r5b9 · April 10, 2026 13:08
diff --git a/policies.tf b/policies.tf
 data "aws_iam_policy_document" "trust_policy" {
  dynamic "statement" {
    for_each = var.irsa_support ? [] : [1]
    content {
      sid = "PodIdentity"
      actions = [
        "sts:AssumeRole",
        "sts:TagSession"
      ]

      principals {
        type        = "Service"
        identifiers = ["pods.eks.amazonaws.com"]
      }
    }
  }

  dynamic "statement" {
    for_each = length(var.trusted_role_arns) > 0 ? [1] : []
    content {
      sid = "AssumeRole"
      actions = [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
      principals {
        type        = "AWS"
        identifiers = var.trusted_role_arns
      }
    }
  }

  dynamic "statement" {
    for_each = var.irsa_support ? [1] : []
    content {
      sid     = "IRSA"
      actions = ["sts:AssumeRoleWithWebIdentity"]

      principals {
        type        = "Federated"
        identifiers = [local.oidc_arn]
      }

      condition {
        test     = var.assume_role_condition_test
        variable = format("%s:sub", local.oidc_url)
        values   = ["system:serviceaccount:${var.namespace}:${var.sa_name}"]
      }

      condition {
        test     = var.assume_role_condition_test
        variable = format("%s:aud", local.oidc_url)
        values   = ["sts.amazonaws.com"]
      }
    }
  }
 }

 locals {
  oidc_url = var.irsa_support ? replace(split(",", data.aws_ssm_parameter.oidc[0].value)[0], "https://", "") : ""
  oidc_arn = var.irsa_support ? split(",", data.aws_ssm_parameter.oidc[0].value)[1] : ""
 }

 data "aws_ssm_parameter" "oidc" {
  count = var.irsa_support ? 1 : 0
  name  = "/org/oidc/id/${var.name}"
 }
	data "aws_iam_policy_document" "trust_policy" {
	dynamic "statement" {
	for_each = var.irsa_support ? [] : [1]
	content {
	sid = "PodIdentity"
	actions = [
	"sts:AssumeRole",
	"sts:TagSession"
	]

	principals {
	type = "Service"
	identifiers = ["pods.eks.amazonaws.com"]
	}
	}
	}

	dynamic "statement" {
	for_each = length(var.trusted_role_arns) > 0 ? [1] : []
	content {
	sid = "AssumeRole"
	actions = [
	"sts:AssumeRole",
	"sts:TagSession"
	]
	principals {
	type = "AWS"
	identifiers = var.trusted_role_arns
	}
	}
	}

	dynamic "statement" {
	for_each = var.irsa_support ? [1] : []
	content {
	sid = "IRSA"
	actions = ["sts:AssumeRoleWithWebIdentity"]

	principals {
	type = "Federated"
	identifiers = [local.oidc_arn]
	}

	condition {
	test = var.assume_role_condition_test
	variable = format("%s:sub", local.oidc_url)
	values = ["system:serviceaccount:${var.namespace}:${var.sa_name}"]
	}

	condition {
	test = var.assume_role_condition_test
	variable = format("%s:aud", local.oidc_url)
	values = ["sts.amazonaws.com"]
	}
	}
	}
	}

	locals {
	oidc_url = var.irsa_support ? replace(split(",", data.aws_ssm_parameter.oidc[0].value)[0], "https://", "") : ""
	oidc_arn = var.irsa_support ? split(",", data.aws_ssm_parameter.oidc[0].value)[1] : ""
	}

	data "aws_ssm_parameter" "oidc" {
	count = var.irsa_support ? 1 : 0
	name = "/org/oidc/id/${var.name}"
	}
No results found