feat(k8s/tofu): add IAM agent-permissions OpenTofu module#193

Merged
fedemaleh merged 5 commits into
betafrom
feat/opentofu
Jun 29, 2026
Conversation

@davidf-null

Collaborator

What

Adds the first OpenTofu module to the k8s scope, at k8s/scope/tofu/iam/modules/, following the structure of the lambda scope (lambda/scope/tofu/iam/modules/).

The module creates only the permissions role (with the workload policies: Route53, EKS, ELB, AVP) whose trust policy allows the agent's IRSA role to assume it via sts:AssumeRole. It is the nullplatform_agent_permissions half of the tofu-modules/infrastructure/aws/iam/agent module, ported verbatim. The agent's IRSA role is still created during cluster setup and remains out of scope.

Why

Separates responsibilities: the agent module in tofu-modules stops creating the permissions role (see the PR in that repo), which is instead provisioned per cluster from the k8s scope. The wiring is kept by naming convention (nullplatform-{cluster}-agent-permissions-role), which the agent's assume policy already authorizes.

Files

  • k8s/scope/tofu/iam/modules/{data,locals,variables,main,outputs,versions}.tf

Verification

  • tofu fmt -check
  • tofu validate ✓ (Success)
  • Tested end-to-end on a real root (agent-asumme-rol): state migration of the role + 4 policies from the agent module to the new module → tofu plan is a no-op, without destroying or recreating infra.

Deployment notes

Coordinate with the refactor of the agent module in tofu-modules: the scope must create the permissions role with the conventional name before/together with the apply that removes it from the agent module.

🤖 Generated with Claude Code

Port the permissions-role half of tofu-modules .../aws/iam/agent into the
k8s scope as a reusable module, mirroring lambda/scope/tofu/iam/modules.

Creates an IAM role holding the agent workload policies (Route53, EKS, ELB,
AVP) whose trust policy allows only the agent IRSA role (agent_role_arn) to
assume it via sts:AssumeRole. The IRSA agent role itself is provisioned at
cluster setup and stays out of scope.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread k8s/scope/tofu/iam/modules/main.tf Outdated
Drop the verifiedpermissions:* policy and its role attachment from the
agent permissions role. The role keeps only the Route53, EKS and ELB
workload policies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@davidf-null davidf-null requested a review from fedemaleh June 24, 2026 18:23
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread k8s/specs/tofu/locals.tf
Comment thread k8s/specs/tofu/locals.tf Outdated
Comment thread k8s/specs/tofu/main.tf
Comment thread k8s/specs/tofu/main.tf
davidf-null and others added 2 commits June 26, 2026 10:09
update locals
Make agent_role_arn optional (defaults to the conventional
nullplatform-<cluster>-agent-role) and add additional_agent_role_arns so
extra roles can be appended to the trust policy alongside the primary one.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
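To make the trust relationship described in the PR description and in the commit message above concrete, here is an added illustration of the shape of such a module. It is not the code from PR #193 or from tofu-modules; the variable names `cluster`, `agent_role_arn` and `additional_agent_role_arns`, the naming conventions `nullplatform-<cluster>-agent-role` and `nullplatform-<cluster>-agent-permissions-role`, and the placeholder Route53 policy body are assumptions taken from the text of this page, not from the module itself.

```hcl
# Added example, not the module from PR #193. Variable names and the
# nullplatform-<cluster>-* naming conventions are assumed from the PR text;
# the workload policy below is a placeholder, not the real Route53/EKS/ELB set.

variable "cluster" {
  description = "Cluster name used to derive the conventional role names."
  type        = string
}

variable "agent_role_arn" {
  description = "IRSA role of the agent. null means: use nullplatform-<cluster>-agent-role in this account."
  type        = string
  default     = null
}

variable "additional_agent_role_arns" {
  description = "Extra role ARNs allowed to assume the permissions role alongside the primary one."
  type        = list(string)
  default     = []
}

data "aws_caller_identity" "current" {}

locals {
  account_id             = data.aws_caller_identity.current.account_id
  default_agent_role_arn = "arn:aws:iam::${local.account_id}:role/nullplatform-${var.cluster}-agent-role"
  # coalesce() skips null, so an unset agent_role_arn falls back to the convention.
  agent_role_arn        = coalesce(var.agent_role_arn, local.default_agent_role_arn)
  trusted_role_arns     = distinct(concat([local.agent_role_arn], var.additional_agent_role_arns))
  permissions_role_name = "nullplatform-${var.cluster}-agent-permissions-role"
}

# Trust policy: only the listed agent roles may call sts:AssumeRole on this role.
data "aws_iam_policy_document" "trust" {
  statement {
    sid     = "AllowAgentRolesToAssume"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = local.trusted_role_arns
    }
  }
}

resource "aws_iam_role" "agent_permissions" {
  name               = local.permissions_role_name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Placeholder workload policy (assumed); the real module attaches the
# Route53, EKS and ELB policies ported from the agent module.
data "aws_iam_policy_document" "route53" {
  statement {
    effect    = "Allow"
    actions   = ["route53:ListHostedZones"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "route53" {
  name   = "${local.permissions_role_name}-route53"
  policy = data.aws_iam_policy_document.route53.json
}

resource "aws_iam_role_policy_attachment" "route53" {
  role       = aws_iam_role.agent_permissions.name
  policy_arn = aws_iam_policy.route53.arn
}

output "agent_permissions_role_arn" {
  value = aws_iam_role.agent_permissions.arn
}
```

Two things worth checking when reviewing a trust policy of this shape. First, naming a role ARN as an `AWS` principal binds the trust to that role's unique ID: if the agent IRSA role is ever destroyed and recreated under the same name, IAM rewrites the principal to the old unique ID and the assume call starts failing until the trust policy is re-applied. Second, because the two repositories are wired only by the `nullplatform-<cluster>-*` name convention, a `tofu plan` that shows the permissions role being destroyed in one root before it exists in the other is exactly the ordering problem the deployment note warns about; the state migration the PR description mentions is what keeps that plan a no-op.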
@fedemaleh fedemaleh merged commit 8e421b9 into beta Jun 29, 2026
3 checks passed
@fedemaleh fedemaleh deleted the feat/opentofu branch June 29, 2026 14:08