- data "aws_iam_policy_document" "eks_cluster_assume_role" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["eks.amazonaws.com"]
- }
- }
- }
- resource "aws_iam_role" "cluster" {
- name = "${var.name}-eks-cluster-role"
- assume_role_policy = data.aws_iam_policy_document.eks_cluster_assume_role.json
- tags = local.common_tags
- }
- resource "aws_iam_role_policy_attachment" "cluster_policy" {
- role = aws_iam_role.cluster.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
- }
- data "aws_iam_policy_document" "eks_node_assume_role" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
- }
- resource "aws_iam_role" "node" {
- name = "${var.name}-eks-node-role"
- assume_role_policy = data.aws_iam_policy_document.eks_node_assume_role.json
- tags = local.common_tags
- }
- resource "aws_iam_role_policy_attachment" "node_worker_policy" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
- }
- resource "aws_iam_role_policy_attachment" "node_cni_policy" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
- }
- resource "aws_iam_role_policy_attachment" "node_ecr_policy" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
- }
- data "tls_certificate" "eks_oidc" {
- url = aws_eks_cluster.this.identity[0].oidc[0].issuer
- }
- resource "aws_iam_openid_connect_provider" "this" {
- client_id_list = ["sts.amazonaws.com"]
- thumbprint_list = [data.tls_certificate.eks_oidc.certificates[0].sha1_fingerprint]
- url = aws_eks_cluster.this.identity[0].oidc[0].issuer
- tags = local.common_tags
- }