HumanSignal
diff --git a/‎terraform/aws/TFSEC.md
+2 b/‎terraform/aws/TFSEC.md
+2
diff --git a/‎terraform/aws/env/.terraform.lock.hcl
+3 b/‎terraform/aws/env/.terraform.lock.hcl
+3
diff --git a/‎terraform/aws/env/README.md
+13-8 b/‎terraform/aws/env/README.md
+13-8
diff --git a/‎terraform/aws/env/main.tf
+28-9 b/‎terraform/aws/env/main.tf
+28-9
diff --git a/‎terraform/aws/env/output.tf
+1-1 b/‎terraform/aws/env/output.tf
+1-1
diff --git a/‎terraform/aws/env/variables.tf
+13 b/‎terraform/aws/env/variables.tf
+13
diff --git a/‎terraform/aws/modules/eks/README.md
+7-6 b/‎terraform/aws/modules/eks/README.md
+7-6
diff --git a/‎terraform/aws/modules/eks/addons.tf
-70 b/‎terraform/aws/modules/eks/addons.tf
-70
@@ -9,4 +9,6 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec
 | modules/vpc/main.tf                      | aws-ec2-no-public-egress-sgr               | Your port is egressing data to the internet                                                                                                   | By default worker nodes can access `0.0.0.0/0`.                                                                                                              |
 | modules/vpc/main.tf                      | aws-ec2-require-vpc-flow-logs-for-all-vpcs | Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues | By default it's disabled, it's possible to override using `var.enable_vpc_log`                                                                               |
 | modules/s3/main.tf                       | aws-s3-enable-bucket-logging               | There is no way to determine the access to this bucket                                                                                        | By default it's disabled since only the app is allowed to access this bucket, it's possible to override using `var.enable_log_bucket`                        |
+| modules/s3/main.tf                       | aws-s3-enable-versioning                   | Impossible to restore deleted files                                                                                                           | By default it's disabled since we don't want to store historical data, it's possible to override using `var.enable_bucket_versioning`                        |
+| modules/s3_role/main.tf                  | aws-iam-no-policy-wildcards                | False-positive warning by tfsec                                                                                                               | Ignore it, since it's a recommended way to define ARN policy for a bucket                                                                                    |
 | modules/load-balancer-controller/main.tf | aws-iam-no-policy-wildcards                | Load balancer controller has increased access to AWS resources                                                                                | By default it's disabled since we could not predict resources ARNs at this stage                                                                             |
@@ -3,19 +3,19 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3.6 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | = 4.46.0 |
-| <a name="requirement_helm"></a> [helm](#requirement\_helm) | = 2.7.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.4.4 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | = 4.61.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | = 2.9.0 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | = 1.14.0 |
-| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | = 2.16.1 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | = 2.19.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | = 3.4.3 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | = 4.0.4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.46.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.61.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
@@ -33,6 +33,7 @@
 | <a name="module_rds"></a> [rds](#module\_rds) | ../modules/rds | n/a |
 | <a name="module_route53"></a> [route53](#module\_route53) | ../modules/route53 | n/a |
 | <a name="module_s3"></a> [s3](#module\_s3) | ../modules/s3 | n/a |
+| <a name="module_s3_role"></a> [s3\_role](#module\_s3\_role) | ../modules/s3_role | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | ../modules/vpc | n/a |
 
 ## Resources
@@ -41,14 +42,17 @@
 |------|------|
 | [random_password.postgresql_password](https://registry.terraform.io/providers/hashicorp/random/3.4.3/docs/resources/password) | resource |
 | [random_password.redis_password](https://registry.terraform.io/providers/hashicorp/random/3.4.3/docs/resources/password) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.46.0/docs/data-sources/caller_identity) | data source |
-| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/4.46.0/docs/data-sources/eks_cluster) | data source |
-| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/4.46.0/docs/data-sources/eks_cluster_auth) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.61.0/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/4.61.0/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/4.61.0/docs/data-sources/eks_cluster_auth) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_aws_auth_accounts"></a> [aws\_auth\_accounts](#input\_aws\_auth\_accounts) | List of account maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
+| <a name="input_aws_auth_roles"></a> [aws\_auth\_roles](#input\_aws\_auth\_roles) | List of role maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
+| <a name="input_aws_auth_users"></a> [aws\_auth\_users](#input\_aws\_auth\_users) | List of user maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
 | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_create_acm_certificate"></a> [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no |
 | <a name="input_create_r53_zone"></a> [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no |
@@ -86,6 +90,7 @@
 | <a name="input_postgresql_tls_key_file"></a> [postgresql\_tls\_key\_file](#input\_postgresql\_tls\_key\_file) | n/a | `string` | `null` | no |
 | <a name="input_postgresql_type"></a> [postgresql\_type](#input\_postgresql\_type) | Postgresql type | `string` | `"internal"` | no |
 | <a name="input_postgresql_username"></a> [postgresql\_username](#input\_postgresql\_username) | Postgresql username | `string` | `"labelstudio"` | no |
+| <a name="input_predefined_s3_bucket"></a> [predefined\_s3\_bucket](#input\_predefined\_s3\_bucket) | Predefined S3 Bucket | <pre>object(<br>    {<br>      name : string<br>      region : string<br>      folder : string<br>      kms_arn : string<br>    }<br>  )</pre> | `null` | no |
 | <a name="input_predefined_vpc"></a> [predefined\_vpc](#input\_predefined\_vpc) | Predefined VPC | <pre>object(<br>    {<br>      id : string<br>      subnet_public_ids : list(string)<br>      subnet_private_ids : list(string)<br>      security_group_id : string<br>    }<br>  )</pre> | `null` | no |
 | <a name="input_private_cidr_block"></a> [private\_cidr\_block](#input\_private\_cidr\_block) | List of private subnet cidr blocks | `list(string)` | <pre>[<br>  "10.0.1.0/24",<br>  "10.0.2.0/24",<br>  "10.0.3.0/24"<br>]</pre> | no |
 | <a name="input_public_cidr_block"></a> [public\_cidr\_block](#input\_public\_cidr\_block) | List of public subnet cidr blocks | `list(string)` | <pre>[<br>  "10.0.101.0/24",<br>  "10.0.102.0/24",<br>  "10.0.103.0/24"<br>]</pre> | no |
 
