Conversation

@eddiewebb
Collaborator

This adds a little clarity to the readme and switches the underlying IAM policy to allow assumption from the PowerUser role, not just AdministratorAccess.

@github-actions

AWS Core

OpenTofu Format and Style 🖌success

OpenTofu Plan 📖 success

aws_iam_openid_connect_provider.gha: Refreshing state... [id=arn:aws:iam::218691292270:oidc-provider/token.actions.githubusercontent.com]
aws_iam_policy.demo_policy: Refreshing state... [id=arn:aws:iam::218691292270:policy/sedemo-iac-operator-role-policy]
aws_iam_policy.demo_gha_policy: Refreshing state... [id=arn:aws:iam::218691292270:policy/sedemo-iac-pipeline-role-policy]
data.aws_caller_identity.current: Reading...
data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-west-2]
data.aws_caller_identity.current: Read complete after 0s [id=218691292270]
aws_iam_role.demo_gha_role: Refreshing state... [id=sedemo-iac-pipeline-role]
aws_iam_role.demo_role: Refreshing state... [id=sedemo-iac-operator-role]
aws_iam_role_policy_attachment.gha_attachment: Refreshing state... [id=sedemo-iac-pipeline-role/arn:aws:iam::218691292270:policy/sedemo-iac-pipeline-role-policy]
aws_iam_role_policy_attachment.fe_eks: Refreshing state... [id=sedemo-iac-operator-role/arn:aws:iam::218691292270:policy/sedemo-iac-operator-role-policy]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # aws_iam_role.demo_gha_role will be updated in-place
  ~ resource "aws_iam_role" "demo_gha_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                            }
                            StringLike   = {
                                "token.actions.githubusercontent.com:sub" = "repo:akuity/sedemo-infra-iac:*"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Federated = "arn:aws:iam::218691292270:oidc-provider/token.actions.githubusercontent.com"
                        }
                    },
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                            ]
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "sedemo-iac-pipeline-role"
        name                  = "sedemo-iac-pipeline-role"
        tags                  = {
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
        # (9 unchanged attributes hidden)
    }

  # aws_iam_role.demo_role will be updated in-place
  ~ resource "aws_iam_role" "demo_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              - "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                              + "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6/[email protected]",
                            ]
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "sedemo-iac-operator-role"
        name                  = "sedemo-iac-operator-role"
        tags                  = {
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Changes to Outputs:
  ~ sso_iam_role           = "AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6" -> "AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6"

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.

