Merged

11 changes: 11 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,16 @@
# Changelog

## [6.0.0](https://github.com/nullplatform/tofu-modules/compare/v5.3.1...v6.0.0) (2026-07-01)


### ⚠ BREAKING CHANGES

* **iam/agent:** clusters that relied on the implicit permissions role must now pass it explicitly in assume_role_arns.

### Features

* **iam/agent:** require explicit assume_role_arns, drop implicit permissions role ([#421](https://github.com/nullplatform/tofu-modules/issues/421)) ([44b8fd6](https://github.com/nullplatform/tofu-modules/commit/44b8fd6d631c1fab3247383728a5d64efea5687f))

## [5.3.1](https://github.com/nullplatform/tofu-modules/compare/v5.3.0...v5.3.1) (2026-06-29)


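Review bot: the BREAKING CHANGES entry tells operators to pass the permissions role "explicitly in assume_role_arns" but not which role that is or where its ARN comes from, so an admin migrating a cluster has to guess. Suggest naming the convention the implicit role followed (the iam/agent README in this same PR previously showed `arn:aws:iam::123456789012:role/nullplatform-your-cluster-name-agent-permissions-role`, described there as created by the k8s scope module) and pointing at the iam/agent README usage block from this entry, so the upgrade path is discoverable from the changelog alone.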
2 changes: 1 addition & 1 deletion infrastructure/aws/acm/README.md
Expand Up @@ -18,7 +18,7 @@ The module creates an aws_acm_certificate resource with DNS validation, which is

```hcl
module "acm" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v6.0.0"

domain_name = "your-domain-name"
zone_id = "your-zone-id"
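Review bot: the `source` bump to `?ref=v6.0.0` (repeated identically in every other module README in this PR) pins a git tag, which is mutable, and these snippets are exactly what consumers copy into their root modules. Consider stating once in the README that tags can be moved and showing the immutable alternative of pinning the tagged release's full commit SHA in `?ref=`, so the examples do not normalise a mutable supply-chain pin. No objection to the bump itself.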
2 changes: 1 addition & 1 deletion infrastructure/aws/aws_load_balancer_controller/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates a helm_release resource to deploy the AWS Load Balancer Cont

```hcl
module "aws_load_balancer_controller" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v6.0.0"

cluster_name = "your-cluster-name"
vpc_id = "your-vpc-id"
2 changes: 1 addition & 1 deletion infrastructure/aws/backend/README.md
Expand Up @@ -20,7 +20,7 @@ This module creates an S3 bucket with versioning and server-side encryption enab

```hcl
module "backend" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v6.0.0"
}
```

2 changes: 1 addition & 1 deletion infrastructure/aws/dns/README.md
Expand Up @@ -21,7 +21,7 @@ The module conditionally creates an aws_route53_zone resource for a public hoste

```hcl
module "dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v6.0.0"

domain_name = "your-domain-name"
vpc_id = "your-vpc-id"
2 changes: 1 addition & 1 deletion infrastructure/aws/eks/README.md
Expand Up @@ -22,7 +22,7 @@ The module wraps terraform-aws-modules/eks to create the EKS cluster (aws_eks_cl

```hcl
module "eks" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v6.0.0"

aws_subnets_private_ids = "your-aws-subnets-private-ids"
aws_vpc_vpc_id = "your-aws-vpc-vpc-id"
44 changes: 18 additions & 26 deletions infrastructure/aws/iam/agent/README.md
Expand Up @@ -2,37 +2,30 @@

## Description

Creates an IRSA (IAM Roles for Service Accounts) role for a nullplatform agent on EKS, with an assume-role policy allowing the agent to assume the roles explicitly provided by the caller (via assume_role_arns and/or permissions_roles)
Creates an IRSA (IAM Roles for Service Accounts) role for the nullplatform agent on EKS, with an sts:AssumeRole policy allowing the agent to assume additional permissions roles

## Architecture

The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts module to create an aws_iam_role with an OIDC trust policy scoped to a specific Kubernetes namespace and service account. An aws_iam_policy (nullplatform_assume_role_policy) is created and attached to the agent role, granting sts:AssumeRole only on the roles the caller supplies: any extra permissions roles created via var.permissions_roles plus any caller-supplied var.assume_role_arns. The module no longer injects any permissions role by naming convention; a lifecycle precondition requires at least one role to be provided. Optionally, one or more aws_iam_role resources (extra_permissions) are created via for_each from var.permissions_roles, each trusting only the agent role ARN, with aws_iam_role_policy_attachment resources wiring the provided policy ARNs to each extra role.
The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts module to create an aws_iam_role (via the submodule) that trusts the provided OIDC provider ARN scoped to a specific Kubernetes namespace and service account. An aws_iam_policy named nullplatform_assume_role_policy is created and attached to the agent role, granting sts:AssumeRole on all target role ARNs derived from var.assume_role_arns and var.permissions_roles. Optionally, additional aws_iam_role resources are created for each entry in var.permissions_roles, each trusting only the agent role ARN (computed deterministically to avoid circular dependencies), with aws_iam_role_policy_attachment resources binding the specified managed policy ARNs to those roles.

## Features

- Creates IRSA-enabled aws_iam_role scoped to a specific Kubernetes namespace and service account via OIDC provider trust
- Creates aws_iam_policy granting sts:AssumeRole only on the role ARNs explicitly supplied by the caller (no implicit permissions role by convention)
- Requires at least one assumable role (via assume_role_arns or permissions_roles) through a lifecycle precondition
- Creates optional extra aws_iam_role resources (permissions_roles) trusted exclusively by the agent role with configurable policy attachments
- Attaches additional caller-supplied policy ARNs directly to the agent role via var.additional_policies
- Outputs the agent role ARN and a map of extra permissions role ARNs for downstream consumption
- Derives deterministic role ARNs from account ID and name locals to avoid circular dependencies between role trust and assume policies
- Creates an IRSA-enabled IAM role scoped to a specific Kubernetes namespace and service account via OIDC provider trust
- Creates an sts:AssumeRole IAM policy attaching all target role ARNs from both var.assume_role_arns and var.permissions_roles to the agent role
- Creates additional aws_iam_role resources per var.permissions_roles entry, each trusting only the agent role with configurable managed policy attachments
- Attaches additional caller-supplied policy ARNs to the agent role via var.additional_policies
- Supports overriding the agent IAM role name and policy name prefix for multi-cluster deployments
- Enforces ARN format validation on assume_role_arns and permissions_roles policy ARNs via Terraform variable validations

## Basic Usage

```hcl
module "agent" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v6.0.0"

agent_namespace = "your-agent-namespace"
aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
cluster_name = "your-cluster-name"

# The agent no longer assumes any role by convention. Pass every role it must
# assume explicitly, e.g. the k8s permissions role created by the k8s scope module:
assume_role_arns = [
"arn:aws:iam::123456789012:role/nullplatform-your-cluster-name-agent-permissions-role",
]
}
```

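Review bot: this hunk removes the documentation the 6.0.0 breaking change depends on. The deleted Description and Architecture text stated that the module no longer injects a permissions role by naming convention and that a lifecycle precondition requires at least one role, and the deleted Basic Usage block passed `assume_role_arns = [...]` with the expected permissions-role ARN. The replacement wording ("allowing the agent to assume additional permissions roles") reads as if the implicit role were still present, and the new usage example sets only `agent_namespace`, `aws_iam_openid_connect_provider_arn` and `cluster_name`; if the precondition described in the removed text is still in the module, that example will fail to plan as written. Suggest keeping the removed "no implicit role" and precondition sentences and the `assume_role_arns` example, and restoring the dropped "Outputs the agent role ARN and a map of extra permissions role ARNs" bullet, since both outputs still appear in this file's AI metadata outputs list.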
Expand Down Expand Up @@ -93,16 +86,15 @@ resource "example_resource" "this" {
<!-- BEGIN_AI_METADATA
{
"name": "agent",
"description": "Creates an IRSA (IAM Roles for Service Accounts) role for a nullplatform agent on EKS, with an assume-role policy allowing the agent to assume the roles explicitly provided by the caller (via assume_role_arns and/or permissions_roles)",
"architecture": "The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts module to create an aws_iam_role with an OIDC trust policy scoped to a specific Kubernetes namespace and service account. An aws_iam_policy (nullplatform_assume_role_policy) is created and attached to the agent role, granting sts:AssumeRole only on the roles the caller supplies: any extra permissions roles created via var.permissions_roles plus any caller-supplied var.assume_role_arns. The module no longer injects any permissions role by naming convention; a lifecycle precondition requires at least one role to be provided. Optionally, one or more aws_iam_role resources (extra_permissions) are created via for_each from var.permissions_roles, each trusting only the agent role ARN, with aws_iam_role_policy_attachment resources wiring the provided policy ARNs to each extra role.",
"description": "Creates an IRSA (IAM Roles for Service Accounts) role for the nullplatform agent on EKS, with an sts:AssumeRole policy allowing the agent to assume additional permissions roles",
"architecture": "The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts module to create an aws_iam_role (via the submodule) that trusts the provided OIDC provider ARN scoped to a specific Kubernetes namespace and service account. An aws_iam_policy named nullplatform_assume_role_policy is created and attached to the agent role, granting sts:AssumeRole on all target role ARNs derived from var.assume_role_arns and var.permissions_roles. Optionally, additional aws_iam_role resources are created for each entry in var.permissions_roles, each trusting only the agent role ARN (computed deterministically to avoid circular dependencies), with aws_iam_role_policy_attachment resources binding the specified managed policy ARNs to those roles.",
"features": [
"Creates IRSA-enabled aws_iam_role scoped to a specific Kubernetes namespace and service account via OIDC provider trust",
"Creates aws_iam_policy granting sts:AssumeRole only on the role ARNs explicitly supplied by the caller (no implicit permissions role by convention)",
"Requires at least one assumable role (via assume_role_arns or permissions_roles) through a lifecycle precondition",
"Creates optional extra aws_iam_role resources (permissions_roles) trusted exclusively by the agent role with configurable policy attachments",
"Attaches additional caller-supplied policy ARNs directly to the agent role via var.additional_policies",
"Outputs the agent role ARN and a map of extra permissions role ARNs for downstream consumption",
"Derives deterministic role ARNs from account ID and name locals to avoid circular dependencies between role trust and assume policies"
"Creates an IRSA-enabled IAM role scoped to a specific Kubernetes namespace and service account via OIDC provider trust",
"Creates an sts:AssumeRole IAM policy attaching all target role ARNs from both var.assume_role_arns and var.permissions_roles to the agent role",
"Creates additional aws_iam_role resources per var.permissions_roles entry, each trusting only the agent role with configurable managed policy attachments",
"Attaches additional caller-supplied policy ARNs to the agent role via var.additional_policies",
"Supports overriding the agent IAM role name and policy name prefix for multi-cluster deployments",
"Enforces ARN format validation on assume_role_arns and permissions_roles policy ARNs via Terraform variable validations"
],
"inputs": [
{
Expand Down Expand Up @@ -155,6 +147,6 @@ resource "example_resource" "this" {
"nullplatform_agent_role_arn",
"nullplatform_agent_extra_permissions_role_arns"
],
"hash": "080cc2f1402698f5884c98e39f0ef01a"
"hash": "88704c22b8d9b0c8ffcd9d22b364c672"
}
END_AI_METADATA -->
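Review bot: the regenerated AI metadata carries the same drift as the prose section of this file: "description", "architecture" and "features" lose the statements that no role is injected by convention and that a precondition requires at least one assumable role, while "outputs" still lists nullplatform_agent_role_arn and nullplatform_agent_extra_permissions_role_arns with no feature entry describing them. Given the BREAKING CHANGES entry in CHANGELOG.md, the metadata should say explicitly that assume_role_arns or permissions_roles must be non-empty; the "hash" field will need regenerating once the text is corrected.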
Expand Up @@ -19,7 +19,7 @@ This module creates an IAM role for the AWS Load Balancer Controller using the t

```hcl
module "aws_load_balancer_controller_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v6.0.0"

aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
cluster_name = "your-cluster-name"
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/cert_manager/README.md
Expand Up @@ -20,7 +20,7 @@ An aws_iam_policy resource is always created granting route53:GetChange, route53

```hcl
module "cert_manager" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v6.0.0"

cluster_name = "your-cluster-name"
}
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/ci-build-workflow-user/README.md
Expand Up @@ -21,7 +21,7 @@ The module creates an aws_iam_user named with the cluster_name prefix and genera

```hcl
module "ci-build-workflow-user" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ci-build-workflow-user?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ci-build-workflow-user?ref=v6.0.0"

cluster_name = "your-cluster-name"
}
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/ecr/README.md
Expand Up @@ -20,7 +20,7 @@ The module creates an aws_iam_role named nullplatform-{cluster_name}-application

```hcl
module "ecr" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v6.0.0"

build_workflow_group_name = "your-build-workflow-group-name"
cluster_name = "your-cluster-name"
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/external_dns/README.md
Expand Up @@ -20,7 +20,7 @@ An aws_iam_policy resource named nullplatform_external_dns_policy is always crea

```hcl
module "external_dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v6.0.0"

cluster_name = "your-cluster-name"
}
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/s3-assets/README.md
Expand Up @@ -19,7 +19,7 @@ This module creates an aws_iam_policy resource named with the cluster_name prefi

```hcl
module "s3-assets" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3-assets?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3-assets?ref=v6.0.0"

assets_bucket = "your-assets-bucket"
build_workflow_group_name = "your-build-workflow-group-name"
2 changes: 1 addition & 1 deletion infrastructure/aws/ingress/README.md
Expand Up @@ -22,7 +22,7 @@ The module creates up to two kubernetes_ingress_v1 resources — one for an inte

```hcl
module "ingress" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v6.0.0"

certificate_arn = "your-certificate-arn"
}
2 changes: 1 addition & 1 deletion infrastructure/aws/security/README.md
Expand Up @@ -22,7 +22,7 @@ The module uses data sources (aws_eks_cluster, aws_vpc) to derive VPC ID and CID

```hcl
module "security" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v6.0.0"

cluster_name = "your-cluster-name"
}
2 changes: 1 addition & 1 deletion infrastructure/aws/vpc/README.md
Expand Up @@ -22,7 +22,7 @@ This module creates a terraform-aws-modules/vpc/aws module resource with DNS hos

```hcl
module "vpc" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v6.0.0"

account = "your-account"
organization = "your-organization"
2 changes: 1 addition & 1 deletion infrastructure/azure/acr/README.md
Expand Up @@ -18,7 +18,7 @@ The module uses the azurerm_container_registry resource to create the container

```hcl
module "acr" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v6.0.0"

containerregistry_name = "your-containerregistry-name"
location = "your-location"
2 changes: 1 addition & 1 deletion infrastructure/azure/aks/README.md
Expand Up @@ -22,7 +22,7 @@ The module wraps the Azure/aks/azurerm community module (version 11.0.0) and use

```hcl
module "aks" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v6.0.0"

cluster_name = "your-cluster-name"
location = "your-location"
2 changes: 1 addition & 1 deletion infrastructure/azure/aks_route_table/README.md
Expand Up @@ -19,7 +19,7 @@ The module uses an azurerm_resources data source to discover the route table cre

```hcl
module "aks_route_table" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v6.0.0"

node_resource_group = "your-node-resource-group"
subnet_id = "your-subnet-id"
2 changes: 1 addition & 1 deletion infrastructure/azure/dns/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates an azurerm_dns_zone resource and configures it with the prov

```hcl
module "dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v6.0.0"

domain_name = "your-domain-name"
resource_group_name = "your-resource-group-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/iam/README.md
Expand Up @@ -21,7 +21,7 @@ The module creates an azurerm_user_assigned_identity resource in the specified r

```hcl
module "iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v6.0.0"

location = "your-location"
name = "your-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/private_dns/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates an azurerm_private_dns_zone resource and optionally multiple

```hcl
module "private_dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/private_dns?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/private_dns?ref=v6.0.0"

domain_name = "your-domain-name"
resource_group_name = "your-resource-group-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/resource_group/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates an azurerm_resource_group resource and outputs its name and

```hcl
module "resource_group" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/resource_group?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/resource_group?ref=v6.0.0"

location = "your-location"
resource_group_name = "your-resource-group-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/security/README.md
Expand Up @@ -21,7 +21,7 @@ The module uses azurerm_kubernetes_cluster and azurerm_virtual_network data sour

```hcl
module "security" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/security?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/security?ref=v6.0.0"

cluster_name = "your-cluster-name"
resource_group_name = "your-resource-group-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/vnet/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates an Azure virtual network using the azurerm provider and conf

```hcl
module "vnet" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/vnet?ref=v5.3.1"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/vnet?ref=v6.0.0"

address_space = "your-address-space"
location = "your-location"