Merge pull request #70 from datafold/gerard-eng-1941-set-up-aws-bedrock-as-an-llm-provider-for-claude-on-pods

gtoonstra · web-flow · commit 0e4f08001502 · 2025-09-18T13:03:43.000+02:00
fix: Add role for DMA
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
@@ -138,6 +138,16 @@ output "storage_worker_service_account_name" {
   description = "The name of the service account for storage_worker"
 }
 
+# dma
+output "dma_role_arn" {
+  value       = module.dma_role[0].arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dma_service_account_name" {
+  value       = var.dma_service_account_name
+  description = "The name of the service account for dma"
+}
+
 # Clickhouse backup
 output "clickhouse_backup_role_name" {
   value       = module.clickhouse_backup_role.arn
diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf
@@ -255,6 +255,21 @@ module "clickhouse_backup_role" {
   }
 }
 
+# storage_worker
+module "dma_role" {
+  count   = 1
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  name    = "${var.deployment_name}-${var.dma_service_account_name}"
+  version = "6.2.1"
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["${var.deployment_name}:${var.dma_service_account_name}"]
+    }
+  }
+}
+
 # Policy Attachments
 resource "aws_iam_role_policy_attachment" "bedrock_dfshell_attachment" {
   count      = var.k8s_access_bedrock ? 1 : 0
@@ -285,3 +300,8 @@ resource "aws_iam_role_policy_attachment" "clickhouse_backup_attachment" {
   policy_arn = aws_iam_policy.clickhouse_backup_policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "bedrock_dma_attachment" {
+  count      = var.k8s_access_bedrock ? 1 : 0
+  role       = module.dma_role[0].name
+  policy_arn = aws_iam_policy.bedrock_access_policy[0].arn
+}
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -189,3 +189,9 @@ variable "storage_worker_service_account_name" {
   default     = "storage-worker"
   description = "Name of the service account for storage_worker"
 }
+
+variable "dma_service_account_name" {
+  type        = string
+  default     = "dma"
+  description = "Name of the service account for dma"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -282,3 +282,12 @@ output "storage_worker_service_account_name" {
   value = module.eks.storage_worker_service_account_name
   description = "The name of the service account for storage_worker"
 }
+
+output "dma_role_arn" {
+  value       = module.eks.dma_role_arn
+  description = "The ARN of the AWS Bedrock role"
+}
+output "dma_service_account_name" {
+  value       = module.eks.dma_service_account_name
+  description = "The name of the service account for dma"
+}
