Use kubernetes provider to manage aws auth (#355)

This commit changes the way aws auth is managed. Before a local file was used the generate the template and a null resource to apply it. This is now switched to the terraform kubernetes provider.
2026-04-20 07:41:18 +02:00 · 2019-11-28 10:25:13 +01:00
parent b69c8fb759
commit 9363662574
10 changed files with 108 additions and 82 deletions
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -1,40 +1,3 @@
-resource "local_file" "config_map_aws_auth" {
-  count    = var.write_aws_auth_config ? 1 : 0
-  content  = data.template_file.config_map_aws_auth.rendered
-  filename = "${var.config_output_path}config-map-aws-auth_${var.cluster_name}.yaml"
-}
-
-resource "null_resource" "update_config_map_aws_auth" {
-  count      = var.manage_aws_auth ? 1 : 0
-  depends_on = [aws_eks_cluster.this]
-
-  provisioner "local-exec" {
-    working_dir = path.module
-
-    command = <<EOS
-completed_apply=0
-for i in `seq 1 10`; do \
-echo "${null_resource.update_config_map_aws_auth[0].triggers.kube_config_map_rendered}" > kube_config.yaml && \
-echo "${null_resource.update_config_map_aws_auth[0].triggers.config_map_rendered}" > aws_auth_configmap.yaml && \
-kubectl apply -f aws_auth_configmap.yaml --kubeconfig kube_config.yaml && \
-completed_apply=1 && break || \
-sleep 10; \
-done; \
-rm aws_auth_configmap.yaml kube_config.yaml;
-if [ "$completed_apply" = "0" ]; then exit 1; fi;
-EOS
-
-
-    interpreter = var.local_exec_interpreter
-  }
-
-  triggers = {
-    kube_config_map_rendered = data.template_file.kubeconfig.rendered
-    config_map_rendered      = data.template_file.config_map_aws_auth.rendered
-    endpoint                 = aws_eks_cluster.this.endpoint
-  }
-}
-
 data "aws_caller_identity" "current" {
 }

@@ -79,21 +42,20 @@ data "template_file" "worker_role_arns" {
  }
 }

-data "template_file" "config_map_aws_auth" {
-  template = file("${path.module}/templates/config-map-aws-auth.yaml.tpl")
+resource "kubernetes_config_map" "aws_auth" {
+  count = var.manage_aws_auth ? 1 : 0

-  vars = {
-    worker_role_arn = join(
-      "",
-      distinct(
-        concat(
-          data.template_file.launch_template_worker_role_arns.*.rendered,
-          data.template_file.worker_role_arns.*.rendered,
-        ),
-      ),
-    )
-    map_users    = yamlencode(var.map_users),
-    map_roles    = yamlencode(var.map_roles),
-    map_accounts = yamlencode(var.map_accounts)
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = {
+    mapRoles    = <<EOF
+${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered)))}
+${yamlencode(var.map_roles)}
+    EOF
+    mapUsers    = yamlencode(var.map_users)
+    mapAccounts = yamlencode(var.map_accounts)
  }
 }