Allow for multiple policy arns with IamServiceAccount resource
MMartyn opened this issue · 2 comments
I would like to attach multiple policy arns to a service account role which it looks like eksctl allows (https://eksctl.io/usage/iamserviceaccounts/#__code_1). I see two ways of handling and I would like to get your opinion on which you would prefer.
- Switch attach_policy_arn -> attach_policy_arns and drop attach_policy_arn. Not sure if you are terribly concerned with breaking changes at the moment as the project is so new.
- Add attach_policy_arns as another field and then use both of those for setting up the command to run eksctl with. Unclear if there are built in ways of enforcing at least one of them is given in terraform.
Thanks.
@MMartyn That should just work with a resource definition like the below:
resource "eksctl_cluster" "mycluster" {
  name        = "gitops1"
  region      = "us-east-2"
  api_version = "eksctl.io/v1alpha5"
  version     = "1.16"
  spec = <<EOS
nodeGroups:
  - name: ng1
    instanceType: m5.large
    desiredCapacity: 1
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: s3-reader
      attachPolicyARNs:
        - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
EOS
}
You can just write a snippet of eksctl cluster.yaml in spec so that it gets merged into the one generated by the provider. And you can use attachPolicyARNs to attach multiple policies in cluster.yaml.
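To make the merge described above concrete, here is an added example (not the provider's own code) that models merging a user-supplied spec fragment into a provider-generated cluster config and then checks that every IAM service account ends up with at least one policy ARN. Inputs are plain dicts standing in for already-parsed YAML, the merge rules (dicts merged recursively, lists and scalars replaced) are an assumption about the provider's behaviour, and the sample values are constructed.

```python
"""Merge an eksctl cluster.yaml fragment into a generated base and validate it.

Added example, not the provider's code. The merge semantics below are an
assumption; the provider may merge differently. Inputs are dicts representing
parsed YAML so the example runs without a YAML library.
"""
from copy import deepcopy

# Constructed sample: what a provider might generate from the HCL attributes.
GENERATED_BASE = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "gitops1", "region": "us-east-2", "version": "1.16"},
}

# Constructed sample: the user's `spec` fragment with several policy ARNs.
# The second ARN uses the AWS documentation account id as a placeholder.
USER_SPEC = {
    "nodeGroups": [{"name": "ng1", "instanceType": "m5.large", "desiredCapacity": 1}],
    "iam": {
        "withOIDC": True,
        "serviceAccounts": [
            {
                "metadata": {"name": "s3-reader", "namespace": "default"},
                "attachPolicyARNs": [
                    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                    "arn:aws:iam::123456789012:policy/example-kms-decrypt",
                ],
            },
        ],
    },
}


def deep_merge(base, overlay):
    """Return a copy of base with overlay merged in; nested dicts merge,
    lists and scalars in overlay replace those in base (assumed semantics)."""
    result = deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def service_account_policies(config):
    """Map each IAM service account name to its ARNs; fail if any has none,
    so a role is never created without an explicit policy attached."""
    out = {}
    for sa in config.get("iam", {}).get("serviceAccounts", []):
        name = sa["metadata"]["name"]
        arns = sa.get("attachPolicyARNs") or []
        if not arns:
            raise ValueError(f"serviceAccount {name!r} has no attachPolicyARNs")
        out[name] = list(arns)
    return out
```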
I was trying to utilize the resource for iam service accounts from the provider as I have a separate terraform module that will be adding service accounts outside of cluster creation.
I suppose I could just move it around and use the spec though if that is best.