Deploy role for github runner access to ecr via module

terraform/modules/aws-iam-eks-trusted/outputs.tf

@@ -2,3 +2,8 @@ output "role_arn" {
   description = "This role ARN"
   value       = aws_iam_role.this.arn
 }
+
+output "role_name" {
+  description = "This role name"
+  value       = aws_iam_role.this.name
+}

terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf

@@ -54,7 +54,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    eks.amazonaws.com/role-arn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.gha_runner_scale_set.name}-role
+    eks.amazonaws.com/role-arn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.aws_iam_github_actions_runner[0].role_name}
   labels:
     actions.github.com/scale-set-name: gha-runner-scale-set
     actions.github.com/scale-set-namespace: ${local.gha_runner_scale_set.namespace}
@@ -86,58 +86,33 @@ resource "helm_release" "gha_runner_scale_set" {
   ]
 }
 
-resource "aws_iam_role" "github_actions_runner_role" {
-  count = local.gha_runner_scale_set.enabled ? 1 : 0
-  name = "${local.gha_runner_scale_set.name}-role"
-
-  assume_role_policy = data.aws_iam_policy_document.github_actions_runner_assume_role_policy.json
-
-  depends_on = [ helm_release.gha_runner_scale_set ]
-}
-
-data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-    effect  = "Allow"
-
-    principals {
-      type        = "Federated"
-      identifiers = [local.eks_oidc_provider_arn]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${local.eks_oidc_provider_url}:sub"
-      values   = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.gha_runner_scale_set.service_account_name}"]
-    }
-  }
-}
-
-resource "aws_iam_role_policy" "github_actions_runner_policy" {
-  count = local.gha_runner_scale_set.enabled ? 1 : 0
-  name = "${local.gha_runner_scale_set.name}-policy"
-  role = aws_iam_role.github_actions_runner_role[0].id
-
-  policy = data.aws_iam_policy_document.github_actions_runner_policy.json
-
-  depends_on = [ helm_release.gha_runner_scale_set ]
-}
-
-data "aws_iam_policy_document" "github_actions_runner_policy" {
-  statement {
-    actions = [
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:PutImage",
-      "ecr:InitiateLayerUpload",
-      "ecr:UploadLayerPart",
-      "ecr:CompleteLayerUpload",
-      "ecr:GetAuthorizationToken",
-      "ecr:ListImages"
+module "aws_iam_github_actions_runner" {
+  count             = local.gha_runner_scale_set.enabled ? 1 : 0
+
+  source            = "../aws-iam-eks-trusted"
+  name              = "${local.gha_runner_scale_set.name}-role"
+  region            = local.region
+  oidc_provider_arn = local.eks_oidc_provider_arn
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+            {
+        "Effect" : "Allow",
+        "Action" : [
+           "ecr:GetDownloadUrlForLayer",
+           "ecr:BatchGetImage",
+           "ecr:BatchCheckLayerAvailability",
+           "ecr:PutImage",
+           "ecr:InitiateLayerUpload",
+           "ecr:UploadLayerPart",
+           "ecr:CompleteLayerUpload",
+           "ecr:GetAuthorizationToken",
+           "ecr:ListImages"
+            ],
+        "Resource" : "*"
+      }
     ]
-    resources = ["*"]
-  }
+  })
 }
 
 resource "kubectl_manifest" "github_runner_role" {