From c6cb656c0e4d25277a408cfd32ea005431cebe2c Mon Sep 17 00:00:00 2001
From: Yusuke Kuoka <ykuoka@gmail.com>
Date: Mon, 25 Jan 2021 09:12:06 +0900
Subject: [PATCH] Update README and an example for `assume_role` support

---
README.md | 17 ++++++++++++++++-
examples/existingvpc/main.tf | 26 +++++++++++++++++++++++++-
2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 932fca5..342a238 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ Benefits:
 Features:
 - Manage eksctl clusters using Terraform
+- [Support for AssumeRole and Cross-Account usage](#assume-role-and-cross-account)
 - [Install and upgrade eksctl version using Terraform](#declarative-binary-version-management)
 - [Cluster canary deployment using ALB](#cluster-canary-deployment-using-alb)
 - [Cluster canary deployment using Route 53 + NLB](#cluster-canary-deployment-using-route-53-and-nlb)
@@ -740,7 +741,8 @@ resource "eksctl_courier_route53_record" "www" {
 ## Advanced Features
-- Declarative biniary version management
+- [Declarative biniary version management](#declarative-binary-version-management)
+- [AssumeRole and Cross Account](#assumerole-and-cross-account)
 ### Declarative binary version management
@@ -761,6 +763,19 @@ resource "eksctl_cluster" "mystack" {
 // snip
 ```
+### AssumeRole and Cross Account
+
+Providing the `assume_role` block, you can let the provider to call `sts:AssumeRole` for assuming an AWS role
+in the same account or another account before calling AWS API and running `eksctl` or `kubectl`.
+
+```hcl-terraform
+resource "eksctl_cluster" "red" {
+assume_role {
+role_arn = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
+}
+// snip
+```
+
 ## The Goal
 My goal for this project is to allow automated canary deployment of a whole K8s cluster via single `terraform apply` run.
diff --git a/examples/existingvpc/main.tf b/examples/existingvpc/main.tf
index 745c0d4..e5727bf 100644
--- a/examples/existingvpc/main.tf
+++ b/examples/existingvpc/main.tf
@@ -1,6 +1,21 @@
 provider "eksctl" {}
 provider "helmfile" {}
+terraform {
+required_providers {
+eksctl = {
+source = "mumoshu/eksctl"
+version = "0.0.1"
+}
+
+helmfile = {
+source = "mumoshu/helmfile"
+version = "0.12.0"
+}
+}
+}
+
+
 variable "region" {
 default = "us-east-2"
 description = "AWS region"
@@ -198,9 +213,18 @@ nodeGroups:
 iam:
 withOIDC: true
-serviceAccounts: []
+serviceAccounts:
+- metadata:
+name: reader2
+namespace: default
+labels: {aws-usage: "application"}
+attachPolicyARNs:
+- "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 vpc:
+clusterEndpoints:
+privateAccess: true
+publicAccess: true
 cidr: "${module.vpc.vpc_cidr_block}" # (optional, must match CIDR used by the given VPC)
 subnets: # must provide 'private' and/or 'public' subnets by availibility zone as shown
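Review bot: The `@@ -1,6 +1,21 @@` hunk of examples/existingvpc/main.tf is the only change the commit describes as "an example for `assume_role` support", yet it adds no `assume_role` block: `provider "eksctl" {}` stays empty and only `required_providers` is introduced. The `eksctl_cluster` resource where the README hunk places the block is outside this hunk, so it may have been left untouched; if so, the README snippet `assume_role { role_arn = "arn:aws:iam::${var.account_id}:role/${var.role_name}" }` belongs in the example, with `account_id` and `role_name` declared next to `variable "region"`, otherwise the example does not exercise the feature it is named for. The `version = "0.0.1"` and `version = "0.12.0"` constraints are exact pins, which is acceptable in an example but should be stated, e.g. `# exact pins; bump these when the providers are released with newer versions`, so readers do not copy them into real configurations expecting upgrades to flow. The diffstat accounts for all 25 insertions in this file, so no further hunk adds the block elsewhere in main.tf.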