This Terraform sub-module manages the IAM roles used by operators within the cluster for their necessary actions in the AWS account.
The following permissions are included in this sub-module:
- ROSA Ingress Operator IAM role.
- ROSA back-end storage IAM role.
- ROSA Machine Config Operator role.
- ROSA Cloud Credential Operator role.
- ROSA Image Registry Operator role.
For more information, see the operator-policies sub-module description and About IAM resources for ROSA clusters that use STS in the ROSA documentation.
```hcl
module "operator_policies" {
  source              = "terraform-redhat/rosa-classic/rhcs//modules/operator-policies"
  account_role_prefix = "my-cluster-account"
  openshift_version   = "4.14.24"
}

module "operator_roles" {
  source               = "terraform-redhat/rosa-classic/rhcs//modules/operator-roles"
  operator_role_prefix = "my-cluster-operator"
  account_role_prefix  = "my-cluster-account"
  oidc_endpoint_url    = "my-url"
}
```
## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.0 |
| rhcs | >= 1.6.2 |
| time | >= 0.9 |
## Providers

| Name | Version |
|------|---------|
| aws | >= 4.0 |
| rhcs | >= 1.6.2 |
| time | >= 0.9 |
## Modules

No modules.
## Resources

| Name | Type |
|------|------|
| aws_iam_role.operator_role | resource |
| aws_iam_role_policy_attachment.operator_role_policy_attachment | resource |
| time_sleep.role_resources_propagation | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.custom_trust_policy | data source |
| aws_partition.current | data source |
| rhcs_rosa_operator_roles.operator_roles | data source |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_role_prefix | User-defined prefix for all generated AWS resources. | string | n/a | yes |
| oidc_endpoint_url | Registered OIDC configuration issuer URL, added as the trusted relationship to the operator roles. | string | n/a | yes |
| operator_role_prefix | User-defined prefix for generated AWS operator policies. If no value is provided, the value of `account_role_prefix` is used. | string | `null` | no |
| path | The ARN path for the account/operator roles as well as their policies. Must use the same path used for `account_iam_roles`. | string | `"/"` | no |
| permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | string | `""` | no |
| tags | Map of AWS resource tags to apply. | map(string) | `null` | no |
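The `oidc_endpoint_url` input becomes the trusted relationship that `aws_iam_policy_document.custom_trust_policy` builds for each operator role. As an added check that is not part of this module, the Python below inspects a retrieved trust policy against that issuer: the Federated principal must be the IAM OIDC provider derived from the issuer URL, and the `sts:AssumeRoleWithWebIdentity` statement must carry a `StringEquals` condition on the issuer's `:sub` claim. It assumes the standard web-identity trust policy shape; the account id, issuer and service account in the sample are constructed placeholders.

```python
import json


def oidc_provider_arn(account_id: str, oidc_endpoint_url: str, partition: str = "aws") -> str:
    """Derive the IAM OIDC provider ARN from the issuer URL (scheme and trailing slash stripped)."""
    host_path = oidc_endpoint_url.removeprefix("https://").rstrip("/")
    return f"arn:{partition}:iam::{account_id}:oidc-provider/{host_path}"


def trust_policy_findings(policy_json: str, account_id: str, oidc_endpoint_url: str) -> list[str]:
    """Return problems found in an operator role's trust policy; [] means it is as expected."""
    findings = []
    expected_arn = oidc_provider_arn(account_id, oidc_endpoint_url)
    sub_key = expected_arn.split("oidc-provider/", 1)[1] + ":sub"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"Allow statement grants unexpected action(s): {actions}")
            continue
        federated = stmt.get("Principal", {}).get("Federated")
        if federated != expected_arn:
            # A provider other than the cluster's OIDC config would be able to issue tokens for this role.
            findings.append(f"Federated principal {federated!r} is not {expected_arn!r}")
        if sub_key not in stmt.get("Condition", {}).get("StringEquals", {}):
            # Without a :sub condition, any service account token from the issuer could assume the role.
            findings.append(f"missing StringEquals condition on {sub_key}")
    return findings

# Constructed sample trust policy (not module output); account id, issuer and subject are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.example.test/abc123"},
        "Condition": {"StringEquals": {
            "oidc.example.test/abc123:sub": ["system:serviceaccount:example-namespace:example-sa"]}},
    }],
})
_no_sub = json.loads(SAMPLE_TRUST_POLICY)
del _no_sub["Statement"][0]["Condition"]
SAMPLE_TRUST_POLICY_NO_SUB = json.dumps(_no_sub)  # same policy with the :sub condition removed

if __name__ == "__main__":
    print(trust_policy_findings(SAMPLE_TRUST_POLICY, "111122223333", "https://oidc.example.test/abc123"))
    print(trust_policy_findings(SAMPLE_TRUST_POLICY_NO_SUB, "111122223333", "https://oidc.example.test/abc123"))
```

In practice, feed it the `AssumeRolePolicyDocument` that `aws iam get-role` returns for each ARN in the `operator_roles_arn` output, with the same `oidc_endpoint_url` passed to the module.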
## Outputs

| Name | Description |
|------|-------------|
| operator_role_prefix | Prefix used for generated AWS operator policies. |
| operator_roles_arn | List of Amazon Resource Names (ARNs) for all operator roles created. |