@@ -39,16 +39,37 @@ module "iam" {
   region      = var.region
   environment = var.environment
   tags        = local.tags
-  bucket_id   = module.s3.bucket_id
+  bucket_id   = var.predefined_s3_bucket == null ? module.s3[0].bucket_name : var.predefined_s3_bucket.name
 }
 
 # Create S3 bucket
 module "s3" {
   source = "../modules/s3"
 
+  count = var.predefined_s3_bucket == null ? 1 : 0
+
   name        = local.name_prefix
   environment = var.environment
   tags        = local.tags
+
+  depends_on = [
+    module.eks,
+  ]
+}
+
+module "s3_role" {
+  source = "../modules/s3_role"
+
+  name                   = local.name_prefix
+  aws_s3_bucket_arn      = var.predefined_s3_bucket == null ? module.s3[0].bucket_arn : "arn:aws:s3:::${var.predefined_s3_bucket.name}"
+  aws_kms_key_bucket_arn = var.predefined_s3_bucket == null ? module.s3[0].kms_arn : var.predefined_s3_bucket.kms_arn
+  iam_oidc_provider_arn  = module.eks.iam_oidc_provider_arn
+  iam_oidc_provider_url  = module.eks.iam_oidc_provider_url
+
+  depends_on = [
+    module.eks,
+    module.s3,
+  ]
 }
 
 # Create Elastic Kubernetes Service
@@ -70,13 +91,11 @@ module "eks" {
   instance_profile_name                = module.iam.iam_instance_profile
   tags                                 = local.tags
   capacity_type                        = var.eks_capacity_type
-  persistence_s3_bucket_arn            = module.s3.bucket_arn
-  persistence_s3_kms_arn               = module.s3.kms_arn
   monitoring_namespace                 = var.monitoring_namespace
   cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 
-  aws_auth_roles = var.aws_auth_roles
-  aws_auth_users = var.aws_auth_users
+  aws_auth_roles    = var.aws_auth_roles
+  aws_auth_users    = var.aws_auth_users
   aws_auth_accounts = var.aws_auth_accounts
 
   depends_on = [
@@ -205,10 +224,10 @@ module "label-studio" {
   enterprise               = var.enterprise
   cloud_provider           = "aws"
 
-  persistence_s3_bucket_name   = module.s3.bucket_name
-  persistence_s3_bucket_region = module.s3.bucket_region
-  persistence_s3_bucket_folder = ""
-  persistence_s3_role_arn      = module.eks.s3_persistence_role_arn
+  persistence_s3_bucket_name   = var.predefined_s3_bucket == null ? module.s3[0].bucket_name : var.predefined_s3_bucket.name
+  persistence_s3_bucket_region = var.predefined_s3_bucket == null ? module.s3[0].bucket_region : var.predefined_s3_bucket.region
+  persistence_s3_bucket_folder = var.predefined_s3_bucket == null ? module.s3[0].bucket_folder : var.predefined_s3_bucket.folder
+  persistence_s3_role_arn      = module.s3_role.s3_persistence_role_arn
 
   postgresql_type         = var.postgresql_type
   postgresql_host         = var.postgresql_type == "rds" ? module.rds[0].host : var.postgresql_host
 
@@ -15,7 +15,7 @@ output "cluster_endpoint" {
 
 output "bucket_id" {
   description = "Bucket Name (aka ID)"
-  value       = module.s3.bucket_id
+  value       = var.predefined_s3_bucket == null ? module.s3[0].bucket_name : var.predefined_s3_bucket.name
 }
 
 output "connect_cluster" {
 
@@ -332,3 +332,16 @@ variable "cluster_endpoint_public_access_cidrs" {
   type        = list(string)
   default     = ["0.0.0.0/0"]
 }
+
+# Predefined S3 Bucket
+variable "predefined_s3_bucket" {
+  type = object(
+    {
+      name : string
+      region : string
+      folder : string
+      kms_arn : string
+    }
+  )
+  default = null
+}
@@ -8,6 +8,7 @@ No requirements.
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
 
