github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-01-16 00:34:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix aws-auth config map for managed node groups (#627)

Browse Source 
* Fix aws-auth config map for managed node groups

This change adds the IAM role used for each managed node group to the
aws-auth config map. This fixes an issue where managed nodes could not
access the EKS kubernetes API server.

* update changelog

* fix format

* add comment

Co-authored-by: Max Williams <max.williams@deliveryhero.com>
This commit is contained in:
Will Bertelsen
2019-12-20 08:30:40 -08:00
committed by Max Williams
parent 7c8bcc967b
commit bad9604882
2 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -20,6 +20,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
- Updated minimum version of Terraform to avoid a bug (by @dpiddockcmp)
- Fix cluster_oidc_issuer_url output from list to string (by @chewvader)
- Fix idempotency issues for node groups with no remote_access configuration (by @jeffmhastings)
- Fix aws-auth config map for managed node groups (by @wbertelsen)
- Added support to create IAM OpenID Connect Identity Provider to enable EKS Identity Roles for Service Accounts (IRSA). (by @alaa)
- Adding node group iam role arns to outputs. (by @mukgupta)
- **Breaking:** Change logic of security group whitelisting. Will always whitelist worker security group on control plane security group either provide one or create new one. See Important notes below for upgrade notes (by @ryanooi)

21
aws_auth.tf
View File

@@ -42,6 +42,16 @@ data "template_file" "worker_role_arns" {
}
}
data "template_file" "node_group_arns" {
count = var.create_eks ? local.worker_group_managed_node_group_count : 0
template = file("${path.module}/templates/worker-role.tpl")
vars = {
worker_role_arn = lookup(var.node_groups[count.index], "iam_role_arn", aws_iam_role.node_groups[0].arn)
platform = "linux" # Hardcoded because the EKS API currently only supports linux for managed node groups
}
}
resource "kubernetes_config_map" "aws_auth" {
count = var.create_eks && var.manage_aws_auth ? 1 : 0
@@ -51,11 +61,12 @@ resource "kubernetes_config_map" "aws_auth" {
}
data = {
mapRoles = <<EOF
${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered)))}
mapRoles = <<EOF
${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered, data.template_file.node_group_arns.*.rendered
)))}
%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
EOF
mapUsers = yamlencode(var.map_users)
mapAccounts = yamlencode(var.map_accounts)
}
mapUsers = yamlencode(var.map_users)
mapAccounts = yamlencode(var.map_accounts)
}
}