terraform, aws: rename local variable, role/data -> ksa_name/ksa_value

consideRatio · Apr 22, 2024 · 5429fd8 · 5429fd8
1 parent d72f591
commit 5429fd8
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/terraform/aws/irsa.tf b/terraform/aws/irsa.tf
@@ -15,15 +15,15 @@ data "aws_partition" "current" {}
 locals {
   hub_to_role_mapping = flatten([
     for hub, hub_value in var.hub_cloud_permissions : [
-      for role, role_value in hub_value : {
+      for ksa_name, ksa_value in hub_value : {
         // Most hubs only use `user-sa`, so we use just the hub name for the IAM
         // role for user-sa. `user-sa` was also the only service account supported
         // for a long time, so this special casing reduces the amount of work
         // we needed to do to introduce other service accounts.
-        iam_role_name = role == "user-sa" ? hub : "${hub}-${role}"
+        iam_role_name = ksa_name == "user-sa" ? hub : "${hub}-${ksa_name}"
         hub           = hub
-        role          = role
-        data          = role_value
+        ksa_name      = ksa_name
+        ksa_value     = ksa_value
       }
     ]
   ])
@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "irsa_role_assume" {
       test     = "StringEquals"
       variable = "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub"
       values = [
-        "system:serviceaccount:${each.value.hub}:${each.value.role}"
+        "system:serviceaccount:${each.value.hub}:${each.value.ksa_name}"
       ]
     }
   }
@@ -64,15 +64,15 @@ resource "aws_iam_role" "irsa_role" {
 
 
 resource "aws_iam_policy" "extra_user_policy" {
-  for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.data.extra_iam_policy != "" }
+  for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.ksa_value.extra_iam_policy != "" }
   name     = "${var.cluster_name}-${each.key}-extra-user-policy"
 
   description = "Extra permissions granted to users on hub ${each.key} on ${var.cluster_name}"
-  policy      = each.value.data.extra_iam_policy
+  policy      = each.value.ksa_value.extra_iam_policy
 }
 
 resource "aws_iam_role_policy_attachment" "extra_user_policy" {
-  for_each   = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.data.extra_iam_policy != "" }
+  for_each   = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.ksa_value.extra_iam_policy != "" }
   role       = aws_iam_role.irsa_role[each.key].name
   policy_arn = aws_iam_policy.extra_user_policy[each.key].arn
 }