awslabs · satishbpatil · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024
@@ -16,3 +16,5 @@ fargateProfiles:
       - namespace: crossplane-system
 iam:
   withOIDC: true
+addons:
+  - name: eks-pod-identity-agent # required for `iam.podIdentityAssociations`
@@ -14,3 +14,5 @@ managedNodeGroups:
     maxSize: 3
 iam:
   withOIDC: true
+addons:
+  - name: eks-pod-identity-agent # required for `iam.podIdentityAssociations`
@@ -152,7 +152,7 @@ echo "$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.
 
 1. Remove crossplane providers by running
 ```bash
-terraform apply --var enable_upbound_aws_provider=false --var enable_aws_provider=false --var enable_kubernetes_provider=false --var enable_helm_provider=false
+terraform apply --var enable_upjet_aws_provider=false --var enable_aws_provider=false --var enable_kubernetes_provider=false --var enable_helm_provider=false
 ```
 
 1. Run `kubectl get providers` to validate all providers were removed. If any left, remove using `kubectl delete providers <provider>`

@@ -6,3 +6,6 @@ data:
   awsAccountID: "${awsAccountID}"
   eksOIDC: ${eksOIDC}
   vpcID: ${vpcID}
+  region: ${region}
+  clusterName: ${clusterName}
+
@@ -0,0 +1,5 @@
+terraform destroy -target="module.crossplane" -auto-approve
+terraform destroy -target="module.gatekeeper" -auto-approve
+terraform destroy -target="module.eks_blueprints_addons" -auto-approve
+terraform destroy -target="module.eks" -auto-approve
+terraform destroy -auto-approve
@@ -115,6 +115,9 @@ module "eks" {
     vpc-cni = {
       most_recent = true
     }
+    eks-pod-identity-agent = {
+      most_recent = true
+    }    
   }
 
   # for production cluster, add a node group for add-ons that should not be inerrupted such as coredns
@@ -220,6 +223,8 @@ resource "kubectl_manifest" "environmentconfig" {
     awsAccountID = data.aws_caller_identity.current.account_id
     eksOIDC      = module.eks.oidc_provider
     vpcID        = module.vpc.vpc_id
+    region       = local.region
+    clusterName  = local.name
   })
 
   depends_on = [module.crossplane]
@@ -250,7 +255,8 @@ locals {
       "vpc",
       "apigateway",
       "cloudwatch",
-      "cloudwatchlogs"
+      "cloudwatchlogs",
+      "eks"
     ]
   }
 

@@ -0,0 +1,58 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: xpodidentityroles.awsblueprints.io
+spec:
+  claimNames:
+    kind: PodIdentityRole
+    plural: podidentityroles
+  group: awsblueprints.io
+  names:
+    kind: xPodIdentityRole
+    plural: xpodidentityroles
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          description: Schema for the podidentity role API
+          properties:
+            spec:
+              description: defines the desired state of PodIdentityRole
+              properties:
+                managedPolicyArns:
+                  items:
+                    type: string
+                  type: array
+                inlinePolicy:
+                  type: string
+                inlinePolicyName:
+                  type: string
+                  default: default
+                permissionsBoundaryArn:
+                  type: string
+                resourceConfig:
+                  description: ResourceConfig defines general properties of this AWS
+                    resource.
+                  properties:
+                    providerConfigName:
+                      type: string
+                    region:
+                      type: string
+                  required:
+                  - providerConfigName
+                  type: object
+              required:
+              - resourceConfig
+              type: object
+            status:
+              description:  Status defines the observed state of PodIdentityRole
+              properties:
+                roleArn:
+                  type: string
+              type: object
+          type: object
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- definition.yaml
+- podidentity-role.yaml
+
@@ -0,0 +1,60 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: xpodidentityrole-composition
+spec:
+  compositeTypeRef:
+    apiVersion: awsblueprints.io/v1alpha1
+    kind: xPodIdentityRole
+  patchSets:
+    - name: common-fields-composition
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.providerConfigName
+          toFieldPath: spec.providerConfigRef.name
+  resources:
+    - name: iam-role
+      base:
+        apiVersion: iam.aws.upbound.io/v1beta1
+        kind: Role
+        spec:
+          forProvider: 
+            assumeRolePolicy: |
+              {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                      {
+                          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
+                          "Effect": "Allow",
+                          "Principal": {
+                              "Service": "pods.eks.amazonaws.com"
+                          },
+                          "Action": [
+                              "sts:AssumeRole",
+                              "sts:TagSession"
+                          ]
+                      }
+                  ]
+              }
+      patches:
+        - type: PatchSet
+          patchSetName: common-fields-composition
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.inlinePolicy
+          toFieldPath: spec.forProvider.inlinePolicy[0].policy
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.inlinePolicyName
+          toFieldPath: spec.forProvider.inlinePolicy[0].name
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.managedPolicyArns
+          toFieldPath: spec.forProvider.managedPolicyArns          
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.permissionsBoundaryArn
+          toFieldPath: spec.forProvider.permissionsBoundary
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.arn
+          toFieldPath: status.roleArn      
+
@@ -52,7 +52,7 @@ spec:
                       type: object
                   required:
                   - providerConfigName
-                  - region
+                  # - region
                   type: object
                 serviceAccountName:
                   type: string

@@ -12,6 +12,16 @@ metadata:
     awsblueprints.io/provider: aws
     awsblueprints.io/environment: dev
 spec:
+  environment:
+    environmentConfigs:
+      - type: Reference
+        ref:
+          name: cluster
+    patches:
+      - type: ToCompositeFieldPath
+        fromFieldPath: region
+        toFieldPath: spec.resourceConfig.region   
+
   writeConnectionSecretsToNamespace: crossplane-system
   compositeTypeRef:
     apiVersion: awsblueprints.io/v1alpha1

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./podidentity/definition.yaml
+- ./podidentity/s3-podidentity.yaml
+- ./irsa/definition.yaml
+- ./irsa/s3-irsa.yaml
+
+
@@ -0,0 +1,71 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: xs3podidentities.awsblueprints.io
+spec:
+  claimNames:
+    kind: S3PodIdentityclaim
+    plural: s3prodidentityclaims
+  group: awsblueprints.io
+  names:
+    kind: xS3PodIdentity
+    plural: xs3podidentities
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          description: S3PODIDENTITY is the Schema for the s3podidentity API
+          properties:
+            spec:
+              description: S3PODIDENTITYSpec defines the desired state of S3PODIDENTITY
+              properties:
+                policyArns:
+                  items:
+                    type: string
+                  type: array
+                resourceConfig:
+                  description: ResourceConfig defines general properties of this AWS
+                    resource.
+                  properties:
+                    region:
+                      type: string                  
+                    deletionPolicy:
+                      description: Defaults to Delete
+                      enum:
+                      - Delete
+                      - Orphan
+                      type: string
+                    name:
+                      description: Set the name of this resource in AWS to the value
+                        provided by this field.
+                      type: string
+                    providerConfigName:
+                      type: string
+                    tags:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  required:
+                  - providerConfigName
+                  type: object
+              required:
+              - resourceConfig
+              type: object
+            status:
+              description:  defines the observed state of S3 PodIdentity
+              properties:
+                serviceAccountName:
+                  type: string
+                bucketArn:
+                  type: string
+                roleName:
+                  type: string
+                roleArn:
+                  type: string
+              type: object
+          type: object
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - definition.yaml
-- s3-irsa.yaml
+- s3-podidentity.yaml
+
+