Make service account key path as variable (#12)

## what
* Made service account key path as variable

## why
* Different charts use different `variables.yaml` structure, 
   for some you use `serviceAccount` key path for annotations but other use `rbac.serviceAccount`.

README.md

@@ -279,7 +279,8 @@ Available targets:
 | <a name="input_reuse_values"></a> [reuse\_values](#input\_reuse\_values) | When upgrading, reuse the last release's values and merge in any overrides. If `reset_values` is specified, this is ignored. Defaults to `false`. | `bool` | `null` | no |
 | <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | Name of the Kubernetes ServiceAccount allowed to assume the IAM role created when `var.iam_role_enabled` is set to `true`.<br><br>In combination with `var.service_account_namespace`, this variable is used to determine which ServiceAccounts are allowed<br>to assume the IAM role in question.<br><br>It is *not* recommended to leave this variable as `null` or `""`, as this would mean ServiceAccounts of any name in the<br>namespace specified by `var.service_account_namespace` are allowed to assume the IAM role in question. If both variables<br>are omitted, then a ServiceAccount of any name in any namespace will be able to assume the IAM role in question, which<br>is the least secure scenario.<br><br>The best practice is to set this variable to the name of the ServiceAccount created by the Helm Chart. | `string` | `null` | no |
 | <a name="input_service_account_namespace"></a> [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace of the Kubernetes ServiceAccount allowed to assume the IAM role created when `var.iam_role_enabled`<br>is set to `true`.<br><br>In combination with `var.service_account_name`, this variable is used to determine which ServiceAccounts are allowed<br>to assume the IAM role in question.<br><br>It is *not* recommended to leave this variable as `null` or `""`, as this would mean any ServiceAccounts matching the<br>name specified by `var.service_account_name` in any namespace are allowed to assume the IAM role in question. If both<br>variables are omitted, then a ServiceAccount of any name in any namespace will be able to assume the IAM role in question,<br>which is the least secure scenario.<br><br>The best practice is to set this variable to the namespace of the ServiceAccount created by the Helm Chart. | `string` | `null` | no |
-| <a name="input_service_account_role_arn_annotation_enabled"></a> [service\_account\_role\_arn\_annotation\_enabled](#input\_service\_account\_role\_arn\_annotation\_enabled) | Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `serviceAccount.annotations`, with the<br>value being the ARN of the IAM role created when `var.iam_role_enabled`.<br><br>Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`,<br>this allows the ServiceAccount created by the Helm Chart to assume the IAM Role in question via the EKS OIDC IdP, without<br>the consumer of this module having to set this annotation via `var.values` or `var.set`, which would involve manually<br>rendering the IAM Role ARN beforehand.<br><br>Ignored if `var.iam_role_enabled` is `false`. | `bool` | `true` | no |
+| <a name="input_service_account_role_arn_annotation_enabled"></a> [service\_account\_role\_arn\_annotation\_enabled](#input\_service\_account\_role\_arn\_annotation\_enabled) | Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `$var.service_account_set_key_path.annotations`<br>(by default, `serviceAccount.annotations`), with the value being the ARN of the IAM role created when `var.iam_role_enabled`.<br><br>Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`<br>(or a similar convention, which can be overriden by `var.service_account_set_key_path` as needed),<br>this allows the ServiceAccount created by the Helm Chart to assume the IAM Role in question via the EKS OIDC IdP, without<br>the consumer of this module having to set this annotation via `var.values` or `var.set`, which would involve manually<br>rendering the IAM Role ARN beforehand.<br><br>Ignored if `var.iam_role_enabled` is `false`. | `bool` | `true` | no |
+| <a name="input_service_account_set_key_path"></a> [service\_account\_set\_key\_path](#input\_service\_account\_set\_key\_path) | The key path used by Helm Chart values for ServiceAccount-related settings (e.g. `serviceAccount` or `rbac.serviceAccount`).<br><br>Ignored if either `var.service_account_role_arn_annotation_enabled` or `var.iam_role_enabled` are set to `false`. | `string` | `"serviceAccount"` | no |
 | <a name="input_set"></a> [set](#input\_set) | Value block with custom values to be merged with the values yaml. | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_set_sensitive"></a> [set\_sensitive](#input\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff. | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_skip_crds"></a> [skip\_crds](#input\_skip\_crds) | If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to `false`. | `bool` | `null` | no |

