feat: patch CMK module and updated EksIp6 module

2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
@@ -11,4 +11,37 @@ module "aws_lb_controller_pod_identity" {
      service_account = "aws-load-balancer-controller-sa"
    }
  }
+}
+
+module "CsiPodIdentity" {
+  source      = "../modules/security_identity_compliance/iam-role-v2"
+  description = "EKSCSIDriverRole"
+  role-name   = "AmazonEBSCSIDriverRole"
+  trusted-entity = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "pods.eks.amazonaws.com"
+          },
+          "Action" : [
+            "sts:AssumeRole",
+            "sts:TagSession"
+          ]
+        }
+      ]
+    }
+  )
+}
+
+# 2 policies are required for the ebs csi to work
+resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
+  for_each = toset([
+    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
+    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  ])
+  role       = module.CsiPodIdentity.name
+  policy_arn = each.value
 }