EKS - Auth - Back to regular auth config map usage (#322)
sekka1 authored Jun 16, 2022
1 parent 9af4438 commit 1070100
Showing 2 changed files with 9 additions and 94 deletions.
97 changes: 6 additions & 91 deletions terraform-modules/aws/eks/main.tf
Expand Up @@ -32,7 +32,7 @@ resource "aws_kms_key" "eks" {

module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "18.7.2"
version = "18.23.0"
cluster_name = var.cluster_name
cluster_version = var.cluster_version
enable_irsa = var.enable_irsa
Expand Down Expand Up @@ -63,97 +63,12 @@ module "eks" {

node_security_group_additional_rules = var.node_security_group_additional_rules

}
# aws-auth configmap
manage_aws_auth_configmap = true

################################################################################
# aws-auth configmap
# Only EKS managed node groups automatically add roles to aws-auth configmap
# so we need to ensure fargate profiles and self-managed node roles are added
#
# This is necessary b/c of this issue: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1744
# TL;DR - The new/updated EKS module wants to focus on the core EKS items and
# since there are so many ways to setup authentication to the EKS cluster
# they have opted to pull this out of the module. So we are doing the same
# thing and adding back in the aws-auth config.
#
# Following the same behavior as the example: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v18.7.2/examples/complete/main.tf#L323-L327
################################################################################

locals {
kubeconfig = yamlencode({
apiVersion = "v1"
kind = "Config"
current-context = "terraform"
clusters = [{
name = module.eks.cluster_id
cluster = {
certificate-authority-data = module.eks.cluster_certificate_authority_data
server = module.eks.cluster_endpoint
}
}]
contexts = [{
name = "terraform"
context = {
cluster = module.eks.cluster_id
user = "terraform"
}
}]
users = [{
name = "terraform"
user = {
token = data.aws_eks_cluster_auth.cluster.token
}
}]
})

configmap_roles = [
for item in module.eks.eks_managed_node_groups:
{
# Work around https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
# Strip the leading slash off so that Terraform doesn't think it's a regex
rolearn = item.iam_role_arn
username = "system:node:{{EC2PrivateDNSName}}"
groups = tolist(concat(
[
"system:bootstrappers",
"system:nodes",
],
))
}
]

full_aws_auth_configmap = yamlencode({
apiVersion = "v1"
kind = "ConfigMap"
metadata = {
name = "aws-auth"
namespace = "kube-system"
}
data = {
mapRoles = yamlencode(
distinct(concat(
local.configmap_roles,
var.map_roles,
))
)
mapUsers = yamlencode(var.map_users)
mapAccounts = yamlencode(var.map_accounts)
}
})

}
aws_auth_roles = var.aws_auth_roles

resource "null_resource" "patch" {
triggers = {
kubeconfig = base64encode(local.kubeconfig)
cmd_patch = "echo $KUBECONFIG | base64 -d > ./kubeconfig; echo \"${local.full_aws_auth_configmap}\" | ${var.kubectl_binary} apply -n kube-system --kubeconfig ./kubeconfig -f -"
}
aws_auth_users = var.aws_auth_users

provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
environment = {
KUBECONFIG = self.triggers.kubeconfig
}
command = self.triggers.cmd_patch
}
aws_auth_accounts = var.aws_auth_accounts
}
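Review bot: With `manage_aws_auth_configmap = true` the 18.23.0 module writes aws-auth through a `kubernetes_config_map_v1_data` resource, so a `kubernetes` provider authenticated against this cluster has to be configured somewhere, and none is visible in this hunk now that the kubeconfig plus `null_resource` path is gone. Without one the apply fails, or, if a default `kubernetes` provider in the root happens to point at a different cluster, the role and account mappings are written to that cluster instead. The `module "eks"` block these arguments belong to starts outside this hunk. Provider configuration belongs in the root module rather than here, and an exec-based token (the shape used in the module's own complete example, below) keeps a long-lived bearer token out of state and off disk; if the provider is instead added in this module, the caller's `providers` wiring needs to be checked. A short comment next to `aws_auth_accounts` is also worth adding, e.g. `# Mapping an account lets every IAM principal in it authenticate to the API server; keep empty unless required.`
```hcl
# … unchanged: module "eks" { … } …

provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  # Short-lived token minted at plan/apply time; nothing persisted to state or ./kubeconfig.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_id]
  }
}
```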
6 changes: 3 additions & 3 deletions terraform-modules/aws/eks/variables.tf
Expand Up @@ -50,7 +50,7 @@ variable "cluster_endpoint_public_access_cidrs" {
description = "Kube API public endpoint allow access cidrs"
}

variable "map_roles" {
variable "aws_auth_roles" {
type = list(any)
default = [
{
Expand All @@ -62,7 +62,7 @@ variable "map_roles" {
description = "A list of roles to give permission to access this cluster"
}

variable "map_users" {
variable "aws_auth_users" {
type = list(any)
default = [
{
Expand All @@ -79,7 +79,7 @@ variable "map_users" {
description = "A list of users to give permission to access this cluster"
}

variable "map_accounts" {
variable "aws_auth_accounts" {
description = "Additional AWS account numbers to add to the aws-auth configmap."
type = list(string)
default = []
