Add trusted relations for AWS roles (#128)

* add trusted relations Signed-off-by: Jorge Turrado <[email protected]> * fix resources Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Jorge Turrado <[email protected]>
kedacore · Oct 10, 2023 · 4e1b9ba · 4e1b9ba
1 parent 89b582c
commit 4e1b9ba
Showing 1 changed file with 14 additions and 12 deletions.
diff --git a/terraform/modules/aws/iam/main.tf b/terraform/modules/aws/iam/main.tf
@@ -1,6 +1,17 @@
 
 locals {
   workload_role_name = "keda-workload-1"
+  workload_trust_relations = jsonencode(
+    [for role in aws_iam_role.roles :
+      {
+        Sid : "",
+        Effect : "Allow"
+        Action : "sts:AssumeRole",
+        Principal : {
+          "AWS" : role.arn
+        }
+    }]
+  )
 }
 
 resource "aws_iam_user" "e2e_test" {
@@ -141,7 +152,7 @@ resource "aws_iam_policy" "policy" {
         {
             "Effect": "Deny",
             "Action": "sqs:*",
-            "Resource": "arn:aws:sqs:asume-role-queue-*:589761922677:*"
+            "Resource": "arn:aws:sqs:*:589761922677:asume-role-queue-*"
         },
         {
             "Effect": "Allow",
@@ -179,16 +190,7 @@ resource "aws_iam_role" "workload_role" {
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
+  "Statement": ${local.workload_trust_relations}
 }
 EOF
 }
@@ -210,7 +212,7 @@ resource "aws_iam_policy" "workload_role_policy" {
         {
             "Effect": "Allow",
             "Action": "sqs:*",
-            "Resource": "arn:aws:sqs:asume-role-queue-*:589761922677:*"
+            "Resource": "arn:aws:sqs:*:589761922677:asume-role-queue-*"
         }
     ]
 }