chore(crossplane): split providerconfigs and use a chain of AssumeRoles

bootstrap/crossplane/kustomization.yaml

@@ -11,7 +11,9 @@ helmCharts:
 
 resources:
   - ns.yaml
-  - providerconfig.yaml
+  - providerconfig.default.yaml
+  - providerconfig.route53.yaml
+  - providerconfig.s3.yaml
 
 generators:
   - secret-generator.yaml

bootstrap/crossplane/providerconfig.default.yaml

@@ -6,13 +6,12 @@ metadata:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
+  assumeRoleChain:
+    - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+
   credentials:
     source: Secret
     secretRef:
       namespace: crossplane-system
       name: aws-secret
       key: creds
-
-  assumeRole:
-    roleARN: "arn:aws:iam::000654387266:role/crossplane"
-

bootstrap/crossplane/providerconfig.route53.yaml

@@ -0,0 +1,18 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: route53
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  assumeRoleChain:
+    - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+    - roleARN: "arn:aws:iam::000654387266:role/Route53ManagementRole"
+
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: aws-secret
+      key: creds

bootstrap/crossplane/providerconfig.s3.yaml

@@ -0,0 +1,18 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: s3
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  assumeRoleChain:
+    - roleARN: "arn:aws:iam::000654387266:role/CrossplaneServiceRole"
+    - roleARN: "arn:aws:iam::000654387266:role/S3ManageHomelab"
+
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: aws-secret
+      key: creds