open-edge-platform · pankajgoyal2 · Sep 23, 2025 · Sep 25, 2025 · Sep 26, 2025 · Sep 24, 2025
@@ -9,6 +9,13 @@ global:
   {{- end }}
 
 server:
+  # Configure service account for IRSA
+  serviceAccount:
+    create: false
+    name: "vault-service-account"
+    annotations:
+      eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Values.argo.aws.accountId}}:role/{{.Values.argo.clusterName}}-vault-kms-role"
+
   {{- if .Values.argo.vault.ha}}
   # Run Vault in "HA" mode. There are no storage requirements unless the audit log
   # persistence is required.  In HA mode Vault will configure itself to use Consul
@@ -39,7 +46,10 @@ server:
         cluster_address = "[::]:8201"
       }
   {{- if and .Values.argo.vault.autoUnseal (ne .Values.argo.namespace "onprem")}}
-      seal "awskms" {}
+      seal "awskms" {
+         region     = "{{.Values.argo.aws.region}}"
+         kms_key_id = "alias/vault-kms-unseal-{{.Values.argo.clusterName}}"
+      }
 
   # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
@@ -51,16 +61,6 @@ server:
     AWS_REGION: {{.Values.argo.aws.region}}
     VAULT_AWSKMS_SEAL_KEY_ID: alias/vault-kms-unseal-{{.Values.argo.clusterName}}
 
-  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
-  # These variables take value from existing Secret objects.
-  extraSecretEnvironmentVars:
-    - envName: AWS_ACCESS_KEY_ID
-      secretName: vault-kms-unseal
-      secretKey: AWS_ACCESS_KEY_ID
-    - envName: AWS_SECRET_ACCESS_KEY
-      secretName: vault-kms-unseal
-      secretKey: AWS_SECRET_ACCESS_KEY
-
   # https://jira.devtools.intel.com/browse/NEXENPL-1126
   # enable liveness probe such that pod is restarted when auto-unseal failed
   livenessProbe:

diff --git a/pod-configs/module/ec2log/save-log.tf b/pod-configs/module/ec2log/save-log.tf
@@ -225,6 +225,7 @@ resource "aws_iam_role" "lambda" {
     ]
   })
 
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
   tags = {
     tag-key = "orch-ec2log-lambda-${var.cluster_name}"
   }

diff --git a/pod-configs/module/ec2log/variable.tf b/pod-configs/module/ec2log/variable.tf
@@ -35,4 +35,10 @@ variable "cloudwatch_expire" {
 variable "s3_prefix" {
   type    = string
   default = ""
+}
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
 }
diff --git a/pod-configs/module/efs/main.tf b/pod-configs/module/efs/main.tf
@@ -52,6 +52,7 @@ resource "aws_iam_role" "efs_role" {
   name                = "${var.cluster_name}-${var.role_name}"
   assume_role_policy  = data.aws_iam_policy_document.efs_assume_role_policy.json
   managed_policy_arns = var.generate_eks_policy ? [aws_iam_policy.efs_policy[0].arn] : []
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 # Create Security Group

diff --git a/pod-configs/module/efs/variable.tf b/pod-configs/module/efs/variable.tf
@@ -76,4 +76,10 @@ variable "access_points" {
 variable "throughput_mode" {
   type    = string
   default = "bursting"
+}
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
 }
diff --git a/pod-configs/module/eks/main.tf b/pod-configs/module/eks/main.tf
@@ -22,6 +22,7 @@ resource "aws_iam_role" "iam_role_eks_cluster" {
   ]
  }
 EOF
+permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSClusterPolicy" {
@@ -149,6 +150,7 @@ resource "aws_iam_role" "eks_nodes" {
   ]
 }
 EOF
+permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
@@ -464,6 +466,7 @@ resource "aws_iam_role" "cas_controller" {
     ]
 }
   EOF
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_role_policy_attachment" "cas_controller" {
@@ -496,6 +499,7 @@ resource "aws_iam_role" "certmgr" {
   ]
 }
 EOF
+permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_role_policy_attachment" "certmgr_AmazonSSMManagedInstanceCore" {

diff --git a/pod-configs/module/eks/variable.tf b/pod-configs/module/eks/variable.tf
@@ -174,3 +174,9 @@ variable "eks_cluster_dns_ip" {
   default = ""
   description = "IP address of the DNS server for the cluster, leave empty to use the default DNS server"
 }
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/pod-configs/module/kms/main.tf b/pod-configs/module/kms/main.tf
@@ -2,42 +2,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-# Set up IAM user for Vault to access KMS
-resource "aws_iam_user" "vault" {
-  name = "vault-${var.cluster_name}"
+# Get OIDC from EKS cluster
+data "aws_eks_cluster" "eks" {
+  name = var.cluster_name
 }
 
