upd: aws-anyscale-iam - EKS Node S3 access

Changes to be committed: modified: modules/aws-anyscale-iam/README.md modified: modules/aws-anyscale-iam/eks-iam-main.tf modified: modules/aws-anyscale-iam/eks-node.tfpl
anyscale · Sep 5, 2024 · a272574 · a272574
1 parent 79ff892
commit a272574
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/modules/aws-anyscale-iam/README.md b/modules/aws-anyscale-iam/README.md
@@ -58,6 +58,7 @@ No modules.
 | [aws_iam_role_policy_attachment.anyscale_eks_node_amazonekscnipolicy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_eks_node_amazoneksworkernodepolicy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_eks_node_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.anyscale_eks_node_s3access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_container_registry_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_custom_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_servicesv2_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

diff --git a/modules/aws-anyscale-iam/eks-iam-main.tf b/modules/aws-anyscale-iam/eks-iam-main.tf
@@ -115,6 +115,12 @@ resource "aws_iam_role_policy_attachment" "anyscale_eks_node_amazonec2containerr
   role       = aws_iam_role.eks_node_role[0].name
 }
 
+resource "aws_iam_role_policy_attachment" "anyscale_eks_node_s3access" {
+  count = local.create_eks_node_role ? 1 : 0
+
+  policy_arn = aws_iam_policy.anyscale_s3_access_policy[0].arn
+  role       = aws_iam_role.eks_node_role[0].name
+}
 
 # ---------------------------
 # EKS EBS CSI Driver Role

diff --git a/modules/aws-anyscale-iam/eks-node.tfpl b/modules/aws-anyscale-iam/eks-node.tfpl
@@ -3,7 +3,7 @@
   "Statement" : [
 %{ if anyscale_efs_arn != "none" }
     {
-      "Sid": "S3BucketAccess",
+      "Sid": "EFSAccess",
       "Effect" : "Allow",
       "Action" : [
         "elasticfilesystem:ClientMount",