feat(agent): IAM assume-role support + multi-instance parametrization

infrastructure/aws/iam/agent/main.tf

@@ -1,17 +1,22 @@
+locals {
+  role_name            = var.role_name != "" ? var.role_name : "nullplatform-${var.cluster_name}-agent-role"
+  policies_name_prefix = var.policies_name_prefix != "" ? var.policies_name_prefix : "nullplatform_${var.cluster_name}"
+}
+
 ################################################################################
 # IAM role for nullplatform agent service account
 ################################################################################
 
 # Create IAM role with OIDC provider trust for Kubernetes service account
 module "nullplatform_agent_role" {
   source          = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-  name            = "nullplatform-${var.cluster_name}-agent-role"
+  name            = local.role_name
   use_name_prefix = false
 
   oidc_providers = {
     main = {
       provider_arn               = var.aws_iam_openid_connect_provider_arn
-      namespace_service_accounts = ["${var.agent_namespace}:nullplatform-agent"]
+      namespace_service_accounts = ["${var.agent_namespace}:${var.service_account_name}"]
     }
   }
 
@@ -22,6 +27,9 @@ module "nullplatform_agent_role" {
       "nullplatform_elb_policy"     = aws_iam_policy.nullplatform_elb_policy.arn,
       "nullplatform_avp_policy"     = aws_iam_policy.nullplatform_avp_policy.arn
     },
+    length(var.assume_role_arns) > 0 ? {
+      "nullplatform_assume_role_policy" = aws_iam_policy.nullplatform_assume_role_policy[0].arn
+    } : {},
     var.additional_policies
   )
 }
@@ -32,7 +40,7 @@ module "nullplatform_agent_role" {
 
 # Grant permissions to manage Route 53 DNS records for service discovery
 resource "aws_iam_policy" "nullplatform_route53_policy" {
-  name        = "nullplatform_${var.cluster_name}_route53_policy"
+  name        = "${local.policies_name_prefix}_route53_policy"
   description = "Policy for managing Route 53 DNS records"
   policy = jsonencode({
     "Version" : "2012-10-17",
@@ -67,7 +75,7 @@ resource "aws_iam_policy" "nullplatform_route53_policy" {
 
 # Grant permissions to describe and monitor load balancers and target groups
 resource "aws_iam_policy" "nullplatform_elb_policy" {
-  name        = "nullplatform_${var.cluster_name}_elb_policy"
+  name        = "${local.policies_name_prefix}_elb_policy"
   description = "Policy for managing Elastic Load Balancing resources"
   policy = jsonencode(
     {
@@ -118,7 +126,7 @@ resource "aws_iam_policy" "nullplatform_elb_policy" {
 
 # Grant permissions to describe and list EKS cluster resources
 resource "aws_iam_policy" "nullplatform_eks_policy" {
-  name        = "nullplatform_${var.cluster_name}_eks_policy"
+  name        = "${local.policies_name_prefix}_eks_policy"
   description = "Policy for managing EKS cluster resources"
   policy = jsonencode({
     "Version" : "2012-10-17",
@@ -150,13 +158,32 @@ resource "aws_iam_policy" "nullplatform_eks_policy" {
   })
 }
 
+################################################################################
+# STS AssumeRole IAM policy
+################################################################################
+
+resource "aws_iam_policy" "nullplatform_assume_role_policy" {
+  count = length(var.assume_role_arns) > 0 ? 1 : 0
+
+  name        = "${local.policies_name_prefix}_assume_role_policy"
+  description = "Policy allowing the agent to assume specific IAM roles"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "sts:AssumeRole"
+      Resource = var.assume_role_arns
+    }]
+  })
+}
+
 ################################################################################
 # AVP policy
 ################################################################################
 
 # Grant permissions to describe and list EKS cluster resources
 resource "aws_iam_policy" "nullplatform_avp_policy" {
-  name        = "nullplatform_${var.cluster_name}_avp_policy"
+  name        = "${local.policies_name_prefix}_avp_policy"
   description = "Policy for managing AVP resources"
   policy = jsonencode({
     "Version" : "2012-10-17",

infrastructure/aws/iam/agent/tests/agent.tftest.hcl

@@ -102,3 +102,42 @@ run "all_policies_valid_json" {
     error_message = "AVP policy should be valid JSON"
   }
 }
+
+run "assume_role_policy_not_created_by_default" {
+  command = plan
+
+  assert {
+    condition     = length(aws_iam_policy.nullplatform_assume_role_policy) == 0
+    error_message = "assume_role policy should not be created when assume_role_arns is empty"
+  }
+}
+
+run "assume_role_policy_created_when_arns_provided" {
+  command = plan
+
+  variables {
+    assume_role_arns = ["arn:aws:iam::123456789012:role/some-role"]
+  }
+
+  override_resource {
+    target = aws_iam_policy.nullplatform_assume_role_policy
+    values = {
+      arn = "arn:aws:iam::123456789012:policy/nullplatform_test-cluster_assume_role_policy"
+    }
+  }
+
+  assert {
+    condition     = length(aws_iam_policy.nullplatform_assume_role_policy) == 1
+    error_message = "assume_role policy should be created when assume_role_arns is non-empty"
+  }
+
+  assert {
+    condition     = aws_iam_policy.nullplatform_assume_role_policy[0].name == "nullplatform_test-cluster_assume_role_policy"
+    error_message = "assume_role policy name should follow naming convention"
+  }
+
+  assert {
+    condition     = can(jsondecode(aws_iam_policy.nullplatform_assume_role_policy[0].policy))
+    error_message = "assume_role policy should be valid JSON"
+  }
+}

