make EKS access entry user_name and type configurable #35391

7 changes: 7 additions & 0 deletions .changelog/35391.txt
@@ -0,0 +1,7 @@
```release-note:bug
resource/aws_eks_access_entry: Mark `type` and `user_name` as Optional, allowing values to be configured
```

```release-note:bug
resource/aws_eks_access_entry: Mark `kubernetes_groups` as Computed
```
19 changes: 17 additions & 2 deletions internal/service/eks/access_entry.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/hashicorp/terraform-provider-aws/internal/conns"
"github.com/hashicorp/terraform-provider-aws/internal/errs"
"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
Expand Down Expand Up @@ -64,6 +65,7 @@ func resourceAccessEntry() *schema.Resource {
"kubernetes_groups": {
Type: schema.TypeSet,
Optional: true,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Expand All @@ -81,12 +83,16 @@ func resourceAccessEntry() *schema.Resource {
names.AttrTags: tftags.TagsSchema(),
names.AttrTagsAll: tftags.TagsSchemaComputed(),
"type": {
Type: schema.TypeString,
Computed: true,
Type: schema.TypeString,
Optional: true,
ForceNew: true,
Default: accessEntryTypeStandard,
ValidateFunc: validation.StringInSlice(accessEntryType_Values(), false),
},
"user_name": {
Type: schema.TypeString,
Computed: true,
Optional: true,
},
},
}
Expand All @@ -103,12 +109,17 @@ func resourceAccessEntryCreate(ctx context.Context, d *schema.ResourceData, meta
ClusterName: aws.String(clusterName),
PrincipalArn: aws.String(principalARN),
Tags: getTagsIn(ctx),
Type: aws.String(d.Get("type").(string)),
}

if v, ok := d.GetOk("kubernetes_groups"); ok {
input.KubernetesGroups = flex.ExpandStringValueSet(v.(*schema.Set))
}

if v, ok := d.GetOk("user_name"); ok {
input.Username = aws.String(v.(string))
}

_, err := conn.CreateAccessEntry(ctx, input)

if err != nil {
Expand Down Expand Up @@ -174,6 +185,10 @@ func resourceAccessEntryUpdate(ctx context.Context, d *schema.ResourceData, meta
input.KubernetesGroups = flex.ExpandStringValueSet(d.Get("kubernetes_groups").(*schema.Set))
}

if d.HasChange("user_name") {
input.Username = aws.String(d.Get("user_name").(string))
}

_, err = conn.UpdateAccessEntry(ctx, input)

if err != nil {
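Review bot: In resourceAccessEntryCreate (hunk at -103,12 +109,17), `input.Username` is populated whenever `user_name` is set and `input.Type` is always sent, but nothing checks the two against each other; the documentation added in this PR states that the EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types disallow a username or groups, so a configuration combining them only fails at apply time with an API error. A `CustomizeDiff` on the resource that returns an error when `type` is not STANDARD and `user_name` or `kubernetes_groups` is configured would surface the conflict at plan time; the same combination can arise in the update hunk at -174, now that `user_name` is updatable in place while `type` is ForceNew. The update branch would also benefit from a why-comment, e.g. `// user_name is the Kubernetes username the principal maps to; RBAC bindings that reference the old name no longer match after a change.` Both resourceAccessEntryCreate and resourceAccessEntryUpdate start and end outside their hunks.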
129 changes: 128 additions & 1 deletion internal/service/eks/access_entry_test.go
Expand Up @@ -47,7 +47,7 @@ func TestAccEKSAccessEntry_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "kubernetes_groups.#", "0"),
acctest.CheckResourceAttrRFC3339(resourceName, "modified_at"),
resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
resource.TestCheckResourceAttrSet(resourceName, "type"),
resource.TestCheckResourceAttr(resourceName, "type", "STANDARD"),
resource.TestCheckResourceAttrSet(resourceName, "user_name"),
),
},
Expand Down Expand Up @@ -176,6 +176,87 @@ func TestAccEKSAccessEntry_tags(t *testing.T) {
})
}

func TestAccEKSAccessEntry_type(t *testing.T) {
ctx := acctest.Context(t)
if testing.Short() {
t.Skip("skipping long-running test in short mode")
}

var accessentry types.AccessEntry
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
resourceName := "aws_eks_access_entry.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
testAccPreCheck(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, names.EKSEndpointID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckAccessEntryDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccAccessEntryConfig_type(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAccessEntryExists(ctx, resourceName, &accessentry),
acctest.CheckResourceAttrGreaterThanOrEqualValue(resourceName, "kubernetes_groups.#", 1),
resource.TestCheckResourceAttr(resourceName, "type", "EC2_LINUX"),
resource.TestCheckResourceAttrSet(resourceName, "user_name"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func TestAccEKSAccessEntry_username(t *testing.T) {
ctx := acctest.Context(t)
if testing.Short() {
t.Skip("skipping long-running test in short mode")
}

var accessentry types.AccessEntry
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
resourceName := "aws_eks_access_entry.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() {
acctest.PreCheck(ctx, t)
testAccPreCheck(ctx, t)
},
ErrorCheck: acctest.ErrorCheck(t, names.EKSEndpointID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckAccessEntryDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccAccessEntryConfig_username(rName, "user1"),
Check: resource.ComposeTestCheckFunc(
testAccCheckAccessEntryExists(ctx, resourceName, &accessentry),
resource.TestCheckResourceAttr(resourceName, "type", "STANDARD"),
resource.TestCheckResourceAttr(resourceName, "user_name", "user1"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccAccessEntryConfig_username(rName, "user2"),
Check: resource.ComposeTestCheckFunc(
testAccCheckAccessEntryExists(ctx, resourceName, &accessentry),
resource.TestCheckResourceAttr(resourceName, "type", "STANDARD"),
resource.TestCheckResourceAttr(resourceName, "user_name", "user2"),
),
},
},
})
}

func testAccCheckAccessEntryDestroy(ctx context.Context) resource.TestCheckFunc {
return func(s *terraform.State) error {
conn := acctest.Provider.Meta().(*conns.AWSClient).EKSClient(ctx)
Expand Down Expand Up @@ -337,3 +418,49 @@ resource "aws_eks_access_entry" "test" {
}
`, rName, tagKey1, tagValue1, tagKey2, tagValue2))
}

func testAccAccessEntryConfig_type(rName string) string {
return acctest.ConfigCompose(testAccAccessEntryConfig_base(rName), fmt.Sprintf(`
resource "aws_iam_role" "test2" {
name = "%[1]s-2"

assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.${data.aws_partition.current.dns_suffix}"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}

resource "aws_eks_access_entry" "test" {
cluster_name = aws_eks_cluster.test.name
principal_arn = aws_iam_role.test2.arn

type = "EC2_LINUX"
}
`, rName))
}

func testAccAccessEntryConfig_username(rName, username string) string {
return acctest.ConfigCompose(testAccAccessEntryConfig_base(rName), fmt.Sprintf(`
resource "aws_iam_user" "test" {
name = %[1]q
}

resource "aws_eks_access_entry" "test" {
cluster_name = aws_eks_cluster.test.name
principal_arn = aws_iam_user.test.arn

type = "STANDARD"
user_name = %[2]q
}
`, rName, username))
}
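Review bot: TestAccEKSAccessEntry_type exercises a single non-STANDARD value and nothing pins the new `ValidateFunc` on `type`; a step whose config uses an unsupported value together with `ExpectError` would lock in the plan-time rejection without a round-trip to the API. TestAccEKSAccessEntry_username also never re-verifies import after the in-place change to `user2`, so a mismatch between the username stored by the API and the value in state after an update would go unnoticed; repeating the `ImportState`/`ImportStateVerify` step after the last config step would cover it. The `_type` config asserts `kubernetes_groups.#` is at least 1, which is the only coverage of the newly Computed attribute, so a short comment on that line explaining that EKS populates the groups for EC2_LINUX entries would help the next reader.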
2 changes: 1 addition & 1 deletion internal/service/eks/cluster.go
Expand Up @@ -136,7 +136,7 @@ func resourceCluster() *schema.Resource {
Required: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(Resources_Values(), false),
ValidateFunc: validation.StringInSlice(resources_Values(), false),
},
},
},
24 changes: 20 additions & 4 deletions internal/service/eks/consts.go
Expand Up @@ -8,19 +8,35 @@ import (
)

const (
IdentityProviderConfigTypeOIDC = "oidc"
identityProviderConfigTypeOIDC = "oidc"
)

const (
ResourcesSecrets = "secrets"
resourcesSecrets = "secrets"
)

func Resources_Values() []string {
func resources_Values() []string {
return []string{
ResourcesSecrets,
resourcesSecrets,
}
}

const (
propagationTimeout = 2 * time.Minute
)

const (
accessEntryTypeEC2Linux = "EC2_LINUX"
accessEntryTypeEC2Windows = "EC2_WINDOWS"
accessEntryTypeFargateLinux = "FARGATE_LINUX"
accessEntryTypeStandard = "STANDARD"
)

func accessEntryType_Values() []string {
return []string{
accessEntryTypeEC2Linux,
accessEntryTypeEC2Windows,
accessEntryTypeFargateLinux,
accessEntryTypeStandard,
}
}
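Review bot: `accessEntryType_Values` and the four accessEntryType* constants carry no doc comment, and since access_entry.go validates `type` with `validation.StringInSlice` against this list, any value EKS introduces later is rejected by the provider until the list is updated; a comment should say so, e.g. `// accessEntryType_Values lists the access entry types accepted by the aws_eks_access_entry type argument; keep in sync with the EKS CreateAccessEntry API.` The underscore in the name matches the existing `resources_Values` in this file, so keeping it is the consistent choice rather than renaming here.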
2 changes: 1 addition & 1 deletion internal/service/eks/find.go
Expand Up @@ -195,7 +195,7 @@ func FindOIDCIdentityProviderConfigByClusterNameAndConfigName(ctx context.Contex
ClusterName: aws.String(clusterName),
IdentityProviderConfig: &types.IdentityProviderConfig{
Name: aws.String(configName),
Type: aws.String(IdentityProviderConfigTypeOIDC),
Type: aws.String(identityProviderConfigTypeOIDC),
},
}

4 changes: 2 additions & 2 deletions internal/service/eks/identity_provider_config.go
Expand Up @@ -214,7 +214,7 @@ func resourceIdentityProviderConfigDelete(ctx context.Context, d *schema.Resourc
ClusterName: aws.String(clusterName),
IdentityProviderConfig: &types.IdentityProviderConfig{
Name: aws.String(configName),
Type: aws.String(IdentityProviderConfigTypeOIDC),
Type: aws.String(identityProviderConfigTypeOIDC),
},
})

Expand Down Expand Up @@ -242,7 +242,7 @@ func findOIDCIdentityProviderConfigByTwoPartKey(ctx context.Context, conn *eks.C
ClusterName: aws.String(clusterName),
IdentityProviderConfig: &types.IdentityProviderConfig{
Name: aws.String(configName),
Type: aws.String(IdentityProviderConfigTypeOIDC),
Type: aws.String(identityProviderConfigTypeOIDC),
},
}

5 changes: 3 additions & 2 deletions website/docs/r/eks_access_entry.html.markdown
Expand Up @@ -17,6 +17,7 @@ resource "aws_eks_access_entry" "example" {
cluster_name = aws_eks_cluster.example.name
principal_arn = aws_iam_role.example.arn
kubernetes_groups = ["group-1", "group-2"]
type = "STANDARD"
}
```

Expand All @@ -31,6 +32,8 @@ The following arguments are optional:

* `kubernetes_groups` – (Optional) List of string which can optionally specify the Kubernetes groups the user would belong to when creating an access entry.
* `tags` - (Optional) Key-value map of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
* `type` - (Optional) Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or groups, and prevent associations.
* `user_name` - (Optional) Defaults to principal ARN if user is principal else defaults to assume-role/session-name is role is used.

## Attribute Reference

Expand All @@ -39,8 +42,6 @@ This resource exports the following attributes in addition to the arguments abov
* `access_entry_arn` - Amazon Resource Name (ARN) of the Access Entry.
* `created_at` - Date and time in [RFC3339 format](https://tools.ietf.org/html/rfc3339#section-5.8) that the EKS add-on was created.
* `modified_at` - Date and time in [RFC3339 format](https://tools.ietf.org/html/rfc3339#section-5.8) that the EKS add-on was updated.
* `user_name` - Defaults to principal ARN if user is principal else defaults to assume-role/session-name is role is used.
* `type` - Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or groups, and prevent associations.
* `tags_all` - (Optional) Key-value map of resource tags, including those inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block).

## Timeouts