terraformだけでIAM Roles for Service Accountsを設定する際のメモ
AWSの設定(IAM Role)
# Look up the existing EKS cluster; only its OIDC issuer URL is consumed below.
data "aws_eks_cluster" "this" {
  name = "my_cluster"
}
# Retrieve the TLS certificate chain served by the cluster's OIDC issuer.
# certificates[0] of this chain is used as the OIDC provider thumbprint.
data "tls_certificate" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}
# Register the cluster's OIDC issuer as an IAM identity provider so that
# EKS-issued service account tokens can be exchanged via STS.
resource "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer

  # Audience that projected service account tokens are issued for.
  client_id_list = ["sts.amazonaws.com"]

  # Fingerprint of the issuer's certificate chain fetched above.
  thumbprint_list = [data.tls_certificate.this.certificates[0].sha1_fingerprint]
}
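# Trust policy for the IRSA role: allows a pod to exchange its EKS-issued OIDC
# token for role credentials via sts:AssumeRoleWithWebIdentity.
data "aws_iam_policy_document" "eks_pod" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.this.arn]
    }

    # The issuer URL is configured with an "https://" scheme, while IAM OIDC
    # condition keys are written as "<host>/<path>:<claim>". replace() strips
    # the scheme and is a no-op if the attribute already lacks it.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Restricting only :aud would let *any* service account in the cluster
    # assume this role. Pin the subject to the single account that should use
    # it (system:serviceaccount:<namespace>:<name>). Keep this value in sync
    # with the kubernetes_service_account defined in the Kubernetes section.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:default:my_service_account"]
    }
  }
}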
# IAM role assumed by the pod; its trust policy is the document built above.
resource "aws_iam_role" "this" {
  name               = "iam-roles-for-service-accounts-role"
  assume_role_policy = data.aws_iam_policy_document.eks_pod.json
}
# Grant the role its permissions by attaching an existing customer-managed
# policy (account id and policy path are placeholders in this memo).
resource "aws_iam_role_policy_attachment" "this" {
  policy_arn = "arn:aws:iam::xxxxxxxxx:policy/policy-name-with-path"
  role       = aws_iam_role.this.name
}
K8Sの設定(service account)
# Kubernetes service account bound to the IAM role through the EKS role-arn
# annotation; pods that run under this account can assume the role.
resource "kubernetes_service_account" "default" {
  automount_service_account_token = true

  metadata {
    # NOTE(review): Kubernetes object names must be RFC 1123 subdomains
    # (lowercase alphanumerics, "-" and "."); the underscore in
    # "my_service_account" is rejected by the API server. Rename consistently
    # here, in the Pod's serviceAccountName and in the IAM trust policy's
    # :sub value.
    name      = "my_service_account"
    namespace = "default"

    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.this.arn
    }
  }
}
podからservice accountを指定
# Pod running under the IRSA-enabled service account.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  # Must equal the kubernetes_service_account name in the same namespace
  # ("default" here, implied). NOTE(review): "my_service_account" is not a
  # valid RFC 1123 subdomain name because of the underscore; rename it
  # consistently in the Pod, the Terraform service account and the IAM :sub
  # condition.
  serviceAccountName: my_service_account
  # The pod-level flag takes precedence over the service account's automount
  # setting, so the legacy service account token is not mounted into this pod.
  automountServiceAccountToken: false
...