@undeadops
Last active July 29, 2022 22:19
pulumi - create inline iam policy
// Requires the Pulumi and AWS provider packages. `config`, `KmsKeys`,
// `KmsKeyConfig`, `env`, `service` and `assumeRolePolicy` come from the
// surrounding project; this code runs inside a ComponentResource, hence
// `parent: this`.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Collect the ARN of every KMS key this service is allowed to use.
const kmsArns: pulumi.Output<string>[] = [];
config.get('kmsKeys').forEach((keyArgs: KmsKeyConfig) => {
  const kms = new KmsKeys({
    env: config.get('env'),
    ...keyArgs,
  });
  kmsArns.push(kms.arn);
});

// The ARNs are Outputs, so resolve all of them before building the policy
// document (the original referenced an undefined `args.kmsKeys` here).
// Scoping `resources` to the exact key ARNs rather than "*" is what keeps
// this inline policy least-privilege.
const kmsInlinePolicy = pulumi.all(kmsArns).apply((kmsKeys) =>
  aws.iam.getPolicyDocument({
    statements: [{
      actions: [
        "kms:Encrypt",
        "kms:Decrypt",
      ],
      effect: "Allow",
      resources: kmsKeys,
    }],
  })
);

const role = new aws.iam.Role(
  `k8sapp-${service.name}-sa-role`,
  {
    name: `k8sapp-${env}-${service.name}`,
    description: `EKS Service Account: ${service.namespace}/${service.serviceAccountName}`,
    assumeRolePolicy,
    tags: {
      Environment: env,
      Name: service.name,
      ...service.tags,
    },
    // Attach the KMS grant as an inline policy. `.json` is Pulumi's lifted
    // property access on the Output, yielding Output<string>.
    inlinePolicies: [
      {
        name: "kmsAllow",
        policy: kmsInlinePolicy.json,
      },
    ],
  },
  { parent: this }
);
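As an added example (not code from the gist or its author), the plain TypeScript below builds the same Allow statement for `kms:Encrypt`/`kms:Decrypt` without Pulumi and refuses any resource entry that is not a specific KMS key ARN, so an empty or wildcard key list cannot silently widen the grant the role receives. The ARN pattern, the function names and the sample ARNs are assumptions constructed for this example.

```typescript
// Added example: build a least-privilege inline KMS policy document and
// validate its resources before it is handed to an IAM role.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Matches arn:<partition>:kms:<region>:<account-id>:key/<key-id>.
// Aliases and wildcards are deliberately excluded (assumed pattern).
const KMS_KEY_ARN =
  /^arn:(aws|aws-us-gov|aws-cn):kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f-]{36}$/;

function isKmsKeyArn(arn: string): boolean {
  return KMS_KEY_ARN.test(arn);
}

// Equivalent of the gist's getPolicyDocument call, but it throws if any
// entry would grant access beyond a single named key.
function buildKmsInlinePolicy(keyArns: string[]): PolicyDocument {
  if (keyArns.length === 0) {
    throw new Error("refusing to build a KMS policy with no key ARNs");
  }
  const bad = keyArns.filter((a) => !isKmsKeyArn(a));
  if (bad.length > 0) {
    throw new Error(`resources must be KMS key ARNs, got: ${bad.join(", ")}`);
  }
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["kms:Encrypt", "kms:Decrypt"],
        // Deduplicate while preserving order.
        Resource: Array.from(new Set(keyArns)),
      },
    ],
  };
}

// The JSON string an IAM inline policy expects.
function kmsInlinePolicyJson(keyArns: string[]): string {
  return JSON.stringify(buildKmsInlinePolicy(keyArns));
}

// Constructed sample ARNs; not real keys.
const SAMPLE_KEY_ARNS = [
  "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
  "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000",
];

console.log(kmsInlinePolicyJson(SAMPLE_KEY_ARNS));
```

In the Pulumi version the same check would sit inside the `apply` callback, where the resolved ARNs are plain strings, so a misconfigured key list fails at `pulumi up` instead of producing an over-broad role.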