Merge pull request #139 from resource-watch/add_oidc_role_to_eks

tanderegg · web-flow · commit da4aac3d6db0 · 2026-02-06T16:22:11.000-05:00
Adds access entry for GHA OIDC role. (Self-approving for a small change)
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -56,6 +56,7 @@ module "eks" {
   ebs_csi_addon_version = var.ebs_csi_addon_version
   kube_proxy_addon_version = var.kube_proxy_addon_version
   admin_role_arns       = data.aws_iam_roles.admin_arn.arns
+  gha_role_arn          = var.gha_role_arn
   subnet_ids = [
     module.vpc.private_subnets[0].id,
     module.vpc.private_subnets[1].id,
diff --git a/terraform/modules/eks/main.tf b/terraform/modules/eks/main.tf
@@ -286,3 +286,23 @@ resource "aws_eks_access_policy_association" "admin_policy" {
     aws_eks_access_entry.admin_role
   ]
 }
+
+resource "aws_eks_access_entry" "gha_role" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  principal_arn = var.gha_role_arn
+  type          = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "gha_policy" {
+  cluster_name    = aws_eks_cluster.eks_cluster.name
+  policy_arn      = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  principal_arn   = var.gha_role_arn
+
+  access_scope {
+    type = "cluster"
+  }
+
+  depends_on = [
+    aws_eks_access_entry.gha_role
+  ]
+}
diff --git a/terraform/modules/eks/variable.tf b/terraform/modules/eks/variable.tf
@@ -44,3 +44,8 @@ variable "admin_role_arns" {
   type        = set(string)
   description = "ARN of the Role used for admin cluster access."
 }
+
+variable "gha_role_arn" {
+  type        = string
+  description = "ARN of the Role used for Github Actions."
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -283,3 +283,8 @@ variable "email_recipients" {
   description = "List of email addresses to contact in case an alert fails"
   default     = []
 }
+
+variable "gha_role_arn" {
+  type        = string
+  description = "ARN of the Role used for Github Actions."
+}
diff --git a/terraform/vars/terraform-dev.tfvars b/terraform/vars/terraform-dev.tfvars
@@ -26,3 +26,4 @@ gateway_node_group_desired_size = 0
 hibernate                       = false
 aq_bucket_cors_allowed_origin   = "*"
 deploy_sparkpost_templates      = false
+gha_role_arn                    = "arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role"

Original file line number	Diff line number	Diff line change
`@@ -44,3 +44,8 @@ variable "admin_role_arns" {`
`44`	`44`	`type = set(string)`
`45`	`45`	`description = "ARN of the Role used for admin cluster access."`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+variable "gha_role_arn" {`
	`49`	`+ type = string`
	`50`	`+ description = "ARN of the Role used for Github Actions."`
	`51`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -283,3 +283,8 @@ variable "email_recipients" {`
`283`	`283`	`description = "List of email addresses to contact in case an alert fails"`
`284`	`284`	`default = []`
`285`	`285`	`}`
	`286`	`+`
	`287`	`+variable "gha_role_arn" {`
	`288`	`+ type = string`
	`289`	`+ description = "ARN of the Role used for Github Actions."`
	`290`	`+}`