infrastructure/aws/iam/agent/variables.tf

@@ -18,3 +18,32 @@ variable "additional_policies" {
   type        = map(string)
   default     = {}
 }
+
+variable "assume_role_arns" {
+  description = "List of IAM role ARNs the agent is allowed to assume via sts:AssumeRole"
+  type        = list(string)
+  default     = []
+
+  validation {
+    condition     = alltrue([for arn in var.assume_role_arns : can(regex("^arn:aws:iam::[0-9]{12}:role/.+", arn))])
+    error_message = "Each ARN must match arn:aws:iam::<account-id>:role/<role-name>"
+  }
+}
+
+variable "service_account_name" {
+  description = "Kubernetes service account name trusted by the IRSA role"
+  type        = string
+  default     = "nullplatform-agent"
+}
+
+variable "role_name" {
+  description = "Override for the IAM role name. Defaults to nullplatform-{cluster_name}-agent-role"
+  type        = string
+  default     = ""
+}
+
+variable "policies_name_prefix" {
+  description = "Override for IAM policy name prefix. Defaults to nullplatform_{cluster_name}"
+  type        = string
+  default     = ""
+}

nullplatform/agent/locals.tf

@@ -97,10 +97,12 @@ locals {
 
   # Template único y simple
   nullplatform_agent_values = templatefile("${path.module}/templates/nullplatform_agent_values.tmpl.yaml", {
-    args             = local.all_args
-    config_values    = local.all_config
-    image_tag        = var.image_tag
-    aws_iam_role_arn = var.cloud_provider == "aws" ? var.aws_iam_role_arn : ""
-    init_scripts     = var.init_scripts
+    args                 = local.all_args
+    config_values        = local.all_config
+    image_tag            = var.image_tag
+    image_repository     = var.image_repository
+    aws_iam_role_arn     = var.cloud_provider == "aws" ? var.aws_iam_role_arn : ""
+    init_scripts         = var.init_scripts
+    service_account_name = var.service_account_name
   })
 }

nullplatform/agent/main.tf

@@ -49,7 +49,7 @@ resource "terraform_data" "cross_variable_validation" {
 
 # Deploy nullplatform agent to Kubernetes cluster via Helm chart
 resource "helm_release" "agent" {
-  name       = "nullplatform-agent"
+  name       = var.release_name
   chart      = "nullplatform-agent"
   repository = "https://nullplatform.github.io/helm-charts"
   namespace  = var.namespace

nullplatform/agent/templates/nullplatform_agent_values.tmpl.yaml

@@ -2,12 +2,19 @@ args:
   %{ for arg in args }
 - "${arg}"
   %{ endfor }
-  
-  %{ if aws_iam_role_arn != "" }
+
+  %{ if aws_iam_role_arn != "" || service_account_name != "" }
 serviceAccount:
+  create: true
+  automount: true
+  %{ if service_account_name != "" }
+  name: "${service_account_name}"
+  %{ endif }
+  %{ if aws_iam_role_arn != "" }
   annotations:
     eks.amazonaws.com/role-arn: "${aws_iam_role_arn}"
   %{ endif }
+  %{ endif }
 
 configuration:
   values:
@@ -17,6 +24,9 @@ configuration:
 
 image:
   tag: "${image_tag}"
+  %{ if image_repository != "" }
+  repository: "${image_repository}"
+  %{ endif }
 
   %{ if length(init_scripts) > 0 }
 initScripts:

nullplatform/agent/variables.tf

@@ -31,6 +31,20 @@ variable "tags_selectors" {
 # Agent configuration
 ################################################################################
 
+# Override for the Helm release name. Defaults to nullplatform-agent
+variable "release_name" {
+  description = "Override for the Helm release name. Defaults to nullplatform-agent"
+  type        = string
+  default     = "nullplatform-agent"
+}
+
+# Override for the Kubernetes ServiceAccount name. Defaults to the chart's default (nullplatform-agent)
+variable "service_account_name" {
+  description = "Override for the Kubernetes ServiceAccount name created by the Helm chart"
+  type        = string
+  default     = ""
+}
+
 # Version of the nullplatform agent Helm chart to deploy
 variable "nullplatform_agent_helm_version" {
   description = "Version of the nullplatform agent Helm chart to deploy"
@@ -72,6 +86,12 @@ variable "image_tag" {
   type        = string
 }
 
+variable "image_repository" {
+  description = "Container image repository for the agent. Defaults to the official nullplatform image."
+  type        = string
+  default     = ""
+}
+
 # ARN of the AWS IAM role assigned to the agent (required when cloud_provider is 'aws')
 variable "aws_iam_role_arn" {
   description = "ARN of the AWS IAM role assigned to the agent"