fix: Use the aws_service_principal data source to retrieve the correct service principal for IRSA policies (#628)

bryantbiggs · web-flow · commit 673fb442b118 · 2025-10-29T10:20:48.000-05:00
diff --git a/examples/iam-account/README.md b/examples/iam-account/README.md
@@ -2,14 +2,14 @@
 
 Configuration in this directory sets [AWS account alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) (also known as Console Account alias) and configures password policy.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-group/README.md b/examples/iam-group/README.md
@@ -2,14 +2,14 @@
 
 Configuration in this directory creates IAM group with users who are allowed to assume IAM roles and extended with IAM policies.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-oidc-provider/README.md b/examples/iam-oidc-provider/README.md
@@ -2,17 +2,19 @@
 
 - Creates an IAM identity provider for GitHub OIDC
 - Creates an IAM role that trust the IAM GitHub OIDC provider
-  - GitHub reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
-  - AWS IAM role reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub
+  - [GitHub reference](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+  - [AWS IAM role reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub)
 
 Note: an IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and multiple roles created with this provider as the trusted identity (typically 1 role per GitHub repository).
 
+## Usage
+
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-policy/README.md b/examples/iam-policy/README.md
@@ -2,14 +2,14 @@
 
 Configuration in this directory creates IAM policies.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-read-only-policy/README.md b/examples/iam-read-only-policy/README.md
@@ -2,14 +2,14 @@
 
 Configuration in this directory creates a read-only IAM policy and attaches it to an AWS SSO permission set.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-role-for-service-accounts/README.md b/examples/iam-role-for-service-accounts/README.md
@@ -6,14 +6,14 @@
 
 Configuration in this directory creates IAM roles that can be assumed by multiple EKS `ServiceAccount`s for various tasks.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-role/README.md b/examples/iam-role/README.md
@@ -2,14 +2,14 @@
 
 Configuration in this directory creates IAM roles with different options for permissions and role assumption.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
@@ -3,14 +3,14 @@
 Configuration in this directory creates an IAM user with a random password, a pair of IAM access/secret keys, uploads IAM SSH public key, and demonstrates inline policy creation.
 User password and secret key is encrypted using public key of keybase.io user named `test`.
 
