@haarchri
Created March 9, 2022 15:56
```yaml
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: eks.aws.example.com
  labels:
    provider: aws
spec:
  writeConnectionSecretsToNamespace: crossplane-system
  compositeTypeRef:
    apiVersion: aws.example.com/v1alpha1
    kind: EKS
  resources:
    [...]
    - name: EKS-Cluster
      base:
        apiVersion: eks.aws.crossplane.io/v1beta1
        kind: Cluster
        spec:
          forProvider:
            roleArnSelector:
              matchControllerRef: true
              matchLabels:
                role: controlplane
            resourcesVpcConfig:
              subnetIdSelector:
                matchLabels:
                  access: public
              endpointPrivateAccess: true
              endpointPublicAccess: false
      patches:
        [...]
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.identity.oidc.issuer
          toFieldPath: status.eks.oidc
          policy:
            fromFieldPath: Optional
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.identity.oidc.issuer
          toFieldPath: status.eks.iamoidc
          transforms:
            - type: string
              string:
                type: TrimPrefix
                trim: 'https://'
          policy:
            fromFieldPath: Optional
        [...]
    [...]
    - name: IAM-Role-System-external-dns
      base:
        apiVersion: iam.aws.crossplane.io/v1beta1
        kind: Role
        metadata:
          labels:
            role: external-dns
      patches:
        [...]
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.arn
          toFieldPath: status.eks.iamRole.external-dns
          policy:
            fromFieldPath: Optional
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: metadata.labels[tags.example.com/account]
              - fromFieldPath: status.eks.iamoidc
              - fromFieldPath: status.eks.iamoidc
            strategy: string
            string:
              fmt: |
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Principal": {
                        "Federated": "arn:aws:iam::%s:oidc-provider/%s"
                      },
                      "Action": "sts:AssumeRoleWithWebIdentity",
                      "Condition": {
                        "StringLike": {
                          "%s:sub": "system:serviceaccount:external-dns:external-dns"
                        }
                      }
                    }
                  ]
                }
          toFieldPath: spec.forProvider.assumeRolePolicyDocument
          policy:
            fromFieldPath: Required
```
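As an added check that is not part of the gist: a Go program that replays the two patches feeding the IRSA trust policy above (the TrimPrefix transform on the OIDC issuer into status.eks.iamoidc, then the fmt-based string combine) and validates the rendered assumeRolePolicyDocument before it reaches IAM. The account id, the issuer URL and the use of strings.TrimPrefix and fmt.Sprintf to emulate the Crossplane transforms are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The fmt string from the gist's patch (whitespace condensed): account, issuer host, issuer host.
const trustPolicyFmt = `{"Version": "2012-10-17", "Statement": [{
 "Effect": "Allow",
 "Principal": {"Federated": "arn:aws:iam::%s:oidc-provider/%s"},
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {"StringLike": {"%s:sub": "system:serviceaccount:external-dns:external-dns"}}}]}`

// Mirrors the patch chain: TrimPrefix drops "https://" (status.eks.iamoidc), then fmt.Sprintf fills the fmt string.
func RenderTrustPolicy(account, issuer string) string {
	iamOIDC := strings.TrimPrefix(issuer, "https://")
	return fmt.Sprintf(trustPolicyFmt, account, iamOIDC, iamOIDC)
}

// Only the fields the check needs; encoding/json matches names case-insensitively.
type policyDoc struct {
	Statement []struct{ Principal map[string]string; Condition map[string]map[string]string }
}

// CheckTrustPolicy parses the rendered JSON and verifies that the federated principal
// and the ":sub" condition name the same provider and pin exactly one service account.
func CheckTrustPolicy(doc, account, issuer, wantSub string) error {
	var p policyDoc
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return fmt.Errorf("trust policy is not valid JSON: %w", err)
	}
	iamOIDC := strings.TrimPrefix(issuer, "https://")
	want := "arn:aws:iam::" + account + ":oidc-provider/" + iamOIDC
	for _, s := range p.Statement {
		if s.Principal["Federated"] != want {
			return fmt.Errorf("unexpected principal %q", s.Principal["Federated"])
		}
		if sub := s.Condition["StringLike"][iamOIDC+":sub"]; sub != wantSub || strings.ContainsAny(sub, "*?") {
			return fmt.Errorf("sub condition not pinned to %q", wantSub)
		}
	}
	return nil
}

func main() { // constructed sample values, not from the gist
	doc := RenderTrustPolicy("123456789012", "https://oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123")
	fmt.Println(doc, CheckTrustPolicy(doc, "123456789012", "https://oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123", "system:serviceaccount:external-dns:external-dns"))
}
```

Because the composition marks this patch as Required, a missing account label or an issuer that was not yet trimmed leaves the role unreconciled rather than producing a policy that trusts the wrong provider; the check above catches the latter case when the document is rendered outside Crossplane.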