terraform, aws: rename local variable, ksa_value -> cloud_permissions
consideRatio committed Apr 22, 2024
1 parent add4e85 commit 5e6f22a
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions terraform/aws/irsa.tf
Expand Up @@ -15,15 +15,15 @@ data "aws_partition" "current" {}
locals {
hub_to_role_mapping = flatten([
for hub, hub_value in var.hub_cloud_permissions : [
for ksa_name, ksa_value in hub_value : {
for ksa_name, cloud_permissions in hub_value : {
// Most hubs only use `user-sa`, so we use just the hub name for the IAM
// role for user-sa. `user-sa` was also the only service account supported
// for a long time, so this special casing reduces the amount of work
// we needed to do to introduce other service accounts.
iam_role_name = ksa_name == "user-sa" ? hub : "${hub}-${ksa_name}"
hub = hub
ksa_name = ksa_name
ksa_value = ksa_value
iam_role_name = ksa_name == "user-sa" ? hub : "${hub}-${ksa_name}"
hub = hub
ksa_name = ksa_name
cloud_permissions = cloud_permissions
}
]
])
Expand Down Expand Up @@ -64,15 +64,15 @@ resource "aws_iam_role" "irsa_role" {


resource "aws_iam_policy" "extra_user_policy" {
for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.ksa_value.extra_iam_policy != "" }
for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" }
name = "${var.cluster_name}-${each.key}-extra-user-policy"

description = "Extra permissions granted to users on hub ${each.key} on ${var.cluster_name}"
policy = each.value.ksa_value.extra_iam_policy
policy = each.value.cloud_permissions.extra_iam_policy
}

resource "aws_iam_role_policy_attachment" "extra_user_policy" {
for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.ksa_value.extra_iam_policy != "" }
for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" }
role = aws_iam_role.irsa_role[each.key].name
policy_arn = aws_iam_policy.extra_user_policy[each.key].arn
}
