
Conversation

@cunymatthieu

What does this PR do?

⚠️ This PR is not ready to merge yet. It depends on aws-ia/terraform-aws-eks-blueprints-addon#43 being released. Once the new version is published, this PR will be ready for review.

Add a trust_policy_statements attribute to all modules that create IAM roles for service accounts (IRSA). This allows users to customize the trust policy of the IAM roles by adding additional statements.

The following modules now support trust_policy_statements:

  • aws_cloudwatch_metrics
  • aws_efs_csi_driver
  • aws_for_fluentbit
  • aws_fsx_csi_driver
  • aws_load_balancer_controller
  • aws_node_termination_handler
  • aws_privateca_issuer
  • cert_manager
  • cluster_autoscaler
  • external_dns
  • external_secrets
  • karpenter
  • velero
  • aws_gateway_api_controller

This attribute is only added to modules that have the create_role option, as it is only relevant when an IAM role is being created.

Also updates the aws-ia/eks-blueprints-addon module version to 1.2.0 for all addons, including bottlerocket_shadow and bottlerocket_update_operator.

Motivation

Enable users to add additional trust policy statements to IRSA roles when needed, such as:

  • Smooth migration to EKS Pod Identity: organizations can progressively migrate from IRSA to Pod Identity by adding the Pod Identity trust relationship to existing IAM roles, allowing both authentication methods to coexist during the transition
  • Cross-account access scenarios
  • Additional service principals
  • Custom federation configurations

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Example usage:

module "irsa_extra_statements" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "1.2.0"

  # Disable helm release
  create_release = false

  # IAM role for service account (IRSA + extra statements)
  create_role = true
  role_name   = "aws-vpc-cni-ipv4"
  role_policies = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

  oidc_providers = {
    this = {
      provider_arn    = module.eks.oidc_provider_arn
      namespace       = "kube-system"
      service_account = "aws-node"
    }
  }

  trust_policy_statements = [
    {
      sid    = "PodIdentity"
      effect = "Allow"
      actions = [
        "sts:AssumeRole",
        "sts:TagSession",
      ]
      principals = [
        {
          type        = "Service"
          identifiers = ["pods.eks.amazonaws.com"]
        }
      ]
    }
  ]

  tags = local.tags
}

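For reference, the trust policy the role in the example above would end up with, modelled in Python as an added example (not code from this PR or from the eks-blueprints-addon module). The IRSA statement shape (Federated OIDC principal with sub/aud StringEquals conditions) and the account and OIDC provider ids are assumptions; a small lint pass checks that the IRSA statement stays scoped to its service account and that no service principal other than pods.eks.amazonaws.com has crept in alongside it.

```python
import json

# Constructed sample values: placeholder account id and OIDC provider id.
OIDC_PROVIDER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"

def irsa_statement(provider_arn, provider, namespace, service_account):
    """Standard IRSA trust statement (assumed module output): a Federated
    OIDC principal scoped by sub/aud conditions to one service account."""
    return {
        "Sid": "IRSA",
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            f"{provider}:aud": "sts.amazonaws.com",
        }},
    }

# The extra statement from the PR's trust_policy_statements, rendered as IAM JSON.
POD_IDENTITY_STATEMENT = {
    "Sid": "PodIdentity",
    "Effect": "Allow",
    "Principal": {"Service": "pods.eks.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
}

def build_trust_policy(extra_statements):
    """IRSA statement for kube-system/aws-node followed by the extra statements."""
    base = irsa_statement(PROVIDER_ARN, OIDC_PROVIDER, "kube-system", "aws-node")
    return {"Version": "2012-10-17", "Statement": [base, *extra_statements]}

def lint_trust_policy(policy):
    """Findings: a Federated principal missing sub/aud conditions (role assumable
    by any service account on the cluster), or a Service principal other than the
    Pod Identity agent."""
    findings = []
    for s in policy["Statement"]:
        principal, sid = s.get("Principal", {}), s.get("Sid")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if "Federated" in principal and not (
            any(k.endswith(":sub") for k in cond) and any(k.endswith(":aud") for k in cond)
        ):
            findings.append(f"{sid}: Federated principal without sub/aud conditions")
        services = principal.get("Service", [])
        for svc in [services] if isinstance(services, str) else services:
            if svc != "pods.eks.amazonaws.com":
                findings.append(f"{sid}: unexpected service principal {svc}")
    return findings
```

Running `json.dumps(build_trust_policy([POD_IDENTITY_STATEMENT]), indent=2)` prints the two-statement document that lets IRSA and Pod Identity coexist on the same role during a migration.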
Allow customization of IAM role trust policies for all addons that support
IRSA. This enables users to add additional
trust policy statements when needed (e.g., cross-account access, additional
principals).
@cunymatthieu cunymatthieu requested a review from a team as a code owner December 18, 2025 16:32
@cunymatthieu cunymatthieu marked this pull request as draft December 18, 2025 22:18