Fix aws-auth config map for managed node groups (#627)

* Fix aws-auth config map for managed node groups This change adds the IAM role used for each managed node group to the aws-auth config map. This fixes an issue where managed nodes could not access the EKS kubernetes API server. * update changelog * fix format * add comment Co-authored-by: Max Williams <max.williams@deliveryhero.com>
2026-03-26 03:11:06 +01:00 · 2019-12-20 08:30:40 -08:00
parent 7c8bcc967b
commit bad9604882
2 changed files with 17 additions and 5 deletions
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -42,6 +42,16 @@ data "template_file" "worker_role_arns" {
  }
 }

+data "template_file" "node_group_arns" {
+  count    = var.create_eks ? local.worker_group_managed_node_group_count : 0
+  template = file("${path.module}/templates/worker-role.tpl")
+
+  vars = {
+    worker_role_arn = lookup(var.node_groups[count.index], "iam_role_arn", aws_iam_role.node_groups[0].arn)
+    platform        = "linux" # Hardcoded because the EKS API currently only supports linux for managed node groups
+  }
+}
+
 resource "kubernetes_config_map" "aws_auth" {
  count = var.create_eks && var.manage_aws_auth ? 1 : 0

@@ -51,11 +61,12 @@ resource "kubernetes_config_map" "aws_auth" {
  }

  data = {
-    mapRoles    = <<EOF
-${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered)))}
+    mapRoles = <<EOF
+${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered, data.template_file.node_group_arns.*.rendered
+)))}
 %{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
    EOF
-    mapUsers    = yamlencode(var.map_users)
-    mapAccounts = yamlencode(var.map_accounts)
-  }
+mapUsers    = yamlencode(var.map_users)
+mapAccounts = yamlencode(var.map_accounts)
+}
 }