add beginning of example for cluster admin

examples/cluster-assume-role/group.tf

@@ -0,0 +1,2 @@
+# add to user group
+#  aws_iam_policy.list_assume_policy.arn

examples/cluster-assume-role/policies.tf

@@ -0,0 +1,33 @@
+# we want the per-cluster assume policies, but adding them all to the role may exceed the limit.  Here, we'll create a policy that
+# includes all the clusters that this group woudl manage
+
+data "aws_iam_role" "list" {
+  for_each = toset([for c in var.admin_cluster_list : format("r-eks-%v-cluster-admin", c)])
+  name     = each.key
+}
+
+#---
+# cluster admin assume policy
+#---
+resource "aws_iam_policy" "list_assume_policy" {
+  name        = format("p-%v-cluster-admin-role-assume", local.app_name)
+  path        = "/"
+  description = "Allow SAML role to assume cluster-admin roles"
+  policy      = data.aws_iam_policy_document.cluster-admin_assume_policy.json
+
+  tags = merge(
+    local.base_tags,
+    #    var.tags,
+    var.application_tags,
+    tomap({ "Name" = format("p-%v-cluster-admin-role-assume", local.app_name) }),
+  )
+}
+
+data "aws_iam_policy_document" "cluster-admin_assume_policy" {
+  statement {
+    sid       = "AllowSTSAssumeClusterAdminRole"
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole"]
+    resources = [for k, v in data.aws_iam_role.list : v.arn]
+  }
+}

examples/cluster-assume-role/variables.tf

@@ -0,0 +1,5 @@
+variable "admin_cluster_list" {
+  description = "List of cluster names for which {cluster-name}-cluster-admin roles should be granted"
+  type        = list(string)
+  default     = []
+}