Check for tenants' use of kiam - has implications for EKS migration

[davidread]

Background

With the move to EKS we will no longer be supporting KIAM and moving to IRSA. However we have identified use users who are using KIAM and the migration will break what they are using.

We need to consider what we do about these for the migration.

Proposed user journey

Address reliance on KIAM.

Approach

TBC

Which part of the user docs does this impact

TBC

Questions / Assumptions

TBC

Definition of done

TBC

Reference

How to write good user stories

[davidread]

@jasonBirchall found some: https://github.com/ministryofjustice/cloud-platform-environments/search?q=iam.amazonaws.com%2Fpermitted

[poornima-krishnasamy]

There are 5 iam_roles which uses KIAM that are linked to the namespaces using the annotations.
https://github.com/ministryofjustice/cloud-platform-environments/search?q=iam.amazonaws.com%2Fpermitted

The IAM roles for those namespaces are defined in here: https://github.com/ministryofjustice/cloud-platform-infrastructure/tree/main/terraform/cross-account-IAM

These IAM roles have to be migrated to IRSA roles when these namespaces are migrated to EKS.
User guide: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/other-topics/access-cross-aws-resources-irsa-eks.html#use-iam-roles-for-service-accounts-to-access-resources-in-a-different-aws-account

Note: The pathfinder-preprod and pathfinder-prod namespace, has another IAM user which also can be migrated to be IRSA role during migration.