diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 40db6c4..30490ea 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.86.0
+ rev: v1.105.0
hooks:
- id: terraform_fmt
- id: terraform_validate
diff --git a/README.md b/README.md
index 7462543..6e91499 100644
--- a/README.md
+++ b/README.md
@@ -10,13 +10,13 @@ This module was created to simplify deploying Gitlab into the EKS with storage o
In the above diagram, you can see the components and their relations (PostgreSQL and Redis are not deployed with this module).
-
+
## Requirements
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | 5.36.0 |
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.0 |
| [helm](#requirement\_helm) | 2.11.0 |
| [kubectl](#requirement\_kubectl) | ~> 2.0 |
| [kubernetes](#requirement\_kubernetes) | >= 2.20 |
@@ -26,7 +26,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.36.0 |
+| [aws](#provider\_aws) | 6.36.0 |
| [helm](#provider\_helm) | 2.11.0 |
| [kubernetes](#provider\_kubernetes) | 3.0.1 |
@@ -34,8 +34,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL
| Name | Source | Version |
|------|--------|---------|
-| [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | v5.34.0 |
-| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 |
+| [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v6.4.0 |
+| [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-role | v6.4.0 |
+| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.10.0 |
## Resources
@@ -51,9 +52,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL
| [kubernetes_secret_v1.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
| [kubernetes_secret_v1.registry_postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
| [kubernetes_secret_v1.smtp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
-| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/eks_cluster) | data source |
-| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/region) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -73,6 +74,8 @@ In the above diagram, you can see the components and their relations (PostgreSQL
| [release\_max\_history](#input\_release\_max\_history) | Maximum saved revisions per release | `number` | `10` | no |
| [release\_name](#input\_release\_name) | This is the name of the release which also used as a prefix or suffix for the resources | `string` | `"gitlab"` | no |
| [release\_namespace](#input\_release\_namespace) | Namespace name where you want to deploy the release. If empty, `release_name` will be used. | `string` | `""` | no |
+| [role\_policy](#input\_role\_policy) | Policy for GitLab role | `string` | `null` | no |
+| [role\_suffix](#input\_role\_suffix) | Optional suffix for GitLab role | `string` | `"access-aws"` | no |
| [smtp\_password](#input\_smtp\_password) | SMTP Password | `string` | `""` | no |
| [smtp\_user](#input\_smtp\_user) | SMTP Username | `string` | `""` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
@@ -80,5 +83,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL
## Outputs
-No outputs.
-
+| Name | Description |
+|------|-------------|
+| [buckets](#output\_buckets) | List of buckets created |
+| [role\_arn](#output\_role\_arn) | ARN of IAM role |
+| [role\_name](#output\_role\_name) | Name of IAM role |
+
diff --git a/examples/README.md b/examples/README.md
index fc4890b..2de153a 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -1,9 +1,14 @@
-
+
## Requirements
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.0 |
+| [helm](#requirement\_helm) | 2.11.0 |
+| [kubectl](#requirement\_kubectl) | ~> 2.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.20 |
+| [time](#requirement\_time) | >= 0.9 |
## Providers
@@ -26,4 +31,4 @@ No inputs.
## Outputs
No outputs.
-
+
diff --git a/examples/main.tf b/examples/main.tf
index 0a54ede..23aff72 100644
--- a/examples/main.tf
+++ b/examples/main.tf
@@ -40,7 +40,7 @@ module "gitlab" {
"lifecycle_rule": [
{
"id": "log",
- "enabled": true,
+ "status": "Enabled",
"expiration": {
"days": 30
}
@@ -53,7 +53,7 @@ EOF
"lifecycle_rule": [
{
"id": "log",
- "enabled": true,
+ "status": "Enabled",
"noncurrent_version_transition": [
{
"days": 30,
diff --git a/examples/versions.tf b/examples/versions.tf
index 7117131..1e6cd2a 100644
--- a/examples/versions.tf
+++ b/examples/versions.tf
@@ -1,3 +1,26 @@
terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "2.11.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.20"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
+ kubectl = {
+ source = "alekc/kubectl"
+ version = "~> 2.0"
+ }
+ }
}
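Review bot: The aws provider constraint `version = ">= 6.0"` has no upper bound, so a fresh `terraform init` without a committed `.terraform.lock.hcl` will pull any future major release, including a 7.x with breaking changes, whereas the previous configuration pinned an exact version; the same open-ended constraints are added for `kubernetes` (`>= 2.20`) and `time` (`>= 0.9`), and the root versions.tf hunk makes the identical aws change. A pessimistic constraint keeps the intended major while still allowing patch and minor updates, e.g. `version = "~> 6.0"`, with the exact resolved version recorded in the lock file. Mixing an exact pin (`helm` at `"2.11.0"`) with open ranges in the same block also reads as unintentional; one pinning policy for the example would be clearer to anyone copying it.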
diff --git a/main.tf b/main.tf
index af20b16..d6c8317 100644
--- a/main.tf
+++ b/main.tf
@@ -147,7 +147,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:ListBucket"]
resources = ["arn:aws:s3:::${each.value}"]
@@ -158,7 +158,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:PutObject", "s3:GetObject"]
resources = ["arn:aws:s3:::${each.value}/*"]
@@ -169,7 +169,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:DeleteObject"]
resources = ["arn:aws:s3:::${each.value}/*"]
@@ -180,7 +180,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:PutObjectAcl"]
resources = ["arn:aws:s3:::${each.value}/*"]
@@ -191,7 +191,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:GetObjectAcl"]
resources = ["arn:aws:s3:::${each.value}/*"]
@@ -202,7 +202,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:ListBucketMultipartUploads"]
resources = ["arn:aws:s3:::${each.value}"]
@@ -213,7 +213,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
effect = "Allow"
principals {
type = "AWS"
- identifiers = [module.gitlab_role.iam_role_arn]
+ identifiers = [module.gitlab_role.arn]
}
actions = ["s3:ListMultipartUploadParts"]
resources = ["arn:aws:s3:::${each.value}/*"]
@@ -223,10 +223,9 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
module "s3_bucket" {
for_each = local.buckets_list
source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.1.0"
+ version = "5.10.0"
bucket = each.value
- acl = null
force_destroy = false
versioning = {
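Review bot: Bumping terraform-aws-modules/s3-bucket/aws from 4.1.0 to 5.10.0 and dropping `acl = null` is a major-version change, and the rest of this `module "s3_bucket"` block (from `versioning = {` onward) continues outside the hunk, so its remaining inputs are not visible here. The example in examples/main.tf was adapted for the same bump by changing lifecycle rules from `"enabled": true` to `"status": "Enabled"`, which suggests the v5 input schema differs; any lifecycle or similar inputs further down this block presumably need the same check, since a key the module no longer recognises could leave expiration or noncurrent-version rules silently unapplied. Keeping the module pinned to the exact `"5.10.0"` is the right call here.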
@@ -265,7 +264,7 @@ resource "helm_release" "gitlab" {
set {
name = "global.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
- value = module.gitlab_role.iam_role_arn
+ value = module.gitlab_role.arn
}
depends_on = [
@@ -276,15 +275,37 @@ resource "helm_release" "gitlab" {
]
}
-module "gitlab_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "v5.34.0"
- create_role = true
- allow_self_assume_role = false
- role_description = "Gitlab Role to access S3"
- role_name = "${var.release_name}-access-s3"
- provider_url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
- oidc_subjects_with_wildcards = ["system:serviceaccount:${local.release_namespace}:gitlab*"]
- oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
- tags = var.tags
+module "gitlab_policy" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "v6.4.0"
+
+ name = "gitlab-role-policy"
+ description = "Policy for GitLab role"
+ policy = var.role_policy
+
+ tags = var.tags
}
+
+module "gitlab_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role"
+ version = "v6.4.0"
+
+ enable_oidc = true
+ name = "${var.release_name}-${var.role_suffix}"
+ use_name_prefix = false
+ description = "Gitlab Role to access AWS resources"
+
+ oidc_provider_urls = [data.aws_eks_cluster.eks.identity[0].oidc[0].issuer]
+ oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"]
+ oidc_audiences = ["sts.amazonaws.com"]
+
+ policies = {
+ gitlab-role-policy = module.gitlab_policy.arn
+ }
+
+ tags = var.tags
+
+ depends_on = [
+ module.gitlab_policy
+ ]
+}
\ No newline at end of file
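Review bot: The new policy is created with the fixed string `name = "gitlab-role-policy"` while the role is named `"${var.release_name}-${var.role_suffix}"`; IAM policy names are unique per account, so a second release of this module into the same account fails on the name conflict. Derive it from the same inputs, e.g. `name = "${var.release_name}-${var.role_suffix}-policy"`. Also `policy = var.role_policy` hands the iam-policy module a `null` document by default (variables.tf sets `default = null`), so the default configuration either fails at plan time or attaches an empty policy; if a role without a managed policy (as before this commit, when S3 access came from the bucket policies) is the intended default, the policy module and the `gitlab-role-policy` entry in `policies` should be conditional on `var.role_policy != null`. The `depends_on = [module.gitlab_policy]` is redundant given the `module.gitlab_policy.arn` reference inside `policies` and can make the role's attributes unknown at plan time, so it is better removed.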
diff --git a/outputs.tf b/outputs.tf
index 8b13789..a8ea634 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1 +1,17 @@
+output "role_name" {
+ description = "Name of IAM role"
+ value = module.gitlab_role.arn
+}
+output "role_arn" {
+ description = "ARN of IAM role"
+ value = module.gitlab_role.arn
+
+}
+
+output "buckets" {
+ description = "List of buckets created"
+ value = tomap({
+ for k, v in module.s3_bucket : k => v.s3_bucket_arn
+ })
+}
\ No newline at end of file
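Review bot: `output "role_name"` returns `module.gitlab_role.arn`, the same value as `role_arn`, so the output named and described as the role name actually yields the ARN; it should read `value = module.gitlab_role.name` (confirm the exact output name exposed by the iam-role module at v6.4.0). The `buckets` output builds a map with `tomap({ for k, v in module.s3_bucket : k => v.s3_bucket_arn })` but is described as a "List of buckets created"; a description such as `"Map of bucket name to bucket ARN"` would match the value and the README row generated from it. Stylistically, the blank line inside the `role_arn` block and the missing blank line between the first two outputs are inconsistent with the rest of the file.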
diff --git a/variables.tf b/variables.tf
index 71611b1..bee8099 100644
--- a/variables.tf
+++ b/variables.tf
@@ -106,3 +106,16 @@ variable "tags" {
type = map(string)
default = {}
}
+
+variable "role_policy" {
+ type = string
+ description = "Policy for GitLab role"
+ sensitive = true
+ default = null
+}
+
+variable "role_suffix" {
+ type = string
+ description = "Optional suffix for GitLab role"
+ default = "access-aws"
+}
\ No newline at end of file
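Review bot: Marking `role_policy` as `sensitive = true` redacts the IAM policy document from `terraform plan` output, so a change that widens the GitLab role's permissions shows up only as `(sensitive value)` and escapes review; a policy document is an authorization decision rather than a credential, and it is readable in IAM once applied anyway. Drop `sensitive` and add a `validation` block so a non-JSON string fails at plan time rather than at the AWS API call. Separately, `role_suffix` is described as optional, but main.tf builds the role name as `"${var.release_name}-${var.role_suffix}"`, so an empty suffix yields a trailing hyphen; either document that it must be non-empty or add `condition = length(var.role_suffix) > 0` in a validation block.
```terraform
variable "role_policy" {
  type        = string
  description = "JSON IAM policy document attached to the GitLab role"
  default     = null

  validation {
    condition     = var.role_policy == null || can(jsondecode(var.role_policy))
    error_message = "role_policy must be null or a valid JSON IAM policy document."
  }
}
```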
diff --git a/versions.tf b/versions.tf
index 20bdfb8..1e6cd2a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,10 @@
terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.5.7"
required_providers {
aws = {
source = "hashicorp/aws"
- version = "5.36.0"
+ version = ">= 6.0"
}
helm = {
source = "hashicorp/helm"