PLAT-7025 Add CreateServiceLinkedRole perms to create-eks-role. Neede…

…d for fresh accounts. (#115) * PLAT-7025 Add CreateServiceLinkedRole perms to create-eks-role. Needed for fresh accounts. * Add Israel region
dominodatalab · Aug 2, 2023 · fcd47f8 · fcd47f8
1 parent ae85969
commit fcd47f8
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 5 deletions.
diff --git a/iam-bootstrap/variables.tf b/iam-bootstrap/variables.tf
@@ -13,7 +13,7 @@ variable "region" {
   description = "AWS region for the deployment"
   nullable    = false
   validation {
-    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
     error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
   }
 }

diff --git a/iam.tf b/iam.tf
@@ -75,6 +75,18 @@ data "aws_iam_policy_document" "create_eks_role" {
     resources = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:role/${var.deploy_id}-*"]
     effect    = "Allow"
   }
+
+  statement {
+    sid = "EKSDeployerIAMSvcLinkedRole"
+    actions = [
+      "iam:CreateServiceLinkedRole",
+      "iam:AttachRolePolicy",
+      "iam:PutRolePolicy"
+    ]
+    resources = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:role/aws-service-role/*"]
+    effect    = "Allow"
+  }
+
 }
 
 resource "aws_iam_policy" "create_eks_role" {

diff --git a/submodules/bastion/variables.tf b/submodules/bastion/variables.tf
@@ -8,7 +8,7 @@ variable "region" {
   type        = string
   nullable    = false
   validation {
-    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
     error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
   }
 }

diff --git a/submodules/eks/variables.tf b/submodules/eks/variables.tf
@@ -13,7 +13,7 @@ variable "region" {
   description = "AWS region for the deployment"
   nullable    = false
   validation {
-    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
     error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
   }
 }

diff --git a/submodules/network/variables.tf b/submodules/network/variables.tf
@@ -13,7 +13,7 @@ variable "region" {
   description = "AWS region for the deployment"
   nullable    = false
   validation {
-    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
     error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
   }
 }

diff --git a/variables.tf b/variables.tf
@@ -3,7 +3,7 @@ variable "region" {
   description = "AWS region for the deployment"
   nullable    = false
   validation {
-    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
     error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
   }
 }