fix: Correct cluster access entry to create multiple policy associations per access entry (#2892)

2026-03-11 21:11:32 +01:00 · 2024-02-03 06:47:15 -05:00
parent a68aac6cf2
commit 417791374c
4 changed files with 104 additions and 10 deletions
--- a/examples/eks_managed_node_group/README.md
+++ b/examples/eks_managed_node_group/README.md
@@ -55,6 +55,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Type |
 |------|------|
 | [aws_iam_policy.node_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_security_group.remote_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_ami.eks_default_arm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
--- a/examples/eks_managed_node_group/main.tf
+++ b/examples/eks_managed_node_group/main.tf
@@ -35,6 +35,8 @@ module "eks" {
  cluster_ip_family          = "ipv6"
  create_cni_ipv6_iam_policy = true

+  enable_cluster_creator_admin_permissions = true
+
  cluster_addons = {
    coredns = {
      most_recent = true
@@ -241,6 +243,46 @@ module "eks" {
    }
  }

+  access_entries = {
+    # One access entry with a policy associated
+    ex-single = {
+      kubernetes_groups = []
+      principal_arn     = aws_iam_role.this["single"].arn
+
+      policy_associations = {
+        single = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+          access_scope = {
+            namespaces = ["default"]
+            type       = "namespace"
+          }
+        }
+      }
+    }
+
+    # Example of adding multiple policies to a single access entry
+    ex-multiple = {
+      kubernetes_groups = []
+      principal_arn     = aws_iam_role.this["multiple"].arn
+
+      policy_associations = {
+        ex-one = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
+          access_scope = {
+            namespaces = ["default"]
+            type       = "namespace"
+          }
+        }
+        ex-two = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
  tags = local.tags
 }

@@ -436,3 +478,26 @@ data "aws_ami" "eks_default_bottlerocket" {
    values = ["bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*"]
  }
 }
+
+resource "aws_iam_role" "this" {
+  for_each = toset(["single", "multiple"])
+
+  name = "ex-${each.key}"
+
+  # Just using for this example
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = "Example"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  tags = local.tags
+}