improvement: Generate aws-auth configmap's roles from Object. No more string concat. (#790)

Do not use string concat to generate a YAML data structure Co-authored-by: Thierno IB. BARRY <ibrahima.br@gmail.com>
2026-03-11 21:11:32 +01:00 · 2020-03-18 08:58:19 +01:00
parent e8a1ce17d8
commit 3957a7c02c
2 changed files with 62 additions and 60 deletions
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -1,52 +1,61 @@
 data "aws_caller_identity" "current" {
 }

-data "template_file" "launch_template_worker_role_arns" {
-  count    = var.create_eks ? local.worker_group_launch_template_count : 0
-  template = file("${path.module}/templates/worker-role.tpl")
+locals {
+  auth_launch_template_worker_roles = [
+    for index in range(0, var.create_eks ? local.worker_group_launch_template_count : 0) : {
+      worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
+        coalescelist(
+          aws_iam_instance_profile.workers_launch_template.*.role,
+          data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
+        ),
+        index
+      )}"
+      platform = lookup(
+        var.worker_groups_launch_template[index],
+        "platform",
+        local.workers_group_defaults["platform"]
+      )
+    }
+  ]

-  vars = {
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
-      coalescelist(
-        aws_iam_instance_profile.workers_launch_template.*.role,
-        data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
-      ),
-      count.index,
-    )}"
-    platform = lookup(
-      var.worker_groups_launch_template[count.index],
-      "platform",
-      local.workers_group_defaults["platform"]
-    )
-  }
-}
+  auth_worker_roles = [
+    for index in range(0, var.create_eks ? local.worker_group_count : 0) : {
+      worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
+        coalescelist(
+          aws_iam_instance_profile.workers.*.role,
+          data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
+          [""]
+        ),
+        index,
+      )}"
+      platform = lookup(
+        var.worker_groups[index],
+        "platform",
+        local.workers_group_defaults["platform"]
+      )
+    }
+  ]

-data "template_file" "worker_role_arns" {
-  count    = var.create_eks ? local.worker_group_count : 0
-  template = file("${path.module}/templates/worker-role.tpl")
-
-  vars = {
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
-      coalescelist(
-        aws_iam_instance_profile.workers.*.role,
-        data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
-        [""]
-      ),
-      count.index,
-    )}"
-    platform = lookup(
-      var.worker_groups[count.index],
-      "platform",
-      local.workers_group_defaults["platform"]
-    )
-  }
-}
-
-data "template_file" "node_group_arns" {
-  count    = var.create_eks ? length(module.node_groups.aws_auth_roles) : 0
-  template = file("${path.module}/templates/worker-role.tpl")
-
-  vars = module.node_groups.aws_auth_roles[count.index]
+  # Convert to format needed by aws-auth ConfigMap
+  configmap_roles = [
+    for role in concat(
+      local.auth_launch_template_worker_roles,
+      local.auth_worker_roles,
+      module.node_groups.aws_auth_roles,
+    ) :
+    {
+      rolearn  = role["worker_role_arn"]
+      username = "system:node:{{EC2PrivateDNSName}}"
+      groups = concat(
+        [
+          "system:bootstrappers",
+          "system:nodes",
+        ],
+        role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : []
+      )
+    }
+  ]
 }

 resource "kubernetes_config_map" "aws_auth" {
@@ -59,12 +68,13 @@ resource "kubernetes_config_map" "aws_auth" {
  }

  data = {
-    mapRoles = <<EOF
-${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered, data.template_file.node_group_arns.*.rendered
-)))}
-%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
-    EOF
-mapUsers    = yamlencode(var.map_users)
-mapAccounts = yamlencode(var.map_accounts)
-}
+    mapRoles = yamlencode(
+      distinct(concat(
+        local.configmap_roles,
+        var.map_roles,
+      ))
+    )
+    mapUsers    = yamlencode(var.map_users)
+    mapAccounts = yamlencode(var.map_accounts)
+  }
 }
--- a/templates/worker-role.tpl
+++ b/templates/worker-role.tpl
@@ -1,8 +0,0 @@
- rolearn: ${worker_role_arn}
-  username: system:node:{{EC2PrivateDNSName}}
-  groups:
-    - system:bootstrappers
-    - system:nodes
-    %{~ if platform == "windows" ~}
-    - eks:kube-proxy-windows
-    %{~ endif ~}