github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-01-17 00:57:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: Starting with 1.30, do not use the cluster OIDC issuer URL by default in the identity provider config (#3055)

Browse Source 
fix: Starting with `1.30`, do not use the cluster OIDC issuer URL by default in the identity provider config
This commit is contained in:
Bryant Biggs
2024-05-31 13:01:16 -04:00
committed by GitHub
parent 59024ebd0a
commit 00f076ada4
2 changed files with 19 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/UPGRADE-19.0.md
View File

@@ -364,8 +364,12 @@ EKS managed node groups on `v18.x` by default create a security group that does
# OIDC Identity provider # OIDC Identity provider
cluster_identity_providers = { cluster_identity_providers = {
sts = { cognito = {
client_id = "sts.amazonaws.com" client_id = "702vqsrjicklgb7c5b7b50i1gc"
issuer_url = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_re1u6bpRA"
username_claim = "email"
groups_claim = "cognito:groups"
groups_prefix = "gid:"
} }
} }

17
main.tf
View File

@@ -552,6 +552,14 @@ resource "aws_eks_addon" "before_compute" {
# Note - this is different from IRSA # Note - this is different from IRSA
################################################################################ ################################################################################
locals {
# Maintain current behavior for <= 1.29, remove default for >= 1.30
# `null` will return the latest Kubernetes version from the EKS API, which at time of writing is 1.30
# https://github.com/kubernetes/kubernetes/pull/123561
idpc_backwards_compat_version = contains(["1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29"], coalesce(var.cluster_version, "1.30"))
idpc_issuer_url = local.idpc_backwards_compat_version ? try(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, null) : null
}
resource "aws_eks_identity_provider_config" "this" { resource "aws_eks_identity_provider_config" "this" {
for_each = { for k, v in var.cluster_identity_providers : k => v if local.create && !local.create_outposts_local_cluster } for_each = { for k, v in var.cluster_identity_providers : k => v if local.create && !local.create_outposts_local_cluster }
@@ -562,10 +570,11 @@ resource "aws_eks_identity_provider_config" "this" {
groups_claim = lookup(each.value, "groups_claim", null) groups_claim = lookup(each.value, "groups_claim", null)
groups_prefix = lookup(each.value, "groups_prefix", null) groups_prefix = lookup(each.value, "groups_prefix", null)
identity_provider_config_name = try(each.value.identity_provider_config_name, each.key) identity_provider_config_name = try(each.value.identity_provider_config_name, each.key)
issuer_url = try(each.value.issuer_url, aws_eks_cluster.this[0].identity[0].oidc[0].issuer) # TODO - make argument explicitly required on next breaking change
required_claims = lookup(each.value, "required_claims", null) issuer_url = try(each.value.issuer_url, local.idpc_issuer_url)
username_claim = lookup(each.value, "username_claim", null) required_claims = lookup(each.value, "required_claims", null)
username_prefix = lookup(each.value, "username_prefix", null) username_claim = lookup(each.value, "username_claim", null)
username_prefix = lookup(each.value, "username_prefix", null)
} }
tags = merge(var.tags, try(each.value.tags, {})) tags = merge(var.tags, try(each.value.tags, {}))