From c24fa324d2a16e40d8c1c43855e4cf8ec4e2cac8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9stor=20Salceda?=
Date: Fri, 9 Nov 2018 19:23:54 +0100
Subject: [PATCH] Use a newly created system account instead of my personal one

This restricts attack surface, and work better in term of automation.
---
 .../kubernetes-response-engine/deployment/aws/lambda.tf | 6 +++++-
 .../kubernetes-response-engine/deployment/aws/variables.tf | 3 ---
 2 files changed, 5 insertions(+), 4 deletions(-)
 delete mode 100644 integrations/kubernetes-response-engine/deployment/aws/variables.tf

diff --git a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
index 375a2ef3..cc2f724c 100644
--- a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
@@ -1,3 +1,7 @@
+resource "aws_iam_user" "kubernetes-response-engine-user" {
+  name = "kubernetes_response_engine"
+}
+
 resource "aws_iam_role" "iam-for-lambda" {
   name = "iam_for_lambda"
 
@@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" {
       "Action": "sts:AssumeRole",
       "Principal": {
         "Service": "lambda.amazonaws.com",
-        "AWS": "${var.iam-user-arn}"
+        "AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}"
       },
       "Effect": "Allow",
       "Sid": ""
diff --git a/integrations/kubernetes-response-engine/deployment/aws/variables.tf b/integrations/kubernetes-response-engine/deployment/aws/variables.tf
deleted file mode 100644
index b9fb4052..00000000
--- a/integrations/kubernetes-response-engine/deployment/aws/variables.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-variable "iam-user-arn" {
-  type = "string"
-}
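Review bot: The new `aws_iam_user` resource carries no explanation of its purpose and no accompanying `aws_iam_access_key`, so the credentials it will need in order to assume the role are presumably created outside Terraform, and nothing in the repo records that step or how those keys are rotated. A header comment above the resource would make the intent and the out-of-band step explicit, e.g. `# Service account that is allowed to assume iam_for_lambda (see the role's trust policy below).` followed by `# Its access key is not managed here; create and rotate it out-of-band and never commit it.`. Within this patch the user has no attached policy, so the role's trust policy is its only grant; that least-privilege starting point is worth stating in the same comment so a later "attach AdministratorAccess to get it working" change stands out in review.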
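Review bot: Referencing the user's ARN as an `AWS` principal ties the trust policy to that specific IAM user, and if the user is ever destroyed and recreated (for example to rotate it away), AWS keeps the old unique principal ID in the stored policy, so the role stops being assumable until a new `terraform apply` re-converges it. A comment above the `"AWS"` line would save the next operator a confusing `AccessDenied`, e.g. `# Reference the managed user, never a hand-typed ARN: a recreated user gets a new principal ID and this policy must be re-applied.`. Style-wise, the single statement now grants `sts:AssumeRole` to both the Lambda service and the IAM user with an empty `Sid`; giving the user's grant its own statement and `Sid` would keep future conditions on the human/automation path from touching the Lambda service path. The `aws_iam_role` resource and its `assume_role_policy` heredoc begin above this hunk.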