feat: add a second identity for role assumtions

Signed-off-by: Jorge Turrado <[email protected]>
kedacore · Oct 8, 2023 · d78c661 · d78c661
1 parent 050b252
commit d78c661
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 2 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -342,6 +342,10 @@ module "github_secrets" {
       name  = "TF_AWS_ACCOUNT_ID"
       value = data.aws_caller_identity.current.account_id
     },
+    {
+      name  = "TF_AWS_WORKLOAD_ROLE"
+      value = module.aws_iam.workload_role_arn
+    },
     {
       name  = "TF_GCP_SA_CREDENTIALS"
       value = module.gcp_iam.e2e_user_credentials

diff --git a/terraform/modules/aws/iam/main.tf b/terraform/modules/aws/iam/main.tf
@@ -1,3 +1,8 @@
+
+locals {
+  workload_role_name = "keda-workload-1"
+}
+
 resource "aws_iam_user" "e2e_test" {
   name = "e2e-test-user"
   path = "/"
@@ -131,7 +136,7 @@ resource "aws_iam_policy" "policy" {
         {
             "Effect": "Allow",
             "Action": "sqs:*",
-            "Resource": "arn:aws:sqs:*:589761922677:*"
+            "Resource": "arn:aws:sqs:regular-queue-*:589761922677:*"
         },
         {
             "Effect": "Allow",
@@ -151,8 +156,58 @@ resource "aws_iam_policy" "policy" {
                 "arn:aws:kinesis:*:589761922677:*/*/consumer/*:*",
                 "arn:aws:kinesis:*:589761922677:stream/*"
             ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "arn:aws:iam::*:role/${local.workload_role_name}"
         }
     ]
 }
 EOF
 }
+
+resource "aws_iam_role" "workload_role" {
+  name  = local.workload_role_name
+  tags  = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "role_assignements" {
+  role       = aws_iam_role.workload_role.name
+  policy_arn = aws_iam_policy.workload_role_policy.arn
+}
+
+
+resource "aws_iam_policy" "workload_role_policy" {
+  name = "e2e-test-assume-role-policy"
+  tags = var.tags
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "sqs:*",
+            "Resource": "arn:aws:sqs:asume-role-queue-*:589761922677:*"
+        },
+    ]
+}
+EOF
+}
diff --git a/terraform/modules/aws/iam/outputs.tf b/terraform/modules/aws/iam/outputs.tf
@@ -4,4 +4,8 @@ output "e2e_user_access_key" {
 
 output "e2e_user_secret_key" {
   value = aws_iam_access_key.e2e_test.secret
-}
+}
+
+output "workload_role_arn" {
+  value = aws_iam_role.workload_role.arn
+}