Merge pull request #6 from Perun-Engineering/chore/add-role-policy-support

babychm · web-flow · commit dbab816bb9ae · 2026-03-15T19:06:37.000+02:00
chore: Add role custom policy creation support
chore: Update modules
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.86.0
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
diff --git a/README.md b/README.md
@@ -10,13 +10,13 @@ This module was created to simplify deploying Gitlab into the EKS with storage o
 
 In the above diagram, you can see the components and their relations (PostgreSQL and Redis are not deployed with this module).
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.36.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | 2.11.0 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | ~> 2.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
@@ -26,16 +26,17 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.36.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 3.0.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_gitlab_role"></a> [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | v5.34.0 |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 |
+| <a name="module_gitlab_policy"></a> [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v6.4.0 |
+| <a name="module_gitlab_role"></a> [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-role | v6.4.0 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.10.0 |
 
 ## Resources
 
@@ -51,9 +52,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | [kubernetes_secret_v1.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [kubernetes_secret_v1.registry_postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [kubernetes_secret_v1.smtp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
-| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/eks_cluster) | data source |
-| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/region) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -73,12 +74,18 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | <a name="input_release_max_history"></a> [release\_max\_history](#input\_release\_max\_history) | Maximum saved revisions per release | `number` | `10` | no |
 | <a name="input_release_name"></a> [release\_name](#input\_release\_name) | This is the name of the release which also used as a prefix or suffix for the resources | `string` | `"gitlab"` | no |
 | <a name="input_release_namespace"></a> [release\_namespace](#input\_release\_namespace) | Namespace name where you want to deploy the release. If empty, `release_name` will be used. | `string` | `""` | no |
+| <a name="input_role_policy"></a> [role\_policy](#input\_role\_policy) | Policy for GitLab role | `string` | `null` | no |
+| <a name="input_role_suffix"></a> [role\_suffix](#input\_role\_suffix) | Optional suffix for GitLab role | `string` | `"access-aws"` | no |
 | <a name="input_smtp_password"></a> [smtp\_password](#input\_smtp\_password) | SMTP Password | `string` | `""` | no |
 | <a name="input_smtp_user"></a> [smtp\_user](#input\_smtp\_user) | SMTP Username | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_values"></a> [values](#input\_values) | Custom values.yaml file for the Helm chart | `any` | `[]` | no |
 
 ## Outputs
 
-No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+| Name | Description |
+|------|-------------|
+| <a name="output_buckets"></a> [buckets](#output\_buckets) | List of buckets created |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of IAM role |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | Name of IAM role |
+<!-- END_TF_DOCS -->
diff --git a/examples/README.md b/examples/README.md
@@ -1,9 +1,14 @@
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | 2.11.0 |
+| <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | ~> 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 
 ## Providers
 
@@ -26,4 +31,4 @@ No inputs.
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
diff --git a/examples/main.tf b/examples/main.tf
@@ -40,7 +40,7 @@ module "gitlab" {
   "lifecycle_rule": [
     {
       "id": "log",
-      "enabled": true,
+      "status": "Enabled",
       "expiration": {
         "days": 30
       }
@@ -53,7 +53,7 @@ EOF
   "lifecycle_rule": [
     {
       "id": "log",
-      "enabled": true,
+      "status": "Enabled",
       "noncurrent_version_transition": [
         {
           "days": 30,
diff --git a/examples/versions.tf b/examples/versions.tf
@@ -1,3 +1,26 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.11.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.20"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9"
+    }
+    kubectl = {
+      source  = "alekc/kubectl"
+      version = "~> 2.0"
+    }
+  }
 }
diff --git a/main.tf b/main.tf
@@ -147,7 +147,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:ListBucket"]
     resources = ["arn:aws:s3:::${each.value}"]
@@ -158,7 +158,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:PutObject", "s3:GetObject"]
     resources = ["arn:aws:s3:::${each.value}/*"]
@@ -169,7 +169,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:DeleteObject"]
     resources = ["arn:aws:s3:::${each.value}/*"]
@@ -180,7 +180,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:PutObjectAcl"]
     resources = ["arn:aws:s3:::${each.value}/*"]
@@ -191,7 +191,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:GetObjectAcl"]
     resources = ["arn:aws:s3:::${each.value}/*"]
@@ -202,7 +202,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:ListBucketMultipartUploads"]
     resources = ["arn:aws:s3:::${each.value}"]
@@ -213,7 +213,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [module.gitlab_role.iam_role_arn]
+      identifiers = [module.gitlab_role.arn]
     }
     actions   = ["s3:ListMultipartUploadParts"]
     resources = ["arn:aws:s3:::${each.value}/*"]
@@ -223,10 +223,9 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
 module "s3_bucket" {
   for_each = local.buckets_list
   source   = "terraform-aws-modules/s3-bucket/aws"
-  version  = "4.1.0"
+  version  = "5.10.0"
 
