
Create an easy way to set up new roles and serviceaccounts for user applications #69

@bmonkman

Description


Right now when someone wants to create a new application and give it access to something in AWS we give them instructions on how to do it using "IRSA", the new mechanism for granting access to pods, but there's still quite a bit of manual work and confusion. I think we could simplify it by writing some terraform that would allow them to supply a list of service account names and corresponding AWS IAM policies, and we can create all the required resources. We can either just leave the list blank to start or maybe we could use it to create some of the service accounts we need for stuff we set up like external-dns.

I imagine this could look like another file in infrastructure/terraform/environments/<env>/, maybe application_iam_policy, where they can specify policy blocks like:

```hcl
data "aws_iam_policy_document" "my_application" {
  statement {
    # IAM actions the application needs ("whatever" is a placeholder in the sketch)
    actions = [
      "whatever",
    ]

    # narrow this to the specific ARNs the application needs where possible
    resources = ["*"]
  }
}
```

And then, in infrastructure/terraform/environments/<env>/main.tf, in the vars we pass to environment, we add a map of serviceaccount to policy like:

```hcl
  # keyed by service account name; the policy value is the rendered JSON of the document above
  application_iam_policies = {
    my_application = {
      service_account = "my_application"
      namespace       = "app_namespace"
      policy          = data.aws_iam_policy_document.my_application.json
    }
  }
```

Then in the background we create the role for them. We can do something similar in infrastructure/kubernetes and accept a list of serviceaccounts and namespaces and create the service accounts for them.
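One way the "in the background" part could be wired up, as an added sketch that is not the project's own Terraform: it iterates the map above, builds a per-application IRSA trust policy, attaches the supplied permissions, and creates the annotated service account. The variable names `oidc_provider_arn`, `oidc_host` and the `application_iam_policies` shape are assumptions.

```hcl
# Assumed inputs: the IAM OIDC provider ARN and the issuer host/path without the https:// scheme.
variable "oidc_provider_arn" { type = string }
variable "oidc_host"         { type = string }
# Map keyed by service account name; each entry gives its namespace and rendered policy JSON.
variable "application_iam_policies" {
  type    = map(object({ namespace = string, policy = string }))
  default = {}
}
# Trust policy: only the exact namespace:serviceaccount pair may assume the role, and only
# with tokens minted for the sts.amazonaws.com audience. Never wildcard the sub condition.
data "aws_iam_policy_document" "assume" {
  for_each = var.application_iam_policies
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_host}:sub"
      values   = ["system:serviceaccount:${each.value.namespace}:${each.key}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "app" {
  for_each           = var.application_iam_policies
  name               = "irsa-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.assume[each.key].json
}
# The owner-supplied permissions policy, attached inline to that application's role only.
resource "aws_iam_role_policy" "app" {
  for_each = var.application_iam_policies
  role     = aws_iam_role.app[each.key].id
  policy   = each.value.policy
}
# The service account pods run as; the annotation is what the IRSA webhook reads.
resource "kubernetes_service_account" "app" {
  for_each = var.application_iam_policies
  metadata {
    name        = each.key
    namespace   = each.value.namespace
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.app[each.key].arn }
  }
}
```

Because the `sub` condition is pinned to one namespace and service account, a pod in another namespace that reuses the same service account name cannot assume the role.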