EKS Primary Cluster

OpenTofu Format and Style 🖌success

OpenTofu Plan 📖 success

data.terraform_remote_state.arad_aws_state: Reading...
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Reading...
data.aws_availability_zones.available: Reading...
module.eks.module.eks_managed_node_group["default"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.eks.module.kms.data.aws_partition.current[0]: Reading...
data.aws_region.current: Reading...
module.eks.data.aws_caller_identity.current[0]: Reading...
module.eks.data.aws_partition.current[0]: Reading...
module.eks.module.kms.data.aws_caller_identity.current[0]: Reading...
module.eks.aws_cloudwatch_log_group.this[0]: Refreshing state... [id=/aws/eks/sedemo-primary/cluster]
data.aws_region.current: Read complete after 0s [id=us-west-2]
module.eks.module.kms.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=2830595799]
module.eks.module.eks_managed_node_group["default"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=2560088296]
module.eks.data.aws_partition.current[0]: Read complete after 0s [id=aws]
data.aws_route53_zone.root_demo_domain_zone: Reading...
data.aws_caller_identity.current: Reading...
module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-0fbf91497bbb443b6]
module.eks.module.eks_managed_node_group["default"].aws_iam_role.this[0]: Refreshing state... [id=default-eks-node-group-20251111192150921200000002]
module.eks.aws_iam_role.this[0]: Refreshing state... [id=sedemo-primary-cluster-20251111192150921000000001]
module.eks.module.kms.data.aws_caller_identity.current[0]: Read complete after 0s [id=218691292270]
module.eks.data.aws_caller_identity.current[0]: Read complete after 0s [id=218691292270]
module.eks.data.aws_iam_session_context.current[0]: Reading...
data.terraform_remote_state.arad_aws_state: Read complete after 1s
data.aws_caller_identity.current: Read complete after 0s [id=218691292270]
aws_iam_policy.irsa_policy_eso: Refreshing state... [id=arn:aws:iam::218691292270:policy/sedemo-primary-irsa-policy-external-secrets]
data.aws_availability_zones.available: Read complete after 0s [id=us-west-2]
module.eks.data.aws_iam_session_context.current[0]: Read complete after 0s [id=arn:aws:sts::218691292270:assumed-role/sedemo-iac-pipeline-role/GitHubActions]
module.eks.module.eks_managed_node_group["default"].aws_iam_role_policy_attachment.this["AmazonEC2ContainerRegistryReadOnly"]: Refreshing state... [id=default-eks-node-group-20251111192150921200000002/arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly]
module.eks.module.eks_managed_node_group["default"].aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]: Refreshing state... [id=default-eks-node-group-20251111192150921200000002/arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy]
module.eks.module.eks_managed_node_group["default"].aws_iam_role_policy_attachment.this["AmazonEKSWorkerNodePolicy"]: Refreshing state... [id=default-eks-node-group-20251111192150921200000002/arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy]
module.eks.aws_iam_role_policy_attachment.this["AmazonEKSClusterPolicy"]: Refreshing state... [id=sedemo-primary-cluster-20251111192150921000000001/arn:aws:iam::aws:policy/AmazonEKSClusterPolicy]
module.eks.module.kms.data.aws_iam_policy_document.this[0]: Reading...
module.eks.module.kms.data.aws_iam_policy_document.this[0]: Read complete after 0s [id=1682338805]
module.eks.module.kms.aws_kms_key.this[0]: Refreshing state... [id=baf78981-bbd2-4ed3-a92a-9e108d662aff]
data.aws_route53_zone.root_demo_domain_zone: Read complete after 0s [id=Z06080061D8PFBX2D8WN4]
module.eks.module.kms.aws_kms_alias.this["cluster"]: Refreshing state... [id=alias/eks/sedemo-primary]
module.eks.aws_iam_policy.cluster_encryption[0]: Refreshing state... [id=arn:aws:iam::218691292270:policy/sedemo-primary-cluster-ClusterEncryption20251111192222740700000006]
module.vpc.aws_default_route_table.default[0]: Refreshing state... [id=rtb-08fead377724c72f4]
