Closed matandomuertos closed 1 month ago
just because other modules support, that isn't a valid reason to support it here. we have gone a few years without it so I am inclined to keep pushing for not using inline policies
Hey @bryantbiggs, I’m wondering if there are any plans to deprecate inline policies entirely. When using Terragrunt, we often have to rely on workarounds and dependencies to create custom policies for iam-eks-role, and inline policies could simplify this process.
For example, right now, a common workaround is to use iam-assumable-role-with-oidc, but iam-eks-role is more straightforward because it only requires the cluster name rather than the OIDC ARN. Integrating inline policies into iam-eks-role could effectively combine these approaches.
While this might be less of an issue with raw Terraform, it would be quite helpful with third-party tools like Terragrunt. It would also help maintain consistency across modules. Currently, I’ve only added it to one module where it was needed, but it might be worth discussing the possibility of including it in all IAM modules to ensure uniformity.
Looking forward to your thoughts!
inline policies sort of defeat the purpose of this sub-module. I would be interested to learn more about the need for inline policies
Hi, @bryantbiggs, based on my understanding, this sub-module is designed to create IAM roles that can be assumed by service accounts in EKS clusters. It functions similarly to iam-role-for-service-accounts-eks
, but with a key difference: it configures OIDC assumptions without requiring the exact OIDC ARN, using only the cluster name instead. This approach simplifies the setup, reducing the need for extensive configuration and variables.
Currently, the only way to create roles that service accounts can assume without knowing the OIDC ARN is through iam-eks-role
. Attaching policies to these roles necessitates creating an additional resource for policy management, which can add unnecessary lines of code and dependencies. Inline policies could streamline this process.
Here’s a breakdown of how I see the usage of these sub-modules:
iam-role-for-service-accounts-eks
: Best for creating IAM roles for service accounts used by commonly employed controllers or custom resources.iam-eks-role
: Suitable for creating roles that service accounts will assume with custom policies when the OIDC ARN is unknown.iam-assumable-role-with-oidc
: Ideal for fully custom roles with specific OIDC configurations.I hope this clarifies things. Thanks!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
This PR extends the inline policy support to
iam-eks-role
module. Original PR: https://github.com/terraform-aws-modules/terraform-aws-iam/pull/479Motivation and Context
Inline policy is supported only by
iam-assumable-role-with-oidc
andiam-assumable-role
modules, this PR extends the support toiam-eks-roles
.Breaking Changes
None
How Has This Been Tested?
examples/*
to demonstrate and validate my change(s)examples/*
projectspre-commit run -a
on my pull request