I'm currently using this module to create the OIDC, account-wide IAM roles and operator roles for my ROSA cluster. I started having a problem when using shared VPCs because the operator role `arn:aws:sts::xxxxxxxxxx:assumed-role/test-openshift-ingress-operator-cloud-credentials/OCM` cannot assume the appropriate role in the account that's sharing the VPC. I understand the module has an input to support the usage of clusters with shared VPCs: `shared_vpc_role_arn`. That input is used to create an operator policy that has `sts:AssumeRole` on that role, but that policy does not get attached to the operator roles that need it as part of the `operator_roles_creation` module. Instead, it attaches the policy named `ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede`, which it obtained from `data.ocm_rosa_operator_roles.operator_roles`, as is done in this sample code in the README. I believe there should be an additional `aws_iam_policy_attachment` in the operator_role_resource.tf to take care of that.
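As an added example (not the module's own code), a minimal Terraform fragment showing the attachment the issue describes: the shared-VPC assume-role policy attached to the ingress operator role with `aws_iam_role_policy_attachment`, the non-exclusive variant of `aws_iam_policy_attachment`. The variable, local and resource names are assumptions; the shared-VPC role in the other account must also list the operator role in its own trust policy, or the `AssumeRole` call still fails.

```hcl
# Added example, not the module's code. Names marked "example" and the
# locals are assumptions; shared_vpc_role_arn is the module input the issue names.

variable "shared_vpc_role_arn" {
  description = "Role in the VPC-owning account that the operator must assume"
  type        = string
}

# Operator roles that need cross-account access to the shared VPC.
# The ingress operator is the one named in the issue; the map is an assumption.
locals {
  shared_vpc_operator_roles = {
    ingress = "test-openshift-ingress-operator-cloud-credentials"
  }
}

data "aws_iam_policy_document" "shared_vpc_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    # Least privilege: only the one role in the VPC-sharing account, no wildcards.
    resources = [var.shared_vpc_role_arn]
  }
}

resource "aws_iam_policy" "shared_vpc_assume" {
  name   = "example-shared-vpc-assume-role"
  policy = data.aws_iam_policy_document.shared_vpc_assume.json
}

# The missing piece: attach that policy to every operator role that needs it.
# aws_iam_role_policy_attachment is non-exclusive, so the ManagedOpenShift
# policies the module already attaches stay in place.
resource "aws_iam_role_policy_attachment" "shared_vpc_assume" {
  for_each   = local.shared_vpc_operator_roles
  role       = each.value
  policy_arn = aws_iam_policy.shared_vpc_assume.arn
}
```

After `terraform apply`, `aws iam list-attached-role-policies --role-name <operator role>` should list the new policy alongside the managed ones.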