From acf15aae1e2aad042b28a551f4897172ae514992 Mon Sep 17 00:00:00 2001
From: Petr Drastil
Date: Sun, 3 Dec 2023 11:59:26 +0100
Subject: [PATCH 1/4] feat(iam-role-for-service-accounts-eks): Add support for pod identity service
Signed-off-by: Petr Drastil
---
 modules/iam-role-for-service-accounts-eks/main.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
index 6095f390..d9569023 100644
--- a/modules/iam-role-for-service-accounts-eks/main.tf
+++ b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -62,6 +62,16 @@ data "aws_iam_policy_document" "this" {
 }
 }
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole", "sts:TagSession"]
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
+ }
+ }
 }
 resource "aws_iam_role" "this" {
From 86ab19d0372fc53e888ddf31610714d8f8ace3ad Mon Sep 17 00:00:00 2001
From: Petr Drastil
Date: Sun, 3 Dec 2023 12:22:28 +0100
Subject: [PATCH 2/4] Add example for pod identity role
---
 .../iam-role-for-service-accounts-eks/main.tf | 27 +++++++++++++++++++
 .../versions.tf | 2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 5c4a0e8b..7640496e 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
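Review bot: The new `pods.eks.amazonaws.com` statement is added unconditionally and carries no `condition` block, so every role this module produces — including roles that callers only ever intended to be assumed through IRSA's OIDC-scoped `sts:AssumeRoleWithWebIdentity` — now also trusts the EKS Pod Identity service principal, with nothing limiting which account or cluster the assumption originates from. The IRSA statement earlier in this document is presumably narrowed by OIDC `sub`/`aud` conditions; this statement has no equivalent guard, which is the classic confused-deputy shape for a service principal. I would gate the statement behind an opt-in variable (default off, so existing roles keep their current trust surface) and add a `condition` on `aws:SourceAccount`, and on `aws:SourceArn` for the cluster where the caller knows it. The enclosing `data "aws_iam_policy_document" "this"` block starts before this hunk, so the variable wiring is not visible here; the names below are proposals, not existing inputs.
```hcl
  # Opt-in Pod Identity trust path (proposed new input, default false) so that
  # IRSA-only roles do not silently gain a second principal that can assume them.
  dynamic "statement" {
    for_each = var.enable_pod_identity ? [1] : []

    content {
      effect  = "Allow"
      actions = ["sts:AssumeRole", "sts:TagSession"]

      principals {
        type        = "Service"
        identifiers = ["pods.eks.amazonaws.com"]
      }

      # Confused-deputy guard: only honour requests originating from the caller's
      # own account. TODO(review): decide where the account id comes from, and
      # consider an additional aws:SourceArn condition on the cluster ARN.
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [var.pod_identity_source_account]
      }
    }
  }
```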
@@ -399,6 +399,26 @@ module "iam_eks_role" {
 }
 }
+################################################################################
+# Pod Identity Roles
+################################################################################
+module "iam_pod_identity_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ role_name = "my-pod-identity"
+
+ role_policy_arns = {
+ policy = module.iam_policy.arn
+ }
+}
+
+# This resource requires installed eks-pod-identity-agent to work
+resource "aws_eks_pod_identity_association" "my_app_staging" {
+ cluster_name = module.eks.cluster_name
+ role_arn = module.iam_pod_identity_role.iam_role_arn
+ namespace = "default"
+ service_account = "my-app-staging"
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################
@@ -438,6 +458,13 @@ module "eks" {
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.private_subnets
+ cluster_addons = {
+ # Required for Pod Identity roles
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
+ }
+
 eks_managed_node_groups = {
 default = {}
 }
diff --git a/examples/iam-role-for-service-accounts-eks/versions.tf b/examples/iam-role-for-service-accounts-eks/versions.tf
index d8dd1a44..ef42ed42 100644
--- a/examples/iam-role-for-service-accounts-eks/versions.tf
+++ b/examples/iam-role-for-service-accounts-eks/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">= 5.29"
 }
 }
 }
From cf4da978c0ecabb532c0291cf010033c188df924 Mon Sep 17 00:00:00 2001
From: Petr Drastil
Date: Sun, 3 Dec 2023 12:27:04 +0100
Subject: [PATCH 3/4] Bump AWS provider version
---
 modules/iam-role-for-service-accounts-eks/versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
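Review bot: `module "iam_pod_identity_role"` sources the published registry module (`terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks`) rather than the local `../../modules/iam-role-for-service-accounts-eks` that most IRSA examples in this file use (see the Modules table in the README hunk of this series), so the example never exercises the `pods.eks.amazonaws.com` trust statement this series adds to the local module; until a release containing it is published, the Pod Identity service will presumably be refused by the registry role's trust policy. Change it to `source = "../../modules/iam-role-for-service-accounts-eks"` so the example tests the code under review. The comment on the association could also state the consequence rather than just the requirement, e.g. `# Needs the eks-pod-identity-agent add-on on the cluster; without it the association exists but pods never receive credentials for this role` (exact failure mode to be confirmed).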
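Review bot: `most_recent = true` on the `eks-pod-identity-agent` add-on resolves a different add-on build on each apply, which makes a failing example hard to reproduce and sits oddly next to the deliberate provider pin to `>= 5.29` in the same patch. For an example this may be an acceptable trade-off, but I would either pin with `addon_version = "<known-good version>"` or note in the comment why floating is intended, e.g. `# Required for Pod Identity roles; most_recent keeps the example working across EKS versions`. The enclosing `module "eks"` block starts before this hunk.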
diff --git a/modules/iam-role-for-service-accounts-eks/versions.tf b/modules/iam-role-for-service-accounts-eks/versions.tf
index d8dd1a44..ef42ed42 100644
--- a/modules/iam-role-for-service-accounts-eks/versions.tf
+++ b/modules/iam-role-for-service-accounts-eks/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">= 5.29"
 }
 }
 }
From dda0b85792f16476bc00503c8b77a79f6c2c0f33 Mon Sep 17 00:00:00 2001
From: Petr Drastil
Date: Sun, 3 Dec 2023 12:55:11 +0100
Subject: [PATCH 4/4] Update docs
---
 examples/iam-role-for-service-accounts-eks/README.md | 6 ++++--
 modules/iam-role-for-service-accounts-eks/README.md | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
index 25fcda06..b8dd0f0e 100644
--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -20,13 +20,13 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.29 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.0 |
+| [aws](#provider\_aws) | >= 5.29 |
 ## Modules
@@ -46,6 +46,7 @@ Run `terraform destroy` when you don't need these resources.
 | [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
+| [iam\_pod\_identity\_role](#module\_iam\_pod\_identity\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
 | [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
@@ -61,6 +62,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Type |
 |------|------|
+| [aws_eks_pod_identity_association.my_app_staging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
 | [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 72031c6e..875fffe5 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -105,13 +105,13 @@ module "eks" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.29 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.0 |
+| [aws](#provider\_aws) | >= 5.29 |
 ## Modules