allow specifying an IAM role for each worker group (#137)

* allow creating an IAM role for each worker group * moved change from 'changed' to 'added' * create multiple roles not just profiles * fix config_map_aws_auth generation * don't duplicate worker-role templating * specify ARNs for worker groups individually todo fix aws_auth configmap * fixed AWS auth * fix aws_iam_instance_profile.workers name fix iam_instance_profile fallback * fix outputs * fix iam_instance_profile calculation * hopefully fix aws auth configmap generation * manually fill out remainder of arn * remove depends_on in worker_role_arns template file this was causing resources to be recreated every time * fmt * fix typo, move iam_role_id default to defaults map
2026-03-28 12:11:48 +01:00 · 2018-09-24 07:08:35 -07:00
parent b6f6a82352
commit b623bc234a
8 changed files with 27 additions and 12 deletions
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -16,11 +16,22 @@ resource "null_resource" "update_config_map_aws_auth" {
  count = "${var.manage_aws_auth ? 1 : 0}"
 }

+data "aws_caller_identity" "current" {}
+
+data "template_file" "worker_role_arns" {
+  count    = "${var.worker_group_count}"
+  template = "${file("${path.module}/templates/worker-role.tpl")}"
+
+  vars {
+    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(aws_iam_instance_profile.workers.*.role, count.index)}"
+  }
+}
+
 data "template_file" "config_map_aws_auth" {
  template = "${file("${path.module}/templates/config-map-aws-auth.yaml.tpl")}"

  vars {
-    worker_role_arn = "${aws_iam_role.workers.arn}"
+    worker_role_arn = "${join("", distinct(data.template_file.worker_role_arns.*.rendered))}"
    map_users       = "${join("", data.template_file.map_users.*.rendered)}"
    map_roles       = "${join("", data.template_file.map_roles.*.rendered)}"
    map_accounts    = "${join("", data.template_file.map_accounts.*.rendered)}"