# Include the nearest parent terragrunt.hcl; find_in_parent_folders() walks up
# from this directory, so shared settings defined there apply to this stack too.
include "root" {
  path = find_in_parent_folders()
}
# Module source is a path inside this repository (repo root + "//" + module
# subdirectory), not a remote registry or git URL, so the IAM module code is
# reviewed and versioned together with this configuration.
terraform {
  source = "${get_repo_root()}//modules/aws-iam"
}
# Outputs of the sibling EKS stack; only cluster_oidc_issuer_url is consumed here
# (it becomes the federated principal of the role's trust policy).
dependency "eks" {
  config_path = "../eks"

  # Mock values are accepted only for validate/plan. An apply must read the real
  # output from ../eks, so the placeholder issuer below can never end up in a
  # trust policy that is actually created.
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]

  mock_outputs = {
    cluster_oidc_issuer_url = "https://oidc.eks.us-east-2.amazonaws.com/id/FAKEIDENTIFIERXXXXXXXXXXXXXXXXXX"
  }
}
locals {
  # Shared settings from the nearest config.hcl up the directory tree; every key
  # read below must exist in that file's `locals` block.
  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))

  # Environment name; title-cased into the role name in `inputs`.
  env = local.config_vars.locals.environment
  # Kubernetes service account and namespace the role is bound to through the
  # `:sub` condition of the trust policy in `inputs`.
  service_account_name = local.config_vars.locals.aws_load_balancer_service_account_name
  namespace            = local.config_vars.locals.aws_load_balancer_namespace
  # Prefix of the IAM role name, combined with `env` in `inputs`.
  iam_role_prefix = local.config_vars.locals.aws_load_balancer_iam_role_prefix
}
# Reuse whatever generate blocks config.hcl defines, unchanged, so generated
# files are maintained in one place rather than per stack.
generate = local.config_vars.generate
# Inputs for the aws-iam module: one IAM role for the AWS Load Balancer
# controller, trusted only by the EKS cluster's OIDC provider and only for the
# single Kubernetes service account named in config.hcl.
inputs = {
  iam_roles = {
    # Role name = <iam_role_prefix><Env>, with the environment title-cased.
    "${local.iam_role_prefix}${title(local.env)}" = {
      # IRSA trust policy. The OIDC provider ARN and the condition keys use the
      # issuer URL with its "https://" scheme stripped.
      assume_role_policy = {
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Principal = {
              Federated = "arn:aws:iam::${get_aws_account_id()}:oidc-provider/${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}"
            }
            Action = "sts:AssumeRoleWithWebIdentity"
            Condition = {
              # Both exact-match conditions are what narrow the role: the token
              # audience must be STS, and the subject must be exactly this
              # namespace/service-account pair, so no other workload in the
              # cluster can assume the role.
              StringEquals = {
                "${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}:aud" = "sts.amazonaws.com"
                "${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}:sub" = "system:serviceaccount:${local.namespace}:${local.service_account_name}"
              }
            }
          }
        ]
      }
      # Permissions policy document, read from policy.json next to this config
      # (path is relative to the terragrunt.hcl directory).
      policy = jsondecode(file("policy.json"))
      tags   = {}
    }
  }
}