module.vpc.aws_default_security_group.this[0]: Refreshing state... [id=sg-00bc5fcc757caa567]
module.vpc.aws_default_network_acl.this[0]: Refreshing state... [id=acl-084eb75bc9f14e5b2]
module.eks.aws_security_group.cluster[0]: Refreshing state... [id=sg-0227a2cd27eca4855]
module.eks.aws_security_group.node[0]: Refreshing state... [id=sg-0dbcf967188bd3683]
module.vpc.aws_internet_gateway.this[0]: Refreshing state... [id=igw-014d59df50b2e06c5]
module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-0572ed744e9398a50]
module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-07ecc6a49ba22a686]
module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-08a6c091f2dbe3a60]
module.eks.aws_iam_role_policy_attachment.cluster_encryption[0]: Refreshing state... [id=sedemo-primary-cluster-20251111192150921000000001/arn:aws:iam::218691292270:policy/sedemo-primary-cluster-ClusterEncryption20251111192222740700000006]
module.vpc.aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-0572ed744e9398a501080289494]
module.eks.aws_security_group_rule.node["ingress_cluster_6443_webhook"]: Refreshing state... [id=sgrule-2780874341]
module.eks.aws_security_group_rule.node["ingress_cluster_10251_webhook"]: Refreshing state... [id=sgrule-3802785280]
module.eks.aws_security_group_rule.node["ingress_nodes_ephemeral"]: Refreshing state... [id=sgrule-2725958526]
module.eks.aws_security_group_rule.node["ingress_cluster_443"]: Refreshing state... [id=sgrule-3178046303]
module.eks.aws_security_group_rule.node["ingress_self_coredns_udp"]: Refreshing state... [id=sgrule-3716668753]
module.eks.aws_security_group_rule.node["ingress_cluster_8443_webhook"]: Refreshing state... [id=sgrule-3063740996]
module.eks.aws_security_group_rule.node["ingress_cluster_kubelet"]: Refreshing state... [id=sgrule-3605051003]
module.eks.aws_security_group_rule.node["ingress_cluster_4443_webhook"]: Refreshing state... [id=sgrule-1820500467]
module.eks.aws_security_group_rule.node["egress_all"]: Refreshing state... [id=sgrule-629314194]
module.eks.aws_security_group_rule.node["ingress_cluster_9443_webhook"]: Refreshing state... [id=sgrule-3527264655]
module.eks.aws_security_group_rule.node["ingress_self_coredns_tcp"]: Refreshing state... [id=sgrule-2044231358]
module.eks.aws_security_group_rule.cluster["ingress_nodes_443"]: Refreshing state... [id=sgrule-2240607105]
module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-06b3a2a2bec249324]
module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0bf2709ef97d1f762]
module.eks.aws_eks_cluster.this[0]: Refreshing state... [id=sedemo-primary]
module.eks.aws_eks_access_entry.this["sso_admin_access"]: Refreshing state... [id=sedemo-primary:arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6]
module.eks.aws_eks_access_entry.this["pipeline_eks_access"]: Refreshing state... [id=sedemo-primary:arn:aws:iam::218691292270:role/sedemo-iac-pipeline-role]
module.eks.aws_eks_access_entry.this["fieldeng_eks_access"]: Refreshing state... [id=sedemo-primary:arn:aws:iam::218691292270:role/sedemo-iac-operator-role]
module.eks.data.aws_eks_addon_version.this["coredns"]: Reading...
module.eks.data.aws_eks_addon_version.this["kube-proxy"]: Reading...
module.eks.time_sleep.this[0]: Refreshing state... [id=2025-11-11T19:33:05Z]
module.eks.aws_ec2_tag.cluster_primary_security_group["Team"]: Refreshing state... [id=sg-017102217399269b0,Team]
aws_iam_role.eks_service_account_role: Refreshing state... [id=sedemo-primary-irsa-role-external-secrets]
module.eks.aws_ec2_tag.cluster_primary_security_group["cost_center"]: Refreshing state... [id=sg-017102217399269b0,cost_center]
module.eks.aws_ec2_tag.cluster_primary_security_group["data_classification"]: Refreshing state... [id=sg-017102217399269b0,data_classification]
module.eks.data.aws_eks_addon_version.this["vpc-cni"]: Reading...
module.eks.data.aws_eks_addon_version.this["coredns"]: Read complete after 1s [id=coredns]
