
I'm trying to apply a role to a Kubernetes Service Account and as part of that I'm trying to convert the following JSON

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "${oidc_arn}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
                "${oidc_url}:aud": "sts.amazonaws.com"
            }
        }
    }]
}

Into HCL

variable "pod_iam_role_name" {
  default = "PodAssumeRole"
}

variable "instance_manager_namespace" {
  default = "instance-manager"
}

resource "aws_iam_role" "pod_role" {
  name = var.pod_iam_role_name
  path = "/"
  assume_role_policy = aws_iam_policy.pod_role.arn
  force_detach_policies = false
}

resource "aws_iam_policy" "pod_role" {
  name = "PodAssumeRolePolicy"
  path = "/"
  policy = data.aws_iam_policy_document.pod_role.json
}

data "aws_iam_policy_document" "pod_role" {
  version = "2012-10-17"
  statement {
    sid = "PodAssumeRole"
    effect = "Allow"

    principals {
      type = "Service"
      identifiers = [
        module.eks.oidc_provider_arn
      ]
    }

    actions = [
      "sts:AssumeRoleWithWebIdentity",
    ]

    condition {
      test = "StringEquals"
      values = [
        "${module.eks.cluster_oidc_issuer_url}:aud"
      ]
      variable = "sts.amazonaws.com"
    }

    condition {
      test = "StringEquals"
      values = [
        "${module.eks.cluster_oidc_issuer_url}:sub"
      ]
      variable = "system:serviceaccount:${var.instance_manager_namespace}:${var.pod_iam_role_name}"
    }
  }
}

But I'm getting the following error

Error: error creating IAM policy PodAssumeRolePolicy: MalformedPolicyDocument: The policy failed legacy parsing
    status code: 400, request id: 47efe363-c069-46b6-bd7e-51d9f6032969

  on ../../modules/k8s/openid.tf line 32, in resource "aws_iam_policy" "pod_role":
  32: resource "aws_iam_policy" "pod_role" {

For the sake of credit and full disclosure, I can inform you that I'm following this tutorial.

    The error is about `aws_iam_policy.openid` yet your code does not have such a thing. – Marcin Jul 07 '21 at 07:42
  • @Marcin - I copy and pasted and old error message, my bad. The problem persists. – user672009 Jul 07 '21 at 10:35
  • @Marcin It's working with a template file but that's what I was trying to avoid. However I've been busy with other assignments so I haven't had time to look into this – user672009 Jul 16 '21 at 08:37

2 Answers


assume_role_policy should be JSON. So assuming that everything else is correct, it should be:

assume_role_policy = data.aws_iam_policy_document.pod_role.json
Marcin
  • That doesn't work. I think I'm hitting this bug... https://github.com/hashicorp/terraform-provider-aws/issues/10419 – user672009 Jul 07 '21 at 22:16
  • @user672009 I see. If this is indeed the bug, then you have to explicitly specify `assume_role_policy` as JSON string. – Marcin Jul 07 '21 at 22:44

You could try something like this:

  • the aws_iam_policy (just update the path for your json)
resource "aws_iam_policy" "pod_role" {
  name = "PodAssumeRolePolicy"
  path = "/"
  policy = templatefile("${path.module}/foo/policy.json", {
    oidc_arn      = module.eks.oidc_provider_arn
    oidc_url      = module.eks.cluster_oidc_issuer_url
    k8s_namespace = var.instance_manager_namespace
    role_name     = var.pod_iam_role_name
  })
}
  • your original json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "${oidc_arn}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
                "${oidc_url}:aud": "sts.amazonaws.com"
            }
        }
    }]
}
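For the data-source approach from the question and the first answer, here is the same trust policy written with aws_iam_policy_document and wired straight into the role. This is an added example, not code from the question, the answers or the linked tutorial; it assumes the same module.eks outputs and variables the question uses, and that module.eks.cluster_oidc_issuer_url returns the full "https://..." issuer URL.

```hcl
# Added example (not from the question or either answer): the IRSA trust
# policy as an aws_iam_policy_document attached directly to the role.

locals {
  # Condition keys use the issuer host without the scheme. Assumption:
  # module.eks.cluster_oidc_issuer_url returns the full "https://..." URL.
  oidc_host = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
}

data "aws_iam_policy_document" "pod_role_trust" {
  statement {
    sid     = "PodAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # An OIDC identity provider is a "Federated" principal, not a "Service"
    # principal; this mirrors the "Principal": {"Federated": ...} in the JSON.
    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    # In a condition block `variable` is the condition key and `values` holds
    # the allowed values (the question's HCL has the two swapped).
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The :sub check pins the role to exactly one ServiceAccount; without it
    # any pod in the cluster could obtain a web-identity token for this role.
    # The question reuses the role name as the ServiceAccount name.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${var.instance_manager_namespace}:${var.pod_iam_role_name}"]
    }
  }
}

resource "aws_iam_role" "pod_role" {
  name = var.pod_iam_role_name
  path = "/"
  # The trust policy is the role's assume_role_policy, a JSON string. It is
  # not a managed aws_iam_policy, so no separate resource or ARN is needed.
  assume_role_policy = data.aws_iam_policy_document.pod_role_trust.json
}
```

Permissions the pod actually needs still go in a separate aws_iam_policy attached to the role with aws_iam_role_policy_attachment; the trust policy above only controls who may assume it.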