From 29ba8e5b9e60e01f55421c38855530d3079560c1 Mon Sep 17 00:00:00 2001
From: jaygridley
Date: Sat, 5 Jul 2025 00:01:31 +0000
Subject: [PATCH] feat(sync): sync universal-addon changes
Signed-off-by: jaygridley
---
.github/workflows/cache-warmup.yaml | 45 +++++++++++++++++++++++++++++
.github/workflows/pre-commit.yaml | 21 +++++---------
.github/workflows/validate.yaml | 2 +-
.pre-commit-config.yaml | 4 +--
.tool-versions | 5 ++--
addon-irsa.tf | 6 +++-
addon.tf | 2 +-
examples/basic/versions.tf | 2 +-
variables-addon-irsa.tf | 22 ++++++++++----
variables-addon.tf | 2 +-
versions.tf | 2 +-
11 files changed, 84 insertions(+), 29 deletions(-)
create mode 100644 .github/workflows/cache-warmup.yaml
diff --git a/.github/workflows/cache-warmup.yaml b/.github/workflows/cache-warmup.yaml
new file mode 100644
index 0000000..81b12a8
--- /dev/null
+++ b/.github/workflows/cache-warmup.yaml
@@ -0,0 +1,45 @@
+name: Cache Warmup
+
+on:
+ push:
+ branches:
+ - main # caches from the main branch are shared with all other branches and pull requests
+
+permissions: {}
+
+env:
+ # renovate: datasource=github-releases depName=asdf-vm/asdf
+ ASDF_VERSION: 0.18.0
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Setup ASDF
+ uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
+ with:
+ asdf_version: ${{ env.ASDF_VERSION }}
+
+ - name: Cache ASDF
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ id: asdf-cache
+ with:
+ # https://github.com/asdf-vm/asdf/blob/master/.gitignore
+ path: |
+ ~/.asdf/installs
+ ~/.asdf/plugins
+ ~/.asdf/shims
+ ~/.cache/pip
+ key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-warmup
+ restore-keys: ${{ runner.os }}-asdf-
+
+ - name: Install ASDF
+ uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
+ if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }}
+ with:
+ asdf_version: ${{ env.ASDF_VERSION }}
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index d4d1dc6..3285c5c 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -16,7 +16,7 @@ concurrency: env: # renovate: datasource=github-releases depName=asdf-vm/asdf - ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret + ASDF_VERSION: 0.18.0 jobs: pre-commit:
@@ -28,7 +28,9 @@ jobs: persist-credentials: false - name: Setup ASDF - uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 + with: + asdf_version: ${{ env.ASDF_VERSION }} - name: Cache ASDF uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
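Review bot: The `-warmup` suffix on `key:` is load-bearing and undocumented: pre-commit.yaml only reaches this entry through its `restore-keys` prefix `${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-`, so renaming the key here would silently disconnect the two workflows. A comment above `key:` such as `# "-warmup" suffix: pre-commit.yaml restores this entry via its hash-prefixed restore-keys` would make that contract visible. Separately, `~/.cache/pip` is listed under `path:` although no step in this workflow runs pip, so the warmed entry presumably carries an empty pip cache unless `asdf install` for the pre-commit plugin populates it; worth confirming or dropping the path here. The job's own `restore-keys: ${{ runner.os }}-asdf-` also means a `.tool-versions` change restores the previous toolset and saves the union under the new key, so superseded tool versions accumulate in the cache until eviction.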
@@ -39,27 +41,20 @@ jobs: ~/.asdf/installs ~/.asdf/plugins ~/.asdf/shims + ~/.cache/pip key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }} - restore-keys: ${{ runner.os }}-asdf- + restore-keys: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}- - name: Install ASDF - uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} with: - asdf_branch: ${{ env.ASDF_VERSION }} + asdf_version: ${{ env.ASDF_VERSION }} - name: Reshim installed ASDF tools shell: bash run: asdf reshim - - name: Cache pip - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - path: ~/.cache/pip/ - key: ${{ runner.os }}-pip-${{ hashFiles('.pre-commit-config.yaml') }} - restore-keys: | - ${{ runner.os }}-pip- - - name: Run pre-commit run: pre-commit run --show-diff-on-failure --color=always --all-files env:
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index b7463fe..6062040 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -23,7 +23,7 @@ jobs: - name: Extract Terraform min/max versions id: terraform-min-max - uses: clowdhaus/terraform-min-max@f489335873df04c3ce04b5e73f385a726d910039 # v1.3.2 + uses: clowdhaus/terraform-min-max@503e88c41953f537fc2b283a310c85e0a2cd585c # v1.4.0 with: directory: . outputs:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6adba1b..4a9c4a1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
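Review bot: The new `restore-keys: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-` drops the fallback to caches built for a different `.tool-versions`, so a pull request that edits that file now starts from a cold `asdf install` instead of a partial restore; that looks intentional (it avoids inheriting stale tool versions) but is a behaviour change that deserves a comment, e.g. `# only fall back to entries built for this exact .tool-versions, i.e. the -warmup entry saved by cache-warmup.yaml`. Note also that, per actions/cache semantics, a restore via `restore-keys` does not set `cache-hit` to `'true'`, so the `Install ASDF` guard still runs `asdf install` on the first run of every branch; harmless because the install is incremental, but the `if:` reads as if it prevented that. Folding the pip cache into the asdf entry also ties it to the `.tool-versions` hash, so pip downloads caused by a `.pre-commit-config.yaml` change are only re-saved when the primary key misses. The step list continues outside the hunk.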
@@ -40,7 +40,7 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform - rev: 55d0143972eec4905fdaea2f444f1e88218f9dce # v1.96.3 # pragma: allowlist secret + rev: 2f8bda194a420ad77a050a9de627d77a74841fdc # v1.99.4 # pragma: allowlist secret hooks: - id: terraform_docs # should be run after luactl sync args:
@@ -56,6 +56,6 @@ repos: - repo: https://github.com/woodruffw/zizmor-pre-commit # renovate: datasource=github-releases depName=woodruffw/zizmor-pre-commit - rev: 07a06156e31897fbb5ba0e22a961e8e3c2a0677b # v1.16.0 # pragma: allowlist secret + rev: 69fa534d69454f44ddd4451b5e2da7a1c48e525b # v1.11.0 # pragma: allowlist secret hooks: - id: zizmor
diff --git a/.tool-versions b/.tool-versions
index a480dfd..d8745b0 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,7 +1,6 @@
 terraform 1.5.7
 terraform-docs 0.20.0
 tflint 0.50.3
-checkov 3.2.352
-awscli 2.27.42
+checkov 3.2.447
+awscli 2.27.49
 pre-commit 4.2.0
-python 3.13.5
diff --git a/addon-irsa.tf b/addon-irsa.tf
index 8d12aba..cadaec7 100644
--- a/addon-irsa.tf
+++ b/addon-irsa.tf
@@ -2,7 +2,7 @@ module "addon-irsa" { for_each = local.addon_irsa - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.22" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.23" enabled = var.enabled
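Review bot: The zizmor-pre-commit `rev:` moves from a commit labelled `# v1.16.0` to one labelled `# v1.11.0`, which by those comments is a downgrade of the workflow-security linter rather than an update and would drop whatever audits were added between the two releases. If the synced upstream template really pins v1.11.0, the line should say so, e.g. `# pinned to v1.11.0 by the universal-addon sync; do not bump independently`; otherwise the previous rev should stay. I cannot verify the SHA-to-tag mapping from the patch itself, so this rests on the version comments alone. The renovate annotation on the line above will presumably re-bump it on the next run, silently undoing whichever choice is made here.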
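Review bot: Dropping `python 3.13.5` while keeping `pre-commit 4.2.0` leaves it unstated where the interpreter that runs pre-commit (and fills the `~/.cache/pip` path the workflows now cache) comes from; presumably the asdf pre-commit plugin or the runner image, but the patch does not show it. A one-line comment at the top of the file, such as `# python is provided by the pre-commit asdf plugin; do not add it here`, would record that decision if it is deliberate. If it is not, local contributors on a different default Python may now get a pre-commit environment that differs from CI.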
@@ -19,6 +19,8 @@ module "addon-irsa" { irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : lookup(each.value, "irsa_role_name_prefix", "${local.addon.name}-irsa") irsa_role_name = var.irsa_role_name != null ? var.irsa_role_name : lookup(each.value, "irsa_role_name", local.addon_name) + irsa_role_additional_trust_policies = var.irsa_role_additional_trust_policies != null ? var.irsa_role_additional_trust_policies : lookup(each.value, "irsa_role_additional_trust_policies", null) + irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : lookup(each.value, "irsa_policy_enabled", null) irsa_policy = var.irsa_policy != null ? var.irsa_policy : lookup(each.value, "irsa_policy", null) irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : lookup(each.value, "irsa_assume_role_enabled", null)
@@ -38,6 +40,8 @@ module "addon-irsa" { pod_identity_role_name_prefix = var.pod_identity_role_name_prefix != null ? var.pod_identity_role_name_prefix : lookup(each.value, "pod_identity_role_name_prefix", "${local.addon.name}-pi") pod_identity_role_name = var.pod_identity_role_name != null ? var.pod_identity_role_name : lookup(each.value, "pod_identity_role_name", local.addon_name) + pod_identity_role_additional_trust_policies = var.pod_identity_role_additional_trust_policies != null ? var.pod_identity_role_additional_trust_policies : lookup(each.value, "pod_identity_role_additional_trust_policies", null) + pod_identity_policy_enabled = var.pod_identity_policy_enabled != null ? var.pod_identity_policy_enabled : lookup(each.value, "pod_identity_policy_enabled", null) pod_identity_policy = var.pod_identity_policy != null ? var.pod_identity_policy : lookup(each.value, "pod_identity_policy", null) pod_identity_permissions_boundary = var.pod_identity_permissions_boundary != null ? var.pod_identity_permissions_boundary : lookup(each.value, "pod_identity_permissions_boundary", null)
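Review bot: `irsa_role_additional_trust_policies` (and `pod_identity_role_additional_trust_policies` in the following hunk) forward caller-supplied trust-policy statements straight into the role's assume-role policy, which is the one input in this module that widens who can obtain the role's credentials; nothing in this file or in the new variables constrains the `Principal` or `Condition` of those statements. A comment above each new line, e.g. `# caller-supplied trust statements: they extend who may assume the role and are not validated here`, would flag that for reviewers of consumer configurations. The `irsa_policy_enabled` and `pod_identity_policy_enabled` pass-throughs added alongside apparently wire up variables that already existed in variables-addon-irsa.tf but were not forwarded before, which the commit message does not mention. Both `module "addon-irsa"` hunks sit inside a block that starts and ends outside the hunk.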
diff --git a/addon.tf b/addon.tf
index 3ac4900..01c99d2 100644
--- a/addon.tf
+++ b/addon.tf
@@ -11,7 +11,7 @@ locals { } module "addon" { - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.22" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.23" enabled = var.enabled
diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
index 4897168..b38be4b 100644
--- a/examples/basic/versions.tf
+++ b/examples/basic/versions.tf
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.5.0" + required_version = "~> 1.5.0" required_providers { aws = {
diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf
index 3f4fdc9..c71afdf 100644
--- a/variables-addon-irsa.tf
+++ b/variables-addon-irsa.tf
@@ -54,6 +54,12 @@ variable "irsa_role_name" { description = "IRSA role name. The value is prefixed by `irsa_role_name_prefix`. Either `irsa_role_name` or `irsa_role_name_prefix` must be set. Defaults to `\"\"`." } +variable "irsa_role_additional_trust_policies" { + type = map(any) + default = null + description = "Map of additional trust policy statements to attach to the IRSA role where map key is a statement SID and value is a statement object. Defaults to `{}`." +} + variable "irsa_policy_enabled" { type = bool default = null
@@ -111,13 +117,13 @@ variable "irsa_assume_role_policy_condition_values" { variable "cluster_name" { type = string default = null - description = "The name of the cluster (required for pod identity). Defaults to `\"\"`." + description = "The name of the cluster (required for Pod Identity). Defaults to `\"\"`." } variable "pod_identity_role_create" { type = bool default = null - description = "Whether to create pod identity role and annotate Service Account. Defaults to `false`." + description = "Whether to create Pod Identity role and annotate Service Account. Defaults to `false`." } variable "pod_identity_role_name_prefix" {
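Review bot: `required_version = "~> 1.5.0"` means `>= 1.5.0, < 1.6.0`, so the example (and versions.tf in the last hunk of the patch, which makes the same change) now rejects every Terraform 1.6+ release that the old `>= 1.5.0` accepted; with `terraform 1.5.7` in `.tool-versions` this looks like a deliberate stay on the 1.5 series, but nothing says so. A comment above the line, e.g. `# ~> 1.5.0 pins the 1.5.x series on purpose; keep in step with .tool-versions`, would stop the next reader from "fixing" it back to `>= 1.5.0`. If only a floor was intended, the old constraint was already correct and both hunks should be reverted. The `terraform {}` block continues outside the hunk.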
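Review bot: `type = map(any)` for `irsa_role_additional_trust_policies` (and `pod_identity_role_additional_trust_policies` in the later hunk) requires every map value to convert to one common element type, so a map that mixes statements with a `Condition` block and statements without one will presumably be rejected at plan time with a type-unification error; if heterogeneous statement objects are expected, `type = any` (or `map(object({...}))` with `optional()` attributes) is the safer choice. The description also says nothing about the security meaning of the input: each entry is attached to the role's trust policy and therefore extends who may assume the role, which is worth a sentence such as `Each statement extends the role's trust policy; scope its Principal and Condition carefully.` The `default = null` paired with "Defaults to `{}`" follows the file's existing convention of deferring to the upstream module default, so that part is consistent.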
@@ -132,6 +138,12 @@ variable "pod_identity_role_name" { description = "Pod identity role name. The value is prefixed by `pod_identity_role_name_prefix`. Either `pod_identity_role_name` or `pod_identity_role_name_prefix` must be set. Defaults to `\"\"`." } +variable "pod_identity_role_additional_trust_policies" { + type = map(any) + default = null + description = "Additional trust policy statements to attach to the Pod Identity role where map key is a statement SID and value is a statement object. Defaults to `{}`." +} + variable "pod_identity_policy_enabled" { type = bool default = null
@@ -141,19 +153,19 @@ variable "pod_identity_policy_enabled" { variable "pod_identity_policy" { type = string default = null - description = "AWS IAM policy JSON document to be attached to the pod identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`." + description = "AWS IAM policy JSON document to be attached to the Pod Identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`." } variable "pod_identity_permissions_boundary" { type = string default = null - description = "ARN of the policy that is used to set the permissions boundary for the pod identity role. Defaults to `null`." + description = "ARN of the policy that is used to set the permissions boundary for the Pod Identity role. Defaults to `null`." } variable "pod_identity_additional_policies" { type = map(string) default = null - description = "Map of the additional policies to be attached to pod identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." + description = "Map of the additional policies to be attached to Pod Identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." } variable "pod_identity_tags" {
diff --git a/variables-addon.tf b/variables-addon.tf
index 26786d8..59d03c2 100644
--- a/variables-addon.tf
+++ b/variables-addon.tf
@@ -105,7 +105,7 @@ variable "argo_helm_wait_backoff_limit" { variable "argo_helm_wait_kubectl_version" { type = string default = null - description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.0`." + description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`." } variable "argo_source_type" {
diff --git a/versions.tf b/versions.tf
index cb5b91f..c6abec7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,6 +1,6 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. terraform { - required_version = ">= 1.5.0" + required_version = "~> 1.5.0" required_providers { aws = {