From 85c1e4baf2d4868fa4e9d11a12fbd4d837d63679 Mon Sep 17 00:00:00 2001
From: Aldo Lacuku
Date: Wed, 17 Jul 2024 10:57:41 +0200
Subject: [PATCH] new(config/cluster): add iam ruole for cluster-autoscaler

Signed-off-by: Aldo Lacuku
---
 config/clusters/iam.tf | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
index 12eceb77d9..dc37798a5e 100644
--- a/config/clusters/iam.tf
+++ b/config/clusters/iam.tf
@@ -31,6 +31,25 @@ resource "aws_iam_policy" "ebs_controller_policy" {
 policy = data.aws_iam_policy_document.ebs_controller_policy_doc.json
 }
 
+##### Cluster-autoscaler
+
+module "cluster_autoscaler" {
+source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+version = "4.1.0"
+create_role = true
+role_name = "${local.cluster_name}-cluster-autoscaler"
+provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+role_policy_arns = [aws_iam_policy.cluster_autoscaler_policy.arn]
+oidc_fully_qualified_subjects = [
+"system:serviceaccount:kube-system:cluster-autoscaler",
+]
+}
+
+resource "aws_iam_policy" "cluster_autoscaler_policy" {
+name_prefix = "${local.cluster_name}-cluster-autoscaler"
+policy = data.aws_iam_policy_document.cluster_autoscaler_policy_doc.json
+}
+
 data "aws_iam_policy_document" "cluster_autoscaler_policy_doc" {
 statement {
 effect = "Allow"
@@ -60,11 +79,6 @@ data "aws_iam_policy_document" "cluster_autoscaler_policy_doc" {
 }
 }
 
-resource "aws_iam_policy" "cluster_autoscaler_policy" {
-name_prefix = "${local.cluster_name}-cluster-autoscaler"
-policy = data.aws_iam_policy_document.cluster_autoscaler_policy_doc.json
-}
-
 ##### S3 for Prow uploads
 
 module "iam_assumable_role_admin" {
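Review bot: The role trust policy produced by `module "cluster_autoscaler"` in the first hunk is conditioned only on the OIDC `sub` claim, because the block sets `oidc_fully_qualified_subjects` but not the module's `oidc_fully_qualified_audiences` input; adding `oidc_fully_qualified_audiences = ["sts.amazonaws.com"]` also pins the `aud` claim, so a token from the same issuer minted for another audience cannot be exchanged for this role. The `data "aws_iam_policy_document" "cluster_autoscaler_policy_doc"` block the role attaches begins in this hunk but its statements run past it, so it cannot be checked here whether the autoscaling/EC2 actions are scoped (for example with a condition on the cluster-autoscaler resource tag) rather than granted on all resources; that is worth confirming now that the policy is reachable from the `kube-system:cluster-autoscaler` service account. The pin `version = "4.1.0"` is presumably chosen to match the other assumable-role module in this file, but that block is outside the hunk. The second hunk only removes the `aws_iam_policy` block that the first hunk moves up, so it needs no separate review.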