Parameterize IAM role/policy creation

unity-sds · Mar 1, 2024 · 6bcc572 · 6bcc572
1 parent ad1d15e
commit 6bcc572
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 21 deletions.
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/.terraform.lock.hcl b/terraform-unity/modules/terraform-unity-sps-airflow/.terraform.lock.hcl
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/README.md b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
@@ -16,7 +16,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.35.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.12.1 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.25.2 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |

diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf b/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
@@ -13,4 +13,5 @@ locals {
     mission     = var.project
     Stack       = ""
   }
+  oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 }
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
@@ -371,7 +371,7 @@ resource "kubernetes_ingress_v1" "ogc_processes_api_ingress" {
 }
 
 resource "aws_iam_policy" "airflow_worker_policy" {
-  name        = "AirflowWorkerPolicy"
+  name        = "${var.project}-${var.venue}-${var.service_area}-AirflowWorkerPolicy-${local.counter}"
   description = "Policy for Airflow Workers to access AWS services"
   policy = jsonencode(
     {
@@ -402,20 +402,20 @@ resource "aws_iam_policy" "airflow_worker_policy" {
 }
 
 resource "aws_iam_role" "airflow_worker_role" {
-  name = "AirflowWorkerRole"
+  name = "${var.project}-${var.venue}-${var.service_area}-AirflowWorker-${local.counter}"
   assume_role_policy = jsonencode(
     {
       "Version" : "2012-10-17",
       "Statement" : [
         {
           "Effect" : "Allow",
           "Principal" : {
-            "Federated" : "arn:aws:iam::429178552491:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/7E914336E4CD991EA4B403BA606CB778"
+            "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider_url}"
           },
           "Action" : "sts:AssumeRoleWithWebIdentity",
           "Condition" : {
             "StringEquals" : {
-              "oidc.eks.us-west-2.amazonaws.com/id/7E914336E4CD991EA4B403BA606CB778:sub" : "system:serviceaccount:airflow:airflow-worker"
+              "${local.oidc_provider_url}:sub" : "system:serviceaccount:${kubernetes_namespace.airflow.metadata[0].name}:airflow-worker"
             }
           }
         }