A Terraform module to manage cluster authentication (the `aws-auth` ConfigMap) for an Elastic Kubernetes Service (EKS) cluster on AWS.

This module works similarly to the `aws_auth.tf` file that was deprecated from the terraform-aws-eks module. The original approach for initializing the `aws-auth` ConfigMap used the exec resource to call `kubectl`. That solution can be problematic because it is OS specific and requires the host running Terraform to have `kubectl` installed.

This module implements a pure Terraform solution by using a Kubernetes Job to replace the original `aws-auth` ConfigMap with one managed by Terraform.

A basic example can be found at examples/basic.
```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = ">= 18.0.0"

  cluster_name = var.name

  eks_managed_node_groups = {
    foo = {}
  }
}

module "eks_auth" {
  source = "aidanmelen/eks-auth/aws"

  eks_aws_auth_configmap_yaml = module.eks.aws_auth_configmap_yaml
}
```
A complete example can be found at examples/complete.
```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = ">= 18.0.0"

  cluster_name = var.name
  vpc_id       = module.vpc.vpc_id
  subnet_ids   = module.vpc.private_subnets

  eks_managed_node_groups = {
    foo = {}
  }

  fargate_profiles = {
    bar = {}
  }
}

module "eks_auth" {
  source = "aidanmelen/eks-auth/aws"

  eks_aws_auth_configmap_yaml = module.eks.aws_auth_configmap_yaml

  map_roles = [
    {
      rolearn  = "arn:aws:iam::66666666666:role/role1"
      username = "role1"
      groups   = ["system:masters"]
    },
  ]

  map_users = [
    {
      userarn  = "arn:aws:iam::66666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
    {
      userarn  = "arn:aws:iam::66666666666:user/user2"
      username = "user2"
      groups   = ["system:masters"]
    },
  ]

  map_accounts = [
    "777777777777",
    "888888888888",
  ]
}
```
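Every principal in the complete example is placed in `system:masters`, which is unrestricted cluster-admin, so it is worth reviewing what the merged ConfigMap will contain before the Job rewrites it. The following Python is an added example, not code from the eks-auth module: it renders the `data` section of an `aws-auth` ConfigMap from the same `map_roles`/`map_users`/`map_accounts` shapes the module accepts, merged with a constructed node-group role standing in for what the EKS module already emits, and lists which ARNs would receive `system:masters`. The merge-by-ARN deduplication is an assumption of this example; the page only states that the lists are merged.

```python
from typing import Dict, List

# Constructed sample of the entry the EKS module already places in mapRoles
# for a managed node group; the account id and role name are placeholders.
EKS_NODE_ROLES = [
    {
        "rolearn": "arn:aws:iam::111111111111:role/foo-eks-node-group",
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": ["system:bootstrappers", "system:nodes"],
    },
]


def render_mappings(entries: List[dict], arn_key: str) -> str:
    """Render mapRoles/mapUsers entries in the YAML list layout aws-auth expects."""
    lines = []
    for entry in entries:
        lines.append(f"- {arn_key}: {entry[arn_key]}")
        lines.append(f"  username: {entry['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {group}" for group in entry["groups"])
    return "".join(line + "\n" for line in lines)


def build_aws_auth_data(map_roles: List[dict], map_users: List[dict],
                        map_accounts: List[str]) -> Dict[str, str]:
    """Merge caller-supplied mappings with the EKS node roles into the data
    section of the ConfigMap. Roles are keyed by ARN (assumption: a role listed
    twice is written once, with the caller's entry winning)."""
    merged = {role["rolearn"]: role for role in EKS_NODE_ROLES + map_roles}
    data = {"mapRoles": render_mappings(list(merged.values()), "rolearn")}
    if map_users:
        data["mapUsers"] = render_mappings(map_users, "userarn")
    if map_accounts:
        data["mapAccounts"] = "".join(f'- "{acct}"\n' for acct in map_accounts)
    return data


def cluster_admin_grants(map_roles: List[dict], map_users: List[dict]) -> List[str]:
    """Return the ARNs that would be bound to system:masters (full cluster-admin),
    in input order, so they can be reviewed before the Job rewrites aws-auth."""
    return [
        entry.get("rolearn") or entry.get("userarn")
        for entry in map_roles + map_users
        if "system:masters" in entry["groups"]
    ]
```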
Available targets:

```
help           This help.
build          Build docker image
install        Install pre-commit
test           Test with Terratest
test-basic     Test Basic Example
test-complete  Test Complete Example
tests          Lint and Test
```
MIT Licensed. See LICENSE for full details.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 3.72 |
| kubernetes | >= 1.11.1 |

Providers:

| Name | Version |
|---|---|
| kubernetes | 2.8.0 |

Modules:

No modules.

Resources:

| Name | Type |
|---|---|
| kubernetes_config_map.aws_auth | resource |
| kubernetes_job_v1.aws_auth | resource |
| kubernetes_role_binding_v1.aws_auth | resource |
| kubernetes_role_v1.aws_auth | resource |
| kubernetes_service_account_v1.aws_auth | resource |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_auth_additional_labels | Additional Kubernetes labels applied to the aws-auth ConfigMap | `map(string)` | `{}` | no |
| eks_aws_auth_configmap_yaml | The `aws_auth_configmap_yaml` output from the terraform-aws-eks module. | `string` | `"apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aws-auth\n namespace: kube-system\ndata:\n mapRoles: \| \n -\n"` | |
| kubectl_image_url | Docker image name for the kubectl command line interface. | `string` | `"bitnami/kubectl:latest"` | no |
| map_accounts | Additional AWS account numbers to add to the aws-auth ConfigMap. | `list(string)` | `[]` | no |
| map_roles | Additional IAM roles to add to the aws-auth ConfigMap. | `list(object({` | `[]` | no |
| map_users | Additional IAM users to add to the aws-auth ConfigMap. | `list(object({` | `[]` | no |

Outputs:

| Name | Description |
|---|---|
| configmap | The aws-auth ConfigMap containing the provided roles, users and accounts merged with the EKS roles used by the cluster's node groups and Fargate profiles. |
| configmap_yaml | Formatted YAML output for the aws-auth ConfigMap containing the provided roles, users and accounts merged with the EKS roles used by the cluster's node groups and Fargate profiles. |