

EKSのIAM Roles for Service Accountsをterraformで設定する

Posted at 2021-03-01

terraformだけでIAM Roles for Service Accountsを設定する際のメモ。信頼ポリシー（assume role policy）では `aud` だけでなく `sub`（`system:serviceaccount:<namespace>:<service account名>`）も条件に入れること。`aud` のみだと同じクラスタ内の任意のnamespace・任意のservice accountからこのロールをassumeできてしまう。

AWSの設定(IAM Role)

# Look up the existing EKS cluster; only its OIDC issuer URL is used below.
data "aws_eks_cluster" "this" {
  # NOTE(review): cluster name is hard-coded; turn into a variable if this
  # configuration is reused for more than one cluster.
  name = "my_cluster"
}

# Fetch the certificate chain presented by the cluster's OIDC issuer endpoint.
# Its SHA-1 fingerprint becomes the thumbprint pinned on the IAM OIDC provider.
data "tls_certificate" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Register the cluster's OIDC issuer with IAM so that projected service-account
# tokens can be exchanged for role credentials via AssumeRoleWithWebIdentity.
resource "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer

  # Only tokens minted for the STS audience are accepted by this provider.
  client_id_list = ["sts.amazonaws.com"]

  # Pin the issuer's certificate; index 0 is intended to be the root of the
  # chain returned by the tls_certificate data source.
  thumbprint_list = [data.tls_certificate.this.certificates[0].sha1_fingerprint]
}

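# Trust policy for the IRSA role.
#
# Besides the audience it pins the `sub` claim to a single namespace/service-
# account pair. With only `aud` checked, any service account in any namespace
# of the cluster could assume this role.
data "aws_iam_policy_document" "eks_pod" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.this.arn]
    }

    # IAM condition keys for an OIDC provider are "<issuer host/path>:aud" and
    # "<issuer host/path>:sub" without the https:// scheme. replace() strips
    # it if present and is a no-op if the provider attribute already lacks it.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Must match the namespace and metadata.name of the Kubernetes service
    # account that carries the eks.amazonaws.com/role-arn annotation.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:default:my-service-account"]
    }
  }
}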

# The IAM role that pods obtain through the annotated service account.
# Its permissions come from the policy attachment below, not from this block.
resource "aws_iam_role" "this" {
  assume_role_policy = data.aws_iam_policy_document.eks_pod.json
  name               = "iam-roles-for-service-accounts-role"
}

# Attach an existing customer-managed policy to the IRSA role.
resource "aws_iam_role_policy_attachment" "this" {
  # Placeholder ARN: substitute the real account id and policy name/path.
  policy_arn = "arn:aws:iam::xxxxxxxxx:policy/policy-name-with-path"
  role       = aws_iam_role.this.name
}

K8Sの設定(service account)

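# Kubernetes service account bound to the IAM role via the IRSA annotation.
resource "kubernetes_service_account" "default" {
  metadata {
    # Kubernetes object names must be RFC 1123 subdomains (lowercase
    # alphanumerics, '-' and '.'); an underscore is rejected by the API
    # server. Keep this name in sync with the pod's serviceAccountName and
    # with the `sub` condition in the role's trust policy.
    name      = "my-service-account"
    namespace = "default"

    annotations = {
      # EKS maps this service account to the IAM role through this annotation.
      "eks.amazonaws.com/role-arn" = aws_iam_role.this.arn
    }
  }

  # Default for pods using this account: mount the Kubernetes API token.
  # A pod can override this with its own automountServiceAccountToken field.
  automount_service_account_token = true
}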

podからservice accountを指定

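apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  # No namespace is set, so the pod is created in "default"; the referenced
  # service account must exist in that same namespace.
spec:
  # Must be a valid RFC 1123 subdomain name (no underscores) and match the
  # kubernetes_service_account created by Terraform.
  serviceAccountName: my-service-account
  # Keeps the default Kubernetes API token off the pod (least privilege); the
  # pod-level field takes precedence over the service account's setting.
  # NOTE(review): the IRSA web-identity token is expected to be injected by
  # EKS independently of this flag -- confirm AWS_WEB_IDENTITY_TOKEN_FILE is
  # present in the running pod.
  automountServiceAccountToken: false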
...