   bucket        = each.value
-  acl           = null
   force_destroy = false
 
   versioning = {
@@ -265,7 +264,7 @@ resource "helm_release" "gitlab" {
 
   set {
     name  = "global.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.gitlab_role.iam_role_arn
+    value = module.gitlab_role.arn
   }
 
   depends_on = [
@@ -276,15 +275,37 @@ resource "helm_release" "gitlab" {
   ]
 }
 
-module "gitlab_role" {
-  source                         = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                        = "v5.34.0"
-  create_role                    = true
-  allow_self_assume_role         = false
-  role_description               = "Gitlab Role to access S3"
-  role_name                      = "${var.release_name}-access-s3"
-  provider_url                   = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
-  oidc_subjects_with_wildcards   = ["system:serviceaccount:${local.release_namespace}:gitlab*"]
-  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
-  tags                           = var.tags
+module "gitlab_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "v6.4.0"
+
+  name        = "gitlab-role-policy"
+  description = "Policy for GitLab role"
+  policy      = var.role_policy
+
+  tags = var.tags
 }
+
+module "gitlab_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
+  version = "v6.4.0"
+
+  enable_oidc     = true
+  name            = "${var.release_name}-${var.role_suffix}"
+  use_name_prefix = false
+  description     = "Gitlab Role to access AWS resources"
+
+  oidc_provider_urls     = [data.aws_eks_cluster.eks.identity[0].oidc[0].issuer]
+  oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"]
+  oidc_audiences         = ["sts.amazonaws.com"]
+
+  policies = {
+    gitlab-role-policy = module.gitlab_policy.arn
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    module.gitlab_policy
+  ]
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1 +1,17 @@
+output "role_name" {
+  description = "Name of IAM role"
+  value       = module.gitlab_role.arn
+}
 
+output "role_arn" {
+  description = "ARN of IAM role"
+  value       = module.gitlab_role.arn
+
+}
+
+output "buckets" {
+  description = "List of buckets created"
+  value = tomap({
+    for k, v in module.s3_bucket : k => v.s3_bucket_arn
+  })
+}
diff --git a/variables.tf b/variables.tf
@@ -106,3 +106,16 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "role_policy" {
+  type        = string
+  description = "Policy for GitLab role"
+  sensitive   = true
+  default     = null
+}
+
+variable "role_suffix" {
+  type        = string
+  description = "Optional suffix for GitLab role"
+  default     = "access-aws"
+}
diff --git a/versions.tf b/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.36.0"
+      version = ">= 6.0"
     }
     helm = {
       source  = "hashicorp/helm"

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module "gitlab" {`
`40`	`40`	`"lifecycle_rule": [`
`41`	`41`	`{`
`42`	`42`	`"id": "log",`
`43`		`- "enabled": true,`
	`43`	`+ "status": "Enabled",`
`44`	`44`	`"expiration": {`
`45`	`45`	`"days": 30`
`46`	`46`	`}`
`@@ -53,7 +53,7 @@ EOF`
`53`	`53`	`"lifecycle_rule": [`
`54`	`54`	`{`
`55`	`55`	`"id": "log",`
`56`		`- "enabled": true,`
	`56`	`+ "status": "Enabled",`
`57`	`57`	`"noncurrent_version_transition": [`
`58`	`58`	`{`
`59`	`59`	`"days": 30,`