Merge pull request #56 from max-rocket-internet/aws-auth_enhancemnts

Fully manage aws-auth configmap file

Author: brandonjbjelland

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
 project adheres to [Semantic Versioning](http://semver.org/).
 
+## [[v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0)] - 2018-07-12]
+
+### Added
+
+- New variables `map_accounts`, `map_roles` and `map_users` in order to manage additional entries in the `aws-auth` configmap. (by @max-rocket-internet)
+
 ## [[v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0)] - 2018-07-??]
 
 ### Added

README.md

@@ -98,12 +98,14 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster_security_group_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the workers and provide API access to your current IP/32. | string | `` | no |
 | cluster_version | Kubernetes version to use for the EKS cluster. | string | `1.10` | no |
 | config_output_path | Determines where config files are placed if using configure_kubectl_session and you want config files to land outside the current working directory. | string | `./` | no |
-| configure_kubectl_session | Configure the current session's kubectl to use the instantiated EKS cluster. | string | `true` | no |
-| kubeconfig_aws_authenticator_command | Command to use to to fetch AWS EKS credentials | string | `aws-iam-authenticator` | no |
-| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator such as the role to assume. ["-r", "MyEksRole"] | list | `<list>` | no |
-| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = "eks"} | map | `<map>` | no |
+| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator such as the role to assume ["-r", "MyEksRole"] | list | `<list>` | no |
+| kubeconfig_aws_authenticator_command | Command to use to to fetch AWS EKS credentials | string | `heptio-authenticator-aws` | no |
+| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator i.e. { AWS_PROFILE = "eks"} | map | `<map>` | no |
 | kubeconfig_name | Override the default name used for items kubeconfig. | string | `` | no |
 | manage_aws_auth | Whether to write and apply the aws-auth configmap file. | string | `true` | no |
+| map_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `<list>` | no |
+| map_roles | Additional IAM roles to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `<list>` | no |
+| map_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `<list>` | no |
 | subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes |
 | tags | A map of tags to add to all resources. | map | `<map>` | no |
 | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
@@ -112,7 +114,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | string | `1025` | no |
 | workers_group_defaults | Default values for target groups as defined by the list of maps. | map | `<map>` | no |
 | workstation_cidr | Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32. | string | `` | no |
-| write_kubeconfig | Whether to write a kubeconfig file containing the cluster configuration | string | `true` | no |
+| write_kubeconfig | Whether to write a kubeconfig file containing the cluster configuration. | string | `true` | no |
 
 ## Outputs
 

aws_auth.tf

@@ -1,12 +1,12 @@
 resource "local_file" "config_map_aws_auth" {
   content  = "${data.template_file.config_map_aws_auth.rendered}"
-  filename = "${var.config_output_path}/config-map-aws-auth.yaml"
+  filename = "${var.config_output_path}/config-map-aws-auth_${var.cluster_name}.yaml"
   count    = "${var.manage_aws_auth ? 1 : 0}"
 }
 
 resource "null_resource" "update_config_map_aws_auth" {
   provisioner "local-exec" {
-    command = "kubectl apply -f ${var.config_output_path}/config-map-aws-auth.yaml --kubeconfig ${var.config_output_path}/kubeconfig"
+    command = "kubectl apply -f ${var.config_output_path}/config-map-aws-auth_${var.cluster_name}.yaml --kubeconfig ${var.config_output_path}/kubeconfig_${var.cluster_name}"
   }
 
   triggers {
@@ -15,3 +15,45 @@ resource "null_resource" "update_config_map_aws_auth" {
 
