luthersystems · sam-at-luther · Jul 22, 2025 · Jul 18, 2025 · Jul 18, 2025 · Jul 19, 2025
diff --git a/aws-platform-ui-main/eks-vpc.tf b/aws-platform-ui-main/eks-vpc.tf
@@ -79,6 +79,10 @@ output "oidc_provider_arn" {
   value = module.eks_vpc.oidc_provider_arn
 }
 
+output "oidc_provider_thumbprints" {
+  value = module.eks_vpc.oidc_provider_thumbprints
+}
+
 output "aws_cloudwatch_log_group" {
   value = "${module.eks_vpc.aws_cloudwatch_log_group}:*"
 }

diff --git a/aws-sftp/transfer_server.tf b/aws-sftp/transfer_server.tf
@@ -243,8 +243,8 @@ module "luthername_eip" {
 }
 
 resource "aws_eip" "sftp" {
-  count = length(local.region_availability_zones)
-  vpc   = true
+  count  = length(local.region_availability_zones)
+  domain = "vpc"
 
   depends_on = [aws_internet_gateway.sftp]
 

diff --git a/eks-vpc/bastion.tf b/eks-vpc/bastion.tf
@@ -135,7 +135,7 @@ locals {
     k8s_cluster_storageclass_sc1_encrypted = local.storageclass_sc1_encrypted
     aws_load_balancer_controller_iam_role  = module.aws_lb_controller_service_account_iam_role.arn
     eks_worker_iam_role_arn                = aws_iam_role.eks_worker.arn
-    k8s_admin_role_arn                     = data.aws_iam_role.assumed_role_admin.arn
+    k8s_admin_role_arn                     = local.admin_role_arn
     k8s_alt_admin_role_arn                 = local.k8s_alt_admin_role_arn
     storage_kms_key_id                     = var.volumes_aws_kms_key_id
 

diff --git a/eks-vpc/eks_master.tf b/eks-vpc/eks_master.tf
@@ -90,6 +90,10 @@ output "oidc_provider_arn" {
   value = local.oidc_provider_arn
 }
 
+output "oidc_provider_thumbprints" {
+  value = aws_iam_openid_connect_provider.app.thumbprint_list
+}
+
 module "luthername_eks_master_role" {
   source         = "../luthername"
   luther_project = var.luther_project

diff --git a/eks-vpc/k8s_resources.tf b/eks-vpc/k8s_resources.tf
@@ -1,5 +1,24 @@
-data "aws_iam_role" "assumed_role_admin" {
-  name = "admin"
+data "aws_caller_identity" "current" {}
+
+locals {
+  admin_role_arn = data.aws_iam_role.admin_role.arn
+}
+
+
+# Extract the role name (the segment between "assumed-role/" and the session name)
+locals {
+  sts_arn_parts     = split("/", data.aws_caller_identity.current.arn)
+  assumed_role_name = local.sts_arn_parts[1]
+}
+
+# Look up the IAM Role by name
+data "aws_iam_role" "admin_role" {
+  name = local.assumed_role_name
+}
+
+# Now you have a stable IAM Role ARN
+output "admin_role_arn" {
+  value = local.admin_role_arn
 }
 
 # deprecated - moved to ansible
@@ -28,7 +47,7 @@ data:
       groups:
         - system:bootstrappers
         - system:nodes
-    - rolearn: ${data.aws_iam_role.assumed_role_admin.arn}
+    - rolearn: ${local.admin_role_arn}
       username: luther:admin
       groups:
         - system:masters