enha: added ServiceAccount creation for each IAM role with Kubernetes…

… provider

main.tf

@@ -169,7 +169,7 @@ resource "aws_iam_openid_connect_provider" "main" {
 
 # creating the IAM roles
 data "aws_iam_policy_document" "main" {
-  count = length(var.pod_roles)
+  count = length(var.service_accounts)
 
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -178,7 +178,7 @@ data "aws_iam_policy_document" "main" {
     condition {
       test     = "StringEquals"
       variable = "${replace(aws_iam_openid_connect_provider.main.url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:${var.pod_roles[count.index]["service_account"]}"]
+      values   = ["system:serviceaccount:${var.service_accounts[count.index]["name_space"]}:${var.service_accounts[count.index]["service_account"]}"]
     }
 
     principals {
@@ -189,14 +189,14 @@ data "aws_iam_policy_document" "main" {
 }
 
 resource "aws_iam_role" "main" {
-  count              = length(var.pod_roles)
+  count              = length(var.service_accounts)
   assume_role_policy = data.aws_iam_policy_document.main[count.index].json
-  name               = var.pod_roles[count.index]["identifier"]
+  name               = var.service_accounts[count.index]["iam_role_name"]
 }
 
-# map each policy to it's role from hierarchical objects
+# map each policy to it's role from tree like objects
 locals {
-  policy_mapping = flatten([for i, v in var.pod_roles : [for w in v["policies"] : {
+  policy_mapping = flatten([for i, v in var.service_accounts : [for w in v["policies"] : {
     role       = aws_iam_role.main[i].name,
     policy_arn = w
   }]])
@@ -207,3 +207,28 @@ resource "aws_iam_role_policy_attachment" "main" {
   role       = local.policy_mapping[count.index]["role"]
   policy_arn = local.policy_mapping[count.index]["policy_arn"]
 }
+
+# Kubernetes provider to create ServiceAccounts inside the EKS cluster
+provider "kubernetes" {
+  host                   = aws_eks_cluster.main.endpoint
+  cluster_ca_certificate = base64decode(aws_eks_cluster.main.certificate_authority[0].data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", var.identifier]
+    command     = "aws"
+  }
+}
+
+# create a ServiceAccount inside Kubernetes mapped to an IAM role for each role
+resource "kubernetes_service_account" "main" {
+  count = length(var.service_accounts)
+
+  metadata {
+    name      = var.service_accounts[count.index]["service_account"]
+    namespace = var.service_accounts[count.index]["name_space"]
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.main[count.index].arn
+    }
+  }
+}

variables.tf

@@ -10,7 +10,7 @@ variable "identifier" {
 variable "kubernetes_version" {
   description = "The Kubernetes version the cluster runs on."
   type        = string
-  default     = "1.29"
+  default     = null
 }
 
 variable "subnets" {
@@ -66,12 +66,13 @@ variable "max_size" {
   default     = 1
 }
 
-variable "pod_roles" {
-  description = "A list of objects which define IAM roles which can be assumed by pods via ServiceAccounts."
+variable "service_accounts" {
+  description = "A list of objects to create IAM roles which are automatically mapped to ServiceAccounts inside Kubernetes."
   type = list(object({
-    identifier      = string
-    policies        = list(string)
+    name_space      = string
     service_account = string
+    iam_role_name   = string
+    policies        = list(string)
   }))
   default = []
 }

versions.tf

@@ -10,5 +10,9 @@ terraform {
       source  = "hashicorp/tls"
       version = ">= 2.2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.27.0"
+    }
   }
 }