operator_roles_creation module should attach operator policies created in account_roles_creation module #31

Description

@RelicCornhusk

I'm currently using this module to create the OIDC, account-wide IAM roles and operator roles for my ROSA cluster. I started having a problem when using shared VPCs because the operator role arn:aws:sts::xxxxxxxxxx:assumed-role/test-openshift-ingress-operator-cloud-credentials/OCM cannot assume the appropriate role in the account that's sharing the VPC. I understand the module has an input to support the usage of clusters with shared VPCs: shared_vpc_role_arn. That input is used to create an operator policy that has sts:AssumeRole on that role, but that policy does not get attached to the operator roles that need it as part of the operator_roles_creation module. Instead, it attaches the policy named ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede, which it obtained from data.ocm_rosa_operator_roles.operator_roles, as is done in this sample code in the README. I believe there should be an additional aws_iam_policy_attachment in the operator_role_resource.tf to take care of that.
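One way the missing attachment could look, as an added illustration rather than the module's own code: it reuses the shared_vpc_role_arn input named in the issue, assumes a hypothetical operator_role_prefix variable for deriving role names, and takes the ingress operator role named above as the one that needs the policy (which roles need it is an assumption here, not something the module states).

```hcl
# Added illustration; not code from the terraform-rosa-operator-roles module.
# Assumed inputs: shared_vpc_role_arn (from the issue) and a hypothetical
# operator_role_prefix used to derive the operator role names.
variable "shared_vpc_role_arn" {
  type    = string
  default = ""
}

variable "operator_role_prefix" {
  type = string
}

# Least-privilege policy: only sts:AssumeRole, only on the single role in the
# account that owns the shared VPC.
data "aws_iam_policy_document" "shared_vpc_assume" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [var.shared_vpc_role_arn]
  }
}

resource "aws_iam_policy" "shared_vpc_assume" {
  count  = var.shared_vpc_role_arn != "" ? 1 : 0
  name   = "${var.operator_role_prefix}-shared-vpc-assume-role"
  policy = data.aws_iam_policy_document.shared_vpc_assume.json
}

# Operator roles that must cross into the shared-VPC account. The issue names
# the ingress operator role; the map is the assumed place to add others.
locals {
  shared_vpc_operator_roles = var.shared_vpc_role_arn != "" ? {
    ingress = "${var.operator_role_prefix}-openshift-ingress-operator-cloud-credentials"
  } : {}
}

# The attachment the issue asks for: one per role, attached to the shared-VPC
# policy created above rather than to the policy from ocm_rosa_operator_roles.
resource "aws_iam_role_policy_attachment" "shared_vpc_assume" {
  for_each   = local.shared_vpc_operator_roles
  role       = each.value
  policy_arn = aws_iam_policy.shared_vpc_assume[0].arn
}
```

After apply, `aws iam list-attached-role-policies --role-name <operator role name>` should list the shared-VPC policy next to the managed operator policy.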