 ## Modules
@@ -27,21 +28,22 @@ No requirements.
 | [aws_eks_cluster.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
 | [aws_eks_node_group.eks_node_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
 | [aws_iam_openid_connect_provider.aws_iam_openid_connect_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
-| [aws_iam_policy.persistence](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cni_irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ebs_csi_irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.persistence](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cni_irsa_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi_irsa_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.persistence](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [aws_iam_policy.ebs_csi_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [tls_certificate.cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_aws_auth_accounts"></a> [aws\_auth\_accounts](#input\_aws\_auth\_accounts) | List of account maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
+| <a name="input_aws_auth_roles"></a> [aws\_auth\_roles](#input\_aws\_auth\_roles) | List of role maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
+| <a name="input_aws_auth_users"></a> [aws\_auth\_users](#input\_aws\_auth\_users) | List of user maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
 | <a name="input_capacity_type"></a> [capacity\_type](#input\_capacity\_type) | Type of capacity associated with the EKS Node Group | `string` | `"ON_DEMAND"` | no |
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `true` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
@@ -57,8 +59,6 @@ No requirements.
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum number of the instances in autoscaling group | `number` | n/a | yes |
 | <a name="input_monitoring_namespace"></a> [monitoring\_namespace](#input\_monitoring\_namespace) | Namespace for monitoring | `string` | `"monitoring"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name is the prefix to use for resources that needs to be created | `string` | n/a | yes |
-| <a name="input_persistence_s3_bucket_arn"></a> [persistence\_s3\_bucket\_arn](#input\_persistence\_s3\_bucket\_arn) | n/a | `any` | n/a | yes |
-| <a name="input_persistence_s3_kms_arn"></a> [persistence\_s3\_kms\_arn](#input\_persistence\_s3\_kms\_arn) | n/a | `any` | n/a | yes |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | List of public subnets to create the resources | `any` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region where terraform builds resources | `string` | n/a | yes |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | IAM role arn to attach the EKS cluster | `string` | n/a | yes |
@@ -75,5 +75,6 @@ No requirements.
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Name of the EKS cluster |
 | <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | Version of the EKS cluster |
 | <a name="output_iam_oidc_provider"></a> [iam\_oidc\_provider](#output\_iam\_oidc\_provider) | AWS EKS IRSA id |
-| <a name="output_s3_persistence_role_arn"></a> [s3\_persistence\_role\_arn](#output\_s3\_persistence\_role\_arn) | n/a |
+| <a name="output_iam_oidc_provider_arn"></a> [iam\_oidc\_provider\_arn](#output\_iam\_oidc\_provider\_arn) | AWS EKS IRSA arn |
+| <a name="output_iam_oidc_provider_url"></a> [iam\_oidc\_provider\_url](#output\_iam\_oidc\_provider\_url) | AWS EKS IRSA url |
 <!-- END_TF_DOCS -->
@@ -119,73 +119,3 @@ resource "aws_iam_role_policy_attachment" "ebs_csi_irsa_policy" {
   role       = aws_iam_role.ebs_csi_irsa_role.name
   policy_arn = data.aws_iam_policy.ebs_csi_policy.arn
 }
-
-resource "aws_iam_role" "persistence" {
-  name        = "${var.name}-s3-persistence"
-  description = "s3 persistence role for EKS cluster ${var.name}"
-
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "${aws_iam_openid_connect_provider.aws_iam_openid_connect_provider.arn}"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "${replace(aws_iam_openid_connect_provider.aws_iam_openid_connect_provider.url, "https://", "")}:aud": "sts.amazonaws.com"
-        }
-      }
-    }
-  ]
-}
-POLICY
-}
-
-resource "aws_iam_policy" "persistence" {
-  name        = "${var.name}-s3-persistence"
-  description = "Permissions for s3 bucket ${var.name}"
-  policy      = jsonencode({
-    "Version"   = "2012-10-17"
-    "Statement" = [
-      {
-        "Effect" = "Allow"
-        "Action" = [
-          "s3:ListBucket"
-        ],
-        "Resource" = [
-          var.persistence_s3_bucket_arn
-        ]
-      },
-      {
-        "Effect" : "Allow"
-        "Action" : [
-          "s3:PutObject",
-          "s3:GetObject",
-          "s3:DeleteObject"
-        ],
-        "Resource" : [
-          "${var.persistence_s3_bucket_arn}/*"
-        ]
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "kms:GenerateDataKey",
-          "kms:Decrypt"
-        ],
-        "Resource" : [
-          var.persistence_s3_kms_arn
-        ]
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "persistence" {
-  role       = aws_iam_role.persistence.name
-  policy_arn = aws_iam_policy.persistence.arn
-}
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ output "cluster_endpoint" {`
`15`	`15`
`16`	`16`	`output "bucket_id" {`
`17`	`17`	`description = "Bucket Name (aka ID)"`
`18`		`- value = module.s3.bucket_id`
	`18`	`+ value = var.predefined_s3_bucket == null ? module.s3[0].bucket_name : var.predefined_s3_bucket.name`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`output "connect_cluster" {`