From 4f481ccb977e9f647fef939d87c90bb033ecf488 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Svantesson?= <Marten.Svantesson@ticket.se>
Date: Mon, 3 Nov 2025 12:31:37 +0100
Subject: [PATCH] feat: support multiple service accounts to assume role

---
 main.tf      | 2 +-
 variables.tf | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 163e343..67e8a04 100644
--- a/main.tf
+++ b/main.tf
@@ -144,7 +144,7 @@ data "aws_iam_policy_document" "assume_role" {
       condition {
         test     = "StringLike"
         variable = join(":", [var.iam_irsa_openid_connect_provider_url, "sub"])
-        values   = [var.iam_irsa_service_account]
+        values   = compact(concat([var.iam_irsa_service_account], var.iam_irsa_service_accounts))
       }
     }
   }
diff --git a/variables.tf b/variables.tf
index 2698ba7..8232f59 100644
--- a/variables.tf
+++ b/variables.tf
@@ -142,6 +142,12 @@ variable "iam_irsa_service_account" {
   description = "Kubernetes ServiceAccount to allow to access the Elastic Domain via IRSA"
 }
 
+variable "iam_irsa_service_accounts" {
+  type        = list(string)
+  default     = []
+  description = "Kubernetes ServiceAccounts to allow to access the Elastic Domain via IRSA"
+}
+
 variable "zone_awareness_enabled" {
   type        = bool
   default     = true