Commit
feat(oidc-provider): Add oidc_provider_enabled variable (cloudposse#36)
* feat(oidc-provider): Add oidc_provider_enabled variable

For a better developer experience, it is better to create an aws_iam_openid_connect_provider resource inside the module
and export it outside, plus a variable, because the aws provider does not support a data source for aws_iam_openid_connect_provider.

Added oidc_provider_enabled variable in order to create an IAM OIDC identity provider for the cluster,
then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam.
For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

* Update outputs.tf

Co-Authored-By: Andriy Knysh <[email protected]>

* Update main.tf

Co-Authored-By: Andriy Knysh <[email protected]>

* docs: Update README.md
vymarkov authored and aknysh committed Nov 20, 2019
1 parent e1133e3 commit 0d20cf0
Showing 9 changed files with 51 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README.md
@@ -234,6 +234,8 @@ Other examples:
kubernetes_version = var.kubernetes_version
kubeconfig_path = var.kubeconfig_path
oidc_provider_enabled = false
workers_security_group_ids = [module.eks_workers.security_group_id]
workers_role_arns = [module.eks_workers.workers_role_arn]
}
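Review bot: the new `oidc_provider_enabled = false` line in this usage example only restates the variable's default, so the README never shows the feature switched on; either set it to `true` here (as `examples/complete/fixtures.us-east-2.tfvars` in this same commit does) or add a one-line comment saying that `true` creates the IAM OIDC provider needed for IAM roles for service accounts.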
@@ -305,6 +307,8 @@ Module usage with two worker groups:
kubernetes_version = var.kubernetes_version
kubeconfig_path = var.kubeconfig_path
oidc_provider_enabled = false
workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
}
@@ -397,6 +401,7 @@ Available targets:
| map_additional_iam_users | Additional IAM users to add to `config-map-aws-auth` ConfigMap | object | `<list>` | no |
| name | Solution name, e.g. 'app' or 'cluster' | string | - | yes |
| namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no |
| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | `false` | no |
| region | AWS Region | string | - | yes |
| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no |
| subnet_ids | A list of subnet IDs to launch the cluster in | list(string) | - | yes |
@@ -414,6 +419,7 @@ Available targets:
| eks_cluster_endpoint | The endpoint for the Kubernetes API server |
| eks_cluster_id | The name of the cluster |
| eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster |
| eks_cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account |
| eks_cluster_version | The Kubernetes server version of the cluster |
| security_group_arn | ARN of the EKS cluster Security Group |
| security_group_id | ID of the EKS cluster Security Group |
4 changes: 4 additions & 0 deletions README.yaml
@@ -214,6 +214,8 @@ usage: |-
kubernetes_version = var.kubernetes_version
kubeconfig_path = var.kubeconfig_path
oidc_provider_enabled = false
workers_security_group_ids = [module.eks_workers.security_group_id]
workers_role_arns = [module.eks_workers.workers_role_arn]
}
@@ -285,6 +287,8 @@ usage: |-
kubernetes_version = var.kubernetes_version
kubeconfig_path = var.kubeconfig_path
oidc_provider_enabled = false
workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
}
2 changes: 2 additions & 0 deletions docs/terraform.md
@@ -30,6 +30,7 @@
| map_additional_iam_users | Additional IAM users to add to `config-map-aws-auth` ConfigMap | object | `<list>` | no |
| name | Solution name, e.g. 'app' or 'cluster' | string | - | yes |
| namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no |
| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | `false` | no |
| region | AWS Region | string | - | yes |
| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no |
| subnet_ids | A list of subnet IDs to launch the cluster in | list(string) | - | yes |
@@ -47,6 +48,7 @@
| eks_cluster_endpoint | The endpoint for the Kubernetes API server |
| eks_cluster_id | The name of the cluster |
| eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster |
| eks_cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account |
| eks_cluster_version | The Kubernetes server version of the cluster |
| security_group_arn | ARN of the EKS cluster Security Group |
| security_group_id | ID of the EKS cluster Security Group |
2 changes: 2 additions & 0 deletions examples/complete/fixtures.us-east-2.tfvars
@@ -29,3 +29,5 @@ associate_public_ip_address = true
kubernetes_version = "1.14"

kubeconfig_path = "/.kube/config"

oidc_provider_enabled = true
1 change: 1 addition & 0 deletions examples/complete/main.tf
@@ -94,6 +94,7 @@ module "eks_cluster" {

configmap_auth_template_file = var.configmap_auth_template_file
configmap_auth_file = var.configmap_auth_file
oidc_provider_enabled = var.oidc_provider_enabled

install_aws_cli = var.install_aws_cli
install_kubectl = var.install_kubectl
6 changes: 6 additions & 0 deletions examples/complete/variables.tf
@@ -122,6 +122,12 @@ variable "map_additional_iam_users" {
default = []
}

variable "oidc_provider_enabled" {
type = bool
default = false
description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
}

variable "kubeconfig_path" {
type = string
description = "The path to `kubeconfig` file"
19 changes: 19 additions & 0 deletions main.tf
@@ -113,3 +113,22 @@ resource "aws_eks_cluster" "default" {
aws_iam_role_policy_attachment.amazon_eks_service_policy
]
}

# Enabling IAM Roles for Service Accounts in Kubernetes cluster
#
# From official docs:
# The IAM roles for service accounts feature is available on new Amazon EKS Kubernetes version 1.14 clusters,
# and clusters that were updated to versions 1.14 or 1.13 on or after September 3rd, 2019.
#
# https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
# https://medium.com/@marcincuber/amazon-eks-with-oidc-provider-iam-roles-for-kubernetes-services-accounts-59015d15cb0c
#
resource "aws_iam_openid_connect_provider" "default" {
count = (var.enabled && var.oidc_provider_enabled) ? 1 : 0
url = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)

client_id_list = ["sts.amazonaws.com"]
# it's thumbprint won't change for many years :)
# https://github.com/terraform-providers/terraform-provider-aws/issues/10104
thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
}
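Review bot: the hardcoded `thumbprint_list` value at the end of the hunk has no stated provenance; the comment above it only says it "won't change for many years" and links an upstream provider issue. State which CA certificate this is the SHA-1 fingerprint of and how it was computed so a reviewer can reproduce it, and consider exposing the list as a module variable with this value as the default, because a thumbprint that no longer matches the issuer's certificate chain makes STS reject every service-account token and IRSA stops working cluster-wide with no way to fix it short of forking the module. Also fix the comment grammar: `its thumbprint`, not `it's`.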
5 changes: 5 additions & 0 deletions outputs.tf
@@ -38,6 +38,11 @@ output "eks_cluster_identity_oidc_issuer" {
value = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)
}

output "eks_cluster_identity_oidc_issuer_arn" {
description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account"
value = join("", aws_iam_openid_connect_provider.default.*.arn)
}

output "eks_cluster_certificate_authority_data" {
description = "The Kubernetes cluster certificate authority data"
value = local.certificate_authority_data
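Review bot: `eks_cluster_identity_oidc_issuer_arn` evaluates to an empty string whenever the provider resource is not created (`count` is 0 when `var.enabled` or `var.oidc_provider_enabled` is false, and `join("", [])` is `""`), but the description does not say so, and a caller that interpolates it into an IAM role trust policy gets a silently broken policy rather than a plan-time error. Suggest appending to the description: `Empty when oidc_provider_enabled is false`.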
6 changes: 6 additions & 0 deletions variables.tf
@@ -88,6 +88,12 @@ variable "kubernetes_version" {
description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used"
}

variable "oidc_provider_enabled" {
type = bool
default = false
description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
}

variable "endpoint_private_access" {
type = bool
default = false
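Review bot: the `description` of `oidc_provider_enabled` omits the version constraint that the comment in `main.tf` in this same commit documents (IAM roles for service accounts is available on Kubernetes 1.14 clusters, or 1.13/1.14 clusters updated on or after September 3rd, 2019); this description is the text that reaches the generated README and `docs/terraform.md`, so it is the only place a module user will read it. Add a sentence such as `Requires Kubernetes 1.14 or a 1.13/1.14 cluster updated on or after 2019-09-03` to the description.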