Modify raw iam resources to terraform-aws-iam module #222
Comments
bryantbiggs
added
enhancement
|
Once IRSAv2 is released, we plan on revisiting the approach used for permissions. The current implementation here is a 1:1 of addon to IRSA, but IRSAv2 intends to provide better support for sharing roles (i.e. - you can create a VPC CNI IRSA and share that with n-number of clusters) which potentially makes the IRSA roles provided here less useful. (Postulating) I suspect that with IRSAv2 that https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks will be more heavily used due to this improvement in role sharing. At that time it would make sense to use that module here and then users can simply opt in or out of this module creating the IRSA roles (if it creates it - its the 1:1 approach, if not, you can use the shared approach) |
Community Note
What is the outcome that you are trying to reach?
The idea is to give less maintenance to code that already exists in another repository and create association with the work already done by the community. Furthermore, all code modifications in terms of iam will be implemented in the terraform-aws-iam/module/iam-role-for-service-accounts-eks module.
Describe the solution you would like
Instead of using pure Terraform resources and maintaining potentially duplicated code, we can utilize the terraform-aws-iam/module/iam-role-for-service-accounts-eks module to create pre-created roles and policies in policies.tf for various addons, such as:
Describe alternatives you have considered
Additional context
The text was updated successfully, but these errors were encountered: