From 96ac77cc1b712707a77418c91edb8dfcebc19dbc Mon Sep 17 00:00:00 2001
From: Noah Jackson
Date: Thu, 14 Mar 2024 11:08:52 -0700
Subject: [PATCH] Minor flyte role updates (#227)

* move flyteadmin to the dataplane role, clean up a few things
* restrict to runs in compute namespace instead of all pods
* move flyteadmin back to control plane
---
 modules/flyte/iam.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/flyte/iam.tf b/modules/flyte/iam.tf
index c4b89ad0..25394f75 100644
--- a/modules/flyte/iam.tf
+++ b/modules/flyte/iam.tf
@@ -13,6 +13,7 @@ resource "aws_iam_role" "flyte_controlplane" {
 StringEquals : {
 "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
 "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+ "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.datacatalog}",
 "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flyteadmin}",
 "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.flytepropeller}",
 ]
@@ -68,15 +69,14 @@ resource "aws_iam_role" "flyte_dataplane" {
 Federated = local.oidc_provider_arn
 }
 Condition : {
- StringEquals : {
+ StringLike : {
 "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
 "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
- "system:serviceaccount:${var.platform_namespace}:${var.serviceaccount_names.datacatalog}",
- "system:serviceaccount:${var.compute_namespace}:*"
+ "system:serviceaccount:${var.compute_namespace}:run-*"
 ]
 }
 }
- },
+ }
 ]
 })
 }
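Review bot: The new `StringLike` match on `system:serviceaccount:${var.compute_namespace}:run-*` lets any service account in the compute namespace whose name begins with `run-` assume `flyte_dataplane`, so the effective trust boundary is now Kubernetes RBAC over who may create service accounts in that namespace; that is presumably the intent (the subject says "runs in compute namespace"), but it deserves a comment next to the pattern, e.g. `# Any SA named run-* in the compute namespace may assume this role; SA creation there must stay restricted`. Because the operator change also moves the `aud` key under `StringLike`, I would keep `aud` under `StringEquals : { ...:aud = "sts.amazonaws.com" }` and put only `sub` under `StringLike : { ...:sub = [ "...:run-*" ] }` — operators in one Condition are ANDed, and that makes the exact audience match explicit, although it is functionally identical today since the audience string contains no `*` or `?`. The wildcard match likewise assumes `var.compute_namespace` itself contains no `*` or `?`, which would silently widen the trust. The `flyte_dataplane` resource and its Principal block begin before this hunk.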