The "terraform-aws-bucket" Terraform Module provisions and manages an S3 Bucket with IRSA (IAM Roles for Service Accounts). IRSA can be used to grant access to the S3 Bucket from within a Kubernetes cluster, without the need for long-lived IAM user credentials.
This module was designed to be used in conjunction with the Appvia Terranetes Controller.
Provision this Terraform Module by creating a Configuration resource in your Kubernetes cluster, as follows:

```yaml
---
apiVersion: terraform.appvia.io/v1alpha1
kind: Configuration
metadata:
  name: s3-bucket
  namespace: apps
spec:
  module: https://github.com/appvia/terraform-aws-bucket?ref=master
  providerRef:
    name: aws
  valueFrom:
    - context: default
      key: eks_oidc_issuer_arn
      name: eks_issuer_arn
    - context: default
      key: eks_name
      name: cluster_name
  variables:
    bucket_name: my-test-s3-bucket
    configuration: s3-bucket
    namespace: apps
    service_account_name: default
```
This has a dependency on a `default` Terranetes Context being available within the Cluster, which contains an `eks_oidc_issuer` and `eks_name`. You can auto-generate the `default` context by updating the `aws` Provider resource in your Kubernetes cluster, as follows (set your AWS EKS cluster name as appropriate):

```yaml
apiVersion: terraform.appvia.io/v1alpha1
kind: Provider
metadata:
  name: aws
spec:
  source: secret
  provider: aws
  preload:
    enabled: true
    cluster: aws-eks-cluster-name
    region: eu-west-2
    context: default
  secretRef:
    namespace: terraform-system
    name: aws
```
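The security property IRSA rests on is the IAM role's trust policy: the role may be assumed only by tokens from the cluster's OIDC issuer whose `sub` claim names one service account. As an added example (not the module's own code), this builds that trust policy from the module's `eks_issuer_arn`, `namespace` and `service_account_name` inputs and audits an existing policy for the usual ways it ends up too broad (no `sub` pin, a wildcard `StringLike` on `sub`, no `aud` pin). It assumes the provider ARN has the standard `arn:aws:iam::<account>:oidc-provider/<issuer-path>` form; `issuer_from_arn`, `irsa_trust_policy` and `audit_trust_policy` are names chosen here.

```python
def issuer_from_arn(eks_issuer_arn):
    """OIDC issuer path from the provider ARN; it prefixes every IRSA condition key."""
    _, sep, issuer = eks_issuer_arn.partition(":oidc-provider/")
    if not sep or not issuer:
        raise ValueError(f"not an OIDC provider ARN: {eks_issuer_arn}")
    return issuer


def irsa_trust_policy(eks_issuer_arn, namespace, service_account_name):
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    issuer = issuer_from_arn(eks_issuer_arn)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": eks_issuer_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account_name}",
            f"{issuer}:aud": "sts.amazonaws.com"}}}]}


def _values(block, suffix):
    """Values of every condition key ending in suffix, flattened to one list."""
    out = []
    for key, val in block.items():
        if key.endswith(suffix):
            out.extend(val if isinstance(val, list) else [val])
    return out


def audit_trust_policy(policy, namespace, service_account_name):
    """Findings for Allow statements that let more than the expected service account assume the role."""
    expected = f"system:serviceaccount:{namespace}:{service_account_name}"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        subs = _values(cond.get("StringEquals", {}), ":sub")
        if subs != [expected]:
            findings.append(f"statement {i}: sub condition {subs or 'missing'}, expected [{expected!r}]")
        if any("*" in s for s in _values(cond.get("StringLike", {}), ":sub")):
            findings.append(f"statement {i}: wildcard StringLike on sub")
        if "sts.amazonaws.com" not in _values(cond.get("StringEquals", {}), ":aud"):
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
    return findings
```

`audit_trust_policy(irsa_trust_policy(arn, "apps", "default"), "apps", "default")` returns an empty list for a correctly pinned policy; pass the trust policy fetched from the deployed role (and the `namespace`/`service_account_name` values from the Configuration) to check what was actually provisioned.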
The `terraform-docs` utility is used to generate this README. Follow the below steps to update:

- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
bucket_acl | The canned ACL to apply to the bucket | string | "private" | no |
bucket_control_object_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket | bool | true | no |
bucket_name | The name of the S3 bucket | string | n/a | yes |
bucket_object_ownership | The type of object ownership | string | "ObjectWriter" | no |
cluster_name | The name of the EKS cluster | string | n/a | yes |
configuration | The name of the Terranetes Configuration resource (used in IAM resource names and tags) | string | n/a | yes |
eks_issuer_arn | The ARN of the OIDC issuer for the EKS cluster | string | n/a | yes |
enable_bucket_versioning | Whether to enable versioning for the S3 bucket | bool | true | no |
environment | The environment name | string | "prod" | no |
namespace | The Kubernetes Namespace that the Service Account resides in | string | n/a | yes |
service_account_name | The name of the Kubernetes Service Account to grant permissions to | string | n/a | yes |
Outputs:

Name | Description |
---|---|
bucket | The ARN of the bucket |