apply csi for all namspaces

opszero · Nov 18, 2024 · 4cfc229 · 4cfc229
1 parent 34ae8ec
commit 4cfc229
Showing 1 changed file with 7 additions and 24 deletions.
diff --git a/aws_csi_secrets_store.tf b/aws_csi_secrets_store.tf
@@ -65,32 +65,15 @@ resource "aws_iam_policy" "secrets_policy" {
 }
 
 data "aws_iam_policy_document" "trust_relationship" {
-  # Create a statement for each namespace
-  dynamic "statement" {
-    for_each = var.csi_enabled_namespaces
+  statement {
+    effect = "Allow"
 
-    content {
-      effect = "Allow"
-
-      principals {
-        type        = "Federated"
-        identifiers = [local.oidc_provider_arn]
-      }
-
-      actions = ["sts:AssumeRoleWithWebIdentity"]
-
-      condition {
-        test     = "StringEquals"
-        variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud"
-        values   = ["sts.amazonaws.com"]
-      }
-
-      condition {
-        test     = "StringEquals"
-        variable = "${replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub"
-        values   = ["system:serviceaccount:${statement.value}:csi-secrets-service-account"]
-      }
+    principals {
+      type        = "Federated"
+      identifiers = [local.oidc_provider_arn]
     }
+
+    actions = ["sts:AssumeRoleWithWebIdentity"]
   }
 }