Added AWS service account and SQS module to ArmoniK.Infra

service-account/aws/main.tf

@@ -0,0 +1,111 @@
+
+
+locals {
+  prefix   = var.prefix
+  tags     = merge(var.tags, { module = "amazon-sqs" })
+  oidc_arn = var.oidc_provider_arn
+  oidc_url = trimprefix(var.oidc_issuer_url, "https://")
+}
+
+resource "aws_iam_role" "armonik" {
+  name = "${local.prefix}-eks-pod-identity-armonik"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = local.oidc_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${local.oidc_url}:aud" = "sts.amazonaws.com"
+            "${local.oidc_url}:sub" = [
+              "system:serviceaccount:${var.namespace}:${var.service_account_name}",
+            ]
+          }
+        }
+      }
+    ]
+  })
+  tags = local.tags
+}
+
+resource "aws_iam_policy_attachment" "armonik_decrypt_object" {
+  name       = "${local.prefix}-s3-encrypt-decrypt-armonik"
+  roles      = [aws_iam_role.armonik.name]
+  policy_arn = var.decrypt_policy_arn
+}
+
+data "aws_iam_policy_document" "sqs" {
+  statement {
+    sid = "SqsAdmin"
+    actions = [
+      "sqs:CreateQueue",
+      "sqs:DeleteQueue",
+      "sqs:PurgeQueue",
+      "sqs:GetQueueUrl",
+      "sqs:ReceiveMessage",
+      "sqs:SendMessage"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "sqs" {
+  name_prefix = "${local.prefix}-sqs-admin"
+  description = "Policy for allowing SQS admin access"
+  policy      = data.aws_iam_policy_document.sqs.json
+  tags        = local.tags
+}
+
+resource "aws_iam_policy_attachment" "sqs" {
+  count      = length([for service in var.aws_services : service if service == "sqs"]) > 0 ? 1 : 0
+  name       = "${local.prefix}-sqs"
+  roles      = [aws_iam_role.armonik.name]
+  policy_arn = aws_iam_policy.sqs.arn
+}
+
+data "aws_iam_policy_document" "s3" {
+  statement {
+    sid = "S3Admin"
+    actions = [
+      "s3:CreateBucket",
+      "s3:DeleteBucket",
+      "s3:ListBucket",
+      "s3:PutBucketPolicy",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "s3" {
+  name_prefix = "${local.prefix}-s3-admin"
+  description = "Policy for allowing S3 admin access"
+  policy      = data.aws_iam_policy_document.s3.json
+  tags        = local.tags
+}
+
+resource "aws_iam_policy_attachment" "s3" {
+  count      = length([for service in var.aws_services : service if service == "s3"]) > 0 ? 1 : 0
+  name       = "${local.prefix}-s3"
+  roles      = [aws_iam_role.armonik.name]
+  policy_arn = aws_iam_policy.s3.arn
+}
+
+resource "kubernetes_service_account" "armonik" {
+  metadata {
+    name      = var.service_account_name
+    namespace = var.namespace
+
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.armonik.arn
+    }
+  }
+  automount_service_account_token = var.automount_service_account_token
+}

service-account/aws/variables.tf

@@ -0,0 +1,49 @@
+variable "prefix" {
+  description = "Prefix to use for service account related resources"
+  type        = string
+}
+
+# Tags
+variable "tags" {
+  description = "Tags for resource"
+  type        = map(string)
+  default     = {}
+}
+
+variable "namespace" {
+  description = "Namespace of ArmoniK service account related resources"
+  type        = string
+  default     = "armonik"
+}
+
+variable "service_account_name" {
+  description = "Name of the service account to create"
+  type        = string
+}
+
+variable "automount_service_account_token" {
+  description = "To enable automatic mounting of the Kubernetes service account token."
+  type        = bool
+  default     = true
+}
+
+variable "aws_services" {
+  description = "AWS services to enable for this service account (currently just S3 and SQS)"
+  type        = list(string)
+  default     = ["sqs", "s3"]
+}
+
+variable "oidc_provider_arn" {
+  description = "ARN of the OIDC provider"
+  type        = string
+}
+
+variable "decrypt_policy_arn" {
+  description = "ARN of the S3 encrypt/decrypt IAM policy"
+  type        = string
+}
+
+variable "oidc_issuer_url" {
+  description = "URL of the OIDC issuer"
+  type        = string
+}

service-account/aws/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.61"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.7.1"
+    }
+  }
+}

storage/aws/sqs/main.tf

@@ -0,0 +1,4 @@
+locals {
+  prefix = var.prefix
+  region = var.region
+}

storage/aws/sqs/outputs.tf

@@ -0,0 +1,9 @@
+output "env" {
+  description = "Environment variables to pass to ArmoniK.Core"
+  value = {
+    "Components__QueueAdaptorSettings__ClassName"           = "ArmoniK.Core.Adapters.SQS.QueueBuilder"
+    "Components__QueueAdaptorSettings__AdapterAbsolutePath" = "/adapters/queue/sqs/ArmoniK.Core.Adapters.SQS.dll"
+    "SQS__ServiceURL"                                       = "https://sqs.${local.region}.amazonaws.com"
+    "SQS__Prefix"                                           = local.prefix
+  }
+}

storage/aws/sqs/variables.tf

@@ -0,0 +1,9 @@
+variable "region" {
+  description = "Region"
+  type        = string
+}
+
+variable "prefix" {
+  description = "Prefix to use for SQS queues"
+  type        = string
+}

storage/aws/sqs/versions.tf

@@ -0,0 +1,5 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+  }
+}