From 48f76f04ad5e151b56a483888adf3b7ef91a4b8f Mon Sep 17 00:00:00 2001
From: Poornima Krishnasamy
Date: Tue, 28 Sep 2021 11:30:59 +0100
Subject: [PATCH] Remove null_resouce for associate_provider and add as terraform resource (#1372)
* Remove null_resouce for associate_provider and add as terraform resource
* Re-triggering checks again
* Add null resource provider
---
 .../cloud-platform-aws/vpc/eks/main.tf | 39 +++++-------------
 .../cloud-platform-aws/vpc/eks/variables.tf | 6 ---
 .../cloud-platform-aws/vpc/eks/versions.tf | 3 ++
 3 files changed, 13 insertions(+), 35 deletions(-)
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/main.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/main.tf
index 26684c1e..e059850a 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/main.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/main.tf
@@ -122,34 +122,15 @@ module "auth0" {
 extra_callbacks = lookup(local.auth0_extra_callbacks, terraform.workspace, [""])
 }
-resource "null_resource" "associate_identity_provider" {
- depends_on = [module.eks.cluster_id]
- provisioner "local-exec" {
- command = "aws eks --region 'eu-west-2' describe-identity-provider-config --cluster-name '${terraform.workspace}' --identity-provider-config type='oidc',name='Auth0' --output json --query 'identityProviderConfig.oidc.status' || aws eks --region 'eu-west-2' associate-identity-provider-config --cluster-name '${terraform.workspace}' --oidc identityProviderConfigName='Auth0',issuerUrl='${var.auth0_issuerUrl}',clientId='${module.auth0.oidc_kubernetes_client_id}',usernameClaim=email,groupsClaim='${var.auth0_groupsClaim}',requiredClaims={}"
+resource "aws_eks_identity_provider_config" "oidc_associate" {
+ cluster_name = terraform.workspace
+
+ oidc {
+ client_id = module.auth0.oidc_kubernetes_client_id
+ identity_provider_config_name = "Auth0"
+ issuer_url = var.auth0_issuerUrl
+ username_claim = "email"
+ groups_claim = var.auth0_groupsClaim
+ required_claims = {}
 }
-
-}
-
-resource "null_resource" "wait_for_active_associate" {
- count = var.check_associate == "true" ? 1 : 0
- depends_on = [null_resource.associate_identity_provider]
- provisioner "local-exec" {
- command = var.wait_for_active_associate_cmd
- interpreter = var.wait_for_active_associate_interpreter
- environment = {
- CLUSTER = terraform.workspace
- }
- }
-}
-
-variable "wait_for_active_associate_cmd" {
- description = "Custom local-exec command to execute for determining if the associate identity provider is active.
Cluster name will be available as an environment variable called CLUSTER"
- type = string
- default = "for i in `seq 1 60`; do if [[ `aws eks --region 'eu-west-2' describe-identity-provider-config --cluster-name $CLUSTER --identity-provider-config type='oidc',name='Auth0' --output json --query 'identityProviderConfig.oidc.status'` == '\"ACTIVE\"' ]]; then exit 0;else echo 'Checking again for active Auth0 association'; sleep 30;fi; done; echo 'TIMEOUT due to maximum retries to check for active Auth0 association'; exit 1"
-}
-
-variable "wait_for_active_associate_interpreter" {
- description = "Custom local-exec command line interpreter for the command to determining if the Auth0 association to eks cluster is active."
- type = list(string)
- default = ["/bin/sh", "-c"]
 }
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
index e5b65439..637bfa41 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
@@ -16,12 +16,6 @@ variable "auth0_groupsClaim" {
 default = "https://k8s.integration.dsd.io/groups"
 }
-variable "check_associate" {
- type = string
- default = "true"
- description = "Check for active association during cluster creation. This is required for kuberos to authenticate to the cluster."
- }
-
 variable "cluster_enabled_log_types" {
 default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
 description = "A list of the desired control plane logging to enable."
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/versions.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/versions.tf
index ab54e51b..2d1b0fe3 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/versions.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/versions.tf
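Review bot: The new `aws_eks_identity_provider_config.oidc_associate` resource has no dependency edge to the EKS cluster: `cluster_name = terraform.workspace` is a plain string and the only resource reference in the block is `module.auth0.oidc_kubernetes_client_id`, whereas the removed null_resource carried `depends_on = [module.eks.cluster_id]`. On a fresh workspace Terraform is therefore free to attempt the association before the cluster exists, which fails the apply instead of the controlled ordering the old provisioner had. I would take the name from the module output, `cluster_name = module.eks.cluster_id`, if that output is the cluster name as the old CLI command implied, or otherwise add `depends_on = [module.eks]` to the resource. Dropping the removed `wait_for_active_associate` loop is reasonable only if the provider blocks until the config reports ACTIVE, which I believe it does but cannot confirm from this diff; a comment on the resource stating that the provider performs the wait formerly done by the shell loop would record the assumption for the next reader.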
@@ -11,6 +11,9 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 1.11"
 }
+ null = {
+ source = "hashicorp/null"
+ }
 }
 required_version = ">= 0.14"
 }
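Review bot: The added `null` provider entry carries no version constraint, unlike the `kubernetes` entry directly above it with `version = "~> 1.11"`; an unconstrained provider resolves to whatever the registry serves at `terraform init` time on machines without the lock file, so add a constraint such as `version = "~> 3.0"` matching the version recorded in the dependency lock file. It is also not visible in this hunk whether the `aws` provider constraint admits `aws_eks_identity_provider_config`, which main.tf now relies on; if it needed a bump, doing it in this commit would keep the change self-contained. The enclosing `required_providers` block starts outside the hunk.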