module.eks.aws_ec2_tag.cluster_primary_security_group["iac"]: Refreshing state... [id=sg-017102217399269b0,iac]
module.eks.aws_ec2_tag.cluster_primary_security_group["owner"]: Refreshing state... [id=sg-017102217399269b0,owner]
module.eks.aws_ec2_tag.cluster_primary_security_group["critical_until"]: Refreshing state... [id=sg-017102217399269b0,critical_until]
module.eks.aws_ec2_tag.cluster_primary_security_group["purpose"]: Refreshing state... [id=sg-017102217399269b0,purpose]
module.eks.data.aws_eks_addon_version.this["vpc-cni"]: Read complete after 1s [id=vpc-cni]
module.eks.data.tls_certificate.this[0]: Reading...
module.eks.data.aws_eks_addon_version.this["kube-proxy"]: Read complete after 1s [id=kube-proxy]
module.eks.module.eks_managed_node_group["default"].data.aws_ssm_parameter.ami[0]: Reading...
module.eks.module.eks_managed_node_group["default"].module.user_data.null_resource.validate_cluster_service_cidr: Refreshing state... [id=5379422231627766317]
module.eks.aws_eks_addon.before_compute["vpc-cni"]: Refreshing state... [id=sedemo-primary:vpc-cni]
module.eks.module.eks_managed_node_group["default"].aws_launch_template.this[0]: Refreshing state... [id=lt-020badef43ed61817]
module.eks.data.tls_certificate.this[0]: Read complete after 0s [id=4687b9863b4f2caa907e2ad6c9ffcf73433dc367]
module.eks.aws_iam_openid_connect_provider.oidc_provider[0]: Refreshing state... [id=arn:aws:iam::218691292270:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/7F08F2E347A55192C0B80AD9E96F647F]
module.eks.aws_eks_access_policy_association.this["fieldeng_eks_access_namespace_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/sedemo-iac-operator-role#arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy]
module.eks.aws_eks_access_policy_association.this["sso_admin_access_admin_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy]
module.eks.aws_eks_access_policy_association.this["pipeline_eks_access_namespace_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/sedemo-iac-pipeline-role#arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy]
module.eks.aws_eks_access_policy_association.this["sso_admin_access_namespace_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6#arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy]
module.eks.aws_eks_access_policy_association.this["pipeline_eks_access_admin_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/sedemo-iac-pipeline-role#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy]
module.eks.aws_eks_access_policy_association.this["fieldeng_eks_access_admin_policy"]: Refreshing state... [id=sedemo-primary#arn:aws:iam::218691292270:role/sedemo-iac-operator-role#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy]
module.eks.module.eks_managed_node_group["default"].data.aws_ssm_parameter.ami[0]: Read complete after 0s [id=/aws/service/eks/optimized-ami/1.34/amazon-linux-2023/x86_64/standard/recommended/release_version]
aws_iam_role_policy_attachment.irsa_secrets: Refreshing state... [id=sedemo-primary-irsa-role-external-secrets/arn:aws:iam::218691292270:policy/sedemo-primary-irsa-policy-external-secrets]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Refreshing state... [id=sedemo-primary:default-2025111119331203410000000a]
module.eks.aws_eks_addon.this["coredns"]: Refreshing state... [id=sedemo-primary:coredns]
module.eks.aws_eks_addon.this["kube-proxy"]: Refreshing state... [id=sedemo-primary:kube-proxy]
helm_release.nginx_ingress: Refreshing state... [id=ingress-nginx]
data.kubernetes_service_v1.nginx_ingress: Reading...
data.kubernetes_service_v1.nginx_ingress: Read complete after 1s [id=ingress-nginx/ingress-nginx-controller]
data.aws_elb.nginx_ingress: Reading...
aws_route53_record.records["*."]: Refreshing state... [id=Z06080061D8PFBX2D8WN4_*_CNAME]
data.aws_elb.nginx_ingress: Read complete after 1s [id=a1e1866182f2849afbb3697aa4826fc9]
aws_route53_record.landing_global_record: Refreshing state... [id=Z06080061D8PFBX2D8WN4_akpdemoapps.link_A_sedemo-primary]

