terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
787 stars 996 forks

Question/Features - Use iam-role-for-service-accounts-eks for individual cluster #431

Closed mwoodson-cb closed 11 months ago

mwoodson-cb commented 11 months ago

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

NO

Is your request related to a problem? Please describe.

Apologies if I have a misunderstanding on how to use the module iam-role-for-service-accounts-eks.

Is there a way to have each role and policy in this module be created scoped to a particular cluster?

For example, it seems that if I create a role like this:

module "vpc_cni_irsa_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "vpc-cni"

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }
}

I then have to update this resource with a new addition to the oidc_providers every time I create a new EKS cluster, and of course remove this entry when the cluster is removed.

We tend to keep a tf directory for each EKS cluster. I believe that the example above, and this line:

provider_arn = module.eks.oidc_provider_arn

would make it difficult to use with multiple clusters/EKS OIDC providers.

Describe the solution you'd like.

I would prefer to create this role and policy for each cluster that is created. This would benefit us in a few ways:

I would prefer that each instance of the role created

It would be great if I could create the role and policy with the -${cluster-name} appended.

Describe alternatives you've considered.

Maintaining my own roles and policies for each item, as to keep them separate.

Again, if this is already there, I can happily close this.

Additional context

mwoodson-cb commented 11 months ago

We can probably close this. I think I figured it out. I needed to update the role_name like this:

module "vpc_cni_irsa_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "vpc-cni-${module.eks.cluster_name}"

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }
}
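As an added example (not code from this issue or from the module's own documentation), the same per-cluster scoping can be driven from a map instead of a single `module.eks` reference, so adding or removing a cluster is a map edit rather than a change to a shared role. The `clusters` variable, its keys, the sample OIDC provider ARNs and the `Cluster` tag are assumptions for illustration; the module source and inputs are the ones used in the issue.

```hcl
# Added example, not from the issue or the module docs.
# Assumption: a `clusters` map keyed by cluster name, each entry carrying
# that cluster's OIDC provider ARN (in practice wired from each cluster's
# EKS module output or remote state).
variable "clusters" {
  description = "EKS clusters that each get their own vpc-cni IRSA role"
  type = map(object({
    oidc_provider_arn = string
  }))
  # Constructed sample values; real ARNs come from the EKS module/remote state.
  default = {
    prod-use1  = { oidc_provider_arn = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEPROD0000000000000000000001" }
    stage-use1 = { oidc_provider_arn = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLESTAGE000000000000000000001" }
  }
}

module "vpc_cni_irsa_role" {
  source   = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  for_each = var.clusters

  # One role per cluster; the map key becomes the suffix, e.g. vpc-cni-prod-use1.
  role_name = "vpc-cni-${each.key}"

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  # Exactly one OIDC provider per role. The generated trust policy's Federated
  # principal and its sub/aud conditions therefore bind this role to this
  # cluster only: a service-account token issued by another cluster's OIDC
  # provider cannot assume it, unlike a shared role listing several providers.
  oidc_providers = {
    main = {
      provider_arn               = each.value.oidc_provider_arn
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }

  tags = {
    Cluster = each.key
  }
}

# Role ARN per cluster, to put in the eks.amazonaws.com/role-arn annotation
# on the matching service accounts.
output "vpc_cni_role_arns" {
  value = { for name, m in module.vpc_cni_irsa_role : name => m.iam_role_arn }
}
```

Removing a cluster is then a matter of deleting its key from the map; the next apply destroys only that cluster's role and policy attachment. To confirm the scoping after apply, inspect the trust policy of one role (for example `aws iam get-role --role-name vpc-cni-prod-use1 --query Role.AssumeRolePolicyDocument`) and check that the Federated principal is the single OIDC provider ARN for that cluster and that the StringEquals condition lists only the intended `namespace:serviceaccount` subjects.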

github-actions[bot] commented 10 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.