Merge pull request #12 from MaterializeInc/allow_multiple_service_acc…

…ounts_to_assume_role Allow any service account to assume the role
MaterializeInc · Dec 20, 2024 · e5304a9 · e5304a9
2 parents dc32a58 + 33a805f
commit e5304a9
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 22 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf
diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf
@@ -0,0 +1 @@
+../../versions.tf
diff --git a/main.tf b/main.tf
@@ -116,7 +116,7 @@ resource "aws_iam_role" "materialize_s3" {
         Action = "sts:AssumeRoleWithWebIdentity"
         Condition = {
           StringEquals = {
-            "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:sub" : "${var.bucket_prefix}:serviceaccount:${var.namespace}:${var.service_account_name}",
+            "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:sub" : "system:serviceaccount:*:*",
             "${trimprefix(module.eks.cluster_oidc_issuer_url, "https://")}:aud" : "sts.amazonaws.com"
           }
         }

diff --git a/variables.tf b/variables.tf
@@ -246,12 +246,6 @@ variable "service_account_name" {
   default     = "12345678-1234-1234-1234-123456789012"
 }
 
-variable "bucket_prefix" {
-  description = "Prefix for the S3 bucket"
-  type        = string
-  default     = "system"
-}
-
 variable "mz_iam_service_account_name" {
   description = "Name of the IAM user for Materialize service authentication (will be prefixed with environment name)"
   type        = string

diff --git a/versions.tf b/versions.tf
@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/helm"
       version = "~> 2.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
   }
 }