Introduction
You are running Terraform Enterprise FDO (Flexible Deployment Options) on Amazon EKS and want to make sure that a workspace's runs execute in an agent pod that uses a specific IAM role.
Solutions
Option 1:
Use the assume_role option of the AWS provider. The agent pod authenticates with the credentials of the IAM role attached to its service account, and the provider then switches into the target role. For this to work, the agent's role must be allowed to call sts:AssumeRole on the target role, and the target role's trust policy must trust the agent's role. Configure your AWS provider to assume the role:
  provider "aws" {
    region = "us-east-1"
    assume_role {
      role_arn     = "arn:aws:iam::xxxx:role/test-run"
      session_name = "TFE-Deployment"
    }
  }
Option 2:
Run the code directly as the role attached to the agent's service account. In this case the role named in the service account annotation must itself carry the permissions the workspace needs, and you do not use assume_role at all:
  provider "aws" {
    region = "us-east-1"
  }
Prerequisites
- Most importantly, make sure you follow the prerequisites from AWS for the role and permissions (IAM roles for service accounts, IRSA) as outlined in the AWS document linked under Additional Information.
Use Case
If the prerequisites have been followed, you should have the following:
- The EKS cluster's OIDC issuer is registered in IAM as an OpenID Connect (OIDC) identity provider
- An IAM role has been created whose trust policy allows sts:AssumeRoleWithWebIdentity from that provider, scoped to the agent's service account
- The role has the correct policies to create the resources within AWS
Example steps on Kubernetes
- Have a service account created under the namespace terraform-enterprise-agents. The namespace could be different in your own environment. The annotation is what ties the service account to the IAM role:
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxx:role/test-run2
    name: tfe-run
    namespace: terraform-enterprise-agents
- Alter your Helm values so that the agent worker pods start with the service account above:
  agentWorkerPodTemplate:
    metadata:
      labels:
        app: pod-template-app-patrick
    spec:
      serviceAccountName: tfe-run
- When you start a run, the agent pod runs under this service account. The EKS pod identity webhook injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables and mounts the projected service account token, so the AWS provider picks up the role named in the annotation without any static credentials in the workspace.
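The IAM side of the setup, as an added example that is not part of the original article: it registers the cluster's OIDC issuer, creates the role referenced by the service account annotation (Option 2, named test-run2 to match the annotation above), and creates a second role that the provider's assume_role block can switch into (Option 1, named test-run to match the provider block above), including the trust relationship and sts:AssumeRole permission that Option 1 depends on. The cluster name tfe-eks is a hypothetical assumption, and the permission policies granting the actual resource-creation rights are not shown; attach them to whichever role the provider ends up using.

```hcl
# Added example, not from the original article. Assumes the aws and tls
# providers, an existing EKS cluster named "tfe-eks" (hypothetical name), the
# namespace "terraform-enterprise-agents" and the service account "tfe-run".

variable "cluster_name" {
  type    = string
  default = "tfe-eks" # hypothetical cluster name
}

locals {
  namespace       = "terraform-enterprise-agents"
  service_account = "tfe-run"
}

data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# Thumbprint of the cluster's OIDC issuer, required to register it in IAM.
data "tls_certificate" "oidc" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Prerequisite: the cluster's OIDC issuer registered as an IAM identity provider.
resource "aws_iam_openid_connect_provider" "eks" {
  url             = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}

locals {
  # Condition keys use the issuer host without the scheme.
  oidc_host = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
}

# Trust policy for the IRSA role: only the tfe-run service account in the
# agents namespace may exchange its projected token for this role.
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.service_account}"]
    }
  }
}

# Option 2: the role named in the service account annotation. If the provider
# block has no assume_role, attach the workspace's permissions to this role.
resource "aws_iam_role" "agent" {
  name               = "test-run2"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}

# Option 1: a separate role that the provider's assume_role block switches into.
# It must trust the agent role, and the agent role must be allowed to assume it.
data "aws_iam_policy_document" "run_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.agent.arn]
    }
  }
}

resource "aws_iam_role" "run" {
  name               = "test-run"
  assume_role_policy = data.aws_iam_policy_document.run_trust.json
}

data "aws_iam_policy_document" "allow_assume_run" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.run.arn]
  }
}

resource "aws_iam_role_policy" "agent_can_assume_run" {
  name   = "assume-test-run"
  role   = aws_iam_role.agent.id
  policy = data.aws_iam_policy_document.allow_assume_run.json
}

# Value to put in the eks.amazonaws.com/role-arn annotation of the service account.
output "service_account_annotation" {
  value = { "eks.amazonaws.com/role-arn" = aws_iam_role.agent.arn }
}
```

The sub condition is what keeps the role from being assumable by any other pod in the cluster; a trust policy that only checks the aud claim would let every service account that can obtain a projected token assume it. To confirm the wiring before running a workspace, exec into a running agent pod and call aws sts get-caller-identity: the returned ARN should be an assumed-role session of test-run2, and with Option 1 the provider's session will then show up in CloudTrail as test-run with the session name TFE-Deployment.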
Additional Information
- AWS Provider - Assuming an IAM Role
- AWS documentation concerning the Kubernetes configuration (IAM roles for service accounts) can be found here.