feat!: allow specifying multiple OIDC issuer URLs #63
Conversation
|
Sorry, didn't mean to post this quite so soon. Couple more fixes on the way. |
|
Okay, this seems to be working for me. I'm open to any improvements, of course. |
There was a problem hiding this comment.
Instead of just introducing a new variable for backwards compatibility, I'm more of the mind that we create the breaking change and update eks_cluster_oidc_issuer_url to eks_cluster_oidc_issuer_urls and we'll rev the major version. Keeps things simple and this is why we have versioning.
Mind updating?
Gowiem
changed the title
|
/terratest |
There was a problem hiding this comment.
@philchristensen 3 things:
- Please run
terraform formatlocally. - Run
make initandmake readmeand then commit the result. - We need to update tests due to the below issue. Please check that out in
examples/completeand fix the issue there and then re-request review from me.
Thanks!
=== NAME TestExamplesComplete
destroy.go:11:
Error Trace: /go/pkg/mod/github.com/gruntwork-io/terratest@v0.41.16/modules/terraform/destroy.go:11
/__w/terraform-aws-eks-iam-role/terraform-aws-eks-iam-role/test/src/examples_complete_test.go:15
/usr/local/go/src/runtime/panic.go:523
/usr/local/go/src/testing/testing.go:999
/go/pkg/mod/github.com/gruntwork-io/terratest@v0.41.16/modules/terraform/apply.go:15
/__w/terraform-aws-eks-iam-role/terraform-aws-eks-iam-role/test/src/examples_complete_test.go:46
Error: Received unexpected error:
FatalError{Underlying: error while running command: exit status 1; ╷
│ Error: Missing required argument
│
│ on main.tf line 13, in module "autoscaler_role":
│ 13: module "autoscaler_role" {
│
│ The argument "eks_cluster_oidc_issuer_urls" is required, but no definition
│ was found.
╵
╷
│ Error: Unsupported argument
│
│ on main.tf line 23, in module "autoscaler_role":
│ 23: eks_cluster_oidc_issuer_url = "https://oidc.eks.us-west-2.amazonaws.com/id/FEDCBA9876543210FEDCBA9876543210"
│
│ An argument named "eks_cluster_oidc_issuer_url" is not expected here. Did
│ you mean "eks_cluster_oidc_issuer_urls"?
╵}
Test: TestExamplesComplete
|
🤦🏽 whoops. thanks for the review! BTW, is /terratest something I can run locally? |
|
/terratest |
There was a problem hiding this comment.
@philchristensen tests are failing again (format on examples) + bats tests. Check them out + fix + re-request review -- Thanks!
|
I guess I never realized |
|
/terratest |
|
@philchristensen I'm getting a 2nd set of eyes on this before we do the major rev -- we'll hopefully be able to merge soon 👍 |
|
Sorry, @philchristensen, but I completely disagree with @Gowiem. I do not want a breaking change because of the upstream effects. This module is used by other Cloud Posse modules, which would have to be modified, and all for no benefit to them. We do not have this feature already because we create a separate role for each cluster rather than trying to reuse roles across clusters. Have you considered that approach? Because given the limitation on the size of the IAM trust policy, you can add only 4 OIDC providers with the default size limit and 8 with the max size limit. Alternately, you can use Pod Identities (very much supported by AWS, but not currently supported by Cloud Posse) which only need a single trust policy for all clusters. Also |
Nuru
added
do not merge
|
Important Cloud Posse Engineering Team Review RequiredThis pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes. To expedite this process, reach out to us on Slack in the |
There was a problem hiding this comment.
See other comments. I'm generally opposed to adding this feature, and recommend either creating a separate role per cluster or using Pod Identities which do not need separate trust policies per cluster. However, even if we want this feature, I believe this code is wrong.
| dynamic "condition" { | ||
| for_each = local.eks_cluster_oidc_issuers | ||
| content { | ||
| test = "StringLike" | ||
| values = formatlist("system:serviceaccount:%s", local.service_account_namespace_name_list) | ||
| variable = format("%s:sub", condition.value) | ||
| } | ||
| } | ||
| condition { | ||
| test = "StringEquals" | ||
| values = ["sts.amazonaws.com"] | ||
| variable = format("%s:aud", local.eks_cluster_oidc_issuer) | ||
|
|
||
| dynamic "condition" { | ||
| for_each = local.eks_cluster_oidc_issuers | ||
| content { | ||
| test = "StringEquals" | ||
| values = ["sts.amazonaws.com"] | ||
| variable = format("%s:aud", condition.value) | ||
| } | ||
| } |
There was a problem hiding this comment.
I'm leaning against adding this feature altogether, but if we do add it, I'm pretty sure this is wrong. By adding a separate condition for each OIDC issuer, you are requiring all the ODICs to validate the role, when only one will. See Condition Logic for details.
I believe the correct solution is to loop over statement rather than conditions, and have on statement for each OIDC provider.
|
I know the policy limit you're referring to; this is actually a common problem for me. I support large Kubernetes for large organizations and it's common for me to have multiple clusters (say, per team or delivery area) in a single account. To greatly reduce the size of the trust policy, I don't add IAM restrictions to the roles by namespace (only by cluster). Instead I use Kyverno on the cluster to validate whether a provided IAM role is allowed for a given namespace. I need this capability quite substantially, so I'm glad to make the other changes @Nuru mentioned in hopes that we can come to some agreement on this feature. Thanks again for the help on this PR. |
|
I'll also confirm whether I can use Pod Identities for this purpose instead. I thought I had confirmed this already but I really can't remember for sure... |
|
@Nuru thanks for mentioning Pod Identities. It is definitely a better fit for this purpose; I wish I could remember why I didn't use it from the beginning. I'd rather use those for this purpose, so I'm going to close this PR. Thanks again for everyone's help! |
what
Allow specifying multiple OIDC issuer URLs to create a role to be used on two EKS clusters in the same account.
why
I needed this, and I couldn't figure out a way to do it with this module, which I've really liked using.
BREAKING CHANGE
This changes the
eks_cluster_oidc_issuer_urlvariable toeks_cluster_oidc_issuer_urlsenabling module consumers to supply multiple OIDC Issuer URLs. If you are migrating to this version and using the previouseks_cluster_oidc_issuer_urlvariable, please update your usage of this module to pass your single URL like so: