From 0d20cf0b9d8aa0fc29e1959df77ef3a9f29fd4b4 Mon Sep 17 00:00:00 2001
From: Vitaly Markov
Date: Wed, 20 Nov 2019 03:55:12 +0200
Subject: [PATCH] feat(oidc-provider): Add oidc_provider_enabled variable (#36)
* feat(oidc-provider): Add oidc_provider_enabled variable For better developer experience better to create an aws_iam_openid_connect_provider resource inside module and export outside and variable, cause aws provider does not support a data source for aws_iam_openid_connect_provider Added oidc_provider_enabled variable in order to create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
* Update outputs.tf
Co-Authored-By: Andriy Knysh
* Update main.tf
Co-Authored-By: Andriy Knysh
* docs: Update README.md
---
 README.md | 6 ++++++
 README.yaml | 4 ++++
 docs/terraform.md | 2 ++
 examples/complete/fixtures.us-east-2.tfvars | 2 ++
 examples/complete/main.tf | 1 +
 examples/complete/variables.tf | 6 ++++++
 main.tf | 19 +++++++++++++++++++
 outputs.tf | 5 +++++
 variables.tf | 6 ++++++
 9 files changed, 51 insertions(+)
diff --git a/README.md b/README.md
index 00479a62..d93a320a 100644
--- a/README.md
+++ b/README.md
@@ -234,6 +234,8 @@ Other examples:
 kubernetes_version = var.kubernetes_version
 kubeconfig_path = var.kubeconfig_path
+ oidc_provider_enabled = false
+
 workers_security_group_ids = [module.eks_workers.security_group_id]
 workers_role_arns = [module.eks_workers.workers_role_arn]
 }
@@ -305,6 +307,8 @@ Module usage with two worker groups:
 kubernetes_version = var.kubernetes_version
 kubeconfig_path = var.kubeconfig_path
+ oidc_provider_enabled = false
+
 workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
 workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
 }
@@ -397,6 +401,7 @@ Available targets:
 | map_additional_iam_users | Additional IAM users to add to `config-map-aws-auth` ConfigMap | object | `` | no |
 | name | Solution name, e.g. 'app' or 'cluster' | string | - | yes |
 | namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no |
+| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | `false` | no |
 | region | AWS Region | string | - | yes |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no |
 | subnet_ids | A list of subnet IDs to launch the cluster in | list(string) | - | yes |
@@ -414,6 +419,7 @@ Available targets:
 | eks_cluster_endpoint | The endpoint for the Kubernetes API server |
 | eks_cluster_id | The name of the cluster |
 | eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster |
+| eks_cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account |
 | eks_cluster_version | The Kubernetes server version of the cluster |
 | security_group_arn | ARN of the EKS cluster Security Group |
 | security_group_id | ID of the EKS cluster Security Group |
diff --git a/README.yaml b/README.yaml
index 08ecefb7..a36ba405 100644
--- a/README.yaml
+++ b/README.yaml
@@ -214,6 +214,8 @@ usage: |-
 kubernetes_version = var.kubernetes_version
 kubeconfig_path = var.kubeconfig_path
+ oidc_provider_enabled = false
+
 workers_security_group_ids = [module.eks_workers.security_group_id]
 workers_role_arns = [module.eks_workers.workers_role_arn]
 }
@@ -285,6 +287,8 @@ usage: |-
 kubernetes_version = var.kubernetes_version
 kubeconfig_path = var.kubeconfig_path
+ oidc_provider_enabled = false
+
 workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
 workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
 }
diff --git a/docs/terraform.md b/docs/terraform.md
index a35e7f85..75312340 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -30,6 +30,7 @@
 | map_additional_iam_users | Additional IAM users to add to `config-map-aws-auth` ConfigMap | object | `` | no |
 | name | Solution name, e.g. 'app' or 'cluster' | string | - | yes |
 | namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no |
+| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | `false` | no |
 | region | AWS Region | string | - | yes |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no |
 | subnet_ids | A list of subnet IDs to launch the cluster in | list(string) | - | yes |
@@ -47,6 +48,7 @@
 | eks_cluster_endpoint | The endpoint for the Kubernetes API server |
 | eks_cluster_id | The name of the cluster |
 | eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster |
+| eks_cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account |
 | eks_cluster_version | The Kubernetes server version of the cluster |
 | security_group_arn | ARN of the EKS cluster Security Group |
 | security_group_id | ID of the EKS cluster Security Group |
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
index 1df7ec87..48fa2263 100644
--- a/examples/complete/fixtures.us-east-2.tfvars
+++ b/examples/complete/fixtures.us-east-2.tfvars
@@ -29,3 +29,5 @@ associate_public_ip_address = true kubernetes_version = "1.14" kubeconfig_path = "/.kube/config" + +oidc_provider_enabled = true \ No newline at end of file
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 2a047957..3ff4e7e3 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -94,6 +94,7 @@ module "eks_cluster" {
 configmap_auth_template_file = var.configmap_auth_template_file
 configmap_auth_file = var.configmap_auth_file
+ oidc_provider_enabled = var.oidc_provider_enabled
 install_aws_cli = var.install_aws_cli
 install_kubectl = var.install_kubectl
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 492e5678..83750da6 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -122,6 +122,12 @@ variable "map_additional_iam_users" {
 default = []
 }
+variable "oidc_provider_enabled" {
+ type = bool
+ default = false
+ description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
+}
+
 variable "kubeconfig_path" {
 type = string
 description = "The path to `kubeconfig` file"
diff --git a/main.tf b/main.tf
index 6e70e8d6..885654f6 100644
--- a/main.tf
+++ b/main.tf
@@ -113,3 +113,22 @@ resource "aws_eks_cluster" "default" {
 aws_iam_role_policy_attachment.amazon_eks_service_policy
 ]
 }
+
+# Enabling IAM Roles for Service Accounts in Kubernetes cluster
+#
+# From official docs:
+# The IAM roles for service accounts feature is available on new Amazon EKS Kubernetes version 1.14 clusters,
+# and clusters that were updated to versions 1.14 or 1.13 on or after September 3rd, 2019.
+#
+# https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
+# https://medium.com/@marcincuber/amazon-eks-with-oidc-provider-iam-roles-for-kubernetes-services-accounts-59015d15cb0c
+#
+resource "aws_iam_openid_connect_provider" "default" {
+ count = (var.enabled && var.oidc_provider_enabled) ? 1 : 0
+ url = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)
+
+ client_id_list = ["sts.amazonaws.com"]
+ # it's thumbprint won't change for many years :)
+ # https://github.com/terraform-providers/terraform-provider-aws/issues/10104
+ thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+}
diff --git a/outputs.tf b/outputs.tf
index 9321f189..3bca3e9f 100644
--- a/outputs.tf
+++ b/outputs.tf
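Review bot: The `description` of the new `oidc_provider_enabled` variable omits the cluster-version prerequisite that the header comment added in main.tf spells out (new 1.14 clusters, or 1.13/1.14 clusters updated on or after September 3rd, 2019), so a user who enables it on an older cluster presumably learns of the problem only when the provider resource fails to apply with an empty issuer URL. Append to the description something like `Requires an EKS cluster on Kubernetes 1.14 or later (or a 1.13/1.14 cluster updated on or after 2019-09-03); see the linked guide for details`. The same wording belongs in the identical variable block in variables.tf and in the table rows added to README.md and docs/terraform.md.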
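Review bot: `thumbprint_list` hard-codes a single SHA-1 thumbprint as the trust anchor for the issuer's TLS chain, and the comment that justifies it (`# it's thumbprint won't change for many years :)`, which should read "its") gives a maintainer no way to verify or rotate it; if AWS re-issued the OIDC endpoint under a different root CA, the resource would likely stay unchanged in Terraform state while STS stops accepting the cluster's service-account tokens, and no plan would flag it. Expose the list as an input variable with this value as the default so operators can rotate it without a module release, or derive it from the issuer at apply time where the hashicorp/tls provider version in use offers the `tls_certificate` data source. Whichever is kept, replace the comment with one that states what the value is: `# SHA-1 thumbprint of the root CA for the EKS OIDC issuer endpoint; re-verify against the issuer URL whenever AWS changes the certificate chain`. Note also that `url` collapses to an empty string when the cluster exposes no OIDC issuer, which surfaces at apply time rather than at plan time.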
@@ -38,6 +38,11 @@ output "eks_cluster_identity_oidc_issuer" {
 value = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)
 }
+output "eks_cluster_identity_oidc_issuer_arn" {
+ description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account"
+ value = join("", aws_iam_openid_connect_provider.default.*.arn)
+}
+
 output "eks_cluster_certificate_authority_data" {
 description = "The Kubernetes cluster certificate authority data"
 value = local.certificate_authority_data
diff --git a/variables.tf b/variables.tf
index a8e166ad..f7e4ebef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -88,6 +88,12 @@ variable "kubernetes_version" {
 description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used"
 }
+variable "oidc_provider_enabled" {
+ type = bool
+ default = false
+ description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
+}
+
 variable "endpoint_private_access" {
 type = bool
 default = false
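Review bot: The new output `eks_cluster_identity_oidc_issuer_arn` and its description call the value an issuer ARN, but the expression returns the ARN of the `aws_iam_openid_connect_provider` resource created in main.tf, which is the identity-provider ARN that an IAM role's trust policy references as a federated principal; the issuer itself is a URL and has no ARN. Renaming would break the interface already published in the README tables, so at least correct the description: `description = "ARN of the IAM OIDC identity provider created for the cluster (referenced by IAM role trust policies for service accounts); empty when oidc_provider_enabled is false"`. The empty case is worth stating because `join("", [])` yields `""` when the provider is disabled, and a consumer that interpolates it into a trust policy only finds out at apply time.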