Note: Objects have changed outside of OpenTofu

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # module.eks.aws_eks_cluster.this[0] has changed
  ~ resource "aws_eks_cluster" "this" {
        id                            = "sedemo-primary"
        name                          = "sedemo-primary"
      ~ platform_version              = "eks.7" -> "eks.9"
        tags                          = {
            "Team"                  = "Sales Engineering"
            "cost_center"           = "sales"
            "critical_until"        = "2035-12-31"
            "data_classification"   = "low"
            "iac"                   = "true"
            "owner"                 = "[email protected]"
            "purpose"               = "ARAD - Akuity Reference Architecture Demo"
            "terraform-aws-modules" = "eks"
        }
        # (13 unchanged attributes hidden)

        # (7 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place (current -> planned)
-/+ destroy and then create replacement

OpenTofu will perform the following actions:

  # module.eks.aws_eks_access_entry.this["sso_admin_access"] must be replaced
-/+ resource "aws_eks_access_entry" "this" {
      ~ access_entry_arn  = "arn:aws:eks:us-west-2:218691292270:access-entry/sedemo-primary/role/218691292270/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/a2cd3a33-eda8-1bfa-0af4-2b7e1162dac5" -> (known after apply)
      ~ created_at        = "2025-11-11T19:32:34Z" -> (known after apply)
      ~ id                = "sedemo-primary:arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6" -> (known after apply)
      ~ kubernetes_groups = [] -> (known after apply)
      ~ modified_at       = "2025-11-11T19:32:34Z" -> (known after apply)
      ~ principal_arn     = "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6" -> "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6" # forces replacement
        tags              = {
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
      ~ user_name         = "arn:aws:sts::218691292270:assumed-role/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6/{{SessionName}}" -> (known after apply)
        # (4 unchanged attributes hidden)
    }

  # module.eks.aws_eks_access_policy_association.this["sso_admin_access_admin_policy"] must be replaced
-/+ resource "aws_eks_access_policy_association" "this" {
      ~ associated_at = "2025-11-11 19:32:36.14 +0000 UTC" -> (known after apply)
      ~ id            = "sedemo-primary#arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" -> (known after apply)
      ~ modified_at   = "2025-11-11 19:32:36.14 +0000 UTC" -> (known after apply)
      ~ principal_arn = "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6" -> "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6" # forces replacement
        # (3 unchanged attributes hidden)

      ~ access_scope {
          - namespaces = [] -> null
            # (1 unchanged attribute hidden)
        }
    }

  # module.eks.aws_eks_access_policy_association.this["sso_admin_access_namespace_policy"] must be replaced
-/+ resource "aws_eks_access_policy_association" "this" {
      ~ associated_at = "2025-11-11 19:32:36.195 +0000 UTC" -> (known after apply)
      ~ id            = "sedemo-primary#arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6#arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" -> (known after apply)
      ~ modified_at   = "2025-11-11 19:32:36.195 +0000 UTC" -> (known after apply)
      ~ principal_arn = "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_e2e980dbad09a8b6" -> "arn:aws:iam::218691292270:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_PowerUserAccess_8de5f1934424d9c6" # forces replacement
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.eks.aws_eks_addon.before_compute["vpc-cni"] will be updated in-place
  ~ resource "aws_eks_addon" "before_compute" {
      ~ addon_version               = "v1.20.4-eksbuild.1" -> "v1.20.5-eksbuild.1"
        id                          = "sedemo-primary:vpc-cni"
        tags                        = {
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
        # (11 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.eks.aws_eks_addon.this["kube-proxy"] will be updated in-place
  ~ resource "aws_eks_addon" "this" {
      ~ addon_version               = "v1.34.0-eksbuild.4" -> "v1.34.1-eksbuild.2"
        id                          = "sedemo-primary:kube-proxy"
        tags                        = {
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0] will be updated in-place
  ~ resource "aws_eks_node_group" "this" {
        id                     = "sedemo-primary:default-2025111119331203410000000a"
      ~ release_version        = "1.34.1-20251108" -> "1.34.2-20251120"
        tags                   = {
            "Name"                = "default"
            "Team"                = "Sales Engineering"
            "cost_center"         = "sales"
            "critical_until"      = "2035-12-31"
            "data_classification" = "low"
            "iac"                 = "true"
            "owner"               = "[email protected]"
            "purpose"             = "ARAD - Akuity Reference Architecture Demo"
        }
        # (16 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 3 to add, 3 to change, 3 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.

Pusher: @eddiewebb, Action: pull_request, Workflow: AWS IAC
