Merge pull request #76 from zama-ai/fred/fix/add-variable-for-role-name

piizama · web-flow · commit c03ef8d1756a · 2025-11-10T16:15:33.000+01:00
fix: add role name variable
diff --git a/modules/mpc-party/README.md b/modules/mpc-party/README.md
@@ -361,6 +361,7 @@ The module can optionally create:
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster for IRSA configuration | `string` | n/a | yes |
 | <a name="input_common_tags"></a> [common\_tags](#input\_common\_tags) | Deprecated common tags to apply to all AWS resources | `map(string)` | <pre>{<br/>  "module": "mpc-party",<br/>  "terraform": "true"<br/>}</pre> | no |
 | <a name="input_config_map_name"></a> [config\_map\_name](#input\_config\_map\_name) | Name of the ConfigMap | `string` | `"mpc-party"` | no |
+| <a name="input_connector_role_name"></a> [connector\_role\_name](#input\_connector\_role\_name) | The name of the connector role | `string` | `""` | no |
 | <a name="input_create_config_map"></a> [create\_config\_map](#input\_create\_config\_map) | Whether to create a ConfigMap with S3 bucket environment variables | `bool` | `true` | no |
 | <a name="input_create_irsa"></a> [create\_irsa](#input\_create\_irsa) | Whether to create IRSA (IAM Roles for Service Accounts) role for secure AWS access | `bool` | `true` | no |
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Whether to create the Kubernetes namespace | `bool` | `true` | no |
@@ -383,6 +384,7 @@ The module can optionally create:
 | <a name="input_kms_image_attestation_sha"></a> [kms\_image\_attestation\_sha](#input\_kms\_image\_attestation\_sha) | Attestation SHA for KMS image | `string` | n/a | yes |
 | <a name="input_kms_key_usage"></a> [kms\_key\_usage](#input\_kms\_key\_usage) | Key usage for KMS | `string` | `"ENCRYPT_DECRYPT"` | no |
 | <a name="input_kms_use_cross_account_kms_key"></a> [kms\_use\_cross\_account\_kms\_key](#input\_kms\_use\_cross\_account\_kms\_key) | Whether a KMS key has been created in a different AWS account | `bool` | `false` | no |
+| <a name="input_mpc_party_role_name"></a> [mpc\_party\_role\_name](#input\_mpc\_party\_role\_name) | The name of the MPC party role | `string` | `""` | no |
 | <a name="input_namespace_annotations"></a> [namespace\_annotations](#input\_namespace\_annotations) | Additional annotations to apply to the namespace | `map(string)` | `{}` | no |
 | <a name="input_namespace_labels"></a> [namespace\_labels](#input\_namespace\_labels) | Additional labels to apply to the namespace | `map(string)` | `{}` | no |
 | <a name="input_network_environment"></a> [network\_environment](#input\_network\_environment) | MPC network environment that determines region constraints | `string` | `"testnet"` | no |
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -217,7 +217,7 @@ module "iam_assumable_role_mpc_party" {
   version                       = "5.48.0"
   provider_url                  = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
   create_role                   = true
-  role_name                     = "mpc-${var.cluster_name}-${var.party_name}"
+  role_name                     = var.mpc_party_role_name != "" ? var.mpc_party_role_name : "mpc-${var.cluster_name}-${var.party_name}"
   oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account_name}"]
   role_policy_arns              = [aws_iam_policy.mpc_aws.arn]
   depends_on                    = [aws_s3_bucket.vault_private_bucket, aws_s3_bucket.vault_public_bucket, kubernetes_namespace.mpc_party_namespace]
@@ -252,7 +252,7 @@ module "iam_assumable_role_kms_connector" {
   version                       = "5.48.0"
   provider_url                  = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
   create_role                   = true
-  role_name                     = "mpc-${var.cluster_name}-${var.party_name}-connector"
+  role_name                     = var.connector_role_name != "" ? var.connector_role_name : "mpc-${var.cluster_name}-${var.party_name}-connector"
   oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account_name}-connector"]
   role_policy_arns              = []
   depends_on                    = [kubernetes_namespace.mpc_party_namespace]
diff --git a/modules/mpc-party/variables.tf b/modules/mpc-party/variables.tf
@@ -30,6 +30,26 @@ variable "party_name" {
   }
 }
 
+variable "mpc_party_role_name" {
+  type        = string
+  description = "The name of the MPC party role"
+  default     = ""
+  validation {
+    condition     = length(var.mpc_party_role_name) <= 64
+    error_message = "MPC party role name must be 64 characters or less."
+  }
+}
+
+variable "connector_role_name" {
+  type        = string
+  description = "The name of the connector role"
+  default     = ""
+  validation {
+    condition     = length(var.connector_role_name) <= 64
+    error_message = "Connector role name must be 64 characters or less."
+  }
+}
+
 # EKS Cluster Configuration
 variable "cluster_name" {
   type        = string
