From ddee442ad6cb15697a8df07c1deb1dd795a816b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?=
Date: Wed, 26 Jun 2024 16:48:15 +0200
Subject: [PATCH] feat: update irsa module

---
 README.md | 11 +++++------
 addon-irsa.tf | 9 ++++-----
 addon.tf | 2 +-
 main.tf | 6 +++---
 variables-addon-irsa.tf | 22 ++++++++--------------
 5 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 835ab4c..6ceeb3c 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,8 @@ See [Basic example](examples/basic/README.md) for further information.
 | Name | Source | Version |
 |------|--------|---------|
-| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.3 |
-| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.3 |
+| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.4 |
+| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.4 |
 
 ## Resources
 
 | Name | Type |
@@ -117,11 +117,10 @@ See [Basic example](examples/basic/README.md) for further information.
 | [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to `300`. | `number` |
 | [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
 | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
-| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
+| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
 | [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` |
-| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` |
-| [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` |
-| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` |
+| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`. | `bool` |
+| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` |
 | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` |
 | [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` |
 | [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` |
diff --git a/addon-irsa.tf b/addon-irsa.tf
index 7d0d845..39cf9bf 100644
--- a/addon-irsa.tf
+++ b/addon-irsa.tf
@@ -2,7 +2,7 @@ module "addon-irsa" {
   for_each = local.addon_irsa
-  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.3"
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.4"
   enabled = var.enabled
@@ -21,9 +21,8 @@ module "addon-irsa" {
   irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, "")
   irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
-  irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false)
-  irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "")
+  irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, null)
+  irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
 
-  irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
-  irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
+  irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
 }
diff --git a/addon.tf b/addon.tf
index 7a3cf5e..0da1f20 100644
--- a/addon.tf
+++ b/addon.tf
@@ -6,7 +6,7 @@ locals {
 }
 
 module "addon" {
-  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.3"
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.4"
   enabled = var.enabled
diff --git a/main.tf b/main.tf
index bd548a7..ea41e1b 100644
--- a/main.tf
+++ b/main.tf
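Review bot: Dropping the `irsa_policy` / `irsa_policy_enabled` pass-through changes the wrapper's interface with no guard for existing callers: a root-level `irsa_policy` now fails as an unsupported argument, while a per-component `irsa_policy` key inside `local.addon_irsa` is silently ignored because nothing reads `each.value.irsa_policy` any more, so that component's role ends up with only `irsa_additional_policies` plus the assume-role grant and no error is raised. Since the commit is tagged `feat:` rather than `feat!:`, a README migration note telling users to move inline policies to `irsa_additional_policies` (managed-policy ARNs) would make the intent explicit; if v0.0.4 of the upstream module still accepts `irsa_policy`, keeping the pass-through would be the safer option. The new `irsa_permissions_boundary` fallback of `null` is fine, but the variable description should say the boundary is not applied unless set. The `module "addon-irsa"` block starts outside this hunk.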
@@ -59,21 +59,21 @@ locals {
     operator = {
       create = var.keda_operator_service_account_create
       name = var.keda_operator_service_account_name
-      annotations = length(module.addon-irsa["operator"].iam_role_attributes) > 0 ? {
+      annotations = module.addon-irsa["operator"].irsa_role_enabled ? {
         "eks.amazonaws.com/role-arn" = module.addon-irsa["operator"].iam_role_attributes.arn
       } : tomap({})
     }
     metricServer = {
       create = var.keda_metric_server_service_account_create
       name = var.keda_metric_server_service_account_name
-      annotations = length(module.addon-irsa["metricServer"].iam_role_attributes) > 0 ? {
+      annotations = module.addon-irsa["metricServer"].irsa_role_enabled ? {
         "eks.amazonaws.com/role-arn" = module.addon-irsa["metricServer"].iam_role_attributes.arn
       } : tomap({})
     }
     webhooks = {
       create = var.keda_webhooks_service_account_create
       name = var.keda_webhooks_service_account_name
-      annotations = length(module.addon-irsa["webhooks"].iam_role_attributes) > 0 ? {
+      annotations = module.addon-irsa["webhooks"].irsa_role_enabled ? {
         "eks.amazonaws.com/role-arn" = module.addon-irsa["webhooks"].iam_role_attributes.arn
       } : tomap({})
     }
diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf
index 79d31cc..9fc5d01 100644
--- a/variables-addon-irsa.tf
+++ b/variables-addon-irsa.tf
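Review bot: The three `annotations` expressions differ only in the component key, so the guard and the `eks.amazonaws.com/role-arn` map are written out three times; one for-expression over `module.addon-irsa` keyed by component name, with each service account reading `local.irsa_service_account_annotations["operator"]` and so on, keeps the rule in a single place and makes adding a fourth component a one-line change. Note also that the new guard tests `irsa_role_enabled` while the value dereferenced is `iam_role_attributes.arn`; the old `length(...) > 0` test guarded the exact object being read, so the new form is only safe if the module guarantees the attributes are populated whenever the flag is true, which is worth confirming against the v0.0.4 outputs. The enclosing `locals` block starts and ends outside this hunk.
```hcl
# … unchanged: other locals …
irsa_service_account_annotations = {
  for component, irsa in module.addon-irsa : component => irsa.irsa_role_enabled ? {
    "eks.amazonaws.com/role-arn" = irsa.iam_role_attributes.arn
  } : tomap({})
}
# … unchanged: create/name keys of each serviceAccount …
annotations = local.irsa_service_account_annotations["operator"]
```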
@@ -56,22 +56,10 @@ variable "irsa_role_name" {
   description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
 }
 
-variable "irsa_policy_enabled" {
-  type = bool
-  default = null
-  description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
-}
-
-variable "irsa_policy" {
-  type = string
-  default = null
-  description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`."
-}
-
 variable "irsa_assume_role_enabled" {
   type = bool
   default = null
-  description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
+  description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`."
 }
 
 variable "irsa_assume_role_arns" {
@@ -80,10 +68,16 @@ variable "irsa_assume_role_arns" {
   description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
 }
 
+variable "irsa_permissions_boundary" {
+  type = string
+  default = null
+  description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`."
+}
+
 variable "irsa_additional_policies" {
   type = map(string)
   default = null
-  description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+  description = "Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
 }
 
 variable "irsa_tags" {
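Review bot: The new description for `irsa_assume_role_enabled` points at `irsa_assume_role_arn` (singular), but the variable it pairs with is `irsa_assume_role_arns`, both here and in the `addon-irsa.tf` wiring; a reader following the description will look for an input that does not exist. Suggest `description = "Whether IRSA is allowed to assume role defined by \`irsa_assume_role_arns\`. Defaults to \`false\`."`. The README row in this commit carries the same singular name, which suggests it is generated from these descriptions, so fixing it here and regenerating keeps the two in sync.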
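Review bot: The `irsa_assume_role_arns` description kept as context at the top of this hunk documents a default of `""` for what the README types as `list(string)`, and `addon-irsa.tf` falls back to `""` via `try(each.value.irsa_assume_role_arns, "")`; Terraform cannot convert a string to a list, so if the upstream module's input is typed `list(string)` that fallback fails on the first component that omits the key. Since the file is being reshaped anyway, `Defaults to \`[]\`.` here and `try(each.value.irsa_assume_role_arns, [])` in the wrapper would make the default type-correct. The new `irsa_permissions_boundary` variable itself reads fine.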