feat: Add support for managing aws-auth configmap using new kubernetes_config_map_v1_data resource (#1999)

2026-03-28 20:21:48 +01:00 · 2022-04-09 03:15:46 -04:00
parent 3ff17205a4
commit da3d54cde7
16 changed files with 263 additions and 208 deletions
--- a/main.tf
+++ b/main.tf
@@ -347,3 +347,98 @@ resource "aws_eks_identity_provider_config" "this" {

  tags = var.tags
 }
+
+################################################################################
+# aws-auth configmap
+################################################################################
+
+locals {
+  node_iam_role_arns_non_windows = compact(concat(
+    [for group in module.eks_managed_node_group : group.iam_role_arn],
+    [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows"],
+    var.aws_auth_node_iam_role_arns_non_windows,
+  ))
+
+  node_iam_role_arns_windows = compact(concat(
+    [for group in module.self_managed_node_group : group.iam_role_arn if group.platform == "windows"],
+    var.aws_auth_node_iam_role_arns_windows,
+  ))
+
+  fargate_profile_pod_execution_role_arns = compact(concat(
+    [for group in module.fargate_profile : group.fargate_profile_pod_execution_role_arn],
+    var.aws_auth_fargate_profile_pod_execution_role_arns,
+  ))
+
+  aws_auth_configmap_data = {
+    mapRoles = yamlencode(concat(
+      [for role_arn in local.node_iam_role_arns_non_windows : {
+        rolearn  = role_arn
+        username = "system:node:{{EC2PrivateDNSName}}"
+        groups = [
+          "system:bootstrappers",
+          "system:nodes",
+        ]
+        }
+      ],
+      [for role_arn in local.node_iam_role_arns_windows : {
+        rolearn  = role_arn
+        username = "system:node:{{EC2PrivateDNSName}}"
+        groups = [
+          "eks:kube-proxy-windows",
+          "system:bootstrappers",
+          "system:nodes",
+        ]
+        }
+      ],
+      # Fargate profile
+      [for role_arn in local.fargate_profile_pod_execution_role_arns : {
+        rolearn  = role_arn
+        username = "system:node:{{SessionName}}"
+        groups = [
+          "system:bootstrappers",
+          "system:nodes",
+          "system:node-proxier",
+        ]
+        }
+      ],
+      var.aws_auth_roles
+    ))
+    mapUsers    = yamlencode(var.aws_auth_users)
+    mapAccounts = yamlencode(var.aws_auth_accounts)
+  }
+}
+
+resource "kubernetes_config_map" "aws_auth" {
+  count = var.create && var.create_aws_auth_configmap ? 1 : 0
+
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = local.aws_auth_configmap_data
+
+  lifecycle {
+    # We are ignoring the data here since we will manage it with the resource below
+    # This is only intended to be used in scenarios where the configmap does not exist
+    ignore_changes = [data]
+  }
+}
+
+resource "kubernetes_config_map_v1_data" "aws_auth" {
+  count = var.create && var.manage_aws_auth_configmap ? 1 : 0
+
+  force = true
+
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = local.aws_auth_configmap_data
+
+  depends_on = [
+    # Required for instances where the configmap does not exist yet to avoid race condition
+    kubernetes_config_map.aws_auth,
+  ]
+}