diff --git a/README.md b/README.md
index 75bd8f3..9457326 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,12 @@ kubectl apply -f examples/install.yaml
 Notice that in this example Provider resource is referencing ControllerConfig with debug enabled.
+You can also setup the Terraform Provider using AWS
+[IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+For more information, check out the example [setup](./examples/aws-eks-irsa-seup.yaml), the process is
+similar to what you would use for the
+[provider-aws](https://github.com/crossplane-contrib/provider-aws/blob/master/AUTHENTICATION.md#using-iam-roles-for-serviceaccounts).
+
 ## Private Git repository support
 To securely propagate git credentials create a `git-credentials` secret in [git credentials store] format.
diff --git a/apis/v1alpha1/types.go b/apis/v1alpha1/types.go
index ac01d77..b705167 100644
--- a/apis/v1alpha1/types.go
+++ b/apis/v1alpha1/types.go
@@ -41,7 +41,7 @@ type ProviderCredentials struct {
 Filename string `json:"filename"`
 // Source of the provider credentials.
- // +kubebuilder:validation:Enum=None;Secret;InjectedIdentity;Environment;Filesystem
+ // +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
 Source xpv1.CredentialsSource `json:"source"`
 xpv1.CommonCredentialSelectors `json:",inline"`
diff --git a/examples/aws-eks-irsa-seup.yaml b/examples/aws-eks-irsa-seup.yaml
new file mode 100644
index 0000000..ee18f5c
--- /dev/null
+++ b/examples/aws-eks-irsa-seup.yaml
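Review bot: Dropping `InjectedIdentity` from the `+kubebuilder:validation:Enum` marker on `Source` is a breaking change for any existing `ProviderConfig` objects that already carry that value: once the regenerated CRD is applied they fail validation on their next update, and nothing in the hunk records the removal or what replaces it. A line above the marker such as `// InjectedIdentity is no longer accepted; use None when the runtime environment supplies credentials (e.g. IRSA).` would give maintainers and users the migration path, and the same belongs in a changelog or release note. Whether the controller still switches on that value elsewhere cannot be seen from this hunk. The `ProviderCredentials` struct continues outside the hunk.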
@@ -0,0 +1,66 @@
+# NOTE: You need a trust policy associated with the role matching the Service Account and OIDC provider
+# Something like the following:
+# {
+# "Version": "2012-10-17",
+# "Statement": [
+# {
+# "Effect": "Allow",
+# "Principal": {
+# "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
+# },
+# "Action": "sts:AssumeRoleWithWebIdentity",
+# "Condition": {
+# "StringLike": {
+# "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:provider-terraform-*"
+# }
+# }
+# }
+# ]
+# }
+#
+# Where:
+# OIDC_PROVIDER=$(aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
+---
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: terraform-config
+ labels:
+ app: crossplane-provider-terraform
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNTID:role/provider-terraform
+spec:
+ image: crossplane/provider-terraform-controller:v0.2.0
+ args:
+ - "--debug"
+ podSecurityContext:
+ fsGroup: 2000
+---
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: crossplane-provider-terraform
+spec:
+ package: crossplane/provider-terraform:v0.2.0
+ controllerConfigRef:
+ name: terraform-config
+---
+apiVersion: tf.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+ annotations: {}
+ name: aws-irsa
+spec:
+ configuration: |
+ terraform {
+ backend "kubernetes" {
+ secret_suffix = "providerconfig-tf-aws"
+ namespace = "crossplane-system"
+ in_cluster_config = true
+ }
+ }
+ provider "aws" {}
+ credentials:
+ # Terraform natively supports IRSA auth so we can use None here
+ - filename: aws.json
+ source: None
diff --git a/package/crds/tf.crossplane.io_providerconfigs.yaml b/package/crds/tf.crossplane.io_providerconfigs.yaml
index 4bdfcfb..adb9512 100644
--- a/package/crds/tf.crossplane.io_providerconfigs.yaml
+++ b/package/crds/tf.crossplane.io_providerconfigs.yaml
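Review bot: The sample trust policy in the header comment conditions only on the `sub` claim; AWS's IRSA guidance also pins the token audience, so the `Condition` block should carry `"StringEquals": { "${OIDC_PROVIDER}:aud": "sts.amazonaws.com" }` next to the `StringLike` on `sub`, so that a web-identity token issued for another audience cannot assume this role. The `provider-terraform-*` wildcard on `sub` is presumably there because the service-account name is generated by the package manager; a comment saying so would tell readers why an exact match is not used. The `ACCOUNTID` placeholder in the `eks.amazonaws.com/role-arn` annotation differs from the `${AWS_ACCOUNT_ID}` form used in the comment above it; using one convention makes substitution easier. The file name `aws-eks-irsa-seup.yaml` looks like a typo for `setup`, and the README link in this commit uses the same spelling, so both would have to change together.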
@@ -89,7 +89,6 @@ spec:
 enum:
 - None
 - Secret
- - InjectedIdentity
 - Environment
 - Filesystem
 type: string