feat: create iam roles for cluster and node group

7SOATSquad30 · Sep 28, 2024 · c299dee · c299dee
1 parent c94d8c2
commit c299dee
Showing 1 changed file with 59 additions and 5 deletions.
diff --git a/cluster.tf b/cluster.tf
@@ -61,14 +61,68 @@ resource "aws_route_table_association" "public_rt_assoc_3" {
   route_table_id = aws_route_table.eks_public_rt.id
 }
 
-locals {
-  eks_cluster_role_arn = "arn:aws:iam::691714441051:role/AWSServiceRoleForAmazonEKS"
-  eks_node_group_role_arn = "arn:aws:iam::691714441051:role/AWSServiceRoleForAmazonEKSNodegroup"
+resource "aws_iam_role" "eks_cluster_role" {
+  name = "eks-cluster-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "eks.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  role       = aws_iam_role.eks_cluster_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "eks_vpc_resource_controller_policy" {
+  role       = aws_iam_role.eks_cluster_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+}
+
+resource "aws_iam_role" "eks_node_group_role" {
+  name = "eks-node-group-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
+  role       = aws_iam_role.eks_node_group_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
+  role       = aws_iam_role.eks_node_group_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}
+
+resource "aws_iam_role_policy_attachment" "eks_ec2_container_registry_readonly_policy" {
+  role       = aws_iam_role.eks_node_group_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 }
 
 resource "aws_eks_cluster" "eks_cluster" {
   name     = "basic-eks-cluster"
-  role_arn = local.eks_cluster_role_arn
+  role_arn = aws_iam_role.eks_cluster_role.arn
   version  = "1.25"
 
   vpc_config {
@@ -79,7 +133,7 @@ resource "aws_eks_cluster" "eks_cluster" {
 resource "aws_eks_node_group" "eks_node_group" {
   cluster_name    = aws_eks_cluster.eks_cluster.name
   node_group_name = "eks-node-group"
-  node_role_arn   = local.eks_node_group_role_arn
+  node_role_arn   = aws_iam_role.eks_node_group_role.arn
   subnet_ids      = [data.aws_ssm_parameter.subnet_1.value, data.aws_ssm_parameter.subnet_2.value, data.aws_ssm_parameter.subnet_3.value]
 
   scaling_config {