tombooth/kubernetes-iam.rb

## kubernetes-iam.rb
require 'json'

Terrafying::Generator.generate do

  resource :aws_iam_role, "test_assume_role", {
             name: "test-assume-role",
             assume_role_policy: JSON.pretty_generate(
               {
                 Version: "2012-10-17",
                 Statement: [
                   {
                     Sid: "",
                     Action: "sts:AssumeRole",
                     Effect: "Allow",
                     Principal: {
                       AWS: "arn:aws:iam::#{aws.account_id}:role/kiam_role",
                     },
                     Condition: {
                       StringLike: {
                         "aws:userid": "${aws_iam_role.kiam_role.unique_id}:cluster.namespace.service-account-name",
                       },
                     },
                   },
                 ],
               }
             ),
           }

  role = resource :aws_iam_role, "kiam_role", {
             name: "kiam_role",
             assume_role_policy: JSON.pretty_generate(
               {
                 Version: "2012-10-17",
                 Statement: [
                   {
                     Action: "sts:AssumeRole",
                     Principal: {
                       AWS: "arn:aws:iam::#{aws.account_id}",
                     },
                     Effect: "Allow",
                     Sid: ""
                   },
                 ],
               }
             ),
           }

  resource :aws_iam_role_policy, "kiam_role_policy", {
             name: "kiam_role_assume",
             role: role,
             policy: JSON.pretty_generate(
               {
                 Version: "2012-10-17",
                 Statement: [
                   {
                     Action: [
                       "sts:AssumeRole"
                     ],
                     Effect: "Allow",
                     Resource: "arn:aws:iam::#{aws.account_id}:role/test-assume-role",
                   },
                 ],
               }
             ),
           }

end
	require 'json'

	Terrafying::Generator.generate do

	resource :aws_iam_role, "test_assume_role", {
	name: "test-assume-role",
	assume_role_policy: JSON.pretty_generate(
	{
	Version: "2012-10-17",
	Statement: [
	{
	Sid: "",
	Action: "sts:AssumeRole",
	Effect: "Allow",
	Principal: {
	AWS: "arn:aws:iam::#{aws.account_id}:role/kiam_role",
	},
	Condition: {
	StringLike: {
	"aws:userid": "${aws_iam_role.kiam_role.unique_id}:cluster.namespace.service-account-name",
	},
	},
	},
	],
	}
	),
	}

	role = resource :aws_iam_role, "kiam_role", {
	name: "kiam_role",
	assume_role_policy: JSON.pretty_generate(
	{
	Version: "2012-10-17",
	Statement: [
	{
	Action: "sts:AssumeRole",
	Principal: {
	AWS: "arn:aws:iam::#{aws.account_id}",
	},
	Effect: "Allow",
	Sid: ""
	},
	],
	}
	),
	}

	resource :aws_iam_role_policy, "kiam_role_policy", {
	name: "kiam_role_assume",
	role: role,
	policy: JSON.pretty_generate(
	{
	Version: "2012-10-17",
	Statement: [
	{
	Action: [
	"sts:AssumeRole"
	],
	Effect: "Allow",
	Resource: "arn:aws:iam::#{aws.account_id}:role/test-assume-role",
	},
	],
	}
	),
	}

	end