   count = "${var.manage_aws_auth ? 1 : 0}"
 }
+
+data "template_file" "config_map_aws_auth" {
+  template = "${file("${path.module}/templates/config-map-aws-auth.yaml.tpl")}"
+
+  vars {
+    worker_role_arn = "${aws_iam_role.workers.arn}"
+    map_users       = "${join("", data.template_file.map_users.*.rendered)}"
+    map_roles       = "${join("", data.template_file.map_roles.*.rendered)}"
+    map_accounts    = "${join("", data.template_file.map_accounts.*.rendered)}"
+  }
+}
+
+data "template_file" "map_users" {
+  count    = "${length(var.map_users)}"
+  template = "${file("${path.module}/templates/config-map-aws-auth-map_users.yaml.tpl")}"
+
+  vars {
+    user_arn = "${lookup(var.map_users[count.index], "user_arn")}"
+    username = "${lookup(var.map_users[count.index], "username")}"
+    group    = "${lookup(var.map_users[count.index], "group")}"
+  }
+}
+
+data "template_file" "map_roles" {
+  count    = "${length(var.map_roles)}"
+  template = "${file("${path.module}/templates/config-map-aws-auth-map_roles.yaml.tpl")}"
+
+  vars {
+    role_arn = "${lookup(var.map_roles[count.index], "role_arn")}"
+    username = "${lookup(var.map_roles[count.index], "username")}"
+    group    = "${lookup(var.map_roles[count.index], "group")}"
+  }
+}
+
+data "template_file" "map_accounts" {
+  count    = "${length(var.map_accounts)}"
+  template = "${file("${path.module}/templates/config-map-aws-auth-map_accounts.yaml.tpl")}"
+
+  vars {
+    account_number = "${element(var.map_accounts, count.index)}"
+  }
+}

data.tf

@@ -73,14 +73,6 @@ EOF
   }
 }
 
-data "template_file" "config_map_aws_auth" {
-  template = "${file("${path.module}/templates/config-map-aws-auth.yaml.tpl")}"
-
-  vars {
-    role_arn = "${aws_iam_role.workers.arn}"
-  }
-}
-
 data "template_file" "userdata" {
   template = "${file("${path.module}/templates/userdata.sh.tpl")}"
   count    = "${length(var.worker_groups)}"

examples/eks_test_fixture/main.tf

@@ -70,4 +70,7 @@ module "eks" {
   tags          = "${local.tags}"
   vpc_id        = "${module.vpc.vpc_id}"
   worker_groups = "${local.worker_groups}"
+  map_roles     = "${var.map_roles}"
+  map_users     = "${var.map_users}"
+  map_accounts  = "${var.map_accounts}"
 }

examples/eks_test_fixture/variables.tf

@@ -1,3 +1,44 @@
 variable "region" {
   default = "us-west-2"
 }
+
+variable "map_accounts" {
+  description = "Additional AWS account numbers to add to the aws-auth configmap."
+  type        = "list"
+
+  default = [
+    "777777777777",
+    "888888888888",
+  ]
+}
+
+variable "map_roles" {
+  description = "Additional IAM roles to add to the aws-auth configmap."
+  type        = "list"
+
+  default = [
+    {
+      role_arn = "arn:aws:iam::66666666666:role/role1"
+      username = "role1"
+      group    = "system:masters"
+    },
+  ]
+}
+
+variable "map_users" {
+  description = "Additional IAM users to add to the aws-auth configmap."
+  type        = "list"
+
+  default = [
+    {
+      user_arn = "arn:aws:iam::66666666666:user/user1"
+      username = "user1"
+      group    = "system:masters"
+    },
+    {
+      user_arn = "arn:aws:iam::66666666666:user/user2"
+      username = "user2"
+      group    = "system:masters"
+    },
+  ]
+}

templates/config-map-aws-auth-map_accounts.yaml.tpl

@@ -0,0 +1 @@
+    - "${account_number}"

templates/config-map-aws-auth-map_roles.yaml.tpl

@@ -0,0 +1,4 @@
+    - rolearn: ${role_arn}
+      username: ${username}
+      groups:
+        - ${group}

templates/config-map-aws-auth-map_users.yaml.tpl

@@ -0,0 +1,4 @@
+    - userarn: ${user_arn}
+      username: ${username}
+      groups:
+        - ${group}

templates/config-map-aws-auth.yaml.tpl

@@ -5,8 +5,13 @@ metadata:
   namespace: kube-system
 data:
   mapRoles: |
-    - rolearn: ${role_arn}
+    - rolearn: ${worker_role_arn}
       username: system:node:{{EC2PrivateDNSName}}
       groups:
         - system:bootstrappers
         - system:nodes
+${map_roles}
+  mapUsers: |
+${map_users}
+  mapAccounts: |
+${map_accounts}