improvement: Generate aws-auth configmap's roles from Object. No more string concat. (#790)

Do not use string concat to generate a YAML data structure Co-authored-by: Thierno IB. BARRY <ibrahima.br@gmail.com>
2026-03-31 22:43:07 +02:00 · 2020-03-18 08:58:19 +01:00
parent e8a1ce17d8
commit 3957a7c02c
2 changed files with 62 additions and 60 deletions
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -1,52 +1,61 @@
 data "aws_caller_identity" "current" {
 }
-data "template_file" "launch_template_worker_role_arns" {
+locals {
-  count    = var.create_eks ? local.worker_group_launch_template_count : 0
+  auth_launch_template_worker_roles = [
-  template = file("${path.module}/templates/worker-role.tpl")
+    for index in range(0, var.create_eks ? local.worker_group_launch_template_count : 0) : {
      worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
        coalescelist(
          aws_iam_instance_profile.workers_launch_template.*.role,
          data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
        ),
        index
      )}"
      platform = lookup(
        var.worker_groups_launch_template[index],
        "platform",
        local.workers_group_defaults["platform"]
      )
    }
  ]
-  vars = {
+  auth_worker_roles = [
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
+    for index in range(0, var.create_eks ? local.worker_group_count : 0) : {
-      coalescelist(
+      worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
-        aws_iam_instance_profile.workers_launch_template.*.role,
+        coalescelist(
-        data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
+          aws_iam_instance_profile.workers.*.role,
-      ),
+          data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
-      count.index,
+          [""]
-    )}"
+        ),
-    platform = lookup(
+        index,
-      var.worker_groups_launch_template[count.index],
+      )}"
-      "platform",
+      platform = lookup(
-      local.workers_group_defaults["platform"]
+        var.worker_groups[index],
-    )
+        "platform",
-  }
+        local.workers_group_defaults["platform"]
-}
+      )
    }
  ]
-data "template_file" "worker_role_arns" {
+  # Convert to format needed by aws-auth ConfigMap
-  count    = var.create_eks ? local.worker_group_count : 0
+  configmap_roles = [
-  template = file("${path.module}/templates/worker-role.tpl")
+    for role in concat(
-
+      local.auth_launch_template_worker_roles,
-  vars = {
+      local.auth_worker_roles,
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
+      module.node_groups.aws_auth_roles,
-      coalescelist(
+    ) :
-        aws_iam_instance_profile.workers.*.role,
+    {
-        data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
+      rolearn  = role["worker_role_arn"]
-        [""]
+      username = "system:node:{{EC2PrivateDNSName}}"
-      ),
+      groups = concat(
-      count.index,
+        [
-    )}"
+          "system:bootstrappers",
-    platform = lookup(
+          "system:nodes",
-      var.worker_groups[count.index],
+        ],
-      "platform",
+        role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : []
-      local.workers_group_defaults["platform"]
+      )
-    )
+    }
-  }
+  ]
 }
 data "template_file" "node_group_arns" {
  count    = var.create_eks ? length(module.node_groups.aws_auth_roles) : 0
  template = file("${path.module}/templates/worker-role.tpl")
  vars = module.node_groups.aws_auth_roles[count.index]
 }
 resource "kubernetes_config_map" "aws_auth" {
@@ -59,12 +68,13 @@ resource "kubernetes_config_map" "aws_auth" {
  }
  data = {
-    mapRoles = <<EOF
+    mapRoles = yamlencode(
-${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered, data.template_file.node_group_arns.*.rendered
+      distinct(concat(
-)))}
+        local.configmap_roles,
-%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
+        var.map_roles,
-    EOF
+      ))
-mapUsers    = yamlencode(var.map_users)
+    )
-mapAccounts = yamlencode(var.map_accounts)
+    mapUsers    = yamlencode(var.map_users)
-}
+    mapAccounts = yamlencode(var.map_accounts)
  }
 }
--- a/templates/worker-role.tpl
+++ b/templates/worker-role.tpl
@@ -1,8 +0,0 @@
 - rolearn: ${worker_role_arn}
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
    %{~ if platform == "windows" ~}
    - eks:kube-proxy-windows
    %{~ endif ~}