@@ -4,7 +4,7 @@ module "vpc" {
44
55 name = " ${ var . primary_cluster_name } -vpc"
66 cidr = " 10.0.0.0/16"
7- azs = formatlist (" ${ data . aws_region . current . name } %s" , [" a" , " b" ])
7+ azs = formatlist (" ${ data . aws_region . current . region } %s" , [" a" , " b" ])
88 # private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
99 public_subnets = [" 10.0.4.0/24" , " 10.0.5.0/24" ]
1010 # public_subnet_assign_
@@ -73,9 +73,14 @@ module "eks" {
7373 }
7474
7575 iam_role_attach_cni_policy = true
76+ # iam_role_use_name_prefix = false
77+ iam_role_additional_policies = {
78+ secrets = aws_iam_policy.irsa_policy_eso.arn
79+ }
80+ }
81+
7682
7783
78- }
7984 }
8085 # Allow kubectl access via AWS SSO credentials
8186 access_entries = {
@@ -212,7 +217,23 @@ resource "aws_route53_record" "records" {
212217# . TODO: use `output "secrets_policy_name"` to attach to the OIDC role created by irsa=true above.
213218#
214219
215- resource "aws_iam_role_policy_attachment" "s3_read_only" {
216- role = eks. module . oidc_provider_arn
217- policy_arn = data. terraform_remote_state . arad_aws_state . outputs . secrets_policy_arn
218- }
220+ resource "aws_iam_policy" "irsa_policy_eso" {
221+ name = " ${ var . primary_cluster_name } -irsa-policy-external-secrets"
222+
223+ description = " Policy allowing ServiceAccount access to ESO."
224+
225+ policy = templatefile (
226+ " ${ path . module } /templates/secrets_policy.json.tpl" ,
227+ {
228+ AWS_ACCOUNT_ID = data.aws_caller_identity.current.id,
229+ }
230+ )
231+
232+ tags = var. common_tags
233+
234+ }
235+
236+ # resource "aws_iam_role_policy_attachment" "s3_read_only" {
237+ # role = module.eks.oidc_provider_arn
238+ # policy_arn = data.terraform_remote_state.arad_aws_state.outputs.secrets_policy_arn
239+ # }
0 commit comments