fix: Removed inline policies from eks_app (#106)

* wip * wip * wip * chore(dev): Role policies to attachments * removed inline policies --------- Co-authored-by: elaina <ehodgkin9418@gmail.com>
wandb · Jul 13, 2023 · bb34c7b · bb34c7b
1 parent 841044c
commit bb34c7b
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 27 deletions.
diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf
@@ -1,24 +1,43 @@
-resource "aws_iam_policy" "node_cloudwatch_policy" {
+resource "aws_iam_policy" "node_cloudwatch" {
   name   = "${var.namespace}-node-cloudwatch"
-  policy = data.aws_iam_policy_document.node_cloudwatch_policy.json
+  policy = data.aws_iam_policy_document.node_cloudwatch.json
+  lifecycle {
+    create_before_destroy = false
+  }
+
 }
 
-resource "aws_iam_policy" "node_IMDSv2_policy" {
+resource "aws_iam_policy" "node_IMDSv2" {
   name   = "${var.namespace}-node-IMDSv2"
-  policy = data.aws_iam_policy_document.node_IMDSv2_policy.json
+  policy = data.aws_iam_policy_document.node_IMDSv2.json
+  lifecycle {
+    create_before_destroy = false
+  }
+
 }
 
-resource "aws_iam_policy" "node_kms_policy" {
+resource "aws_iam_policy" "node_kms" {
   name   = "${var.namespace}-node-kms"
-  policy = data.aws_iam_policy_document.node_kms_policy.json
+  policy = data.aws_iam_policy_document.node_kms.json
+  lifecycle {
+    create_before_destroy = false
+  }
+
 }
 
-resource "aws_iam_policy" "node_sqs_policy" {
+resource "aws_iam_policy" "node_sqs" {
   name   = "${var.namespace}-node-sqs"
-  policy = data.aws_iam_policy_document.node_sqs_policy.json
+  policy = data.aws_iam_policy_document.node_sqs.json
+  lifecycle {
+    create_before_destroy = false
+  }
+
 }
 
-resource "aws_iam_policy" "node_s3_policy" {
+resource "aws_iam_policy" "node_s3" {
   name   = "${var.namespace}-node-s3"
-  policy = data.aws_iam_policy_document.node_s3_policy.json
+  policy = data.aws_iam_policy_document.node_s3.json
+  lifecycle {
+    create_before_destroy = false
+  }
 }
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
@@ -1,4 +1,4 @@
-data "aws_iam_policy_document" "node_cloudwatch_policy" {
+data "aws_iam_policy_document" "node_cloudwatch" {
   statement {
     sid       = "bb2"
     actions   = ["cloudwatch:PutMetricData"]
@@ -8,7 +8,7 @@ data "aws_iam_policy_document" "node_cloudwatch_policy" {
 }
 
 
-data "aws_iam_policy_document" "node_IMDSv2_policy" {
+data "aws_iam_policy_document" "node_IMDSv2" {
   statement {
     sid       = "cc3"
     actions   = ["ec2:DescribeInstanceAttribute"]
@@ -18,7 +18,7 @@ data "aws_iam_policy_document" "node_IMDSv2_policy" {
 }
 
 
-data "aws_iam_policy_document" "node_kms_policy" {
+data "aws_iam_policy_document" "node_kms" {
   statement {
     sid = "dd4"
     actions = [
@@ -36,11 +36,11 @@ data "aws_iam_policy_document" "node_kms_policy" {
 
 //////////////////////////////////////////////////
 // because terraform vomits when we send a policy
-// doucment with noe resources defined, i'm 
+// doucment with noe resources defined, so 
 // fudging and using the arn of the caller id
 // if var.bucket_sqs_queue_arn is empty
 //////////////////////////////////////////////////
-data "aws_iam_policy_document" "node_sqs_policy" {
+data "aws_iam_policy_document" "node_sqs" {
   statement {
     sid       = "ee5"
     actions   = ["sqs:*"]
@@ -50,7 +50,7 @@ data "aws_iam_policy_document" "node_sqs_policy" {
 }
 
 
-data "aws_iam_policy_document" "node_s3_policy" {
+data "aws_iam_policy_document" "node_s3" {
   statement {
     sid     = "ff6"
     actions = ["s3:*"]

diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf
@@ -1,24 +1,24 @@
 resource "aws_iam_role_policy_attachment" "node_cloudwatch" {
   role       = aws_iam_role.node.name
-  policy_arn = aws_iam_policy.node_cloudwatch_policy.arn
+  policy_arn = aws_iam_policy.node_cloudwatch.arn
 }
 
-resource "aws_iam_role_policy_attachment" "node_IMDSv2_policy" {
+resource "aws_iam_role_policy_attachment" "node_IMDSv2" {
   role       = aws_iam_role.node.name
-  policy_arn = aws_iam_policy.node_IMDSv2_policy.arn
+  policy_arn = aws_iam_policy.node_IMDSv2.arn
 }
 
-resource "aws_iam_role_policy_attachment" "node_kms_policy" {
+resource "aws_iam_role_policy_attachment" "node_kms" {
   role       = aws_iam_role.node.name
-  policy_arn = aws_iam_policy.node_kms_policy.arn
+  policy_arn = aws_iam_policy.node_kms.arn
 }
 
-resource "aws_iam_role_policy_attachment" "node_sqs_policy" {
+resource "aws_iam_role_policy_attachment" "node_sqs" {
   role       = aws_iam_role.node.name
-  policy_arn = aws_iam_policy.node_sqs_policy.arn
+  policy_arn = aws_iam_policy.node_sqs.arn
 }
 
-resource "aws_iam_role_policy_attachment" "node_s3_policy" {
+resource "aws_iam_role_policy_attachment" "node_s3" {
   role       = aws_iam_role.node.name
-  policy_arn = aws_iam_policy.node_s3_policy.arn
+  policy_arn = aws_iam_policy.node_s3.arn
 }
diff --git a/modules/app_eks/iam-role-policies.tf b/modules/app_eks/iam-role-policies.tf
@@ -1,5 +1,5 @@
 
-data "aws_iam_policy_document" "node_assume_role_policy" {
+data "aws_iam_policy_document" "node_assume" {
   statement {
     sid     = "aa1"
     actions = ["sts:AssumeRole"]

diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf
@@ -1,5 +1,8 @@
 resource "aws_iam_role" "node" {
   name               = "${var.namespace}-node"
-  assume_role_policy = data.aws_iam_policy_document.node_assume_role_policy.json
+  assume_role_policy = data.aws_iam_policy_document.node_assume.json
+
+  inline_policy {}
+
 }