{{- $cluster := .Values.clusterName -}} {{- $namespace := .Values.piNamespace -}} {{- $name := .Values.name -}} {{- $root := . -}} {{- $serviceAccounts := .Values.serviceAccounts -}} {{- $policyDocument := .Values.policyDocument -}} {{- range $serviceAccounts }} apiVersion: kro.run/v1alpha1 kind: PodIdentity metadata: name: "{{ include "kro-pi-instance.name" $root }}-{{ . }}" annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "-5" spec: name: {{$name}} values: aws: clusterName: {{ $cluster }} policy: policyDocument: | { "Version": "2012-10-17", "Statement": [ {{- range $index, $policy := $policyDocument }} { "Effect": "Allow", "Action": [ {{- range $i, $action := $policy.actions }} "{{ $action }}"{{ if not (eq (add $i 1) (len $policy.actions)) }},{{ end }} {{- end }} ], "Resource": [ {{- if $policy.customArn }} "{{ $policy.customArn }}" {{- else if eq $policy.resourceName "*" }} "*" {{- else }} "arn:aws:{{ $policy.resourceType }}:{{ $.Values.region }}:{{ $.Values.accountId }}:{{ $policy.resourceName }}" {{- end }} ] {{- if $policy.conditions }} ,"Condition": { {{- range $j, $condition := $policy.conditions }} "{{ $condition.test }}": { "{{ $condition.variable }}": [ {{- range $k, $value := $condition.values }} "{{ $value }}"{{ if not (eq (add $k 1) (len $condition.values)) }},{{ end }} {{- end }} ] } {{- end }} } {{- end }} }{{ if not (eq (add $index 1) (len $.Values.policyDocument)) }},{{ end }} {{- end }} ] } piAssociation: serviceAccount: {{ . }} piNamespace: {{ $namespace }} --- {{- end}}