Open clareliguori opened 1 year ago
@clareliguori I'm also interested in this feature, but in the meantime, do you know if this controller is capable of assuming a cross-account role? Another option can be to use K8s to assume a service account in the same way flux components do.
@gitbluf The controller should be able to use a cross-account IAM role with EKS service accounts, and then run one controller per account you want to deploy to.
See the first example on this page for configuring a cross-account IAM role: https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html
Instructions for using service accounts with this controller are here: https://github.com/awslabs/aws-cloudformation-controller-for-flux/blob/main/docs/install.md#option-1-short-lived-credentials-using-iam-roles-for-service-accounts-on-an-eks-cluster-recommended
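As an added example (not code from the controller or its docs), the snippet below builds the trust policy for an IAM role in the target account that the controller's EKS service account assumes via IRSA (the variant where the target account registers the cluster's OIDC provider), renders the matching annotated ServiceAccount, and lints the policy for the `sub`/`aud` conditions that pin the role to that one service account. The OIDC issuer, account ID, namespace and role/service-account names are constructed placeholders.

```python
"""Cross-account IRSA trust policy for the CFN controller's service account.
Added example; all identifiers below are constructed placeholders."""
import json

OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"  # assumed
TARGET_ACCOUNT = "222222222222"                   # account the stacks deploy into (assumed)
SA_NAMESPACE, SA_NAME = "flux-system", "cfn-controller"  # assumed names
ROLE_NAME = "cfn-controller-deploy"                # assumed role in the target account


def trust_policy(issuer: str, account: str, namespace: str, sa: str) -> dict:
    """Trust policy for a role in `account` that only the given service account
    of the cluster identified by `issuer` may assume (OIDC provider must be
    registered in `account`)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa}",
            }},
        }],
    }


def service_account_manifest(account: str, role: str, namespace: str, sa: str) -> dict:
    """ServiceAccount the controller runs as; IRSA reads the role-arn annotation."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa, "namespace": namespace, "annotations": {
                "eks.amazonaws.com/role-arn": f"arn:aws:iam::{account}:role/{role}"}}}


def trust_policy_findings(policy: dict, issuer: str) -> list:
    """Problems that would let pods other than the intended service account
    assume the role: missing or wildcard `sub`, missing `aud`."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        eq_sub = cond.get("StringEquals", {}).get(f"{issuer}:sub")
        like_sub = cond.get("StringLike", {}).get(f"{issuer}:sub")
        if eq_sub is None and like_sub is None:
            findings.append("no sub condition: any pod in the cluster can assume the role")
        elif like_sub is not None and "*" in like_sub:
            findings.append(f"wildcard sub condition: {like_sub}")
        if cond.get("StringEquals", {}).get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = trust_policy(OIDC_ISSUER, TARGET_ACCOUNT, SA_NAMESPACE, SA_NAME)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, OIDC_ISSUER))  # []
```

Run one controller per target account, each with its own ServiceAccount and role pair, as the reply above describes.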
The CFN controller currently supports deploying stacks to only a single account, using the AWS credentials found in the controller's environment. Potentially we could follow the ACK method of mapping AWS accounts to roles in a ConfigMap. I'm not sure whether we should follow the ACK example of binding accounts to namespaces (so all stacks in a namespace will be deployed to the same account) or if each CloudFormationStack object should be annotated with the account ID it belongs in.
https://aws-controllers-k8s.github.io/community/docs/user-docs/cross-account-resource-management/