Merge pull request #20 from truefoundry/truefoundry-unified-account

Adding a unified truefoundry serviceaccount
truefoundry · Sep 30, 2024 · 2ae6ffc · 2ae6ffc
2 parents 27f98c5 + 85dd081
commit 2ae6ffc
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -98,13 +98,15 @@ Truefoundry AWS Control Plane Module
 | <a name="input_truefoundry_db_storage_type"></a> [truefoundry\_db\_storage\_type](#input\_truefoundry\_db\_storage\_type) | Storage type for truefoundry db | `string` | `"gp3"` | no |
 | <a name="input_truefoundry_db_subnet_ids"></a> [truefoundry\_db\_subnet\_ids](#input\_truefoundry\_db\_subnet\_ids) | List of subnets where the RDS database will be deployed | `list(string)` | n/a | yes |
 | <a name="input_truefoundry_iam_role_enabled"></a> [truefoundry\_iam\_role\_enabled](#input\_truefoundry\_iam\_role\_enabled) | variable to enable/disable truefoundry iam role creation | `bool` | `true` | no |
+| <a name="input_truefoundry_k8s_namespace"></a> [truefoundry\_k8s\_namespace](#input\_truefoundry\_k8s\_namespace) | Truefoundry k8s namespace | `string` | `"truefoundry"` | no |
 | <a name="input_truefoundry_s3_cors_origins"></a> [truefoundry\_s3\_cors\_origins](#input\_truefoundry\_s3\_cors\_origins) | List of CORS origins for Mlfoundry bucket | `list(string)` | <pre>[<br/>  "*"<br/>]</pre> | no |
 | <a name="input_truefoundry_s3_enable_override"></a> [truefoundry\_s3\_enable\_override](#input\_truefoundry\_s3\_enable\_override) | Enable override for s3 bucket name. You must pass truefoundry\_s3\_override\_name | `bool` | `false` | no |
 | <a name="input_truefoundry_s3_enabled"></a> [truefoundry\_s3\_enabled](#input\_truefoundry\_s3\_enabled) | variable to enable/disable truefoundry s3 bucket creation | `bool` | `true` | no |
 | <a name="input_truefoundry_s3_encryption_algorithm"></a> [truefoundry\_s3\_encryption\_algorithm](#input\_truefoundry\_s3\_encryption\_algorithm) | Algorithm used for encrypting the default bucket. | `string` | `"AES256"` | no |
 | <a name="input_truefoundry_s3_encryption_key_arn"></a> [truefoundry\_s3\_encryption\_key\_arn](#input\_truefoundry\_s3\_encryption\_key\_arn) | ARN of the key used to encrypt the bucket. Only needed if you set aws:kms as encryption algorithm. | `string` | `null` | no |
 | <a name="input_truefoundry_s3_force_destroy"></a> [truefoundry\_s3\_force\_destroy](#input\_truefoundry\_s3\_force\_destroy) | Force destroy for mlfoundry s3 bucket | `bool` | `false` | no |
 | <a name="input_truefoundry_s3_override_name"></a> [truefoundry\_s3\_override\_name](#input\_truefoundry\_s3\_override\_name) | Override name for s3 bucket. truefoundry\_s3\_enable\_override must be set true | `string` | `""` | no |
+| <a name="input_truefoundry_service_account"></a> [truefoundry\_service\_account](#input\_truefoundry\_service\_account) | Truefoundry k8s service name | `string` | `"truefoundry"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | AWS VPC to deploy Truefoundry rds | `string` | n/a | yes |
 
 ## Outputs

diff --git a/iam-sa.tf b/iam-sa.tf
@@ -11,7 +11,8 @@ module "truefoundry_oidc_iam" {
   oidc_fully_qualified_subjects = [
     "system:serviceaccount:${var.svcfoundry_k8s_namespace}:${var.svcfoundry_k8s_service_account}",
     "system:serviceaccount:${var.mlfoundry_k8s_namespace}:${var.mlfoundry_k8s_service_account}",
-    "system:serviceaccount:${var.tfy_workflow_admin_k8s_namespace}:${var.tfy_workflow_admin_k8s_service_account}"
+    "system:serviceaccount:${var.tfy_workflow_admin_k8s_namespace}:${var.tfy_workflow_admin_k8s_service_account}",
+    "system:serviceaccount:${var.truefoundry_k8s_namespace}:${var.truefoundry_service_account}",
   ]
 
   role_description = "Truefoundry IAM role for ${var.svcfoundry_name}, ${var.mlfoundry_name} and ${var.tfy_workflow_admin_name} in cluster ${var.cluster_name}"

diff --git a/variables.tf b/variables.tf
@@ -314,6 +314,24 @@ variable "tfy_workflow_admin_k8s_namespace" {
   type        = string
 }
 
+##################################################################################
+## Truefoundry service account
+##################################################################################
+
+variable "truefoundry_service_account" {
+  description = "Truefoundry k8s service name"
+  type        = string
+  default     = "truefoundry"
+}
+
+
+variable "truefoundry_k8s_namespace" {
+  description = "Truefoundry k8s namespace"
+  type        = string
+  default     = "truefoundry"
+}
+
+
 ##################################################################################
 ## IAM role
 ##################################################################################