Enhance EKS addons module: add cluster OIDC provider ARN variable and update IAM role assumption

Author: BryanFauble

deployments/stacks/dpe-k8s-deployments/main.tf

@@ -13,11 +13,12 @@ module "sage-aws-eks-autoscaler" {
 }
 
 module "sage-aws-eks-addons" {
-  source             = "../../../modules/sage-aws-eks-addons"
-  cluster_name       = var.cluster_name
-  aws_account_id     = var.aws_account_id
-  vpc_id             = var.vpc_id
-  private_subnet_ids = var.private_subnet_ids_eks_worker_nodes
+  source                    = "../../../modules/sage-aws-eks-addons"
+  cluster_name              = var.cluster_name
+  aws_account_id            = var.aws_account_id
+  vpc_id                    = var.vpc_id
+  private_subnet_ids        = var.private_subnet_ids_eks_worker_nodes
+  cluster_oidc_provider_arn = var.cluster_oidc_provider_arn
 }
 
 module "argo-cd" {

modules/sage-aws-eks-addons/data.tf

@@ -31,7 +31,3 @@ data "aws_iam_policy_document" "restrict-vpc-endpoint-usage" {
 data "aws_eks_cluster" "cluster" {
   name = var.cluster_name
 }
-
-data "aws_iam_openid_connect_provider" "eks" {
-  url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
-}

modules/sage-aws-eks-addons/main.tf

@@ -93,7 +93,7 @@ resource "aws_iam_role" "guardduty_agent_role" {
         Action = "sts:AssumeRoleWithWebIdentity"
         Effect = "Allow"
         Principal = {
-          Federated = data.aws_iam_openid_connect_provider.eks.arn
+          Federated = var.cluster_oidc_provider_arn
         }
         Condition = {
           StringEquals = {

modules/sage-aws-eks-addons/variables.tf

@@ -22,6 +22,11 @@ variable "vpc_id" {
   type        = string
 }
 
+variable "cluster_oidc_provider_arn" {
+  description = "EKS cluster ARN for the OIDC provider"
+  type        = string
+}
+
 variable "private_subnet_ids" {
   description = "Private subnet IDs"
   type        = list(string)