terraform-aws-eks-auth

A Terraform module to manage cluster authentication (aws-auth) for an Elastic Kubernetes (EKS) cluster on AWS.


Archive Notice

The terraform-aws-modules/eks/aws v18.20.0 release has brought back support for the aws-auth configmap! For this reason, I highly encourage users to manage the aws-auth configmap with the EKS module.

I am planning to archive this repo on May 1st, 2022. You are welcome to open an issue here if you are having trouble with the migration steps below, and I will do my best to help.

Migration steps:

  1. Remove the aidanmelen/eks-auth/aws module declaration from your Terraform code.
  2. Remove the aidanmelen/eks-auth/aws resources from the Terraform state.
     • The aws-auth configmap should still exist on the cluster but will no longer be managed by this module.
     • A plan should show that there are no infrastructure changes to the EKS cluster.
  3. Upgrade the version of the EKS module: version = ">= v18.20.0"
  4. Configure terraform-aws-modules/eks/aws with manage_aws_auth_configmap = true. This version of the EKS module uses the new kubernetes_config_map_v1_data resource to patch the aws-auth configmap data (just like the v1.0.0 version of this module).
  5. Plan and apply.
     • The aws-auth configmap should now be managed by the EKS module.
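The migrated root module as a whole, as an added example that is neither part of this repository nor taken from the EKS module's own documentation. It assumes the module names eks and eks_auth from the Usage section below, a kubernetes provider that authenticates with aws eks get-token, and the EKS module's cluster_endpoint, cluster_certificate_authority_data and cluster_id outputs and its manage_aws_auth_configmap, aws_auth_roles, aws_auth_users and aws_auth_accounts inputs (the v18.20.0 names); check them against the version you pin. The account IDs are placeholders.

```hcl
# Added example, not from this repository: root module after migrating from
# aidanmelen/eks-auth/aws to the EKS module's built-in aws-auth management.

# Step 2, run once from the root module after deleting the module "eks_auth"
# block and before the next plan. Everything under that address leaves the
# state while the configmap stays on the cluster; skipping this makes the
# next plan propose destroying the configmap:
#   terraform state rm module.eks_auth
#   terraform plan -detailed-exitcode   # exit status 0 means nothing to change

# The EKS module patches aws-auth through the kubernetes provider, so the
# provider must be able to reach and authenticate to the cluster API.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_id]
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = ">= 18.20.0"   # step 3
  # ... your existing cluster inputs ...

  manage_aws_auth_configmap = true   # step 4

  # The same entries previously passed to aidanmelen/eks-auth/aws as
  # map_roles / map_users / map_accounts. Node group and Fargate profile
  # roles are still merged in by the EKS module itself.
  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::666666666666:role/role1"   # placeholder account ID
      username = "role1"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_users = [
    {
      userarn  = "arn:aws:iam::666666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_accounts = ["777777777777", "888888888888"]
}
```

Run the plan with -detailed-exitcode twice: once after the state removal (step 2, expecting exit status 0) and once after enabling manage_aws_auth_configmap (step 5, expecting exit status 2 with only the configmap data as the proposed change). Anything touching the aws_eks_cluster resource at either point means the migration went wrong and should not be applied.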

Please see the complete example for more information.



Assumptions

Usage

Grant access to the AWS EKS cluster by adding map_roles, map_users or map_accounts to the aws-auth configmap. Mapping an identity to system:masters, as every entry in the example below does, gives it unrestricted cluster-admin rights; in production, map identities to a custom group and bind that group to a Kubernetes role through RBAC. Edit aws-auth with care: a malformed configmap breaks authentication for every mapped identity, and only the IAM identity that created the cluster keeps its implicit system:masters access.

module "eks" {
  source = "terraform-aws-modules/eks/aws"
  # insert the 15 required variables here
}

module "eks_auth" {
  source = "aidanmelen/eks-auth/aws"
  eks    = module.eks   # EKS module outputs; node group and Fargate profile roles are merged in automatically

  # IAM roles mapped to Kubernetes usernames and groups (account IDs are 12-digit placeholders)
  map_roles = [
    {
      rolearn  = "arn:aws:iam::666666666666:role/role1"
      username = "role1"
      groups   = ["system:masters"]   # cluster-admin; prefer a custom group bound via RBAC
    },
  ]

  # IAM users mapped directly; prefer roles, since user credentials are long-lived
  map_users = [
    {
      userarn  = "arn:aws:iam::666666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
    {
      userarn  = "arn:aws:iam::666666666666:user/user2"
      username = "user2"
      groups   = ["system:masters"]
    },
  ]

  # Whole accounts: every IAM principal in these accounts can authenticate with a
  # username derived from its ARN, but with no groups, so RBAC must be granted separately
  map_accounts = [
    "777777777777",
    "888888888888",
  ]
}

Please see the complete example for more information.
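A narrower-privilege variant of the usage above, as an added example that is not part of this module's own examples. The role ARNs, account ID and group name are placeholders; {{SessionName}} is the aws-iam-authenticator template variable that records the assumed-role session in the Kubernetes username, and view is the built-in read-only ClusterRole.

```hcl
# Added example, not from this repository: map an IAM role to a custom group
# and give that group read-only access through RBAC instead of system:masters.

module "eks" {
  source = "terraform-aws-modules/eks/aws"
  # insert the required cluster variables here
}

module "eks_auth" {
  source = "aidanmelen/eks-auth/aws"
  eks    = module.eks

  map_roles = [
    {
      # Placeholder ARN. {{SessionName}} puts the STS session name into the
      # Kubernetes username, so audit logs show who assumed the role.
      rolearn  = "arn:aws:iam::111122223333:role/eks-readonly"
      username = "eks-readonly:{{SessionName}}"
      groups   = ["eks-readonly"]   # custom group with no built-in privileges
    },
    {
      # Keep a deliberately small break-glass admin mapping.
      rolearn  = "arn:aws:iam::111122223333:role/eks-admin"
      username = "eks-admin:{{SessionName}}"
      groups   = ["system:masters"]
    },
  ]
}

# Bind the custom group to the built-in read-only ClusterRole. Without a
# binding, members of eks-readonly can authenticate but are authorized to do nothing.
resource "kubernetes_cluster_role_binding" "eks_readonly" {
  metadata {
    name = "eks-readonly"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "eks-readonly"
  }
}
```

Verify the mapping from a session that has assumed the read-only role: kubectl auth can-i list pods --all-namespaces should answer yes, and kubectl auth can-i delete pods should answer no. The same pattern works for namespace-scoped access by replacing the ClusterRoleBinding with a RoleBinding in the target namespace.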

Requirements

Name Version
terraform >= 0.14.8
http >= 2.4.1
kubernetes >= 2.10.0

Providers

Name Version
http >= 2.4.1
kubernetes >= 2.10.0

Modules

No modules.

Resources

Name Type
kubernetes_config_map_v1.aws_auth resource
kubernetes_config_map_v1_data.aws_auth resource
http_http.wait_for_cluster data source

Inputs

Name Description Type Default Required
eks The outputs from the terraform-aws-modules/terraform-aws-eks module. any n/a yes
map_accounts Additional AWS account numbers to add to the aws-auth configmap. list(string) [] no
map_roles Additional IAM roles to add to the aws-auth configmap. list(object({ rolearn = string, username = string, groups = list(string) })) [] no
map_users Additional IAM users to add to the aws-auth configmap. list(object({ userarn = string, username = string, groups = list(string) })) [] no
wait_for_cluster_timeout A timeout (in seconds) to wait for the cluster to be available. number 300 no

Outputs

Name Description
aws_auth_configmap_yaml Formatted yaml output for aws-auth configmap.
map_accounts The aws-auth map accounts.
map_roles The aws-auth map roles merged with the eks managed node group, self managed node groups and fargate profile roles.
map_users The aws-auth map users.

License

Apache 2 Licensed. See LICENSE for full details.