From 1c2f946db4d7c607ef1a9fc32f372bdae3c12090 Mon Sep 17 00:00:00 2001
From: sethAmazon <81644108+sethAmazon@users.noreply.github.com>
Date: Wed, 8 Dec 2021 13:51:51 -0500
Subject: [PATCH] Dynamic Assume Role Creation (#421) (#426)
---
 ...argate.yml => service_account_fargate.tpl} | 2 +-
 terraform/eks/container_insights_agent.tf | 10 ++++++++--
 terraform/eks/main.tf | 19 ++++++++++++++++++-
 3 files changed, 27 insertions(+), 4 deletions(-)
 rename terraform/eks/container-insights-agent/{service_account_fargate.yml => service_account_fargate.tpl} (55%)
diff --git a/terraform/eks/container-insights-agent/service_account_fargate.yml b/terraform/eks/container-insights-agent/service_account_fargate.tpl
similarity index 55%
rename from terraform/eks/container-insights-agent/service_account_fargate.yml
rename to terraform/eks/container-insights-agent/service_account_fargate.tpl
index 373e6b33d..71711f1de 100644
--- a/terraform/eks/container-insights-agent/service_account_fargate.yml
+++ b/terraform/eks/container-insights-agent/service_account_fargate.tpl
@@ -4,4 +4,4 @@ metadata:
 name: adot-collector-service-account
 namespace: default
 annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::611364707713:role/ServiceAccount-eks-test-aoc-role
+ eks.amazonaws.com/role-arn: ${RoleArn}
diff --git a/terraform/eks/container_insights_agent.tf b/terraform/eks/container_insights_agent.tf
index 4526ae791..1998c2c48 100644
--- a/terraform/eks/container_insights_agent.tf
+++ b/terraform/eks/container_insights_agent.tf
@@ -31,8 +31,14 @@ data "template_file" "daemonset_file" {
 }
 resource "kubectl_manifest" "service_account" {
- count = var.aoc_base_scenario == "infra" && var.deployment_type == "fargate" ? 1 : 0
- yaml_body = file("./container-insights-agent/service_account_fargate.yml")
+ count = var.aoc_base_scenario == "infra" && var.deployment_type == "fargate" ? 1 : 0
+ yaml_body = templatefile("./container-insights-agent/service_account_fargate.tpl",
+ {
+ RoleArn : module.iam_assumable_role_admin.iam_role_arn
+ })
+ depends_on = [
+ module.iam_assumable_role_admin
+ ]
 }
 resource "kubectl_manifest" "cluster_role" {
diff --git a/terraform/eks/main.tf b/terraform/eks/main.tf
index d1ebe9a6a..82778bbab 100644
--- a/terraform/eks/main.tf
+++ b/terraform/eks/main.tf
@@ -116,11 +116,28 @@ resource "kubernetes_service_account" "aoc-fargate-role" {
 name = "aoc-fargate-role-${module.common.testing_id}"
 namespace = "default"
 annotations = {
- "eks.amazonaws.com/role-arn" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ServiceAccount-eks-test-aoc-role"
+ "eks.amazonaws.com/role-arn" : module.iam_assumable_role_admin.iam_role_arn
 }
 }
 automount_service_account_token = true
+ depends_on = [module.iam_assumable_role_admin]
+}
+
+module "iam_assumable_role_admin" {
+ create_role = true
+
+ role_name = "aoc-eks-assume-role-${module.common.testing_id}"
+
+ provider_url = trimprefix(data.aws_eks_cluster.testing_cluster.identity[0].oidc[0].issuer, "https://")
+
+ role_policy_arns = [
+ "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
+ "arn:aws:iam::aws:policy/AWSXrayFullAccess",
+ "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
+ ]
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "4.7.0"
 }
 resource "kubernetes_cluster_role_binding" "aoc-role-binding" {
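Review bot: The `depends_on = [module.iam_assumable_role_admin]` added to `kubectl_manifest.service_account` is redundant, because the `templatefile` argument already references `module.iam_assumable_role_admin.iam_role_arn` and that reference establishes the dependency, while an explicit `depends_on` on a whole module also defers planning of this resource until every resource in the module has been applied, which tends to surface as spurious "known after apply" plans. The same redundant `depends_on` is added to `kubernetes_service_account.aoc-fargate-role` in the main.tf hunk of this patch. Separately, both service accounts are now annotated with the module role's ARN, yet the `module "iam_assumable_role_admin"` block in main.tf passes no `oidc_fully_qualified_subjects`, so the role's trust policy presumably is not limited to `system:serviceaccount:default:adot-collector-service-account` and the `aoc-fargate-role-*` account — worth confirming and tightening, given the role attaches `AWSXrayFullAccess` and S3 read access. Dropping the two `depends_on` additions is the only code change proposed here.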