# IAM group for principals that may assume the EKS full-access role.
# The group name is taken from the `id` output of the eks_full_access_label
# module, which is declared outside this view.
# In this file the only policy attached to the group is the assume-role policy
# (aws_iam_group_policy_attachment.assume_eks_full_access).
# NOTE(review): membership of this group decides who can request the role's
# credentials, so membership changes deserve the same review as changes to the
# role itself.
resource "aws_iam_group" "eks_full_access" {
  name = "${module.eks_full_access_label.id}"
  path = "/"
}

# Attaches the assume-role managed policy to the eks_full_access group, so
# every member of the group inherits permission to call sts:AssumeRole on the
# EKS full-access role.
resource "aws_iam_group_policy_attachment" "assume_eks_full_access" {
  group      = "${aws_iam_group.eks_full_access.name}"
  policy_arn = "${aws_iam_policy.assume_eks_full_access.arn}"
}

# Customer-managed IAM policy that carries the assume-role permission.
# Its name is the group name with the suffix "-assume-policy"; the policy body
# is rendered from data.aws_iam_policy_document.assume_eks_full_access_role.
resource "aws_iam_policy" "assume_eks_full_access" {
  name        = "${aws_iam_group.eks_full_access.name}-assume-policy"
  description = "User policy to assume eks full access role"
  policy      = "${data.aws_iam_policy_document.assume_eks_full_access_role.json}"
}

# Policy document that lets the eks_full_access group assume the
# eks_full_access IAM role (aws_iam_role.eks_full_access, declared outside
# this view).
#
# The single statement sets no `effect`, so it takes the data source's default
# of "Allow". The only action is sts:AssumeRole and the only resource is that
# one role's ARN, so the grant does not extend to any other role.
#
# NOTE(review): this identity policy is only one half of the check. The role's
# trust policy (not visible here) also has to permit these principals; confirm
# it is not broader than this group.
# NOTE(review): the statement has no `condition`. If group members are human
# users with long-lived credentials, consider requiring MFA
# (aws:MultiFactorAuthPresent) before the role can be assumed. Confirm against
# the account's access policy.
data "aws_iam_policy_document" "assume_eks_full_access_role" {
  statement = {
    actions = [
      "sts:AssumeRole",
    ]

    # Scoped to exactly one role ARN; no wildcard.
    resources = [
      "${aws_iam_role.eks_full_access.arn}",
    ]
  }
}