#
# iam account roles
#
# classic
module "account_roles_classic" {
  # Account-wide IAM roles for a ROSA Classic cluster. Instantiated only when
  # the cluster is NOT a hosted control plane; account_roles_hcp covers the
  # other case, so exactly one of the two modules exists per deployment.
  count = var.hosted_control_plane ? 0 : 1

  # Registry module pinned to an exact version so upgrades are an explicit,
  # reviewable change rather than an implicit drift of IAM policy content.
  source  = "terraform-redhat/rosa-classic/rhcs//modules/account-iam-resources"
  version = "1.6.4"

  # The cluster name is used as the role-name prefix; the sts_roles locals in
  # this file reconstruct the resulting role ARNs from that same prefix.
  account_role_prefix = var.cluster_name
  openshift_version   = local.classic_version
  tags                = var.tags
}
# hosted control plane
module "account_roles_hcp" {
  # Account-wide IAM roles for a ROSA hosted-control-plane cluster; the
  # mirror image of account_roles_classic, selected by the same flag.
  count = var.hosted_control_plane ? 1 : 0

  # Exact version pin on the registry module (see account_roles_classic).
  source  = "terraform-redhat/rosa-hcp/rhcs//modules/account-iam-resources"
  version = "1.6.4"

  # Cluster name doubles as the role-name prefix; no openshift_version input
  # is passed here, unlike the classic variant.
  account_role_prefix = var.cluster_name
  tags                = var.tags
}
#
# iam operator roles and oidc provider
#
# classic
module "oidc_config_and_provider_classic" {
  # OIDC configuration plus the AWS IAM OIDC identity provider that the
  # cluster's operator roles trust (ROSA Classic only).
  count = var.hosted_control_plane ? 0 : 1

  source  = "terraform-redhat/rosa-classic/rhcs//modules/oidc-config-and-provider"
  version = "1.6.4"

  # NOTE(review): `managed = true` is the module's own input; it presumably
  # selects a Red Hat-managed OIDC configuration rather than one hosted in a
  # customer-owned bucket — confirm against the module documentation before
  # changing it, since the trust relationship of every operator role
  # depends on this issuer.
  managed = true
  tags    = var.tags
}
module "operator_policies_classic" {
  # IAM policies attached to the cluster operator roles (ROSA Classic only).
  # These are the permission boundaries the in-cluster operators run with,
  # so the version pin below is what fixes their privilege scope.
  count = var.hosted_control_plane ? 0 : 1

  source  = "terraform-redhat/rosa-classic/rhcs//modules/operator-policies"
  version = "1.6.4"

  account_role_prefix = var.cluster_name
  openshift_version   = local.classic_version
  tags                = var.tags
}
module "operator_roles_classic" {
  # Operator roles for a ROSA Classic cluster, bound to the OIDC provider
  # created by oidc_config_and_provider_classic.
  count = var.hosted_control_plane ? 0 : 1

  source  = "terraform-redhat/rosa-classic/rhcs//modules/operator-roles"
  version = "1.6.4"

  operator_role_prefix = var.cluster_name

  # Both inputs come from sibling module outputs rather than being retyped
  # here; that keeps the role prefix and the trusted OIDC issuer in lockstep
  # with what was actually created. The [0] index is required because the
  # siblings are declared with count.
  account_role_prefix = module.operator_policies_classic[0].account_role_prefix
  oidc_endpoint_url   = module.oidc_config_and_provider_classic[0].oidc_endpoint_url

  tags = var.tags
}
# hosted control plane
module "oidc_config_and_provider_hcp" {
  # OIDC configuration and IAM OIDC identity provider for a hosted-control-
  # plane cluster; counterpart of oidc_config_and_provider_classic.
  count = var.hosted_control_plane ? 1 : 0

  source  = "terraform-redhat/rosa-hcp/rhcs//modules/oidc-config-and-provider"
  version = "1.6.4"

  # NOTE(review): same `managed = true` choice as the classic variant —
  # presumably a Red Hat-managed OIDC config; confirm against the module docs.
  managed = true
  tags    = var.tags
}
module "operator_roles_hcp" {
  # Operator roles for a hosted-control-plane cluster, trusting the OIDC
  # provider created by oidc_config_and_provider_hcp.
  count = var.hosted_control_plane ? 1 : 0

  source  = "terraform-redhat/rosa-hcp/rhcs//modules/operator-roles"
  version = "1.6.4"

  operator_role_prefix = var.cluster_name

  # Issuer URL is taken from the sibling module's output so the roles' trust
  # policy always points at the provider that was really created.
  oidc_endpoint_url = module.oidc_config_and_provider_hcp[0].oidc_endpoint_url

  tags = var.tags
}
#
# sts role block
# NOTE: this is the sts role block that is passed into the cluster creation process
#
locals {
  # Common ARN prefix for every cluster role: the caller's account plus the
  # cluster name, which is also the prefix handed to the account-role modules
  # above. NOTE(review): the partition is hard-coded as "aws"; a GovCloud or
  # China deployment would need data.aws_partition instead — confirm whether
  # those partitions are in scope for this module.
  role_prefix = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.cluster_name}"

  # Account roles. HCP role names carry an extra "HCP-ROSA-" infix; the ARNs
  # are assembled by naming convention rather than read from the module
  # outputs, so any rename inside the upstream modules would only surface
  # when the cluster resource tries to use them.
  installer_role_arn = "${local.role_prefix}-${var.hosted_control_plane ? "HCP-ROSA-" : ""}Installer-Role"
  support_role_arn   = "${local.role_prefix}-${var.hosted_control_plane ? "HCP-ROSA-" : ""}Support-Role"

  # Instance roles. No control-plane role is passed for HCP (null), presumably
  # because those nodes do not live in the customer account — verify against
  # the cluster resource's expectations.
  master_role_arn = var.hosted_control_plane ? null : "${local.role_prefix}-ControlPlane-Role"
  worker_role_arn = "${local.role_prefix}-${var.hosted_control_plane ? "HCP-ROSA-" : ""}Worker-Role"

  # OIDC details, picked from whichever provider module was instantiated.
  oidc_config_id = (
    var.hosted_control_plane
    ? module.oidc_config_and_provider_hcp[0].oidc_config_id
    : module.oidc_config_and_provider_classic[0].oidc_config_id
  )
  oidc_endpoint_url = (
    var.hosted_control_plane
    ? module.oidc_config_and_provider_hcp[0].oidc_endpoint_url
    : module.oidc_config_and_provider_classic[0].oidc_endpoint_url
  )

  # STS role bundle consumed by cluster creation: these are the identities
  # the cluster installer, support access and node groups will assume.
  sts_roles = {
    role_arn         = local.installer_role_arn
    support_role_arn = local.support_role_arn
    instance_iam_roles = {
      master_role_arn = local.master_role_arn
      worker_role_arn = local.worker_role_arn
    }
    operator_role_prefix = var.cluster_name
    oidc_config_id       = local.oidc_config_id
    oidc_endpoint_url    = local.oidc_endpoint_url
  }
}