feat: Enable management of the aws-auth ConfigMap as a module

devopsmakers · Mar 9, 2020 · 392ecfd · 392ecfd
1 parent b84bf90
commit 392ecfd
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 6 deletions.
diff --git a/modules/aws_auth/README.md b/modules/aws_auth/README.md
@@ -3,14 +3,26 @@
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Providers
 
-No provider.
+| Name | Version |
+|------|---------|
+| kubernetes | >= 1.6.2 |
+| template | >= 2.1 |
 
 ## Inputs
 
-No input.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| create\_eks | Controls if EKS resources should be created (it affects almost all resources). | `bool` | `true` | no |
+| manage\_aws\_auth | Whether to apply the aws-auth configmap file. | `bool` | `true` | no |
+| map\_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(string)` | `[]` | no |
+| map\_instances | IAM instance roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | <pre>list(object({<br>    instance_role_arn = string<br>    platform          = string<br>  }))</pre> | `[]` | no |
+| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
+| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | <pre>list(object({<br>    userarn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
-No output.
+| Name | Description |
+|------|-------------|
+| config\_map\_aws\_auth | A kubernetes configuration to authenticate to this EKS cluster. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/aws_auth/aws_auth.tf b/modules/aws_auth/aws_auth.tf
@@ -0,0 +1,24 @@
+data "template_file" "map_instances" {
+  count    = var.create_eks ? length(var.map_instances) : 0
+  template = file("${path.module}/templates/worker-role.tpl")
+
+  vars = var.map_instances[count.index]
+}
+
+resource "kubernetes_config_map" "aws_auth" {
+  count = var.create_eks && var.manage_aws_auth ? 1 : 0
+
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = {
+    mapRoles    = <<EOF
+${join("", distinct(data.template_file.map_instances.*.rendered))}
+%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
+EOF
+    mapUsers    = yamlencode(var.map_users)
+    mapAccounts = yamlencode(var.map_accounts)
+  }
+}
diff --git a/modules/aws_auth/locals.tf b/modules/aws_auth/locals.tf
diff --git a/modules/aws_auth/main.tf b/modules/aws_auth/main.tf
diff --git a/modules/aws_auth/outputs.tf b/modules/aws_auth/outputs.tf
@@ -0,0 +1,4 @@
+output "config_map_aws_auth" {
+  description = "A kubernetes configuration to authenticate to this EKS cluster."
+  value       = kubernetes_config_map.aws_auth.*
+}
diff --git a/modules/aws_auth/templates/worker-role.tpl b/modules/aws_auth/templates/worker-role.tpl
@@ -0,0 +1,8 @@
+- rolearn: ${instance_role_arn}
+  username: system:node:{{EC2PrivateDNSName}}
+  groups:
+    - system:bootstrappers
+    - system:nodes
+    %{~ if platform == "windows" ~}
+    - eks:kube-proxy-windows
+    %{~ endif ~}
diff --git a/modules/aws_auth/variables.tf b/modules/aws_auth/variables.tf
@@ -0,0 +1,45 @@
+variable "create_eks" {
+  description = "Controls if EKS resources should be created (it affects almost all resources)."
+  type        = bool
+  default     = true
+}
+
+variable "manage_aws_auth" {
+  description = "Whether to apply the aws-auth configmap file."
+  default     = true
+}
+
+variable "map_accounts" {
+  description = "Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
+  type        = list(string)
+  default     = []
+}
+
+variable "map_instances" {
+  description = "IAM instance roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
+  type = list(object({
+    instance_role_arn = string
+    platform          = string
+  }))
+  default = []
+}
+
+variable "map_roles" {
+  description = "Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
+  default = []
+}
+
+variable "map_users" {
+  description = "Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
+  default = []
+}
diff --git a/modules/aws_auth/versions.tf b/modules/aws_auth/versions.tf
@@ -3,10 +3,7 @@ terraform {
 
   required_providers {
     aws        = ">= 2.44.0"
-    local      = ">= 1.2"
-    null       = ">= 2.1"
     template   = ">= 2.1"
-    random     = ">= 2.1"
     kubernetes = ">= 1.6.2"
   }
 }