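# Install the EKS Pod Identity agent add-on on the cluster. Note that the rest
# of this script grants the service account access via IRSA (OIDC trust policy
# plus the role-arn annotation), so the fluent-bit service account does not
# depend on this add-on; it is kept here as in the original.
aws eks create-addon --cluster-name skills-eks-cluster --addon-name eks-pod-identity-agent > /dev/null

# Resolve the OpenSearch domain ARN. Fail early instead of writing an empty
# (or the literal "None" that --output text prints for a null) Resource into
# the policy document.
ES_ARN=$(aws opensearch describe-domain --domain-name skills-opensearch-domain --query "DomainStatus.ARN" --output text)
if [ -z "$ES_ARN" ] || [ "$ES_ARN" = "None" ]; then
  echo "could not resolve the ARN of OpenSearch domain skills-opensearch-domain" >&2
  exit 1
fi

# Identity policy for the log shipper. Resource lists the domain ARN and its
# sub-paths: HTTP actions against index/_bulk paths are matched against
# "<domain-arn>/<path>", which the bare domain ARN alone does not cover.
# es:ESHttp* also includes es:ESHttpDelete; if the consumer only indexes
# documents, narrowing to the verbs it actually uses (e.g. es:ESHttpPost,
# es:ESHttpPut) is tighter — left unchanged here.
cat <<EOF> es-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:ESHttp*"
      ],
      "Resource": [
        "${ES_ARN}",
        "${ES_ARN}/*"
      ],
      "Effect": "Allow"
    }
  ]
}
EOF
aws iam create-policy --policy-name es-policy --policy-document file://es-policy.json > /dev/null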
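# ACCOUNT_ID and CLUSTER_OIDC must already be set by the caller (they are not
# defined in this script): ACCOUNT_ID is the AWS account id, CLUSTER_OIDC the
# cluster's OIDC issuer host/path without the "https://" prefix, since both the
# provider ARN and the condition keys below are built from it. Abort instead
# of silently emitting a trust policy with an empty federated principal.
: "${ACCOUNT_ID:?ACCOUNT_ID must be set}"
: "${CLUSTER_OIDC:?CLUSTER_OIDC must be set}"

# Trust policy for IRSA. The StringEquals condition pins the role to exactly
# one service account (default/fluent-bit) and the STS audience, so no other
# workload in the cluster can assume it; the sub value must match the
# namespace/name of the ServiceAccount manifest that gets the role-arn
# annotation.
cat <<EOF> trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${CLUSTER_OIDC}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${CLUSTER_OIDC}:sub": "system:serviceaccount:default:fluent-bit",
          "${CLUSTER_OIDC}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
aws iam create-role --role-name es-role --assume-role-policy-document file://trust-policy.json > /dev/null
# Attach the OpenSearch access policy created earlier in this script.
aws iam attach-role-policy --role-name es-role --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/es-policy"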
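---
# ServiceAccount used by the log shipper; presumably the contents of
# fluent-bit-sa.yaml, which the sed step later in the script patches.
# name/namespace must match the "sub" condition of the IAM role's trust policy
# (system:serviceaccount:default:fluent-bit), otherwise AssumeRoleWithWebIdentity
# is denied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluent-bit
  namespace: default
  annotations:
    # Placeholder token; replaced with the IAM role ARN by sed.
    eks.amazonaws.com/role-arn: ROLE_ARN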
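# Look up the role ARN and substitute it for the ROLE_ARN placeholder in the
# ServiceAccount manifest. Guard against an empty lookup (or the literal
# "None" that --output text prints for a null), which would otherwise leave an
# empty role-arn annotation in the file and break IRSA for the pod.
ROLE_ARN=$(aws iam get-role --role-name es-role --query "Role.Arn" --output text)
if [ -z "$ROLE_ARN" ] || [ "$ROLE_ARN" = "None" ]; then
  echo "could not resolve the ARN of IAM role es-role" >&2
  exit 1
fi
# "|" is a safe sed delimiter here because IAM ARNs never contain it.
# Note: "sed -i" with no suffix is GNU sed syntax; BSD/macOS sed needs "-i ''".
sed -i "s|ROLE_ARN|${ROLE_ARN}|g" fluent-bit-sa.yaml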