IRSA for multiple clusters

Ryan Graham
1 min read · Sep 16, 2024


Quick and easy terraform

My old approach was to write my own assume-role policies in Terraform and do my own data lookups to find each cluster's OIDC provider. I thought "why depend on an external module for something so simple and risk update issues down the road."

Well, it turns out that's a bit unwieldy when you need to migrate an app across clusters or run the same app in blue and green clusters. So here is a better approach with a better user interface.

Start by defining our policy

In this example I'll grant read access to a single parameter in SSM Parameter Store, but the policy could grant anything.

data "aws_iam_policy_document" "my_app" {
  statement {
    effect  = "Allow"
    actions = ["ssm:GetParameter"]
    resources = [
      "arn:aws:ssm:us-east-1:012345678901:parameter/mypath/myapp/mytoken"
    ]
  }
}

resource "aws_iam_policy" "my_app" {
  name        = "my-app"
  path        = "/"
  description = "Policy for my-app service"

  policy = data.aws_iam_policy_document.my_app.json
}

Then use the community module to create the role

The module handles the data lookups for each cluster's OIDC provider, as long as the account and region stay the same AND you get the cluster names right.

module "my_app_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"

  role_name = "my-app"

  cluster_service_accounts = {
    "my-cluster-blue"  = ["my-namespace:my-app"]
    "my-cluster-green" = ["my-namespace:my-app"]
  }

  role_policy_arns = {
    policy = aws_iam_policy.my_app.arn
  }
}
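What the module is doing under the hood is rendering a trust policy with one `sts:AssumeRoleWithWebIdentity` statement per cluster OIDC provider, each pinned to the exact `system:serviceaccount:<namespace>:<name>` subject and the `sts.amazonaws.com` audience. The following Python is an added example, not the post's or the module's code: it builds that trust policy from the same `cluster_service_accounts` map used above and models the check STS performs on a projected token, so you can see which tokens the role accepts and which it rejects. The trust-policy shape is the standard IRSA one; the issuer URLs are constructed placeholders (the module looks the real ones up from the cluster names), and the exact JSON the module renders is assumed to match this shape.

```python
import json

# Account id taken from the post's example parameter ARN.
ACCOUNT_ID = "012345678901"

# Constructed sample issuer URLs; the real module looks these up from the
# cluster names. The provider ids here are placeholders, not real clusters.
CLUSTER_ISSUERS = {
    "my-cluster-blue": "https://oidc.eks.us-east-1.amazonaws.com/id/BLUE0000EXAMPLE00000000000000000",
    "my-cluster-green": "https://oidc.eks.us-east-1.amazonaws.com/id/GREEN000EXAMPLE00000000000000000",
}

# Same shape as the module input: cluster name -> ["namespace:serviceaccount", ...]
CLUSTER_SERVICE_ACCOUNTS = {
    "my-cluster-blue": ["my-namespace:my-app"],
    "my-cluster-green": ["my-namespace:my-app"],
}

# Audience EKS stamps into projected service-account tokens for IRSA.
STS_AUDIENCE = "sts.amazonaws.com"


def provider_path(issuer_url: str) -> str:
    """IAM names OIDC providers and their condition keys by host/path, no scheme."""
    return issuer_url.removeprefix("https://")


def build_trust_policy(account_id, cluster_issuers, cluster_service_accounts):
    """One AssumeRoleWithWebIdentity statement per cluster OIDC provider, each
    limited to the listed service-account subjects and the STS audience."""
    statements = []
    for cluster, service_accounts in cluster_service_accounts.items():
        path = provider_path(cluster_issuers[cluster])
        subjects = [f"system:serviceaccount:{sa}" for sa in service_accounts]
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # A list means "any of these subjects"; a single SA stays a string.
                    f"{path}:sub": subjects if len(subjects) > 1 else subjects[0],
                    f"{path}:aud": STS_AUDIENCE,
                }
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def token_is_trusted(policy, issuer_url, sub, aud):
    """Model STS's evaluation of a token's iss/sub/aud claims against the trust
    policy: the issuer must be a trusted provider and both conditions must hold."""
    path = provider_path(issuer_url)
    for stmt in policy["Statement"]:
        federated = stmt["Principal"]["Federated"]
        if federated.split(":oidc-provider/", 1)[1] != path:
            continue  # token was issued by a cluster this role does not trust
        cond = stmt["Condition"]["StringEquals"]
        allowed_subs = cond[f"{path}:sub"]
        if isinstance(allowed_subs, str):
            allowed_subs = [allowed_subs]
        if sub in allowed_subs and aud == cond[f"{path}:aud"]:
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, CLUSTER_ISSUERS, CLUSTER_SERVICE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    blue = CLUSTER_ISSUERS["my-cluster-blue"]
    # Same SA name in a different namespace is rejected; only my-namespace:my-app passes.
    print(token_is_trusted(policy, blue, "system:serviceaccount:my-namespace:my-app", STS_AUDIENCE))
    print(token_is_trusted(policy, blue, "system:serviceaccount:other-ns:my-app", STS_AUDIENCE))
```

Run it and compare the printed policy with `aws iam get-role --role-name my-app` after `terraform apply`; the `sub` condition is what keeps a same-named service account in another namespace, or a third cluster in the same account, from assuming the role.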

Voila! Now you can use the same role in both clusters while keeping the IAM terraform in your application repository.
