
Releases: cloudposse/terraform-aws-eks-iam-role

v2.2.0

06 Jun 23:30
98d85b0

🚀 Enhancements

add managed_policy_arns to eks iam role @finchr (#58)

what

Add support for adding managed policies to the eks iam role.

why

The module currently only allows a single policy JSON and we have multiple IAM policies that we need to attach to the role.

references

🤖 Automatic Updates

Update release workflow to allow pull-requests: write @osterman (#56)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#54)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#52)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#51)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners
Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/src @dependabot (#49)

Bumps golang.org/x/net from 0.17.0 to 0.23.0.

Commits
  • c48da13 http2: fix TestServerContinuationFlood flakes
  • 762b58d http2: fix tipos in comment
  • ba87210 http2: close connections when receiving too many headers
  • ebc8168 all: fix some typos
  • 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
  • 448c44f http2: remove clientTester
  • c7877ac http2: convert the remaining clientTester tests to testClientConn
  • d8870b0 http2: use synthetic time in TestIdleConnTimeout
  • d73acff http2: only set up deadline when Server.IdleTimeout is positive
  • 89f602b http2: validate client/outgoing trailers
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#48)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration
Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/src @dependabot (#47)

Bumps golang.org/x/net from 0.7.0 to 0.17.0.

Commits
  • b225e7c http2: limit maximum handler goroutines to MaxConcurrentStreams
  • 88194ad go.mod: update golang.org/x dependencies
  • 2b60a61 quic: fix several bugs in flow control accounting
  • 73d82ef quic: handle DATA_BLOCKED frames
  • 5d5a036 quic: handle streams moving from the data queue to the meta queue
  • 350aad2 quic: correctly extend peer's flow control window after MAX_DATA
  • 21814e7 quic: validate connection id transport parameters
  • a600b35 quic: avoid redundant MAX_DATA updates
  • ea63359 http2: check stream body is present on read timeout
  • ddd8598 quic: version negotiation
  • Additional commits viewable in compare view


v2.1.1

08 Aug 23:37
5d8145a

🚀 Enhancements

Do not validate inputs when disabled @Nuru (#37)

what

  • Replace variable validations with precondition

why

  • Variable validation cannot take other variables into account. With precondition, we can allow invalid inputs when the module is disabled.

references

  • Supersedes and closes #35

v2.1.0

20 May 12:29
7011101
  • No changes

v2.0.0 IRSA trust policy now checks OIDC Audience

19 May 18:37
7011101
Require correct OIDC Audience value to assume role @Nuru (#33)

Breaking Changes

  • If namespace and service account are supplied only in service_account_namespace_name_list then the IAM Role name will be derived from the first entry in the list, instead of ending with "all@all"
  • If one of service_account_namespace or service_account_name is supplied and the other is not or is empty (""), the missing element will be replaced with a wildcard (*)
  • Either or both of service_account_namespace or service_account_name can now be explicitly set to "*" or contain wildcards
  • Removed service_account_list_qualifier (invalid/unnecessary)

what

  • Created IAM Role's trust policy now includes a check for OIDC aud
  • If the generated service account IAM Role Name would be too long, it is now truncated by null-label
  • See "Breaking Changes" above
  • Terraform minimum version bumped to 1.0.0
  • AWS Provider minimum version bumped to 3.0

why

  • Extra security, preventing OIDC assertions for one audience being used for another
  • Fix rather than break due to too-long IAM Role names
  • Role names must be unique, and using "all@all" would limit the cluster to a single multi-namespace role
  • "ForAllValues" and "ForAnyValues" are for multi-valued keys. The OIDC keys have single values.

references
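The trust policy described in the v2.0.0 notes above, as an added example written for this page in Python rather than the module's HCL; it is not the module's own code. It builds an IRSA trust policy that pins both the OIDC sub and aud claims, evaluates constructed token claims against it the way IAM evaluates single-valued condition keys, and lints for the points the notes raise: a missing aud check, a wildcard placed under StringEquals (where it is matched literally), and set operators (ForAllValues/ForAnyValue) on keys that carry a single value. The issuer URL, account ID and claims are constructed, and the rule that a wildcard in the subject selects StringLike is this example's assumption, not something the module documents here. The issuer-URL check in oidc_provider_id also rejects an empty or non-https issuer, the failure mode the v0.11.1 validation below guards against.

```python
"""IRSA trust policy: build it with an audience check and evaluate it against token claims.

Added example, not code from terraform-aws-eks-iam-role. Issuer URL, account ID and
claims are constructed; the StringLike-on-wildcard rule is this example's assumption.
"""
import json
import re
from urllib.parse import urlparse

STS_AUDIENCE = "sts.amazonaws.com"              # audience EKS puts in projected SA tokens
SINGLE_VALUED = ("StringEquals", "StringLike")  # set operators are for multi-valued keys


def oidc_provider_id(issuer_url: str) -> str:
    """Condition keys and the provider ARN use the issuer without its https:// scheme."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"invalid OIDC issuer URL: {issuer_url!r}")
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(account_id, issuer_url, namespace, service_account, audience=STS_AUDIENCE):
    """Trust policy for sts:AssumeRoleWithWebIdentity that pins both sub and aud.

    An empty namespace or service account becomes "*". Any wildcard in the resulting
    subject forces StringLike (assumption), because StringEquals treats "*" literally.
    """
    provider = oidc_provider_id(issuer_url)
    sub = f"system:serviceaccount:{namespace or '*'}:{service_account or '*'}"
    sub_operator = "StringLike" if re.search(r"[*?]", sub) else "StringEquals"
    condition = {"StringEquals": {f"{provider}:aud": audience}}
    condition.setdefault(sub_operator, {})[f"{provider}:sub"] = sub
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _iam_like(pattern: str, value: str) -> bool:
    """StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def claims_satisfy(policy: dict, claims: dict) -> bool:
    """Mimic IAM's evaluation for single-valued keys: every condition entry must hold."""
    for operator, entries in policy["Statement"][0]["Condition"].items():
        if operator not in SINGLE_VALUED:
            raise ValueError(f"unsupported operator in this evaluator: {operator}")
        for key, expected in entries.items():
            actual = claims.get(key.rsplit(":", 1)[1])  # "<provider>:sub" -> "sub"
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not _iam_like(expected, actual):
                return False
    return True


def lint_trust_policy(policy: dict) -> list:
    """Flag the mistakes a reviewer looks for in an IRSA trust policy."""
    findings = []
    condition = policy["Statement"][0]["Condition"]
    if not any(k.endswith(":aud") for entries in condition.values() for k in entries):
        findings.append("no aud condition: a token minted for another audience can assume this role")
    for key, expected in condition.get("StringEquals", {}).items():
        if re.search(r"[*?]", expected):
            findings.append(f"StringEquals on {key} contains a wildcard, matched literally; use StringLike")
    for operator in condition:
        if operator.startswith(("ForAllValues:", "ForAnyValue:")):
            findings.append(f"{operator} is for multi-valued keys; sub and aud are single-valued")
    return findings


if __name__ == "__main__":
    issuer = "https://oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed
    policy = build_trust_policy("111122223333", issuer, "kube-system", "cluster-autoscaler")
    print(json.dumps(policy, indent=2))
    token = {"sub": "system:serviceaccount:kube-system:cluster-autoscaler", "aud": STS_AUDIENCE}
    print("same SA, right audience:", claims_satisfy(policy, token))
    print("same SA, wrong audience:", claims_satisfy(policy, dict(token, aud="vault")))
    print("lint:", lint_trust_policy(policy))
```

Running the module prints the generated policy, shows the same service account being refused once its token carries a different audience, and reports no lint findings for the generated policy. Pointing lint_trust_policy at a hand-written policy that puts "system:serviceaccount:kube-system:*" under StringEquals shows why the operator choice matters: claims_satisfy rejects every real service account against it, since the "*" is compared as a literal character.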

Sync github @max-lobur (#32)

Rebuild github dir from the template

v1.3.0

17 May 09:15
981bc51
  • No changes

v1.2.0

27 Dec 22:15
981bc51
Feature: Namespace and Name List @Benbentwo (#31)

what

  • supports a list of any or all value list

why

  • Allows multiple various namespace and name patterns that couldn't be matched except with a singular *:*

v1.1.0

25 Jul 00:12
b873737
feat(aws-eks-iam-role): add permissions_boundary to eks-iam-role @topikachu (#29)

what

  • add permissions_boundary to aws_iam_role

why

  • Our org requires that all IAM roles have a permissions_boundary

references

git.io->cloudposse.tools update @dylanbannon (#28)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

v1.0.0 Disruptive change

22 Apr 19:49
3e16d58

This is the first release with production Semantic Versioning, part of Cloud Posse's general policy to convert to production versioning as we make updates to relatively mature modules.

It contains a disruptive change. See #27 for details, but the short story is that applying this update will likely cause Terraform to delete and re-create the EKS IAM role. This may cause a transient disruption in service, but it should be within the normal tolerance for delays in recovering from an expired session.

More significantly, if you have attached additional policies to the role created by this module, those policies will need to be re-attached to the re-created role. (We expect that very few people are actually doing this.)

Refactor enable logic to use counts instead of `for_each` @elventear (#27)

what

Use count instead of for_each to manage if a resource is enabled or disabled.

why

If any element of the service account name is not known at plan time, for_each would cause the plan to fail.

The main advantage of for_each over count is stability when an item in a list is added or removed or the order of elements in a list changes. With for_each, only the changed item is affected, while with count other items can be affected by being moved to a different position in the list. This advantage is not applicable to this module because there is always only one item.

note

This change will cause the IAM role to be deleted and recreated. If you have attached policies to the role outside of this module, you will need to reattach them.

v0.11.1

22 Jan 20:47
7fbf196

🚀 Enhancements

Add validation to oidc issuer url @nitrocode (#24)

what

  • Add validation to oidc issuer url

why

  • Make sure the value of the EKS OIDC issuer URL is non-null. This prevents creation of an unassumable EKS IAM role.

references

v0.11.0

21 Dec 21:50
ae44d7f
Use `list(string)` for iam policy document @nitrocode (#23)

what

  • Use list(string) for iam policy document

why

This module runs into the dreaded for_each error

│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform
│ cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the for_each depends on.

The way it is triggered is if the var.aws_iam_policy_document supplied contains a JSON document that requires another submodule to be applied.

This was seen in a teleport cluster component which provisioned

  1. teleport-backend submodule which returns DynamoDB and S3 resource arns
  2. Raw policy document json is constructed with the DynamoDB and S3 resource arns
  3. helm-release module takes input of the policy document
    • iam-policy module takes statements from the policy document
    • eks-iam-role module takes input from iam-module and throws an error because (1) isn't applied

This fix was tested locally using a forked module of terraform-aws-helm-release which uses this feature branch

references

commands

# Use current tests where the iam policy doc is a string
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.string.plan 2>&1

# Modify test inputs where the iam policy doc is a list(string)
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.list.plan 2>&1

# no diff between
diff stdout.string.plan stdout.list.plan