Merge pull request #5 from MaterializeInc/add-service-account-name-var

Add service account name var
MaterializeInc · Nov 20, 2024 · bf65664 · bf65664
2 parents 4d0bb24 + 232b9c4
commit bf65664
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -69,7 +69,11 @@ The module has been tested with:
 | <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | To add the current caller identity as an administrat | `bool` | `true` | no |
 | <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Enable CloudWatch monitoring | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment name (e.g., prod, staging, dev) | `string` | `"dev"` | no |
+| <a name="input_log_group_name_prefix"></a> [log\_group\_name\_prefix](#input\_log\_group\_name\_prefix) | Prefix for the CloudWatch log group name (will be combined with environment name) | `string` | `"materialize"` | no |
 | <a name="input_metrics_retention_days"></a> [metrics\_retention\_days](#input\_metrics\_retention\_days) | Number of days to retain CloudWatch metrics | `number` | `7` | no |
+| <a name="input_mz_iam_policy_name"></a> [mz\_iam\_policy\_name](#input\_mz\_iam\_policy\_name) | Name of the IAM policy for Materialize S3 access | `string` | `"materialize-s3-access"` | no |
+| <a name="input_mz_iam_role_name"></a> [mz\_iam\_role\_name](#input\_mz\_iam\_role\_name) | Name of the IAM role for Materialize S3 access (will be prefixed with environment name) | `string` | `"materialize-s3-role"` | no |
+| <a name="input_mz_iam_service_account_name"></a> [mz\_iam\_service\_account\_name](#input\_mz\_iam\_service\_account\_name) | Name of the IAM user for Materialize service authentication (will be prefixed with environment name) | `string` | `"materialize-user"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace for Materialize resources | `string` | `"materialize-environment"` | no |
 | <a name="input_node_group_capacity_type"></a> [node\_group\_capacity\_type](#input\_node\_group\_capacity\_type) | Capacity type for worker nodes (ON\_DEMAND or SPOT) | `string` | `"ON_DEMAND"` | no |
 | <a name="input_node_group_desired_size"></a> [node\_group\_desired\_size](#input\_node\_group\_desired\_size) | Desired number of worker nodes | `number` | `2` | no |
@@ -107,4 +111,4 @@ After successfully deploying the infrastructure with this module, you'll need to
 1. Deploy your first Materialize environment
 
 See our [Operator Installation Guide](docs/operator-setup.md) for instructions.
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -8,9 +8,10 @@ module "materialize_infrastructure" {
   source = "../../"
 
   # Basic settings
-  environment  = "dev"
-  vpc_name     = "materialize-simple"
-  cluster_name = "materialize-eks-simple"
+  environment                 = "dev"
+  vpc_name                    = "materialize-simple"
+  cluster_name                = "materialize-eks-simple"
+  mz_iam_service_account_name = "materialize-user"
 
   # VPC Configuration
   vpc_cidr             = "10.0.0.0/16"

diff --git a/main.tf b/main.tf
@@ -62,22 +62,22 @@ module "database" {
 resource "aws_cloudwatch_log_group" "materialize" {
   count = var.enable_monitoring ? 1 : 0
 
-  name              = "/aws/materialize/${var.environment}"
+  name              = "/aws/${var.log_group_name_prefix}/${var.cluster_name}/${var.environment}"
   retention_in_days = var.metrics_retention_days
 
   tags = var.tags
 }
 
 resource "aws_iam_user" "materialize" {
-  name = "${var.environment}-materialize-user"
+  name = "${var.environment}-${var.mz_iam_service_account_name}"
 }
 
 resource "aws_iam_access_key" "materialize_user" {
   user = aws_iam_user.materialize.name
 }
 
 resource "aws_iam_user_policy" "materialize_s3" {
-  name = "materialize-s3-access"
+  name = var.mz_iam_policy_name
   user = aws_iam_user.materialize.name
 
   policy = jsonencode({
@@ -101,7 +101,7 @@ resource "aws_iam_user_policy" "materialize_s3" {
 }
 
 resource "aws_iam_role" "materialize_s3" {
-  name = "${var.environment}-materialize-s3-role"
+  name = "${var.environment}-${var.mz_iam_role_name}"
 
   # Trust policy allowing EKS to assume this role
   assume_role_policy = jsonencode({
@@ -130,9 +130,8 @@ resource "aws_iam_role" "materialize_s3" {
   ]
 }
 
-# Attach S3 bucket policy to the role
 resource "aws_iam_role_policy" "materialize_s3" {
-  name = "materialize-s3-access"
+  name = var.mz_iam_policy_name
   role = aws_iam_role.materialize_s3.id
 
   policy = jsonencode({

diff --git a/variables.tf b/variables.tf
@@ -245,3 +245,27 @@ variable "bucket_prefix" {
   type        = string
   default     = "system"
 }
+
+variable "mz_iam_service_account_name" {
+  description = "Name of the IAM user for Materialize service authentication (will be prefixed with environment name)"
+  type        = string
+  default     = "materialize-user"
+}
+
+variable "mz_iam_role_name" {
+  description = "Name of the IAM role for Materialize S3 access (will be prefixed with environment name)"
+  type        = string
+  default     = "materialize-s3-role"
+}
+
+variable "mz_iam_policy_name" {
+  description = "Name of the IAM policy for Materialize S3 access"
+  type        = string
+  default     = "materialize-s3-access"
+}
+
+variable "log_group_name_prefix" {
+  description = "Prefix for the CloudWatch log group name (will be combined with environment name)"
+  type        = string
+  default     = "materialize"
+}