From cc6a35aaa04503e35a3555ed5d188149084bde02 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 13:46:10 +0200
Subject: [PATCH] make IAM roles trust the production EKS Service Principal

---
 .../pod_identity_associations_test.go | 7 ++++---
 pkg/apis/eksctl.io/v1alpha5/iam.go | 1 +
 pkg/cfn/template/iam_helpers.go | 7 +++++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/integration/tests/pod_identity_associations/pod_identity_associations_test.go b/integration/tests/pod_identity_associations/pod_identity_associations_test.go
index bbc411266b0..7d230e473fd 100644
--- a/integration/tests/pod_identity_associations/pod_identity_associations_test.go
+++ b/integration/tests/pod_identity_associations/pod_identity_associations_test.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -420,14 +421,14 @@ var (
 		return cfg
 	}
 
-	trustPolicy = aws.String(`{
+	trustPolicy = aws.String(fmt.Sprintf(`{
 	"Version": "2012-10-17",
 	"Statement": [
 		{
 			"Effect": "Allow",
 			"Principal": {
 				"Service": [
-					"beta.pods.eks.aws.internal"
+					"%s"
 				]
 			},
 			"Action": [
@@ -436,7 +437,7 @@ var (
 			]
 		}
 	]
-	}`)
+	}`, api.EKSServicePrincipal))
 
 	permissionPolicy = api.InlineDocument{
 		"Version": "2012-10-17",
diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
index 12a7aefc92e..af81ab3382f 100644
--- a/pkg/apis/eksctl.io/v1alpha5/iam.go
+++ b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -10,6 +10,7 @@ import (
 // Commonly-used constants
 const (
 	AnnotationEKSRoleARN = "eks.amazonaws.com/role-arn"
+	EKSServicePrincipal  = "pods.eks.amazonaws.com"
 )
 
 // ClusterIAM holds all IAM attributes of a cluster
diff --git a/pkg/cfn/template/iam_helpers.go b/pkg/cfn/template/iam_helpers.go
index 220cdd76bbb..1d5070edf5e 100644
--- a/pkg/cfn/template/iam_helpers.go
+++ b/pkg/cfn/template/iam_helpers.go
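Review bot: The new exported constant `EKSServicePrincipal` in iam.go has no doc comment of its own; the group comment `// Commonly-used constants` above it says nothing about where the value is used or why it replaced the previous one, and this is the string every Pod Identity role's trust policy now depends on. I'd add, on the line above it, `// EKSServicePrincipal is the service principal that EKS Pod Identity assumes IAM roles through; roles still trusting the earlier beta.pods.eks.aws.internal principal need their trust policy updated to this value.` The second half is inferred from the lines removed in the other two files, so reword it if existing stacks are handled elsewhere.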
@@ -1,6 +1,9 @@
 package template
 
-import gfn "github.com/weaveworks/goformation/v4/cloudformation/types"
+import (
+	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	gfn "github.com/weaveworks/goformation/v4/cloudformation/types"
+)
 
 // AttachPolicy attaches the specified policy document
 func (t *Template) AttachPolicy(name string, refRole *Value, policyDoc MapOfInterfaces) {
@@ -63,7 +66,7 @@ func MakeAssumeRolePolicyDocumentForPodIdentity() MapOfInterfaces {
 			"sts:TagSession",
 		},
 		"Principal": map[string]string{
-			"Service": "beta.pods.eks.aws.internal",
+			"Service": api.EKSServicePrincipal,
 		},
 	})
 }
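Review bot: The trust statement in the second hunk now names the production `pods.eks.amazonaws.com` principal with no `Condition` element, so nothing in the document itself ties the role to the account or cluster eksctl created it for; if the EKS Pod Identity documentation supports scoping this trust (for example a source-account or session-tag condition), it is worth considering here, and if it does not, a one-line comment saying so would stop the next reader from re-raising it. The body of `MakeAssumeRolePolicyDocumentForPodIdentity` starts outside the hunk, so I cannot see whether the `Action` list above `"sts:TagSession"` adds anything beyond `sts:AssumeRole`. Separately, the first hunk makes `pkg/cfn/template` import the whole `v1alpha5` API package for a single string; should `v1alpha5` ever need `template`, that is an import cycle, so a leaf package or a locally mirrored constant may be preferable — I cannot see the rest of the import graph, so treat this as a question rather than a defect.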