-# Usage
+## Usage
 
 To run this example you need to execute:
 
 ```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
+terraform init
+terraform plan
+terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
diff --git a/modules/iam-role-for-service-accounts/README.md b/modules/iam-role-for-service-accounts/README.md
@@ -8,6 +8,7 @@
 > The [karpenter](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/modules/karpenter) sub-module contains the necessary AWS resources for running Karpenter, including the Karpenter controller IAM role & policy
 
 Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include:
+
 - [Cert-Manager](https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role)
 - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
 - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
@@ -158,6 +159,10 @@ No modules.
 | [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_service_principal.delivery_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
+| [aws_service_principal.elasticloadbalancing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
+| [aws_service_principal.fsx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
+| [aws_service_principal.vpc_lattice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
@@ -213,6 +218,7 @@ No modules.
 | <a name="input_policy_description"></a> [policy\_description](#input\_policy\_description) | IAM policy description | `string` | `null` | no |
 | <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name to use on IAM policy created | `string` | `null` | no |
 | <a name="input_policy_path"></a> [policy\_path](#input\_policy\_path) | Path of IAM policy | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where *select resource(s) will be managed (IAM resources are global). Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_source_inline_policy_documents"></a> [source\_inline\_policy\_documents](#input\_source\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
diff --git a/modules/iam-role-for-service-accounts/main.tf b/modules/iam-role-for-service-accounts/main.tf
@@ -1,11 +1,4 @@
-data "aws_partition" "current" {
-  count = var.create ? 1 : 0
-}
-
 locals {
-  partition  = try(data.aws_partition.current[0].partition, "")
-  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "")
-
   policy_description = try(coalesce(
     var.policy_description,
     var.attach_aws_gateway_controller_policy ? "Provides permissions for the AWS Gateway Controller" : null,
diff --git a/modules/iam-role-for-service-accounts/policies.tf b/modules/iam-role-for-service-accounts/policies.tf
@@ -1,3 +1,38 @@
+data "aws_partition" "current" {
+  count = var.create ? 1 : 0
+}
+
+locals {
+  partition = try(data.aws_partition.current[0].partition, "")
+}
+
+data "aws_service_principal" "elasticloadbalancing" {
+  count = var.create && var.attach_load_balancer_controller_policy ? 1 : 0
+
+  service_name = "elasticloadbalancing"
+  region       = var.region
+}
+
+data "aws_service_principal" "fsx" {
+  count = var.create && (var.attach_fsx_lustre_csi_policy || var.attach_fsx_openzfs_csi_policy) ? 1 : 0
+
+  service_name = "fsx"
+  region       = var.region
+}
+
+data "aws_service_principal" "vpc_lattice" {
+  count = var.create && var.attach_aws_gateway_controller_policy ? 1 : 0
+
+  service_name = "vpc-lattice"
+  region       = var.region
+}
+
+data "aws_service_principal" "delivery_logs" {
+  count = var.create && var.attach_aws_gateway_controller_policy ? 1 : 0
+
+  service_name = "delivery.logs"
+  region       = var.region
+}
 ################################################################################
 # AWS Gateway Controller Policy
 ################################################################################
@@ -31,21 +66,21 @@ data "aws_iam_policy_document" "aws_gateway_controller" {
 
   statement {
     actions   = ["iam:CreateServiceLinkedRole"]
-    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/vpc-lattice.${local.dns_suffix}/AWSServiceRoleForVpcLattice"]
+    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/${data.aws_service_principal.vpc_lattice[0].name}/AWSServiceRoleForVpcLattice"]
     condition {
       test     = "StringLike"
       variable = "iam:AWSServiceName"
-      values   = ["vpc-lattice.${local.dns_suffix}"]
+      values   = [data.aws_service_principal.vpc_lattice[0].name]
     }
   }
 
   statement {
     actions   = ["iam:CreateServiceLinkedRole"]
-    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/delivery.logs.${local.dns_suffix}/AWSServiceRoleForLogDelivery"]
+    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/${data.aws_service_principal.delivery_logs[0].name}/AWSServiceRoleForLogDelivery"]
     condition {
       test     = "StringLike"
       variable = "iam:AWSServiceName"
-      values   = ["delivery.logs.${local.dns_suffix}"]
+      values   = [data.aws_service_principal.delivery_logs[0].name]
     }
   }
 }
@@ -560,7 +595,7 @@ data "aws_iam_policy_document" "fsx_lustre_csi" {
     condition {
       test     = "StringLike"
       variable = "iam:AWSServiceName"
-      values   = ["fsx.${local.dns_suffix}"]
+      values   = [data.aws_service_principal.fsx[0].name]
     }
   }
 
@@ -601,7 +636,7 @@ data "aws_iam_policy_document" "fsx_openzfs_csi" {
     condition {
       test     = "StringLike"
       variable = "iam:AWSServiceName"
-      values   = ["fsx.${local.dns_suffix}"]
+      values   = [data.aws_service_principal.fsx[0].name]
     }
   }
 
@@ -639,7 +674,7 @@ data "aws_iam_policy_document" "load_balancer_controller" {
     condition {
       test     = "StringEquals"
       variable = "iam:AWSServiceName"
-      values   = ["elasticloadbalancing.${local.dns_suffix}"]
+      values   = [data.aws_service_principal.elasticloadbalancing[0].name]
     }
   }
 
diff --git a/modules/iam-role-for-service-accounts/variables.tf b/modules/iam-role-for-service-accounts/variables.tf
@@ -4,6 +4,12 @@ variable "create" {
   default     = true
 }
 
+variable "region" {
+  description = "Region where *select resource(s) will be managed (IAM resources are global). Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)
diff --git a/modules/iam-role/README.md b/modules/iam-role/README.md
@@ -1,15 +1,15 @@
-# AWS IAM OIDC Role Terraform Module
+# AWS IAM Role Terraform Module
 
-Creates a single IAM role which can be assumed by trusted resources using OpenID connect federation.
+Creates a single IAM role which can be assumed by trusted resources.
 
 ## Usage
 
-### [GitHub Free, Pro, & Team](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+### [IAM Role - GitHub Free, Pro, & Team OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 The defaults provided by the module are suitable for GitHub Free, Pro, & Team, including use with the official [AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials).
 
 ```hcl
-module "iam_oidc_role" {
+module "iam_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role"
 
   enable_github_oidc = true
@@ -27,12 +27,12 @@ module "iam_oidc_role" {
 }
 ```
 
-### [GitHub Enterprise Server](https://docs.github.com/en/enterprise-server@3.7/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+### [IAM Role - GitHub Enterprise Server OIDC](https://docs.github.com/en/enterprise-server@3.7/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 For GitHub Enterprise Server, users will need to provide value for the `oidc_audience` and `provider_urls` to suit their `<GITHUB_ORG>` installation:
 
 ```hcl
-module "iam_oidc_role" {
+module "iam_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role"
 
   enable_github_oidc = true
@@ -53,7 +53,7 @@ module "iam_oidc_role" {
 }
 ```
 
-### Something
+### IAM Role - User assume
 
 ```hcl
 module "iam_role" {
@@ -94,15 +94,15 @@ module "iam_role" {
 }
 ```
 
-### SAML 2.0
+### IAM Role - SAML 2.0
 
 Creates an IAM role that trusts a SAML provider. Useful for trusting external identity providers such as Okta, OneLogin, etc.
 
 [Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
 [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
 
 ```hcl
-module "iam_role_saml" {
+module "iam_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
 
   name = "example"
diff --git a/wrappers/iam-role-for-service-accounts/main.tf b/wrappers/iam-role-for-service-accounts/main.tf
@@ -53,6 +53,7 @@ module "wrapper" {
   policy_description                                              = try(each.value.policy_description, var.defaults.policy_description, null)
   policy_name                                                     = try(each.value.policy_name, var.defaults.policy_name, null)
   policy_path                                                     = try(each.value.policy_path, var.defaults.policy_path, null)
+  region                                                          = try(each.value.region, var.defaults.region, null)
   source_inline_policy_documents                                  = try(each.value.source_inline_policy_documents, var.defaults.source_inline_policy_documents, [])
   source_policy_documents                                         = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
   tags                                                            = try(each.value.tags, var.defaults.tags, {})