docs/terraform.md

@@ -81,7 +81,8 @@
 | <a name="input_reuse_values"></a> [reuse\_values](#input\_reuse\_values) | When upgrading, reuse the last release's values and merge in any overrides. If `reset_values` is specified, this is ignored. Defaults to `false`. | `bool` | `null` | no |
 | <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | Name of the Kubernetes ServiceAccount allowed to assume the IAM role created when `var.iam_role_enabled` is set to `true`.<br><br>In combination with `var.service_account_namespace`, this variable is used to determine which ServiceAccounts are allowed<br>to assume the IAM role in question.<br><br>It is *not* recommended to leave this variable as `null` or `""`, as this would mean ServiceAccounts of any name in the<br>namespace specified by `var.service_account_namespace` are allowed to assume the IAM role in question. If both variables<br>are omitted, then a ServiceAccount of any name in any namespace will be able to assume the IAM role in question, which<br>is the least secure scenario.<br><br>The best practice is to set this variable to the name of the ServiceAccount created by the Helm Chart. | `string` | `null` | no |
 | <a name="input_service_account_namespace"></a> [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace of the Kubernetes ServiceAccount allowed to assume the IAM role created when `var.iam_role_enabled`<br>is set to `true`.<br><br>In combination with `var.service_account_name`, this variable is used to determine which ServiceAccounts are allowed<br>to assume the IAM role in question.<br><br>It is *not* recommended to leave this variable as `null` or `""`, as this would mean any ServiceAccounts matching the<br>name specified by `var.service_account_name` in any namespace are allowed to assume the IAM role in question. If both<br>variables are omitted, then a ServiceAccount of any name in any namespace will be able to assume the IAM role in question,<br>which is the least secure scenario.<br><br>The best practice is to set this variable to the namespace of the ServiceAccount created by the Helm Chart. | `string` | `null` | no |
-| <a name="input_service_account_role_arn_annotation_enabled"></a> [service\_account\_role\_arn\_annotation\_enabled](#input\_service\_account\_role\_arn\_annotation\_enabled) | Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `serviceAccount.annotations`, with the<br>value being the ARN of the IAM role created when `var.iam_role_enabled`.<br><br>Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`,<br>this allows the ServiceAccount created by the Helm Chart to assume the IAM Role in question via the EKS OIDC IdP, without<br>the consumer of this module having to set this annotation via `var.values` or `var.set`, which would involve manually<br>rendering the IAM Role ARN beforehand.<br><br>Ignored if `var.iam_role_enabled` is `false`. | `bool` | `true` | no |
+| <a name="input_service_account_role_arn_annotation_enabled"></a> [service\_account\_role\_arn\_annotation\_enabled](#input\_service\_account\_role\_arn\_annotation\_enabled) | Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `$var.service_account_set_key_path.annotations`<br>(by default, `serviceAccount.annotations`), with the value being the ARN of the IAM role created when `var.iam_role_enabled`.<br><br>Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`<br>(or a similar convention, which can be overriden by `var.service_account_set_key_path` as needed),<br>this allows the ServiceAccount created by the Helm Chart to assume the IAM Role in question via the EKS OIDC IdP, without<br>the consumer of this module having to set this annotation via `var.values` or `var.set`, which would involve manually<br>rendering the IAM Role ARN beforehand.<br><br>Ignored if `var.iam_role_enabled` is `false`. | `bool` | `true` | no |
+| <a name="input_service_account_set_key_path"></a> [service\_account\_set\_key\_path](#input\_service\_account\_set\_key\_path) | The key path used by Helm Chart values for ServiceAccount-related settings (e.g. `serviceAccount` or `rbac.serviceAccount`).<br><br>Ignored if either `var.service_account_role_arn_annotation_enabled` or `var.iam_role_enabled` are set to `false`. | `string` | `"serviceAccount"` | no |
 | <a name="input_set"></a> [set](#input\_set) | Value block with custom values to be merged with the values yaml. | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_set_sensitive"></a> [set\_sensitive](#input\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff. | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_skip_crds"></a> [skip\_crds](#input\_skip\_crds) | If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to `false`. | `bool` | `null` | no |

main.tf

@@ -99,7 +99,7 @@ resource "helm_release" "this" {
   dynamic "set" {
     for_each = local.iam_role_enabled && var.service_account_role_arn_annotation_enabled ? [module.eks_iam_role.service_account_role_arn] : []
     content {
-      name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+      name  = format("%s.annotations.eks\\.amazonaws\\.com/role-arn", var.service_account_set_key_path)
       value = set.value
       type  = "string"
     }

variables.tf

@@ -49,19 +49,30 @@ variable "eks_cluster_oidc_issuer_url" {
 variable "service_account_role_arn_annotation_enabled" {
   type        = bool
   description = <<-EOT
-  Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `serviceAccount.annotations`, with the
-  value being the ARN of the IAM role created when `var.iam_role_enabled`.
-
-  Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`,
+  Whether or not to dynamically insert an `eks.amazonaws.com/role-arn` annotation into `$var.service_account_set_key_path.annotations`
+  (by default, `serviceAccount.annotations`), with the value being the ARN of the IAM role created when `var.iam_role_enabled`.
+  
+  Assuming the Helm Chart follows the standard convention of rendering ServiceAccount annotations in `serviceAccount.annotations`
+  (or a similar convention, which can be overriden by `var.service_account_set_key_path` as needed),
   this allows the ServiceAccount created by the Helm Chart to assume the IAM Role in question via the EKS OIDC IdP, without
   the consumer of this module having to set this annotation via `var.values` or `var.set`, which would involve manually
   rendering the IAM Role ARN beforehand.
-
+  
   Ignored if `var.iam_role_enabled` is `false`.
   EOT
   default     = true
 }
 
+variable "service_account_set_key_path" {
+  type        = string
+  description = <<-EOT
+  The key path used by Helm Chart values for ServiceAccount-related settings (e.g. `serviceAccount` or `rbac.serviceAccount`).
+  
+  Ignored if either `var.service_account_role_arn_annotation_enabled` or `var.iam_role_enabled` are set to `false`.
+  EOT
+  default     = "serviceAccount"
+}
+
 variable "service_account_name" {
   type        = string
   description = <<-EOT