github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-01-16 16:47:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: Use IAM session context data source to resolve the identities role when using assumed_role (#2347)

Browse Source
This commit is contained in:
Bryant Biggs
2022-12-17 07:32:04 -05:00
committed by GitHub
parent 678cf7fa81
commit 71b8ecaa87
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -270,6 +270,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cni_ipv6_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [tls_certificate.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |

10
main.tf
View File

@@ -1,6 +1,14 @@
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
data "aws_iam_session_context" "current" {
# This data source provides information on the IAM source role of an STS assumed role
# For non-role ARNs, this data source simply passes the ARN through issuer ARN
# Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
# Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381
arn = data.aws_caller_identity.current.arn
}
locals {
create = var.create && var.putin_khuylo
@@ -122,7 +130,7 @@ module "kms" {
# Policy
enable_default_policy = var.kms_key_enable_default_policy
key_owners = var.kms_key_owners
key_administrators = coalescelist(var.kms_key_administrators, [data.aws_caller_identity.current.arn])
key_administrators = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current.issuer_arn])
key_users = concat([local.cluster_role], var.kms_key_users)
key_service_users = var.kms_key_service_users
source_policy_documents = var.kms_key_source_policy_documents