fix: Remove legacy IRSAv2 artifact

Author: bryantbiggs

examples/iam-role-for-service-accounts/README.md

@@ -38,16 +38,13 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_cluster_autoscaler_irsa"></a> [cluster\_autoscaler\_irsa](#module\_cluster\_autoscaler\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_ebs_csi_irsa"></a> [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_ebs_csi_irsa_v2"></a> [ebs\_csi\_irsa\_v2](#module\_ebs\_csi\_irsa\_v2) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_efs_csi_irsa"></a> [efs\_csi\_irsa](#module\_efs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 21.0 |
 | <a name="module_external_dns_irsa"></a> [external\_dns\_irsa](#module\_external\_dns\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_external_secrets_irsa"></a> [external\_secrets\_irsa](#module\_external\_secrets\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_fsx_lustre_csi_irsa"></a> [fsx\_lustre\_csi\_irsa](#module\_fsx\_lustre\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_fsx_openzfs_csi_irsa"></a> [fsx\_openzfs\_csi\_irsa](#module\_fsx\_openzfs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_irsa"></a> [irsa](#module\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_irsa_v2_custom_policy"></a> [irsa\_v2\_custom\_policy](#module\_irsa\_v2\_custom\_policy) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_irsa_v2_empty"></a> [irsa\_v2\_empty](#module\_irsa\_v2\_empty) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_load_balancer_controller_irsa"></a> [load\_balancer\_controller\_irsa](#module\_load\_balancer\_controller\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_load_balancer_controller_targetgroup_binding_only_irsa"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_mountpoint_s3_csi_irsa"></a> [mountpoint\_s3\_csi\_irsa](#module\_mountpoint\_s3\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |

examples/iam-role-for-service-accounts/main.tf

@@ -17,48 +17,6 @@ locals {
   }
 }
 
-################################################################################
-# IRSAv2 Roles
-################################################################################
-
-module "irsa_v2_empty" {
-  source = "../../modules/iam-role-for-service-accounts"
-
-  name = "${local.name}-v2"
-
-  enable_irsa_v2 = true
-
-  tags = local.tags
-}
-
-module "ebs_csi_irsa_v2" {
-  source = "../../modules/iam-role-for-service-accounts"
-
-  name = "ebs-csi-v2"
-
-  enable_irsa_v2        = true
-  attach_ebs_csi_policy = true
-
-  tags = local.tags
-}
-
-module "irsa_v2_custom_policy" {
-  source = "../../modules/iam-role-for-service-accounts"
-
-  name = "${local.name}-custom-name"
-
-  enable_irsa_v2 = true
-  policy_statements = {
-    DescribeEc2 = {
-      actions   = ["ec2:Describe*"]
-      effect    = "Allow"
-      resources = ["*"]
-    }
-  }
-
-  tags = local.tags
-}
-
 ################################################################################
 # IRSA Roles
 ################################################################################

modules/iam-role-for-service-accounts/README.md

@@ -189,7 +189,6 @@ No modules.
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Whether to create an IAM policy that is attached to the IAM role created | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the role | `string` | `null` | no |
 | <a name="input_ebs_csi_kms_cmk_arns"></a> [ebs\_csi\_kms\_cmk\_arns](#input\_ebs\_csi\_kms\_cmk\_arns) | KMS CMK ARNs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
-| <a name="input_enable_irsa_v2"></a> [enable\_irsa\_v2](#input\_enable\_irsa\_v2) | Determines whether to add the new IRSAv2 IAM assume role trust policy | `bool` | `false` | no |
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | `[]` | no |
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |

modules/iam-role-for-service-accounts/main.tf

@@ -14,23 +14,6 @@ locals {
 data "aws_iam_policy_document" "assume" {
   count = var.create ? 1 : 0
 
-  dynamic "statement" {
-    for_each = var.enable_irsa_v2 ? [1] : []
-
-    content {
-      sid     = "EksAssume"
-      effect  = "Allow"
-      actions = ["sts:AssumeRole"]
-
-      principals {
-        type = "Service"
-        # identifier subject to change
-        # identifiers = ["eks-pods.${local.dns_suffix}"]
-        identifiers = ["eks.${local.dns_suffix}"]
-      }
-    }
-  }
-
   dynamic "statement" {
     for_each = var.oidc_providers
 
@@ -55,7 +38,6 @@ data "aws_iam_policy_document" "assume" {
         variable = "${replace(statement.value.provider_arn, "/^(.*provider/)/", "")}:aud"
         values   = ["sts.amazonaws.com"]
       }
-
     }
   }
 }

modules/iam-role-for-service-accounts/variables.tf

@@ -62,12 +62,6 @@ variable "oidc_providers" {
   default     = {}
 }
 
-variable "enable_irsa_v2" {
-  description = "Determines whether to add the new IRSAv2 IAM assume role trust policy"
-  type        = bool
-  default     = false
-}
-
 variable "policies" {
   description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
   type        = map(string)

wrappers/iam-role-for-service-accounts/main.tf

@@ -28,7 +28,6 @@ module "wrapper" {
   create_policy                                                   = try(each.value.create_policy, var.defaults.create_policy, true)
   description                                                     = try(each.value.description, var.defaults.description, null)
   ebs_csi_kms_cmk_arns                                            = try(each.value.ebs_csi_kms_cmk_arns, var.defaults.ebs_csi_kms_cmk_arns, [])
-  enable_irsa_v2                                                  = try(each.value.enable_irsa_v2, var.defaults.enable_irsa_v2, false)
   external_dns_hosted_zone_arns                                   = try(each.value.external_dns_hosted_zone_arns, var.defaults.external_dns_hosted_zone_arns, [])
   external_secrets_kms_key_arns                                   = try(each.value.external_secrets_kms_key_arns, var.defaults.external_secrets_kms_key_arns, [])
   external_secrets_secrets_manager_arns                           = try(each.value.external_secrets_secrets_manager_arns, var.defaults.external_secrets_secrets_manager_arns, [])