Added group role assumption permissions and attached

6fd8fbb5 · Chris Merrett · 5692bf8d · 6fd8fbb5 · 6fd8fbb5
Commit 6fd8fbb5 authored Jun 22, 2018 by Chris Merrett
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

cluster.tf cluster.tf +10 -0

data.tf data.tf +8 -2

No files found.
--- a/cluster.tf
+++ b/cluster.tf
@@ -65,3 +65,13 @@ resource "aws_iam_role" "admin" {
 resource "aws_iam_group" "admin" {
  name = "${var.cluster_name}-eks-kubernetes-admin"
 }
+resource "aws_iam_policy" "admin_assumerole" {
+  name   = "${var.cluster_name}-eks-kubernetes-admin-assumerole"
+  policy = "${data.aws_iam_policy_document.admin_assumerole.json}"
+}
+resource "aws_iam_group_policy_attachment" "admin_assumerole" {
+  group      = "${aws_iam_group.admin.name}"
+  policy_arn = "${aws_iam_policy.admin_assumerole.arn}"
+}
--- a/data.tf
+++ b/data.tf
@@ -55,13 +55,19 @@ data "aws_iam_policy_document" "admin" {
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:group/${var.cluster_name}-eks-kubernetes-admin",
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Steamhaus",
      ]
    }
  }
 }
+data "aws_iam_policy_document" "admin_assumerole" {
+  statement {
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.cluster_name}-eks-kubernetes-admin"]
+  }
+}
 data "template_file" "kubeconfig" {
  template = "${file("${path.module}/templates/kubeconfig.tpl")}"