feat(iam/agent)!: require explicit assume_role_arns, drop implicit permissions role#421
Merged
agustincelentano merged 18 commits (Jul 1, 2026)
…rmissions role

The agent module no longer injects the k8s permissions role ARN by naming convention into the sts:AssumeRole policy. Callers must now pass every role the agent should assume explicitly via assume_role_arns and/or permissions_roles.

- Remove [local.permissions_role_arn] from the assume-role policy Resource
- Remove the now-dead permissions_role_name variable, permissions_role_arn local, and nullplatform_agent_permissions_role_arn output
- Add a lifecycle precondition requiring at least one assumable role, so an empty Resource (rejected by AWS) fails fast at plan with a clear message
- Update tests and README accordingly

BREAKING CHANGE: clusters that relied on the implicit permissions role must now pass it explicitly in assume_role_arns.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
agustincelentano approved these changes Jul 1, 2026
What

The infrastructure/aws/iam/agent module used to prepend a conventionally-named permissions role ARN (nullplatform-{cluster}-agent-permissions-role) into the agent's sts:AssumeRole policy on every apply, without the caller asking for it. This PR removes that implicit behavior so the agent only assumes the roles explicitly provided.

Why

- … assume_role_arns + permissions_roles).
- … AssumeRole pointing at a nonexistent role.

Changes

- main.tf: drop [local.permissions_role_arn] from the policy Resource; remove the dead permissions_role_arn local; add a lifecycle.precondition requiring at least one assumable role (avoids an empty Resource, which AWS rejects — now fails fast at plan).
- variables.tf: remove unused permissions_role_name.
- outputs.tf: remove nullplatform_agent_permissions_role_arn.
- tests/agent.tftest.hcl: assert the convention ARN is no longer injected, and that plan fails when no role is provided (expect_failures).
- README.md: docs updated.

Verification

- tofu fmt -check -recursive → clean
- tofu validate → Success
- tofu test → 4 passed, 0 failed

Every cluster with containers that relied on the implicit permissions role must now pass it explicitly:

Without it, the next plan fails the new precondition (explicit failure, not silent). Those caller changes live in the consuming repo.

🤖 Generated with Claude Code
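As an added illustration (not the module's own code from this PR), this is what the explicit assume-role policy with the plan-time precondition described above looks like in HCL; the variable, data source, resource and policy names are assumptions.

```hcl
# Added illustration, not the nullplatform agent module's own code.
# Variable, data source, resource and policy names are assumed.

variable "assume_role_arns" {
  description = "Role ARNs the agent may assume. Nothing is injected by naming convention."
  type        = list(string)
  default     = []
}

variable "permissions_roles" {
  description = "Additional role ARNs (e.g. per-cluster permissions roles) the agent may assume."
  type        = list(string)
  default     = []
}

locals {
  # The complete, explicit set of assumable roles. No convention-derived
  # ARN (such as a *-agent-permissions-role) is added here.
  assumable_role_arns = distinct(concat(var.assume_role_arns, var.permissions_roles))
}

data "aws_iam_policy_document" "agent_assume_role" {
  statement {
    sid       = "AgentAssumeRole"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = local.assumable_role_arns
  }
}

resource "aws_iam_policy" "agent_assume_role" {
  name   = "agent-assume-role" # assumed name
  policy = data.aws_iam_policy_document.agent_assume_role.json

  lifecycle {
    # AWS rejects a statement with an empty Resource, but only at apply time.
    # This precondition surfaces the mistake at plan with a clear message,
    # so a cluster that dropped its implicit permissions role cannot silently
    # end up with an agent that can assume nothing (or a nonexistent role).
    precondition {
      condition     = length(local.assumable_role_arns) > 0
      error_message = "Supply at least one role ARN via assume_role_arns or permissions_roles; the module no longer injects a permissions role by naming convention."
    }
  }
}
```

With both variables left empty, `tofu plan` stops at the precondition instead of reaching AWS, which is the fail-fast behavior the PR's tests assert with expect_failures.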