/modules/flyte/outputs.tf
@@ -3,7 +3,7 @@ output "eks" {
value = {
metadata_bucket = aws_s3_bucket.flyte_metadata.bucket
data_bucket = aws_s3_bucket.flyte_data.bucket
- controlplane_role_arn = aws_iam_role.flyte_controlplane.arn
- dataplane_role_arn = aws_iam_role.flyte_dataplane.arn
+ controlplane_role_arn = one(aws_iam_role.flyte_controlplane[*].arn)
+ dataplane_role_arn = one(aws_iam_role.flyte_dataplane[*].arn)
}
}
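Review bot: `one(aws_iam_role.flyte_controlplane[*].arn)` and its dataplane counterpart evaluate to `null` whenever `enable_irsa` is false, and nothing in the hunk tells callers that; consumers that feed these ARNs into service-account annotations will get an empty value rather than an error. Adding to the output's description `controlplane_role_arn and dataplane_role_arn are null when enable_irsa = false; permissions are then attached to target_iam_role_name` documents the contract. The `output "eks"` block starts outside the hunk.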
diff --git a/modules/flyte/s3.tf b/modules/flyte/s3.tf
index 04f446209..6df60b766 100644
--- a/modules/flyte/s3.tf
+++ b/modules/flyte/s3.tf
@@ -38,7 +38,7 @@ resource "aws_s3_bucket_policy" "flyte_metadata" {
policy = data.aws_iam_policy_document.flyte_metadata.json
}
-resource "aws_s3_bucket_server_side_encryption_configuration" "flye_metadata_encryption" {
+resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_metadata_encryption" {
bucket = aws_s3_bucket.flyte_metadata.bucket
rule {
apply_server_side_encryption_by_default {
diff --git a/modules/flyte/variables.tf b/modules/flyte/variables.tf
index 9536a8316..3b181fc5f 100644
--- a/modules/flyte/variables.tf
+++ b/modules/flyte/variables.tf
@@ -4,38 +4,21 @@ variable "force_destroy_on_deletion" {
default = true
}
-variable "eks_info" {
- description = <