From 71b8ecaa87db89c454b2c9446ff3d7675e4dc5a7 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Sat, 17 Dec 2022 07:32:04 -0500
Subject: [PATCH] fix: Use IAM session context data source to resolve the identities role when using `assumed_role` (#2347)

---
 README.md | 1 +
 main.tf | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 234a4b2aff..423546a973 100644
--- a/README.md
+++ b/README.md
@@ -270,6 +270,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cni_ipv6_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [tls_certificate.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
diff --git a/main.tf b/main.tf
index 7566db516f..e94231e569 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,14 @@
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
+data "aws_iam_session_context" "current" {
+  # This data source provides information on the IAM source role of an STS assumed role
+  # For non-role ARNs, this data source simply passes the ARN through issuer ARN
+  # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
+  # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381
+  arn = data.aws_caller_identity.current.arn
+}
+
 locals {
   create = var.create && var.putin_khuylo
@@ -122,7 +130,7 @@ module "kms" {
   # Policy
   enable_default_policy = var.kms_key_enable_default_policy
   key_owners = var.kms_key_owners
-  key_administrators = coalescelist(var.kms_key_administrators, [data.aws_caller_identity.current.arn])
+  key_administrators = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current.issuer_arn])
   key_users = concat([local.cluster_role], var.kms_key_users)
   key_service_users = var.kms_key_service_users
   source_policy_documents = var.kms_key_source_policy_documents
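Review bot: The new `aws_iam_session_context` data source resolves an assumed-role session to the role that issued it, so when `var.kms_key_administrators` is empty the default administrator written by the second hunk (`@@ -122,7 +130,7 @@`) is now the entire role rather than the caller's session ARN, and every principal permitted to assume that role becomes an administrator of the cluster's KMS key. That widening is presumably intended, but nothing in the patch states it; I would add to the comment block `# When kms_key_administrators is empty, the issuer role (not the STS session) becomes the default KMS key administrator`. The comment `# For non-role ARNs, this data source simply passes the ARN through issuer ARN` reads awkwardly; `# For non-role ARNs (e.g. an IAM user), the ARN is passed through unchanged as issuer_arn` is clearer. Introducing this data source also raises the minimum AWS provider version the module needs, and the provider version constraint is not part of this patch, so confirm it has been bumped to match.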
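Review bot: The changed `key_administrators` line gives no hint why the session-context issuer replaces the caller identity, and a reader of `module "kms"` will not see the explanation that lives on the data source at the top of the file. A one-line comment above it would carry the intent locally: `# Default to the role behind the current session (see data.aws_iam_session_context.current), not the STS session ARN`. The enclosing `module "kms"` block starts and ends outside the hunk.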