func createRole()

in main.go [100:150]


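// createRole creates the IAM role that the Kubernetes service account
// (namespace/serviceAccount) will assume via IRSA, and attaches the AMP
// remote-write policy to it.
//
// The trust relationship is rendered from trustDocTmpl using the caller's
// account ID and the cluster's OIDC issuer (scheme stripped, as IAM expects
// the bare hostname/path in the provider ARN and condition keys).
//
// Returns an error if the cluster cannot be described, the cluster has no
// OIDC identity (older clusters without an IRSA provider), the trust document
// cannot be rendered, the role cannot be created, or the policy cannot be
// attached. A pre-existing role with the same name is deliberately treated as
// an error: its trust policy is not inspected, so attaching the remote-write
// policy to it could grant AMP write access to whatever principal that role
// already trusts.
func createRole(sess *session.Session) error {
	iamSvc := iam.New(sess)
	eksSvc := eks.New(sess)
	stsSvc := sts.New(sess)
	clusterOut, err := eksSvc.DescribeCluster(&eks.DescribeClusterInput{
		Name: aws.String(cluster),
	})
	if err != nil {
		return fmt.Errorf("failed to find the EKS cluster: %v", err)
	}
	// Identity/Oidc are optional in the EKS API; dereferencing them blindly
	// would panic on a cluster that has no OIDC issuer.
	if clusterOut.Cluster == nil || clusterOut.Cluster.Identity == nil ||
		clusterOut.Cluster.Identity.Oidc == nil || clusterOut.Cluster.Identity.Oidc.Issuer == nil {
		return fmt.Errorf("EKS cluster %q has no OIDC identity provider; IRSA requires one", cluster)
	}

	callerIdentityOut, err := stsSvc.GetCallerIdentity(&sts.GetCallerIdentityInput{})
	if err != nil {
		return fmt.Errorf("failed to get caller's identity: %v", err)
	}

	// NOTE(review): namespace and serviceAccount are interpolated straight into
	// the JSON trust policy. If trustDocTmpl is a text/template, these values
	// must not contain JSON metacharacters (quotes, backslashes) or the policy
	// shape can be altered — confirm the template escapes or the flags are
	// validated as DNS-1123 names before reaching here.
	trustDoc := bytes.NewBuffer(nil)
	if err := trustDocTmpl.Execute(trustDoc, &trustDocVars{
		Account:        *callerIdentityOut.Account,
		Namespace:      namespace,
		ServiceAccount: serviceAccount,
		OIDC:           strings.ReplaceAll(*clusterOut.Cluster.Identity.Oidc.Issuer, "https://", ""),
	}); err != nil {
		return fmt.Errorf("failed to generate the trust relationship document: %v", err)
	}

	_, err = iamSvc.CreateRole(&iam.CreateRoleInput{
		RoleName:                 aws.String(role),
		AssumeRolePolicyDocument: aws.String(trustDoc.String()),
		Description:              aws.String(defaultIAMRoleDescription),
	})
	if err != nil {
		// Any error that is not a typed AWS error (or is a typed error other
		// than EntityAlreadyExists) must abort: previously a non-awserr error
		// fell through and AttachRolePolicy ran against a role that was never
		// created.
		aerr, ok := err.(awserr.Error)
		if !ok || aerr.Code() != iam.ErrCodeEntityAlreadyExistsException {
			return fmt.Errorf("failed to create the IAM role: %v", err)
		}
		// TODO(jbd): Instead of returning an error, validate the document.
		// Until the existing role's trust policy is verified to match ours,
		// refusing is the safe choice (see function comment).
		return fmt.Errorf("role %q already exists, delete it manually to recreate", role)
	}

	_, err = iamSvc.AttachRolePolicy(&iam.AttachRolePolicyInput{
		PolicyArn: aws.String(ampRemoteWritePolicy),
		RoleName:  aws.String(role),
	})
	if err != nil {
		return fmt.Errorf("failed to attach the policy to the role: %v", err)
	}

	return nil
}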