
v2.0.0 IRSA trust policy now checks OIDC Audience

@github-actions github-actions released this 19 May 18:37
· 21 commits to main since this release
7011101
Require correct OIDC Audience value to assume role @Nuru (#33)

Breaking Changes

  • If namespace and service account are supplied only in service_account_namespace_name_list then the IAM Role name will be derived from the first entry in the list, instead of ending with "all@all"
  • If one of service_account_namespace or service_account_name is supplied and the other is not or is empty (""), the missing element will be replaced with a wildcard (*)
  • Either or both of service_account_namespace or service_account_name can now be explicitly set to "*" or contain wildcards
  • Removed service_account_list_qualifier (invalid/unnecessary)

what

  • Created IAM Role's trust policy now includes a check for OIDC aud
  • If the generated service account IAM Role Name would be too long, it is now truncated by null-label
  • See "Breaking Changes" above
  • Terraform minimum version bumped to 1.0.0
  • AWS Provider minimum version bumped to 3.0

why

  • Extra security, preventing OIDC assertions for one audience being used for another
  • Fix rather than break due to too-long IAM Role names
  • Role names must be unique, and using "all@all" would limit the cluster to a single multi-namespace role
  • "ForAllValues" and "ForAnyValue" are for multi-valued keys. The OIDC keys have single values.
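To make the trust-policy shape described above concrete (the `aud` check next to the `sub` check, wildcard substitution for a missing namespace or service account, and plain single-valued operators instead of `ForAllValues`/`ForAnyValue`), here is an added Python example; it is not the module's own code. The function names, the `"namespace:service_account"` list format and the `sts.amazonaws.com` default audience are assumptions, and the ARN and issuer host are constructed sample values.

```python
import json


def _sub_value(namespace, service_account):
    """Build the OIDC 'sub' claim; a missing or empty element becomes a wildcard."""
    return f"system:serviceaccount:{namespace or '*'}:{service_account or '*'}"


def build_trust_policy(oidc_provider_arn, oidc_issuer_host, namespace=None,
                       service_account=None, namespace_name_list=(),
                       audience="sts.amazonaws.com"):
    """Return an IRSA trust policy whose Condition checks both 'aud' and 'sub'.

    namespace_name_list entries are assumed to be "namespace:service_account"
    strings (assumption about the input format, not taken from the module).
    """
    subs = [_sub_value(*(item.split(":", 1) + [""])[:2]) for item in namespace_name_list]
    if namespace or service_account:
        subs.append(_sub_value(namespace, service_account))
    if not subs:
        raise ValueError("at least one namespace/service account is required")
    # aud and sub are single-valued keys: use StringEquals/StringLike directly,
    # never the ForAllValues/ForAnyValue set operators.
    sub_op = "StringLike" if any("*" in s or "?" in s for s in subs) else "StringEquals"
    condition = {"StringEquals": {f"{oidc_issuer_host}:aud": audience}}
    condition.setdefault(sub_op, {})[f"{oidc_issuer_host}:sub"] = (
        subs if len(subs) > 1 else subs[0])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def set_operators_on_single_valued_keys(policy):
    """Return condition operators that wrongly apply ForAllValues/ForAnyValue to aud or sub."""
    bad = []
    for stmt in policy["Statement"]:
        for op, keys in stmt.get("Condition", {}).items():
            if op.startswith(("ForAllValues:", "ForAnyValue:")) and any(
                    k.endswith((":aud", ":sub")) for k in keys):
                bad.append(op)
    return bad


if __name__ == "__main__":
    host = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"  # constructed sample issuer
    policy = build_trust_policy(f"arn:aws:iam::123456789012:oidc-provider/{host}",
                                host, namespace="kube-system")
    print(json.dumps(policy, indent=2))
```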

references

Sync github @max-lobur (#32)

Rebuild github dir from the template