Hello, I want to write an assume policy that handles both clusters within the same AWS account.
I tried to use templatefile for assume_policy and then pass the OIDC IDs of the two clusters as a list.
I tried the following but am getting an error. Using Terraform 0.12.28.
locals.tf
federated = [
"xxxxxxxxxxxxxxxxxxxx",
"yyyyyyyyyyyyyyyyyyyyy"
]
federatedList1 = [for oidc in local.federated : "arn:aws:iam::2222222222:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/${oidc}"]
federatedList2 = join("", [for oidc in local.federated : "\"oidc.eks.us-east-1.amazonaws.com/id/${oidc}:sub:\", \"system:serviceaccount:%s:%s\""])
eks_assume_policy.json.tpl
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": ["${federatedList1}",]
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${federatedList2}"
        }
      }
    }
  ]
}
My goal is to use this policy in a role.
resource "aws_iam_role" "launcher" {
  name = local.Launcher
  assume_role_policy = format(templatefile("./eks_assume_policy.json.tpl", {
    federatedList1 = "${local.federatedList1}"
    federatedList2 = "${local.federatedList2}" }), "my-namepsace", local.Launcher)
  tags = {
    terraform = "true"
    owner = "stg"
  }
}
Error:
Error: Error in function call
on role.tf line 49, in resource "aws_iam_role" "launcher":
49: assume_role_policy = format(templatefile("./eks_assume_policy.json.tpl", {
50:
51:
|----------------
| local.federatedList1 is tuple with 2 elements
| local.federatedList2 is ""oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxx:sub:", "system:serviceaccount:%s:%s""oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyy:sub:", "system:serviceaccount:%s:%s""
Call to function "templatefile" failed: ./eks_assume_policy.json.tpl:7,26-40:
Invalid template interpolation value; Cannot include the given value in a
string template: string required…
Can someone please help me with this?
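The error above is templatefile refusing to splice a tuple (local.federatedList1) into a string template, and hand-assembling JSON out of joined fragments is what produced the malformed federatedList2. The following is an added example, not the poster's code, showing how the same trust policy can be built with jsonencode and a for expression instead of a string template. The account ID, the two OIDC issuer IDs, the namespace and the service-account name are constructed placeholders. It also changes the shape of the policy on purpose: one Statement per cluster rather than one Statement with both providers' keys in a single StringEquals block, because IAM ANDs all keys under one operator and a token issued by one cluster's provider never carries the other provider's `:sub` key, so the single-block form would never match. Each statement additionally pins the `:aud` claim, which is the check that keeps a role from being assumed with a token minted for some other audience.

```hcl
# Added example (not the original post's code). All IDs below are placeholders.
locals {
  # Constructed placeholders: substitute the real account ID and the OIDC
  # issuer IDs of the two clusters (the part of the issuer URL after "/id/").
  account_id  = "111122223333"
  oidc_region = "us-east-1"
  cluster_oidc_ids = [
    "EXAMPLE0123456789ABCDEF0123456789",
    "EXAMPLE9876543210FEDCBA9876543210",
  ]

  # The single service account allowed to assume the role, in every cluster.
  sa_namespace = "my-namespace"
  sa_name      = "launcher" # assumed to stand in for local.Launcher in the question

  # Issuer host paths without the "https://" prefix, the form IAM uses both in
  # the provider ARN and in condition key names.
  oidc_hosts = [
    for id in local.cluster_oidc_ids :
    "oidc.eks.${local.oidc_region}.amazonaws.com/id/${id}"
  ]

  # One statement per cluster. Each pairs its own Federated principal with
  # conditions on that provider's own keys, so a token from either cluster
  # matches exactly one statement.
  launcher_assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      for host in local.oidc_hosts : {
        Effect = "Allow"
        Principal = {
          Federated = "arn:aws:iam::${local.account_id}:oidc-provider/${host}"
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Restrict to one namespace/service-account pair and to the STS audience.
            "${host}:sub" = "system:serviceaccount:${local.sa_namespace}:${local.sa_name}"
            "${host}:aud" = "sts.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role" "launcher" {
  name               = local.sa_name
  assume_role_policy = local.launcher_assume_role_policy

  tags = {
    terraform = "true"
    owner     = "stg"
  }
}
```

Because jsonencode serialises a real object, there is no quoting or trailing-comma bookkeeping and no format() pass over the finished document; the namespace and service-account name are ordinary interpolations inside the object. `terraform console` with `local.launcher_assume_role_policy` prints the rendered policy for review before apply.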