Review

patterns/sso-iam-identity-center/aws-auth/README.md

@@ -16,7 +16,7 @@ With the active users, use one of the `terraform output` examples to configure y
 
 ### Admin user example
 
-```bash
+```sh
 configure_sso_admin = <<EOT
  # aws configure sso --profile EKSClusterAdmin
  SSO session name (Recommended): <SESSION_NAME>
@@ -47,7 +47,7 @@ EOT
 
 ### Read-only user example
 
-```bash
+```sh
 configure_sso_user = <<EOT
  # aws configure sso --profile EKSClusterUser
  SSO session name (Recommended): <SESSION_NAME>
@@ -78,7 +78,7 @@ EOT
 
 With the `kubeconfig` configured, you'll be able to run `kubectl` commands in your Amazon EKS Cluster with the impersonated user. The read-only user has a `cluster-viewer` Kubernetes role bound to it's group, whereas the admin user, has the `admin` Kubernetes role bound to it's group.
 
-```bash
+```sh
 kubectl get pods -A
 NAMESPACE NAME READY STATUS RESTARTS AGE
 amazon-guardduty aws-guardduty-agent-bl2v2 1/1 Running 0 3h54m
@@ -96,13 +96,13 @@ kube-system kube-proxy-q1fmc 1/1 Running 0 3h54
 
 If not revoked after the cluster creation, it's possible to use the `configure_kubectl` output to assume the *Cluster creator* role with `cluster-admin` access.
 
-```bash
+```sh
 configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name iam-identity-center"
 ```
 
 ## Destroy
 
-```bash
+```sh
 terraform destroy -target module.developers_team -target module.operators._team -auto-approve
 terraform destroy -target module.eks -auto-approve
 terraform destroy -auto-approve

patterns/sso-iam-identity-center/aws-auth/main.tf

@@ -2,6 +2,18 @@ provider "aws" {
  region = local.region
 }
 
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+}
+
 data "aws_availability_zones" "available" {}
 
 locals {

patterns/sso-iam-identity-center/aws-auth/outputs.tf

@@ -14,7 +14,7 @@ output "configure_sso_admins" {
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
- https://device.sso.us-west-2.amazonaws.com/
+ https://device.sso.${local.region}.amazonaws.com/
 
  Then enter the code:
 
@@ -43,7 +43,7 @@ output "configure_sso_users" {
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
- https://device.sso.us-west-2.amazonaws.com/
+ https://device.sso.${local.region}.amazonaws.com/
 
  Then enter the code:
 

patterns/sso-iam-identity-center/aws-auth/sso.tf

@@ -1,18 +1,6 @@
 # Pre requisite
 # Enable AWS IAM Identity Manager (https://console.aws.amazon.com/singlesignon/home/)
 
-provider "kubernetes" {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
-}
-
 data "aws_caller_identity" "current" {}
 
 data "aws_ssoadmin_instances" "this" {}
@@ -21,15 +9,15 @@ resource "aws_ssoadmin_permission_set" "admin" {
  name = "EKSClusterAdmin"
  description = "Amazon EKS Cluster Admins."
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
- relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+ relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
  session_duration = "PT1H"
 }
 
 resource "aws_ssoadmin_permission_set" "user" {
  name = "EKSClusterUser"
  description = "Amazon EKS Cluster Users."
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
- relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+ relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
  session_duration = "PT1H"
 }
 

patterns/sso-iam-identity-center/cam/README.md

@@ -16,7 +16,7 @@ With the active users, use one of the `terraform output` examples to configure y
 
 ### Admin user example
 
-```bash
+```sh
 configure_sso_admin = <<EOT
  # aws configure sso --profile EKSClusterAdmin
  SSO session name (Recommended): <SESSION_NAME>
@@ -48,7 +48,7 @@ EOT
 
 ### Read-only user example
 
-```bash
+```sh
 configure_sso_user = <<EOT
  # aws configure sso --profile EKSClusterUser
  SSO session name (Recommended): <SESSION_NAME>
@@ -79,7 +79,7 @@ EOT
 
 With the `kubeconfig` configured, you'll be able to run `kubectl` commands in your Amazon EKS Cluster with the impersonated user. The read-only user has a `cluster-viewer` Kubernetes role bound to it's group, whereas the admin user, has the `admin` Kubernetes role bound to it's group.
 
-```bash
+```sh
 kubectl get pods -A
 NAMESPACE NAME READY STATUS RESTARTS AGE
 amazon-guardduty aws-guardduty-agent-bl2v2 1/1 Running 0 3h54m
@@ -97,15 +97,15 @@ kube-system kube-proxy-q1fmc 1/1 Running 0 3h54
 
 If not revoked after the cluster creation, it's possible to use the `configure_kubectl` output to assume the *Cluster creator* role with `cluster-admin` access.
 
-```bash
+```sh
 configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name iam-identity-center"
 ```
 
 ## Destroy
 
 If you revoked the *Cluster creator* `cluster-admin` permission, you may need to re-associate the `AmazonEKSClusterAdminPolicy` access entry to run `terraform destroy`.
 
-```bash
+```sh
 terraform destroy -target module.developers_team -auto-approve
 terraform destroy -target module.eks -auto-approve
 terraform destroy -auto-approve

patterns/sso-iam-identity-center/cam/main.tf

@@ -2,6 +2,18 @@ provider "aws" {
  region = local.region
 }
 
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+}
+
 data "aws_availability_zones" "available" {}
 
 locals {

patterns/sso-iam-identity-center/cam/outputs.tf

@@ -14,7 +14,7 @@ output "configure_sso_admins" {
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
- https://device.sso.us-west-2.amazonaws.com/
+ https://device.sso.${local.region}.amazonaws.com/
 
  Then enter the code:
 
@@ -43,7 +43,7 @@ output "configure_sso_users" {
  Attempting to automatically open the SSO authorization page in your default browser.
  If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 
- https://device.sso.us-west-2.amazonaws.com/
+ https://device.sso.${local.region}.amazonaws.com/
 
  Then enter the code:
 

patterns/sso-iam-identity-center/cam/sso.tf

@@ -1,18 +1,6 @@
 # Pre requisite
 # Enable AWS IAM Identity Manager (https://console.aws.amazon.com/singlesignon/home/)
 
-provider "kubernetes" {
- host = module.eks.cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
- }
-}
-
 data "aws_caller_identity" "current" {}
 
 data "aws_ssoadmin_instances" "this" {}
@@ -21,15 +9,15 @@ resource "aws_ssoadmin_permission_set" "admin" {
  name = "EKSClusterAdmin"
  description = "Amazon EKS Cluster Admins."
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
- relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+ relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
  session_duration = "PT1H"
 }
 
 resource "aws_ssoadmin_permission_set" "user" {
  name = "EKSClusterUser"
  description = "Amazon EKS Cluster Users."
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
- relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-west-2#"
+ relay_state = "https://s3.console.aws.amazon.com/s3/home?region=${local.region}#"
  session_duration = "PT1H"
 }