From 9ca9e8bfd5ef0cf4c6cd75bb4b5259bb2a1f0998 Mon Sep 17 00:00:00 2001
From: Lucas Rodriguez
Date: Wed, 4 Oct 2023 00:01:49 -0500
Subject: [PATCH] Dynamically set AWS account ID in iam script
---
 bootstrap/iam/ecr-credential-helper-role.json | 2 +-
 bootstrap/iam/ecr-webhook-role.json | 2 +-
 bootstrap/iam/iam.sh | 8 +++++++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/bootstrap/iam/ecr-credential-helper-role.json b/bootstrap/iam/ecr-credential-helper-role.json
index e656919..3d42565 100644
--- a/bootstrap/iam/ecr-credential-helper-role.json
+++ b/bootstrap/iam/ecr-credential-helper-role.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "arn:aws:iam::331924599099:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/{{EKS_CLUSTER_ID}}"
+ "Federated": "arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/{{EKS_CLUSTER_ID}}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
diff --git a/bootstrap/iam/ecr-webhook-role.json b/bootstrap/iam/ecr-webhook-role.json
index b659d3f..c2756ec 100644
--- a/bootstrap/iam/ecr-webhook-role.json
+++ b/bootstrap/iam/ecr-webhook-role.json
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "arn:aws:iam::331924599099:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/{{EKS_CLUSTER_ID}}"
+ "Federated": "arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/{{EKS_CLUSTER_ID}}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
diff --git a/bootstrap/iam/iam.sh b/bootstrap/iam/iam.sh
index 722760a..58c26da 100755
--- a/bootstrap/iam/iam.sh
+++ b/bootstrap/iam/iam.sh
@@ -7,6 +7,9 @@ create() {
 exit 1
 fi
 
+ # Fetch AWS account ID
+ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
+
 # Fetch the EKS Cluster ID
 EKS_CLUSTER_ID=$(aws eks describe-cluster --name "$2" --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
 if [ -z "$EKS_CLUSTER_ID" ]; then
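Review bot: The new `AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)` is never checked, while `EKS_CLUSTER_ID` two lines below gets an `if [ -z ... ]` guard; if the call fails (no credentials, expired session, wrong profile) the variable is empty and the later substitution yields a principal of `arn:aws:iam:::oidc-provider/...`, a trust policy that names no account. Mirror the existing guard right after the assignment: `if [ -z "$AWS_ACCOUNT_ID" ]; then echo "Failed to determine AWS account ID" >&2; exit 1; fi`. Because the value is later spliced into a sed expression, a digits-only check (`case "$AWS_ACCOUNT_ID" in *[!0-9]*|'') ... esac`) would also reject unexpected output. Whether the script runs under `set -e` is not visible here, and `create()` begins before this hunk and continues after it.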
@@ -14,11 +17,14 @@ create() {
 exit 1
 fi
 
- # Replace the placeholder in the JSON files with the EKS Cluster ID
+ # Replace the placeholder in the JSON files with the AWS account ID and EKS cluster ID
 SED_CMD="sed"
 if [ "$(uname -s)" = "Darwin" ]; then
 SED_CMD="gsed"
 fi
 
+ "$SED_CMD" -i "s/{{AWS_ACCOUNT_ID}}/$AWS_ACCOUNT_ID/g" ecr-webhook-role.json
+ "$SED_CMD" -i "s/{{AWS_ACCOUNT_ID}}/$AWS_ACCOUNT_ID/g" ecr-credential-helper-role.json
+
 "$SED_CMD" -i "s/{{EKS_CLUSTER_ID}}/$EKS_CLUSTER_ID/g" ecr-webhook-role.json
 "$SED_CMD" -i "s/{{EKS_CLUSTER_ID}}/$EKS_CLUSTER_ID/g" ecr-credential-helper-role.json
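Review bot: The two added `"$SED_CMD" -i ... {{AWS_ACCOUNT_ID}} ...` lines rewrite the tracked template files in place, as the existing `{{EKS_CLUSTER_ID}}` lines already do, so after one run the working copy contains a concrete account ID and a rerun against another account or profile finds no placeholder and silently keeps the old value; that is presumably how the literal ID this commit removes from the JSON files ended up committed. Rendering each template into a temporary copy (`mktemp`) and handing that to whatever consumes the policy document would leave the templates intact, though the consumer is outside this hunk so I cannot say how it reads the file. As a point of style, the four invocations collapse to one per file with two `-e` expressions, e.g. `"$SED_CMD" -i -e "s/{{AWS_ACCOUNT_ID}}/$AWS_ACCOUNT_ID/g" -e "s/{{EKS_CLUSTER_ID}}/$EKS_CLUSTER_ID/g" ecr-webhook-role.json`. `create()` starts before this hunk and its body continues after it.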