From 50a3ecf284e7b172f35d872f333f68769e718e6c Mon Sep 17 00:00:00 2001
From: xshot9011 <40098197+xshot9011@users.noreply.github.com>
Date: Sat, 25 Nov 2023 20:54:21 +0700
Subject: [PATCH 1/4] chore: change iam sa trust policy

---
 modules/openid_connect_provider/iam.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/openid_connect_provider/iam.tf b/modules/openid_connect_provider/iam.tf
index 793b36c..437a01d 100644
--- a/modules/openid_connect_provider/iam.tf
+++ b/modules/openid_connect_provider/iam.tf
@@ -261,14 +261,14 @@ data "aws_iam_policy_document" "aws_sa_assume_role_policy" {
 actions = ["sts:AssumeRoleWithWebIdentity"]
 effect = "Allow"
 condition {
- test = "StringEquals"
+ test = "StringLike"
 variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub"
 values = [
 format("system:serviceaccount:%s:%s", local.service_accounts[count.index].namespace, local.service_accounts[count.index].name)
 ]
 }
 condition {
- test = "StringEquals"
+ test = "StringLike"
 variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:aud"
 values = [
 "sts.amazonaws.com"

From 59ec0fb6acd806fb53fab3db619f71519c43532b Mon Sep 17 00:00:00 2001
From: xshot9011 <40098197+xshot9011@users.noreply.github.com>
Date: Fri, 26 Jan 2024 16:39:51 +0700
Subject: [PATCH 2/4] chore: add defualt policy for workernode abt efs

---
 iam.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/iam.tf b/iam.tf
index dcdbb29..470c880 100644
--- a/iam.tf
+++ b/iam.tf
@@ -77,6 +77,11 @@ resource "aws_iam_role_policy_attachment" "amazon_ec2_ssm" {
 role = aws_iam_role.node_group_role.name
 }
 
+resource "aws_iam_role_policy_attachment" "amazon_efs_csi" {
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+ role = aws_iam_role.node_group_role.name
+}
+
 # Additional policies
 data "aws_iam_policy_document" "combined_policy" {
 count = length(var.additional_worker_polices) > 0 ? 1 : 0
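Review bot: Switching both trust-policy conditions from `StringEquals` to `StringLike` makes `*` and `?` inside the compared values act as wildcards, so any module input that reaches `local.service_accounts[count.index].namespace` or `.name` containing those characters would widen which Kubernetes service accounts can assume the role. The `:aud` condition compares against the constant `"sts.amazonaws.com"`, gains nothing from pattern matching and should stay `test = "StringEquals"`. If wildcard matching on `:sub` is intended, state that in a comment on the condition (`# StringLike: allows wildcards in namespace/name — inputs are trusted to be literal or deliberately patterned`) and validate or document wildcard characters in the service-account inputs; the commit message calls this a chore and gives no reason. The `aws_sa_assume_role_policy` data block starts before and continues past the hunk.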
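Review bot: The new `amazon_efs_csi` attachment grants `AmazonEFSCSIDriverPolicy` to `aws_iam_role.node_group_role` unconditionally, so every workload on every node that can reach the instance credentials inherits EFS permissions whether or not the EFS CSI add-on is installed. This repository already appears to provision IRSA trust policies in `modules/openid_connect_provider`, which makes the driver's own service account the narrower place for this policy. If attaching it to the node role is deliberate, gate it behind a boolean variable so existing users do not silently receive a broader role (constructed example: `count = var.attach_efs_csi_node_policy ? 1 : 0`) and add a comment stating why the node role rather than an IRSA role carries it.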
From 8b88ef7dfbb3269ab94929c1313222b7d1f2d202 Mon Sep 17 00:00:00 2001
From: xshot9011 <40098197+xshot9011@users.noreply.github.com>
Date: Fri, 26 Jan 2024 16:57:08 +0700
Subject: [PATCH 3/4] chore: update CHANGELOG

---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90e2153..885f569 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,16 @@
 All notable changes to this module will be documented in this file.
 
+## [1.1.1] - 2024-01-26
+
+### Added
+
+- Default policy for worker node's role allowing efs addon to work
+
+### Changed
+
+- Update `data.aws_iam_policy_document.aws_sa_assume_role_policy`'s condition to use `StringLike` instead of `StringEquals`
+
 ## [1.1.0] - 2023-08-12
 
 ### Added
 

From 5a124996e5cf32d57be00d385d8d4d40cf86c95f Mon Sep 17 00:00:00 2001
From: xshot9011 <40098197+xshot9011@users.noreply.github.com>
Date: Wed, 8 May 2024 17:35:32 +0700
Subject: [PATCH 4/4] fix: ingress creation tagging permission doc bug

---
 modules/openid_connect_provider/iam.tf | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/modules/openid_connect_provider/iam.tf b/modules/openid_connect_provider/iam.tf
index 437a01d..7200492 100644
--- a/modules/openid_connect_provider/iam.tf
+++ b/modules/openid_connect_provider/iam.tf
@@ -149,16 +149,17 @@ data "aws_iam_policy_document" "aws_lb_controller_policy" {
 "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
 "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
 ]
- condition {
- test = "Null"
- variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
- values = ["true"]
- }
- condition {
- test = "Null"
- variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
- values = ["false"]
- }
+ # https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2692
+ # condition {
+ # test = "Null"
+ # variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+ # values = ["true"]
+ # }
+ # condition {
+ # test = "Null"
+ # variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+ # values = ["false"]
+ # }
 }
 statement {
 actions = [
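Review bot: Commenting out both `Null` conditions widens this statement from load balancers that are either untagged with `elbv2.k8s.aws/cluster` or carry that tag to every ALB and NLB in the account; the statement's `actions` list sits above the hunk so the verbs cannot be confirmed here, but in the upstream controller's reference policy this pairing of conditions scopes the tag-mutation actions, so the loss is likely an account-wide tagging grant. Leaving the HCL commented out with only an issue link also tells the next reader nothing about whether the narrowing is meant to return. Either delete the commented block and record the widened scope (`# NOTE: tag conditions dropped per #2692 — this statement now permits tagging any ALB/NLB in the account`), or keep the conditions and address the create-time tagging failure with a separate, narrower statement the way upstream's current policy does, if I read it correctly, using the `elasticloadbalancing:CreateAction` condition key. `aws_lb_controller_policy` starts before and continues past the hunk.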