feat(agent): IAM assume-role support + multi-instance parametrization #386
Merged
Adds optional `assume_role_arns` variable (default []) to the agent IAM module. When non-empty, creates a scoped sts:AssumeRole policy and attaches it to the agent role alongside the existing Route53/ELB/EKS/AVP policies. Includes ARN format validation and tftest coverage for both the default (no policy created) and enabled (policy created and named correctly) cases. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…deploys
Allow running multiple nullplatform agents in the same cluster without name
collisions by making IAM and Helm resource names configurable.
- iam/agent: add role_name and policies_name_prefix overrides (default to the
existing nullplatform-{cluster_name} convention); trust the configurable
service_account_name in the OIDC provider trust relationship
- nullplatform/agent: add release_name, service_account_name and
image_repository variables; render serviceAccount (create/automount/name)
and image.repository in the Helm values template
Also ignore the local np-api-skill.token credential.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Track the provider lock file for reproducible builds. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
agustincelentano
approved these changes
Jun 10, 2026
Summary
Extends the agent modules (`infrastructure/aws/iam/agent` and `nullplatform/agent`) with two capabilities:
- `sts:AssumeRole` support — the agent can be granted permission to assume a configurable list of IAM roles.

Changes
`infrastructure/aws/iam/agent`
- `assume_role_arns` (`list(string)`, default `[]`): creates a conditional `sts:AssumeRole` policy (count-gated) and attaches it to the agent role only when ARNs are provided. ARNs are format-validated. Covered by tests in `tests/agent.tftest.hcl`.
- `role_name` / `policies_name_prefix` overrides — default to the existing `nullplatform-{cluster_name}` / `nullplatform_{cluster_name}` convention, so existing consumers see no diff.
- `service_account_name` — the OIDC trust relationship now trusts this SA name instead of the hardcoded `nullplatform-agent`.

`nullplatform/agent`
- `release_name` — the `helm_release` name is now configurable (was hardcoded `nullplatform-agent`).
- `service_account_name` — the values template renders the `serviceAccount` block (create/automount/name).
- `image_repository` — allows overriding the agent container image repository (previously only the tag).

Compatibility
All new variables default to the previous hardcoded behavior — no diff for existing consumers (the assume-role policy and SA/repository overrides are opt-in).

Notes
- main up to `v4.0.1` (includes the `v4.0.0` breaking change `feat(dns,ingress,iam)!`, which does not touch the agent modules).
- `np-api-skill.token` credential was added to `.gitignore` (never committed).

Testing
`tofu test`, `tofu validate` and `tofu fmt` pass via pre-commit hooks.

🤖 Generated with Claude Code
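The following is an added example and not the module's own code: it sketches, in OpenTofu/Terraform HCL, the shape of the two IAM pieces described above (the OIDC trust relationship that trusts a configurable service account, and the opt-in, count-gated `sts:AssumeRole` policy with ARN validation) together with the two `tftest` cases the description mentions. Everything not named in the PR is an assumption: the `oidc_provider_arn`, `oidc_provider_host` and `namespace` inputs, the `agent`/`trust`/`assume_role` resource names, the `_assume_role` policy suffix, the test file layout, and the constructed account ID and OIDC provider ID used in the tests.

```hcl
# Added example, not the module's own code: the shape of the two IAM pieces the PR
# describes (an OIDC trust policy scoped to a configurable service account, and an
# opt-in, count-gated sts:AssumeRole policy) plus the two tftest cases. Assumed, not
# in the PR: oidc_provider_arn, oidc_provider_host, namespace, resource names, suffix.
variable "cluster_name" { type = string }
variable "oidc_provider_arn" { type = string }  # arn:aws:iam::<acct>:oidc-provider/<host>
variable "oidc_provider_host" { type = string } # oidc.eks.<region>.amazonaws.com/id/<ID>
variable "namespace" { type = string }
variable "service_account_name" { type = string }
variable "role_name" {
  type    = string
  default = null # null -> nullplatform-{cluster_name}, the pre-existing convention
}
variable "policies_name_prefix" {
  type    = string
  default = null # null -> nullplatform_{cluster_name}
}
variable "assume_role_arns" {
  type    = list(string)
  default = []
  validation {
    condition = alltrue([for a in var.assume_role_arns :
      can(regex("^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$", a))
    ])
    error_message = "Each entry must be an IAM role ARN: arn:aws:iam::<account-id>:role/<name>."
  }
}

# Trust policy: binding "sub" to one namespace/service-account pair (not only "aud")
# is what stops every other pod behind the same OIDC provider from taking this role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider_host}:sub"
      values   = ["system:serviceaccount:${var.namespace}:${var.service_account_name}"]
    }
  }
}

resource "aws_iam_role" "agent" {
  name               = coalesce(var.role_name, "nullplatform-${var.cluster_name}")
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# count-gated: zero resources when the list is empty, so existing consumers see no diff;
# Resource is the explicit list, never "*".
resource "aws_iam_policy" "assume_role" {
  count  = length(var.assume_role_arns) > 0 ? 1 : 0
  name   = "${coalesce(var.policies_name_prefix, "nullplatform_${var.cluster_name}")}_assume_role"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Resource = var.assume_role_arns }]
  })
}

resource "aws_iam_role_policy_attachment" "assume_role" {
  count      = length(var.assume_role_arns) > 0 ? 1 : 0
  role       = aws_iam_role.agent.name
  policy_arn = aws_iam_policy.assume_role[0].arn
}

# --- tests/agent.tftest.hcl (assumed layout; mock provider, so no AWS credentials needed)
mock_provider "aws" {}
variables {
  cluster_name         = "demo"
  namespace            = "nullplatform"
  service_account_name = "nullplatform-agent"
  oidc_provider_arn    = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"
  oidc_provider_host   = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"
}
run "default_creates_no_policy" {
  command = plan
  assert {
    condition     = length(aws_iam_policy.assume_role) == 0
    error_message = "no assume-role policy expected when assume_role_arns is empty"
  }
}
run "arns_create_named_policy" {
  command = plan
  variables { assume_role_arns = ["arn:aws:iam::123456789012:role/target"] }
  assert {
    condition     = aws_iam_policy.assume_role[0].name == "nullplatform_demo_assume_role"
    error_message = "unexpected assume-role policy name"
  }
}
```

Two checks worth keeping in mind when using this shape. First, the `assume_role_arns` policy is only half of the grant: each target role's own trust policy must also name the agent role (or its account) as a principal for `sts:AssumeRole`, otherwise the call is denied regardless of this policy. Second, when several agents share one cluster (the multi-instance case this PR enables), each instance needs its own `service_account_name` and `role_name`; because the trust policy pins `sub` to a single `namespace:service-account` pair, two agents cannot share a role by accident, and the `policies_name_prefix` override keeps their policy names from colliding in the same account.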