From 9d05ff53ed0f62a35466b401c89697e82ac05cbb Mon Sep 17 00:00:00 2001 From: Joaquin Lopez Date: Tue, 3 Dec 2024 12:36:38 -0800 Subject: [PATCH 1/4] Just testing an irsa thing --- modules/irsa/nucleus.tf | 78 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 modules/irsa/nucleus.tf diff --git a/modules/irsa/nucleus.tf b/modules/irsa/nucleus.tf new file mode 100644 index 00000000..cab048a5 --- /dev/null +++ b/modules/irsa/nucleus.tf 
@@ -0,0 +1,78 @@
+variable "node_iam_policies" {
+ description = "Additional IAM Policy Arns for Nodes"
+ type = list(string)
+}
+
+variable "nucleus" {
+ description = "Config to enable irsa for external-dns"
+
+ type = object({
+ namespace = optional(string, "domino-platform")
+ serviceaccount_name = optional(string, "nucleus")
+ })
+
+ default = {}
+}
+
+resource "aws_iam_policy" "custom_eks_node_policy" {
+ name = "${var.deploy_id}-nodes-custom"
+ path = "/"
+ policy = data.aws_iam_policy_document.custom_eks_node_policy.json
+}
+
+locals {
+ eks_aws_node_iam_policies = [
+ "AmazonEKSWorkerNodePolicy",
+ "AmazonEKS_CNI_Policy",
+ "AmazonEC2ContainerRegistryReadOnly",
+ "AmazonSSMManagedInstanceCore",
+ "AmazonElasticFileSystemReadOnlyAccess",
+ ]
+
+ custom_node_policies = concat([aws_iam_policy.custom_eks_node_policy.arn], var.node_iam_policies)
+}
+
+data "aws_iam_policy_document" "eks_nodes" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.${local.dns_suffix}"]
+ }
+ }
+}
+
+resource "aws_iam_role" "eks_nodes" {
+ name = "${local.eks_cluster_name}-node-role-but-not"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Federated = local.oidc_provider_arn
+ }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition : {
+ StringEquals : {
+ "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com"
+ "${trimprefix(local.oidc_provider_url, "https://")}:sub" : "system:serviceaccount:${var.nucleus.namespace}:${var.nucleus.serviceaccount_name}"
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "aws_eks_nodes" {
+ for_each = toset(local.eks_aws_node_iam_policies)
+ policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}"
+ role = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "custom_eks_nodes" {
+ count = length(local.custom_node_policies)
+ policy_arn 
= element(local.custom_node_policies, count.index) + role = aws_iam_role.eks_nodes.name +} From 3415c9b621120514cc58a0015ccfba18a010a5c5 Mon Sep 17 00:00:00 2001 From: Joaquin Lopez Date: Tue, 3 Dec 2024 12:49:19 -0800 Subject: [PATCH 2/4] Universal defaults for every deployment! --- modules/irsa/nucleus.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/irsa/nucleus.tf b/modules/irsa/nucleus.tf index cab048a5..20b710f1 100644 --- a/modules/irsa/nucleus.tf +++ b/modules/irsa/nucleus.tf @@ -1,6 +1,10 @@ variable "node_iam_policies" { description = "Additional IAM Policy Arns for Nodes" type = list(string) + default = [ + "arn:aws:iam::890728157128:policy/ashtesteks628-S3", + "arn:aws:iam::890728157128:policy/ashtesteks628-ECR" + ] } variable "nucleus" { From 99f9a3cf2bd39d3d836c833111414b2474957cfc Mon Sep 17 00:00:00 2001 From: Joaquin Lopez Date: Tue, 3 Dec 2024 13:10:54 -0800 Subject: [PATCH 3/4] Make the nucleus role in the eks module --- modules/eks/node-group.tf | 50 ++++++++++++++++++++++++ modules/irsa/nucleus.tf | 82 --------------------------------------- 2 files changed, 50 insertions(+), 82 deletions(-) delete mode 100644 modules/irsa/nucleus.tf diff --git a/modules/eks/node-group.tf b/modules/eks/node-group.tf index 15e2083e..f8f1d30d 100644 --- a/modules/eks/node-group.tf +++ b/modules/eks/node-group.tf 
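Review bot: `aws_iam_role.eks_nodes` in this hunk is trusted only by the cluster OIDC provider for the `nucleus` service account, yet `aws_iam_role_policy_attachment.aws_eks_nodes` and `custom_eks_nodes` attach the whole node policy set to it (`AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, SSM, ECR and EFS read plus every ARN in `node_iam_policies`), so one pod identity receives node-level permissions the variable description gives no reason for. Give the IRSA role a policy written for that workload and keep the node policies on the node role; the same attachments reappear on `aws_iam_role.nucleus` in the `modules/eks/node-group.tf` hunk of patch 3 and survive the renames in patch 4. `data.aws_iam_policy_document.eks_nodes` (the `ec2` service trust) is not referenced anywhere in this file, and the `nucleus` variable still describes itself as `Config to enable irsa for external-dns`; presumably both are paste leftovers, so drop the unused document and use `description = "Namespace and service account allowed to assume the nucleus IRSA role"`.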
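Review bot: The `default` added to `node_iam_policies` bakes a specific account ID and test-environment policy names (`ashtesteks628-S3`, `ashtesteks628-ECR`) into a module variable that every deployment inherits unless it overrides it, and hard-codes the `aws` partition where the rest of the file derives it from `data.aws_partition.current`. Customer-managed policies can only be attached within their own account, so a deployment elsewhere presumably fails at apply, while one in that account silently picks up whatever those test policies grant. Leave the default empty, `default = []`, and pass environment-specific ARNs from the caller; if an example is wanted, put it in the `description` rather than the value.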
@@ -15,6 +15,56 @@ resource "aws_iam_role" "eks_nodes" { assume_role_policy = data.aws_iam_policy_document.eks_nodes.json } +variable "nucleus" { + description = "Config to enable irsa for external-dns" + + type = object({ + namespace = optional(string, "domino-platform") + serviceaccount_name = optional(string, "nucleus") + }) + + default = {} +} + +locals { + oidc_provider_url = local.eks_info.cluster.oidc.cert.url + oidc_provider_arn = local.eks_info.cluster.oidc.arn +} + +resource "aws_iam_role" "nucleus" { + name = "${local.eks_cluster_name}-nucleus" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + Federated = local.oidc_provider_arn + } + Action = "sts:AssumeRoleWithWebIdentity" + Condition : { + StringEquals : { + "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com" + "${trimprefix(local.oidc_provider_url, "https://")}:sub" : "system:serviceaccount:${var.nucleus.namespace}:${var.nucleus.serviceaccount_name}" + } + } + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "aws_eks_nodes" { + for_each = toset(local.eks_aws_node_iam_policies) + policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}" + role = aws_iam_role.nucleus.name +} + +resource "aws_iam_role_policy_attachment" "custom_eks_nodes" { + count = length(local.custom_node_policies) + policy_arn = element(local.custom_node_policies, count.index) + role = aws_iam_role.nucleus.name +} + resource "aws_security_group" "eks_nodes" { name = "${local.eks_cluster_name}-nodes" description = "EKS cluster Nodes security group" diff --git a/modules/irsa/nucleus.tf b/modules/irsa/nucleus.tf deleted file mode 100644 index 20b710f1..00000000 --- a/modules/irsa/nucleus.tf +++ /dev/null 
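Review bot: The trust-policy object under `assume_role_policy` of `aws_iam_role.nucleus` mixes HCL's `=` and `:` attribute syntaxes (`Effect = "Allow"` next to `Condition : {` and `StringEquals : {`), and the two attachment resources iterate the same kind of list with `for_each` on one and `count` on the other; settle on one form for each, e.g. `Condition = {` and `StringEquals = {`, so formatting and later diffs stay readable. The exact `StringEquals` on `:sub` against `system:serviceaccount:${var.nucleus.namespace}:${var.nucleus.serviceaccount_name}` is the only thing keeping other service accounts in the cluster from assuming this role, which is worth a one-line comment above the condition, `# exact sub match: do not loosen to StringLike/wildcards`. `variable "nucleus"` is declared between resources in `node-group.tf` and still carries `Config to enable irsa for external-dns`; presumably it belongs with the module's other variable declarations with a description naming nucleus.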
@@ -1,82 +0,0 @@
-variable "node_iam_policies" {
- description = "Additional IAM Policy Arns for Nodes"
- type = list(string)
- default = [
- "arn:aws:iam::890728157128:policy/ashtesteks628-S3",
- "arn:aws:iam::890728157128:policy/ashtesteks628-ECR"
- ]
-}
-
-variable "nucleus" {
- description = "Config to enable irsa for external-dns"
-
- type = object({
- namespace = optional(string, "domino-platform")
- serviceaccount_name = optional(string, "nucleus")
- })
-
- default = {}
-}
-
-resource "aws_iam_policy" "custom_eks_node_policy" {
- name = "${var.deploy_id}-nodes-custom"
- path = "/"
- policy = data.aws_iam_policy_document.custom_eks_node_policy.json
-}
-
-locals {
- eks_aws_node_iam_policies = [
- "AmazonEKSWorkerNodePolicy",
- "AmazonEKS_CNI_Policy",
- "AmazonEC2ContainerRegistryReadOnly",
- "AmazonSSMManagedInstanceCore",
- "AmazonElasticFileSystemReadOnlyAccess",
- ]
-
- custom_node_policies = concat([aws_iam_policy.custom_eks_node_policy.arn], var.node_iam_policies)
-}
-
-data "aws_iam_policy_document" "eks_nodes" {
- statement {
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["ec2.${local.dns_suffix}"]
- }
- }
-}
-
-resource "aws_iam_role" "eks_nodes" {
- name = "${local.eks_cluster_name}-node-role-but-not"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = local.oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com"
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : "system:serviceaccount:${var.nucleus.namespace}:${var.nucleus.serviceaccount_name}"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "aws_eks_nodes" {
- for_each = toset(local.eks_aws_node_iam_policies)
- policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}"
- role = aws_iam_role.eks_nodes.name 
-} - -resource "aws_iam_role_policy_attachment" "custom_eks_nodes" { - count = length(local.custom_node_policies) - policy_arn = element(local.custom_node_policies, count.index) - role = aws_iam_role.eks_nodes.name -} From 6b45f267ea23671be9c6fc42fb8e91f797ee1264 Mon Sep 17 00:00:00 2001 From: Joaquin Lopez Date: Tue, 3 Dec 2024 13:13:23 -0800 Subject: [PATCH 4/4] Rename some stuff --- modules/eks/node-group.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/eks/node-group.tf b/modules/eks/node-group.tf index f8f1d30d..c410e0d5 100644 --- a/modules/eks/node-group.tf +++ b/modules/eks/node-group.tf @@ -53,13 +53,13 @@ resource "aws_iam_role" "nucleus" { }) } -resource "aws_iam_role_policy_attachment" "aws_eks_nodes" { +resource "aws_iam_role_policy_attachment" "nucleus_eks_attach" { for_each = toset(local.eks_aws_node_iam_policies) policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}" role = aws_iam_role.nucleus.name } -resource "aws_iam_role_policy_attachment" "custom_eks_nodes" { +resource "aws_iam_role_policy_attachment" "nucleus_custom_attach" { count = length(local.custom_node_policies) policy_arn = element(local.custom_node_policies, count.index) role = aws_iam_role.nucleus.name