dominodatalab · gusmann · Jan 15, 2025
@@ -23,20 +23,25 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.flyte_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.flyte_node_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_cors_configuration.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
 | [aws_s3_bucket_policy.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.flyte_data_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.flyte_metadata_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.domino_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_openid_connect_provider.domino_cluster_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.flyte_combined_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flyte_dataplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -48,12 +53,14 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_compute_namespace"></a> [compute\_namespace](#input\_compute\_namespace) | Name of Domino compute namespace for this deploy | `string` | n/a | yes |
-| <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>        account\_id      = AWS account id where the cluster resides.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    cluster = object({<br>      specs = object({<br>        name       = string<br>        account_id = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | Name of the EKS cluster running Domino workloads | `string` | n/a | yes |
+| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Whether to assume AWS EKS IRSA is configured; if not, attach permissions to target\_iam\_role\_name. | `bool` | `false` | no |
 | <a name="input_force_destroy_on_deletion"></a> [force\_destroy\_on\_deletion](#input\_force\_destroy\_on\_deletion) | Whether to force destroy flyte s3 buckets on deletion | `bool` | `true` | no |
-| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id  = KMS key id.<br>    key\_arn = KMS key arn.<br>    enabled = KMS key is enabled | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | n/a | yes |
+| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id  = KMS key id.<br/>    key\_arn = KMS key arn.<br/>    enabled = KMS key is enabled | <pre>object({<br/>    key_id  = string<br/>    key_arn = string<br/>    enabled = bool<br/>  })</pre> | n/a | yes |
 | <a name="input_platform_namespace"></a> [platform\_namespace](#input\_platform\_namespace) | Name of Domino platform namespace for this deploy | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
-| <a name="input_serviceaccount_names"></a> [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | <pre>object({<br>    datacatalog    = optional(string, "datacatalog")<br>    flyteadmin     = optional(string, "flyteadmin")<br>    flytepropeller = optional(string, "flytepropeller")<br>  })</pre> | `{}` | no |
+| <a name="input_serviceaccount_names"></a> [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte | <pre>object({<br/>    datacatalog    = optional(string, "datacatalog")<br/>    flyteadmin     = optional(string, "flyteadmin")<br/>    flytepropeller = optional(string, "flytepropeller")<br/>  })</pre> | `{}` | no |
+| <a name="input_target_iam_role_name"></a> [target\_iam\_role\_name](#input\_target\_iam\_role\_name) | If not using IRSA, attach new policies to this AWS IAM role | `string` | `null` | no |
 
 ## Outputs
 

@@ -1,5 +1,6 @@
 resource "aws_iam_role" "flyte_controlplane" {
-  name = "${local.deploy_id}-flyte-controlplane"
+  count = var.enable_irsa == true ? 1 : 0
+  name  = "${local.deploy_id}-flyte-controlplane"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -11,8 +12,8 @@ resource "aws_iam_role" "flyte_controlplane" {
         }
         Condition : {
           StringEquals : {
-            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
-            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+            "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+            "${local.oidc_provider_url}:sub" : [
               "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.datacatalog}",
               "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flytepropeller}",
             ]
@@ -51,13 +52,16 @@ resource "aws_iam_policy" "flyte_controlplane" {
   policy = data.aws_iam_policy_document.flyte_controlplane.json
 }
 
+
 resource "aws_iam_role_policy_attachment" "flyte_controlplane" {
-  role       = aws_iam_role.flyte_controlplane.name
+  count      = var.enable_irsa == true ? 1 : 0
+  role       = aws_iam_role.flyte_controlplane.0.name
   policy_arn = aws_iam_policy.flyte_controlplane.arn
 }
 
 resource "aws_iam_role" "flyte_dataplane" {
-  name = "${local.deploy_id}-flyte-dataplane"
+  count = var.enable_irsa == true ? 1 : 0
+  name  = "${local.deploy_id}-flyte-dataplane"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -69,8 +73,8 @@ resource "aws_iam_role" "flyte_dataplane" {
         }
         Condition : {
           StringLike : {
-            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
-            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+            "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+            "${local.oidc_provider_url}:sub" : [
               "system:serviceaccount:${var.compute_namespace}:run-*"
             ]
           }
@@ -84,8 +88,8 @@ resource "aws_iam_role" "flyte_dataplane" {
         }
         Condition : {
           StringEquals : {
-            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
-            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+            "${local.oidc_provider_url}:aud" : "sts.amazonaws.com",
+            "${local.oidc_provider_url}:sub" : [
               "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flyteadmin}",
             ]
           }
@@ -127,6 +131,26 @@ resource "aws_iam_policy" "flyte_dataplane" {
 }
 
