updates IAM role access
BWMac committed Nov 13, 2024
1 parent 7121fdc commit ac90e5b
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions deployments/stacks/dpe-k8s-deployments/main.tf
Expand Up @@ -160,6 +160,7 @@ module "clickhouse_backup_bucket" {

resource "aws_iam_policy" "clickhouse_backup_policy" {
name = "clickhouse-backup-access-policy"
description = "Policy to access the clickhouse backup bucket"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
Expand All @@ -180,8 +181,9 @@ resource "aws_iam_policy" "clickhouse_backup_policy" {
})
}

resource "aws_iam_role" "clickhouse_backup_access" {
resource "aws_iam_role" "clickhouse_backup_access_role" {
name = "clickhouse-backup-access-role"
description = "Assumed role to access the clickhouse backup policy"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Expand All @@ -190,7 +192,12 @@ resource "aws_iam_role" "clickhouse_backup_access" {
Action = "sts:AssumeRoleWithWebIdentity"
Effect = "Allow"
Principal = {
Service = ["ec2.amazonaws.com", "eks.amazonaws.com"]
Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/oidc.eks.${var.region}.amazonaws.com/id/${var.cluster_name}"
}
Condition = {
StringEquals = {
"oidc.eks.${var.region}.amazonaws.com/id/${var.cluster_name}:aud" = "sts.amazonaws.com"
}
}
}
]
Expand All @@ -199,6 +206,6 @@ resource "aws_iam_role" "clickhouse_backup_access" {


resource "aws_iam_role_policy_attachment" "clickhouse_backup_policy_attachment" {
role = aws_iam_role.clickhouse_backup_access.name
role = aws_iam_role.clickhouse_backup_access_role.name
policy_arn = aws_iam_policy.clickhouse_backup_policy.arn
}
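Review bot: The `Condition` block in the new `assume_role_policy` restricts the federated principal only by `:aud`, so any pod in the cluster that can obtain a projected service-account token for audience `sts.amazonaws.com` may assume this role, not just the backup workload. Add a subject condition next to the audience one, e.g. `"oidc.eks.${var.region}.amazonaws.com/id/${var.cluster_name}:sub" = "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>"` (placeholder, to be filled in from the deployment that runs the backup). Separately, an EKS OIDC provider path ends in the cluster's issuer id rather than its name, so `${var.cluster_name}` in the `Federated` ARN and in the condition keys is only correct if that variable actually carries the issuer id — worth confirming. The rename from `aws_iam_role.clickhouse_backup_access` to `aws_iam_role.clickhouse_backup_access_role` will also plan as a destroy-and-create of the role (and its attachment) unless a `moved` block is added, assuming the Terraform version in use supports it.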
