fix: Grant bedrock access to dma service account

fpopa · fpopa · commit 29e6f9638084 · 2025-09-12T13:24:59.000+04:00
diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf
@@ -76,6 +76,20 @@ module "dfshell_role" {
   }
 }
 
+# dma
+module "dma_role" {
+  count              = 1
+  source             = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  role_name          = "${var.deployment_name}-${var.dma_service_account_name}"
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["${var.deployment_name}:${var.dma_service_account_name}"]
+    }
+  }
+}
+
 # worker_portal
 module "worker_portal_role" {
   count              = 1
@@ -249,6 +263,12 @@ resource "aws_iam_role_policy_attachment" "bedrock_dfshell_attachment" {
   policy_arn = aws_iam_policy.bedrock_access_policy[0].arn
 }
 
+resource "aws_iam_role_policy_attachment" "bedrock_dma_attachment" {
+  count      = var.k8s_access_bedrock ? 1 : 0
+  role       = module.dma_role[0].iam_role_name
+  policy_arn = aws_iam_policy.bedrock_access_policy[0].arn
+}
+
 resource "aws_iam_role_policy_attachment" "bedrock_server_attachment" {
   count      = var.k8s_access_bedrock ? 1 : 0
   role       = module.server_role[0].iam_role_name
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -135,6 +135,12 @@ variable "dfshell_service_account_name" {
   description = "Name of the service account for dfshell"
 }
 
+variable "dma_service_account_name" {
+  type        = string
+  default     = "datafold-dma"
+  description = "Name of the service account for dma"
+}
+
 variable "worker_portal_service_account_name" {
   type        = string
   default     = "datafold-worker-portal"
