search

terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
779 stars 985 forks source link

IAM roles supporting both SPIFFE (AWS Roles Anywhere) and OIDC #487

Closed kemv closed 2 months ago

kemv commented 3 months ago

Is your request related to a new offering from AWS?

N/A

Is your request related to a problem? Please describe.

I want to migrate my devs away from using OIDC clusters and over to using SPIFFE with AWS Roles Anywhere. I want to accomplish that in small steps, by offering them a solution which supports both methods, so their migration can be performed completely safely.

Describe the solution you'd like.

To help this migrating process i'd like a submodule which supports trusting a Roles Anywhere trust anchor. I also think it valuable if the submodule still supports OIDC to help migration, and i think the submodule should be opinionated towards SPIFFE to make life easier for the devs that have to use it.

Additional context

I've already written the code which implements this: https://github.com/kemv/terraform-aws-iam/tree/feature/spiffe-iam-role.

I am however opening an issue before creating a PR because the contributors guide seemed to prefer that.

About my implementation

The new submodule which i've created (iam-role-for-service-accounts-eks-with-spiffe) is a copy of the already existing iam-role-for-service-accounts-eks. The functionality i've implemented is purely new additions, and they could've been added to the original submodule. The reason i haven't done this is because:

  1. I'm assuming you don't want the module to be overloaded with lots of features.
  2. The solution is opinionated to use SPIFFE. I don't want a user to see the "Trust Anchor" feature, only to be disappointed when it can only be used towards the SPIFFE use case. By creating a new submodule, it's clearly stated in the submodule name what it can be used for.

As already mentioned, this submodule should be usable to help user migrate away from OIDC using iam-role-for-service-accounts-eks. It is for this reason that i've made sure that this new submodule is completely backwards compatible. Users can change the module and run terraform plan without nasty surprises.

Despite all this, i'd still be open to implement the feature in a different way depending on the discussion :)

Describe alternatives you've considered.

Hosting the forked module internally. Our devs would have to migrate not only submodule, but the entire repository. This is possible, but once again, i'd really like to make their migration as simple as possible.

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 2 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.