
Support use of role by any service account in a namespace, or other StringLike patterns (iam-role-for-service-account-eks) #200

Closed
tculp opened this issue Mar 7, 2022 · 2 comments · Fixed by #201

Comments

@tculp

tculp commented Mar 7, 2022

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

Sometimes service accounts are created dynamically, such that it would be challenging to provide the exact service account names.

Describe the solution you'd like.

It would be useful to be able to provide a regex string to represent the service accounts, such as namespace:*.

StringEquals is currently the only supported option.

```hcl
condition {
  test     = "StringEquals"
  variable = "${replace(statement.value.provider_arn, "/^(.*provider/)/", "")}:sub"
  values   = [for sa in statement.value.namespace_service_accounts : "system:serviceaccount:${sa}"]
}
```

I'm currently using a custom role that does the following:

```hcl
dynamic "condition" {
  for_each = var.restrict_role_to_serviceaccount && var.serviceaccount != null ? [""] : []

  content {
    test     = "StringEquals"
    variable = "${local.oidc_provider}:sub"

    values = ["system:serviceaccount:${var.namespace}:${var.serviceaccount}"]
  }
}

dynamic "condition" {
  for_each = var.restrict_role_to_namespace && var.namespace != null ? [""] : []

  content {
    test     = "StringLike"
    variable = "${local.oidc_provider}:sub"

    values = ["system:serviceaccount:${var.namespace}:*"]
  }
}
```

However, it theoretically could also be done by determining if any sa in statement.value.namespace_service_accounts contains a StringLike-supported character (* or ?) per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String.

Alternatively, an extra variable for role_condition (default "StringEquals") would be a simpler way of allowing the user to specify.

Describe alternatives you've considered.

Dealing with it or continuing to use my custom module.

Additional context

The GitLab helm chart can automatically create many service accounts, while allowing a global annotation to be applied to each. This is a case where hard-coding the (probable) service account names in Terraform would be difficult.

@tculp tculp changed the title Support use of role by any service account in a namespace (iam-role-for-service-account-eks) Support use of role by any service account in a namespace, or other StringLike patterns (iam-role-for-service-account-eks) Mar 7, 2022
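As an added illustration (not code from the issue or from the module), the operator-selection idea from the issue and the audit a reviewer would want next to it: pick StringLike only when an entry carries an IAM wildcard, then flag subject patterns whose wildcard sits in the namespace part, since those trust service accounts in every namespace. The OIDC provider host is a constructed placeholder.

```python
import json

# Constructed placeholder shaped like the host the module derives from the provider ARN.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
PREFIX = "system:serviceaccount:"
WILDCARDS = set("*?")  # the only pattern characters IAM StringLike understands


def build_sub_condition(provider, namespace_service_accounts):
    """Build the `<provider>:sub` condition for the role trust policy.

    If any "namespace:serviceaccount" entry contains a wildcard the operator
    must be StringLike; otherwise StringEquals keeps an exact match.
    """
    test = "StringEquals"
    if any(WILDCARDS & set(sa) for sa in namespace_service_accounts):
        test = "StringLike"
    return {test: {f"{provider}:sub": [PREFIX + sa for sa in namespace_service_accounts]}}


def trust_policy(provider_arn, condition):
    """Wrap the condition in the AssumeRoleWithWebIdentity statement IRSA uses."""
    statement = {"Effect": "Allow", "Principal": {"Federated": provider_arn},
                 "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


def audit_sub_patterns(condition):
    """Return (value, reason) findings for subject patterns that trust too much.

    A wildcard in the namespace part (or a bare "*") matches service accounts in
    every namespace of the cluster; a wildcard under StringEquals is a literal
    that no real subject will ever equal, so the role silently becomes unusable.
    """
    findings = []
    for test, keys in condition.items():
        for key, values in keys.items():
            if not key.endswith(":sub"):
                continue
            for value in values:
                if not value.startswith(PREFIX):
                    findings.append((value, "not a service-account subject"))
                    continue
                ns, _, name = value[len(PREFIX):].partition(":")
                if not name:
                    findings.append((value, "matches every namespace" if WILDCARDS & set(ns)
                                     else "missing service-account name"))
                elif WILDCARDS & set(ns):
                    findings.append((value, "wildcard in namespace part: matches other namespaces"))
                elif WILDCARDS & set(name) and test != "StringLike":
                    findings.append((value, "wildcard under StringEquals never matches"))
    return findings
```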
@antonbabenko
Member

This issue has been resolved in version 4.14.0 🎉

@github-actions

github-actions bot commented Nov 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022