 resource "aws_iam_role_policy_attachment" "flyte_dataplane" {
-  role       = aws_iam_role.flyte_dataplane.name
+  count      = var.enable_irsa == true ? 1 : 0
+  role       = aws_iam_role.flyte_dataplane.0.name
   policy_arn = aws_iam_policy.flyte_dataplane.arn
 }
+
+
+data "aws_iam_policy_document" "flyte_combined_policy" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.flyte_controlplane.json,
+    data.aws_iam_policy_document.flyte_dataplane.json
+  ]
+}
+
+resource "aws_iam_policy" "flyte_combined" {
+  name   = "${local.deploy_id}-flyte-combined"
+  policy = data.aws_iam_policy_document.flyte_combined_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "flyte_node_role_attachment" {
+  count      = var.enable_irsa == true ? 0 : 1
+  role       = var.target_iam_role_name
+  policy_arn = aws_iam_policy.flyte_combined.arn
+}
@@ -1,8 +1,16 @@
 data "aws_partition" "current" {}
 data "aws_caller_identity" "aws_account" {}
+data "aws_eks_cluster" "domino_cluster" {
+  name = var.eks_cluster_name
+}
+
+data "aws_iam_openid_connect_provider" "domino_cluster_issuer" {
+  count = var.enable_irsa ? 1 : 0
+  url   = local.oidc_provider_url
+}
 
 locals {
-  deploy_id         = var.eks_info.cluster.specs.name
-  oidc_provider_arn = var.eks_info.cluster.oidc.arn
-  oidc_provider_url = var.eks_info.cluster.oidc.cert.url
+  deploy_id         = lower(var.eks_cluster_name)
+  oidc_provider_arn = var.enable_irsa ? data.aws_iam_openid_connect_provider.domino_cluster_issuer.0.arn : ""
+  oidc_provider_url = try(trimprefix(data.aws_eks_cluster.domino_cluster.identity[0].oidc[0].issuer, "https://"), null)
 }
@@ -0,0 +1,4 @@
+moved {
+  from = aws_s3_bucket_server_side_encryption_configuration.flye_metadata_encryption
+  to   = aws_s3_bucket_server_side_encryption_configuration.flyte_metadata_encryption
+}
@@ -3,7 +3,7 @@ output "eks" {
   value = {
     metadata_bucket       = aws_s3_bucket.flyte_metadata.bucket
     data_bucket           = aws_s3_bucket.flyte_data.bucket
-    controlplane_role_arn = aws_iam_role.flyte_controlplane.arn
-    dataplane_role_arn    = aws_iam_role.flyte_dataplane.arn
+    controlplane_role_arn = one(aws_iam_role.flyte_controlplane[*].arn)
+    dataplane_role_arn    = one(aws_iam_role.flyte_dataplane[*].arn)
   }
 }
@@ -38,7 +38,7 @@ resource "aws_s3_bucket_policy" "flyte_metadata" {
   policy = data.aws_iam_policy_document.flyte_metadata.json
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "flye_metadata_encryption" {
+resource "aws_s3_bucket_server_side_encryption_configuration" "flyte_metadata_encryption" {
   bucket = aws_s3_bucket.flyte_metadata.bucket
   rule {
     apply_server_side_encryption_by_default {

@@ -4,38 +4,21 @@ variable "force_destroy_on_deletion" {
   default     = true
 }
 
-variable "eks_info" {
-  description = <<EOF
-    cluster = {
-      specs {
-        name            = Cluster name.
-        account_id      = AWS account id where the cluster resides.
-      }
-      oidc = {
-        arn = OIDC provider ARN.
-        url = OIDC provider url.
-        cert = {
-          thumbprint_list = OIDC cert thumbprints.
-          url             = OIDC cert URL.
-      }
-    }
-  EOF
-  type = object({
-    cluster = object({
-      specs = object({
-        name       = string
-        account_id = string
-      })
-      oidc = object({
-        arn = string
-        url = string
-        cert = object({
-          thumbprint_list = list(string)
-          url             = string
-        })
-      })
-    })
-  })
+variable "enable_irsa" {
+  default     = false
+  description = "Whether to assume AWS EKS IRSA is configured; if not, attach permissions to target_iam_role_name."
+  type        = bool
+}
+
+variable "target_iam_role_name" {
+  default     = null
+  description = "If not using IRSA, attach new policies to this AWS IAM role"
+  type        = string
+}
+
+variable "eks_cluster_name" {
+  type        = string
+  description = "Name of the EKS cluster running Domino workloads"
 }
 
 variable "platform_namespace" {