-resource "aws_iam_access_key" "vault" {
-  user = aws_iam_user.vault.name
+# Define service accounts for Vault
+locals {
+  vault_service_accounts = [
+    "system:serviceaccount:orch-platform:vault-service-account",
+    "system:serviceaccount:orch-platform:vault"
+  ]
 }
 
-# Set up KMS key with alias
-resource "aws_kms_key" "vault" {
-  description             = "Vault unseal key"
-  deletion_window_in_days = 10
-}
-
-resource "aws_kms_alias" "vault" {
-  name          = "alias/vault-kms-unseal-${var.cluster_name}"
-  target_key_id = aws_kms_key.vault.key_id
-}
-
-resource "aws_kms_key_policy" "vault" {
-  key_id = aws_kms_key.vault.id
+# Create KMS policy
+resource "aws_iam_policy" "vault_kms_policy" {
+  description = "Policy that allows Vault access to KMS in ${var.cluster_name} cluster"
+  name        = "${var.cluster_name}-vault-kms-policy"
   policy = jsonencode({
-    Id = "vault"
+    Version = "2012-10-17"
     Statement = [
       {
-          "Sid": "Enable IAM User Permissions",
-          "Effect": "Allow",
-          "Principal": {
-              "AWS": "arn:aws:iam::${var.aws_account_number}:root"
-          },
-          "Action": "kms:*",
-          "Resource": "*"
-      },
-      {
-        "Sid": "Allow use of the key"
         "Action": [
           "kms:Encrypt",
           "kms:Decrypt",
@@ -46,23 +31,76 @@
           "kms:DescribeKey"
         ]
         "Effect": "Allow"
-        "Principal": {
-          "AWS": "arn:aws:iam::${var.aws_account_number}:user/${aws_iam_user.vault.name}"
-        }
-        "Resource": "*"
-      },
+        Resource = aws_kms_key.vault.arn
+      }
     ]
-    Version = "2012-10-17"
   })
 }
 
+# Create trust policy using OIDC
+data "aws_iam_policy_document" "vault_trust_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")}:sub"
+      values   = local.vault_service_accounts
+    }
+    principals {
+      identifiers = ["arn:aws:iam::${var.aws_account_number}:oidc-provider/${replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")}"]
+      type        = "Federated"
+    }
+  }
+}
+
+# Create role
+resource "aws_iam_role" "vault_kms" {
+  description         = "Role that allows Vault to access KMS in ${var.cluster_name} cluster"
+  name                = "${var.cluster_name}-vault-kms-role"
+  assume_role_policy  = data.aws_iam_policy_document.vault_trust_policy.json
+  managed_policy_arns = [aws_iam_policy.vault_kms_policy.arn]
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
+}
+
+# Create service account with role annotation
+resource "kubernetes_service_account" "vault" {
+  metadata {
+    name      = "vault-service-account"
+    namespace = "orch-platform"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.vault_kms.arn
+    }
+  }
+}
+
+# KMS Key
+resource "aws_kms_key" "vault" {
+  description             = "Vault unseal key for ${var.cluster_name}"
+  deletion_window_in_days = 10
+
+  tags = {
+    Name        = "vault-kms-unseal-${var.cluster_name}"
+    Cluster     = var.cluster_name
+    Purpose     = "vault-unseal"
+    Application = "vault"
+  }
+}
+
+resource "aws_kms_alias" "vault" {
+  name          = "alias/vault-kms-unseal-${var.cluster_name}"
+  target_key_id = aws_kms_key.vault.key_id
+}
+
 resource "kubernetes_secret" "vault_kms_unseal" {
   metadata {
     name      = "vault-kms-unseal"
     namespace = "orch-platform"
   }
   data = {
-    "AWS_ACCESS_KEY_ID" = aws_iam_access_key.vault.id
-    "AWS_SECRET_ACCESS_KEY" = aws_iam_access_key.vault.secret
+    # Configuration values
+    "AWS_ROLE_ARN"  = aws_iam_role.vault_kms.arn
+    "KMS_KEY_ID"    = aws_kms_key.vault.key_id
+    "AWS_REGION"    = var.region
   }
 }
diff --git a/pod-configs/module/kms/variable.tf b/pod-configs/module/kms/variable.tf
@@ -9,3 +9,14 @@ variable "cluster_name" {
 variable "aws_account_number" {
   type = string
 }
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/pod-configs/module/pull-through-cache-proxy/ecs.tf b/pod-configs/module/pull-through-cache-proxy/ecs.tf
@@ -42,6 +42,7 @@ data "aws_iam_policy_document" "ecs_task_execution_role" {
 resource "aws_iam_role" "ecs_task_execution_role" {
   name               = "${var.name}-ecs-execution-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
@@ -90,6 +91,7 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_secrets_policy_att
 resource "aws_iam_role" "ecs_task_role" {
   name               = "${var.name}-ecs-task"
   assume_role_policy = data.aws_iam_policy_document.ecs_task_role.json
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 resource "aws_iam_policy" "ecs_task_ecr_policy" {

