Reword why user-sa is special cased in role name

consideRatio · Apr 20, 2024 · 8fb7952 · 8fb7952
1 parent 4391e6c
commit 8fb7952
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/terraform/aws/irsa.tf b/terraform/aws/irsa.tf
@@ -16,8 +16,10 @@ locals {
   hub_role = flatten([
     for hub, hub_value in var.hub_cloud_permissions : [
       for role, role_value in hub_value : {
-        // id is conservatively adjusted to not change any previous resource
-        // name set to the hub's name when only "user-sa" roles were around
+        // Most hubs only use `user-sa`, so we use just the hub name for the IAM
+        // role for user-sa. `user-sa` was also the only service account supported
+        // for a long time, so this special casing reduces the amount of work
+        // we needed to do to introduce other service accounts.
         id   = role == "user-sa" ? hub : "${hub}-${role}"
         hub  = hub
         role = role