refactor(k8s): move IAM requirements to k8s/requirements/aws + rename role to convention #194

Open
agustincelentano wants to merge 1 commit into beta from feat/k8s-requirements-module

@agustincelentano

Collaborator

What

Aligns the k8s scope with the layout and naming of lambda and static-files:

  1. Moves the IAM permissions module from k8s/specs/tofu → k8s/requirements/aws (git rename, preserves history). Leaves k8s/requirements/<cloud> for future multi-cloud, same as static-files/requirements/aws.
  2. Renames the default of the permissions role: nullplatform-<cluster>-agent-permissions-role → nullplatform_<cluster>_k8s_role, following the convention nullplatform_<cluster>_<scope>_role (lambda = _lambda_role, static = _static_files_role). It can be overridden with permissions_role_name.

The scope runtime resolves the role by selector, not by name, so the rename does not affect the assume-role logic; it only recreates the IAM resource.

⚠️ BREAKING

  • Path: consumers that reference //k8s/specs/tofu?ref=beta must update the source to //k8s/requirements/aws. The old path ceases to exist.
  • Role: on apply, the permissions role is recreated (destroy+create, new ARN). The policies (route53/eks/elb) are preserved; they are only re-attached. Consumers must re-publish the new ARN in their IAM provider (k8s selector).

Validation

  • tofu validate + fmt OK on k8s/requirements/aws.
  • Tested end-to-end from implementation-aws pointing at this branch: plan = 4 to add, 1 to change, 4 to destroy (role recreate + re-attach; policies intact).

Note

PR opened for review/coordination before merging: the path change and the role recreate impact other implementations that consume scopes//k8s @ beta.

…e role

Move the k8s permissions-role module from k8s/specs/tofu to k8s/requirements/aws,
aligning with the lambda/static-files requirements layout. Rename the default
permissions role to nullplatform_<cluster>_k8s_role (was
nullplatform-<cluster>-agent-permissions-role) to follow the
nullplatform_<cluster>_<scope>_role convention.

BREAKING: consumers referencing //k8s/specs/tofu must update the source to
//k8s/requirements/aws.