diff --git a/pod-configs/module/pull-through-cache-proxy/variable.tf b/pod-configs/module/pull-through-cache-proxy/variable.tf
@@ -77,3 +77,9 @@ variable "with_public_ip" {
   type        = bool
   default     = false
 }
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/pod-configs/module/s3/main.tf b/pod-configs/module/s3/main.tf
@@ -64,6 +64,7 @@ resource "aws_iam_role" "s3_role" {
   name                = "${var.cluster_name}-s3-role"
   assume_role_policy  = data.aws_iam_policy_document.s3_policy.json
   managed_policy_arns = [aws_iam_policy.s3_policy.arn]
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
 }
 
 # S3

diff --git a/pod-configs/module/s3/variable.tf b/pod-configs/module/s3/variable.tf
@@ -26,4 +26,10 @@ variable "create_tracing" {
 variable "import_buckets" {
   type    = bool
   default = false
+}
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
 }
diff --git a/pod-configs/module/vpc-jumphost/main.tf b/pod-configs/module/vpc-jumphost/main.tf
@@ -23,6 +23,7 @@ resource "aws_iam_role" "ec2" {
   ]
 }
 EOF
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
   tags = {
     Creator = "terraform"
     Module  = path.module

diff --git a/pod-configs/module/vpc-jumphost/variable.tf b/pod-configs/module/vpc-jumphost/variable.tf
@@ -47,3 +47,9 @@ variable "production" {
   description = "Whether it is a production environment, this will disable the metadata service and login shell"
   default = true
 }
+
+variable "permissions_boundary" {
+  description = "ARN of the permissions boundary policy to attach to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/pod-configs/orchestrator/cluster/main.tf b/pod-configs/orchestrator/cluster/main.tf
@@ -50,6 +50,7 @@ module "eks" {
   https_proxy                 = var.eks_https_proxy
   no_proxy                    = var.eks_no_proxy
   eks_cluster_dns_ip          = var.eks_cluster_dns_ip
+  permissions_boundary        = var.permissions_boundary
 }
 
 resource "time_sleep" "wait_eks" {
@@ -70,6 +71,7 @@ module "s3" {
   cluster_name   = var.eks_cluster_name
   create_tracing = var.s3_create_tracing
   import_buckets = var.import_s3_buckets
+  permissions_boundary = var.permissions_boundary
 }
 
 module "efs" {
@@ -87,6 +89,7 @@ module "efs" {
   cluster_name                        = var.eks_cluster_name
   vpc_id                              = local.vpc_id
   throughput_mode                     = var.efs_throughput_mode
+  permissions_boundary                = var.permissions_boundary
 }
 
 module "aurora" {
@@ -149,10 +152,12 @@ module "aurora_import" {
 
 module "kms" {
   # kms module creates K8s secrets, which depends on the namespaces created in orch_init
-  depends_on         = [module.orch_init]
+  depends_on         = [module.orch_init, time_sleep.wait_eks]
   source             = "../../module/kms"
   cluster_name       = var.eks_cluster_name
   aws_account_number = var.aws_account_number
+  region             = var.aws_region
+  permissions_boundary = var.permissions_boundary
 }
 
 module "orch_init" {
@@ -204,6 +209,7 @@ module "ec2log" {
   s3_expire         = var.ec2log_s3_expire
   cloudwatch_expire = var.ec2log_cw_expire
   s3_prefix         = var.s3_prefix
+  permissions_boundary = var.permissions_boundary
 }
 
 module "aws_lb_controller" {
-Original file line number
+Diff line change
@@ Expand Up / @@ -225,6 +225,7 @@ resource "aws_iam_role" "lambda" { @@
         ]
       })
+      permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null
       tags = {
         tag-key = "orch-ec2log-lambda-${var.cluster_name}"
       }
@@ Expand Down @@