feat: Add SourceArn condition to Fargate profile trust policy (#3039)

feat: add `SourceArn` condition to fargate-profile assume_role_policy
2026-04-10 11:13:38 +02:00 · 2024-05-16 17:58:31 -04:00
parent 92fca6fcf9
commit a070d7b2bd
2 changed files with 11 additions and 0 deletions
--- a/modules/fargate-profile/main.tf
+++ b/modules/fargate-profile/main.tf
@@ -1,5 +1,6 @@
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

 locals {
  create_iam_role = var.create && var.create_iam_role
@@ -30,6 +31,15 @@ data "aws_iam_policy_document" "assume_role_policy" {
      type        = "Service"
      identifiers = ["eks-fargate-pods.amazonaws.com"]
    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+
+      values = [
+        "arn:${data.aws_partition.current.partition}:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:fargateprofile/${var.cluster_name}/*",
+      ]
+    }
  }
 }