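# Route53 permissions for cert-manager's DNS-01 solver. The policy is attached to the
# IRSA role below, so only the cert-manager service account can use it.
#
# Least-privilege notes:
#   * GetChange is scoped to change-set ARNs rather than "*".
#   * ChangeResourceRecordSets is limited to TXT records, which is all the
#     DNS-01 challenge needs; the same role can then not rewrite A/CNAME/MX/NS
#     records if the pod is compromised.
#   * The hosted-zone resource is still a wildcard. Replace it with the explicit
#     "arn:aws:route53:::hostedzone/<ZONE_ID>" entries cert-manager manages so a
#     compromised pod cannot touch unrelated zones in the account.
resource "aws_iam_policy" "eks-role-policy-cert-manager" {
  name = "cert-manager-role-policy"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # Poll the status of a submitted record change.
        Effect   = "Allow",
        Action   = ["route53:GetChange"],
        Resource = "arn:aws:route53:::change/*"
      },
      {
        # Create/delete the _acme-challenge TXT records and read them back.
        Effect = "Allow",
        Action = [
          "route53:ChangeResourceRecordSets",
          "route53:ListResourceRecordSets"
        ],
        Resource = "arn:aws:route53:::hostedzone/*" # TODO: narrow to the managed zone ID(s)
        Condition = {
          # Only TXT record changes are allowed; DNS-01 needs nothing else.
          "ForAllValues:StringEquals" = {
            "route53:ChangeResourceRecordSetsRecordTypes" = ["TXT"]
          }
        }
      },
      {
        # Needed to resolve a domain name to its hosted zone; this API is not
        # resource-scoped, so "*" is required here.
        Effect   = "Allow",
        Action   = ["route53:ListHostedZonesByName"],
        Resource = "*"
      }
    ]
  })
}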
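# IAM role for cert-manager, assumed through IRSA (IAM Roles for Service Accounts).
# Only a projected service-account token for cert-manager/cert-manager issued by this
# cluster's OIDC provider can obtain credentials for it.
resource "aws_iam_role" "cert-manager" {
  name = "cert-manager-prod"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Federated = module.eks.oidc_provider_arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Pin the subject to exactly one service account (namespace:name).
            "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:sub" = "system:serviceaccount:cert-manager:cert-manager"
            # Also require the STS audience. AWS's IRSA guidance recommends
            # checking both sub and aud; the aud check is defence in depth
            # alongside the client-ID list on the OIDC provider and rejects
            # tokens the cluster minted for other audiences (e.g. the
            # default in-cluster API-server token, which carries the same sub).
            "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" = "sts.amazonaws.com"
          }
        }
      }
    ]
  })
  tags = {
    Name = "cert-manager-prod"
  }
}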
# Bind the Route53 policy above to the cert-manager IRSA role.
resource "aws_iam_role_policy_attachment" "cert-manager-policy-attachment" {
  role       = aws_iam_role.cert-manager.name
  policy_arn = aws_iam_policy.eks-role-policy-cert-manager.arn
}
######
# Allow the EKS worker-node instance role to call sts:AssumeRole on the cert-manager role.
# NOTE: as written this is ineffective (the cert-manager role's trust policy above trusts
# only the cluster OIDC provider via AssumeRoleWithWebIdentity), and making it effective
# would let every pod on the node reach the role through instance credentials, bypassing
# the per-service-account IRSA boundary. With IRSA in place this section should be dropped.
# Grants sts:AssumeRole on the cert-manager role to whatever it is attached to
# (below: the worker-node role).
#
# NOTE(review): the cert-manager role's trust policy only allows the cluster OIDC
# provider with sts:AssumeRoleWithWebIdentity, so this permission cannot currently
# be exercised. If the trust policy were widened to include the worker-node role,
# every pod scheduled on a worker could assume cert-manager's Route53 permissions
# via the instance metadata credentials, defeating the IRSA least-privilege model.
# Prefer removing this policy rather than "fixing" the trust relationship.
resource "aws_iam_policy" "assume-cert-manager" {
name = "worker-role-assume-policy-cert-manager"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"sts:AssumeRole",
],
# Scoped to the single cert-manager role ARN.
Resource = aws_iam_role.cert-manager.arn
}
]
})
}
# Attaches the assume-role policy to the shared EKS worker-node IAM role.
#
# NOTE(review): node-role permissions are reachable by every pod on the node
# (via IMDS) unless IMDS access is blocked per pod. Since cert-manager already
# gets its credentials through IRSA, this attachment adds no capability today
# and is a foot-gun if the cert-manager trust policy is ever widened; consider
# removing it.
resource "aws_iam_role_policy_attachment" "worker-node-cert-manager-assumerole" {
policy_arn = aws_iam_policy.assume-cert-manager.arn
role = module.eks.worker_iam_role_name
}