refactor: new cluster access auth method w terraform-aws-modules/eks/…
…aws v20.0
lpm0073 committed Feb 6, 2024
1 parent 29707e4 commit bd2ae69
Showing 3 changed files with 22 additions and 59 deletions.
Expand Up @@ -12,6 +12,7 @@
# - https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/
#
#------------------------------------------------------------------------------
data "aws_partition" "current" {}

locals {
# Used by Karpenter config to determine correct partition (i.e. - `aws`, `aws-gov`, `aws-cn`, etc.)
Expand All @@ -26,38 +27,6 @@ locals {

}

resource "kubernetes_config_map_v1_data" "aws_auth_new" {
metadata {
name = "aws-auth"
namespace = "kube-system"
}

data = {
"mapAccounts" = jsonencode([])
"mapRoles" = <<-EOT
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::${var.account_id}:role/service-eks-node-group-20230225001424228200000001"
{% raw %}"username": "system:node:{{EC2PrivateDNSName}}"{% endraw %}
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::${var.account_id}:role/wordpress-eks-node-group-20230821193015357700000001"
{% raw %}"username": "system:node:{{EC2PrivateDNSName}}"{% endraw %}
EOT
"mapUsers" = <<-EOT
- "groups":
- "system:masters"
"userarn": "arn:aws:iam::${var.account_id}:user/system/bastion-user/apps-hosting-service-bastion"
"username": "apps-hosting-service-bastion"
EOT
}

field_manager = "Terraform"
force = true
}

module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> {{ cookiecutter.terraform_aws_modules_eks }}"
Expand Down Expand Up @@ -89,6 +58,24 @@ module "eks" {
# kubectl and k9s work from inside the bastion server by default.
create_iam_role = true

# Cluster access entry
enable_cluster_creator_admin_permissions = true
access_entries = {
bastion = {
kubernetes_groups = []
principal_arn = var.bastion_iam_arn

policy_associations = {
admin = {
policy_arn = "arn:${local.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
type = "cluster"
}
}
}
}
}

tags = merge(
local.tags,
module.cookiecutter_meta.tags,
Expand Down Expand Up @@ -353,7 +340,7 @@ resource "aws_security_group" "worker_group_mgmt" {
{ Name = "eks-${var.shared_resource_identifier}-worker_group_mgmt" },
{
"cookiecutter/resource/source" = "hashicorp/aws/aws_security_group"
"cookiecutter/resource/version" = "{{ cookiecutter.terraform_provider_hashicorp_aws_version }}"
"cookiecutter/resource/version" = "5.35"
}
)
}
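Review bot: `enable_cluster_creator_admin_permissions = true` under `# Cluster access entry` makes whichever IAM principal runs `terraform apply` a standing cluster administrator through an access entry, on top of the bastion entry below it, and nothing in the hunk records that this is intended; if apply runs under a shared or CI role, that role inherits cluster-admin. Add a comment above it, e.g. `# The identity applying this config becomes cluster-admin via an access entry; keep only if that is the intended break-glass path.` The bastion entry binds `AmazonEKSClusterAdminPolicy` at `type = "cluster"` scope, a like-for-like replacement of the `system:masters` grant the removed aws-auth `mapUsers` gave the bastion user, but the removed `mapRoles` entries for the two node-group roles are not recreated here — presumably the module's managed-node-group access entries cover them, so confirm the cluster's `authentication_mode` (set outside this hunk, if at all) before the config map data is dropped. Separately, the last hunk of this file replaces `{{ cookiecutter.terraform_provider_hashicorp_aws_version }}` with the literal `"5.35"` while `version = "~> {{ cookiecutter.terraform_aws_modules_eks }}"` in the same file keeps its placeholder, which looks like an accidentally rendered template value rather than part of the auth change; if the printed order is old-then-new, restore the placeholder. The `module "eks"` block begins and ends outside the hunk.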
Expand Up @@ -12,9 +12,6 @@
# the local kubeconfig file.
#------------------------------------------------------------------------------

# Required by Karpenter
data "aws_partition" "current" {}

provider "kubernetes" {
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
Expand Up @@ -93,34 +93,13 @@ inputs = {
hosting_group_min_size = local.hosting_group_min_size
hosting_group_max_size = local.hosting_group_max_size

map_roles = []
kms_key_owners = [
"${local.bastion_iam_arn}",
"${local.bastion_iam_arn}"
# -------------------------------------------------------------------------
# ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS TO THE AWS KMS KEY OWNER LIST:
# -------------------------------------------------------------------------
"arn:aws:iam::${local.account_id}:user/mcdaniel",
#"arn:aws:iam::${local.account_id}:user/mcdaniel",
#"arn:aws:iam::${local.account_id}:user/bob_marley",
]
map_users = [
{
userarn = local.bastion_iam_arn
username = local.bastion_iam_username
groups = ["system:masters"]
},
# -------------------------------------------------------------------------
# ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS HERE:
# -------------------------------------------------------------------------
{
userarn = "arn:aws:iam::${local.account_id}:user/mcdaniel"
username = "mcdaniel"
groups = ["system:masters"]
},
#{
# userarn = "arn:aws:iam::${local.account_id}:user/bob_marley"
# username = "bob_marley"
# groups = ["system:masters"]
#},
]

}
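Review bot: `"${local.bastion_iam_arn}"` in `kms_key_owners` is an interpolation-only string; the rest of this `inputs` block passes locals bare (`local.hosting_group_min_size`), so write `local.bastion_iam_arn` (if the printed order is old-then-new, the new side only drops the trailing comma and keeps the wrapper). The header comment `# ADD MORE CLUSTER ADMIN USER IAM ACCOUNTS TO THE AWS KMS KEY OWNER LIST:` conflates two grants: now that `map_users` and `map_roles` are gone from this file, an ARN added here becomes an owner of the cluster's KMS key but gets no Kubernetes access, which is presumably handled by the EKS access entries elsewhere. Reword it to something like `# KMS key owners get full administrative control of the cluster secrets key; cluster RBAC is granted separately via EKS access entries.` Leaving the `mcdaniel` ARN commented out rather than removed keeps a personal principal in a template that is rendered for other deployments; consider deleting the line. The `inputs` block starts before this hunk.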
