diff --git a/README.md b/README.md index 2ea12ffb..2b94d92c 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # terraform-aws-eks-cluster [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg)](https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) @@ -29,7 +30,6 @@ Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS. - --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. @@ -59,7 +59,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are - ## Introduction The module provisions the following resources: @@ -84,6 +83,7 @@ __NOTE:__ In `auth.tf`, we added `ignore_changes = [data["mapRoles"]]` to the `k If you want to modify the Node Group (e.g. add more Node Groups to the cluster) or need to map other IAM roles to Kubernetes groups, set the variable `kubernetes_config_map_ignore_role_changes` to `false` and re-provision the module. Then set `kubernetes_config_map_ignore_role_changes` back to `true`. + ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. @@ -340,6 +340,7 @@ Available targets: | [local](#requirement\_local) | >= 1.3 | | [null](#requirement\_null) | >= 2.0 | | [template](#requirement\_template) | >= 2.0 | +| [tls](#requirement\_tls) | >= 2.2.0 | ## Providers @@ -348,6 +349,7 @@ Available targets: | [aws](#provider\_aws) | >= 2.0 | | [kubernetes](#provider\_kubernetes) | >= 1.0 | | [null](#provider\_null) | >= 2.0 | +| [tls](#provider\_tls) | >= 2.2.0 | ## Modules 
@@ -382,6 +384,7 @@ Available targets: | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cluster_elb_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [tls_certificate.cluster](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | ## Inputs @@ -463,6 +466,7 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + ## Related Projects Check out these related projects. @@ -478,8 +482,6 @@ Check out these related projects. - [terraform-aws-ec2-instance](https://github.com/cloudposse/terraform-aws-ec2-instance) - Terraform module for providing a general purpose EC2 instance - [terraform-aws-ec2-instance-group](https://github.com/cloudposse/terraform-aws-ec2-instance-group) - Terraform module for provisioning multiple general purpose EC2 hosts for stateful applications - - ## Help **Got a question?** We got answers. diff --git a/docs/terraform.md b/docs/terraform.md index 60dff98c..552e9ab7 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -9,6 +9,7 @@ | [local](#requirement\_local) | >= 1.3 | | [null](#requirement\_null) | >= 2.0 | | [template](#requirement\_template) | >= 2.0 | +| [tls](#requirement\_tls) | >= 2.2.0 | ## Providers @@ -17,6 +18,7 @@ | [aws](#provider\_aws) | >= 2.0 | | [kubernetes](#provider\_kubernetes) | >= 1.0 | | [null](#provider\_null) | >= 2.0 | +| [tls](#provider\_tls) | >= 2.2.0 | ## Modules 
@@ -51,6 +53,7 @@
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster_elb_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [tls_certificate.cluster](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 
 ## Inputs
 
diff --git a/main.tf b/main.tf
index 3d88761a..c7df573f 100644
--- a/main.tf
+++ b/main.tf
@@ -84,13 +84,17 @@ resource "aws_eks_cluster" "default" {
 # https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
 # https://medium.com/@marcincuber/amazon-eks-with-oidc-provider-iam-roles-for-kubernetes-services-accounts-59015d15cb0c
 #
-resource "aws_iam_openid_connect_provider" "default" {
+
+data "tls_certificate" "cluster" {
 count = (local.enabled && var.oidc_provider_enabled) ? 1 : 0
 url = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)
+}
 
- client_id_list = ["sts.amazonaws.com"]
+resource "aws_iam_openid_connect_provider" "default" {
+ count = (local.enabled && var.oidc_provider_enabled) ? 1 : 0
+ url = join("", aws_eks_cluster.default.*.identity.0.oidc.0.issuer)
+ tags = module.label.tags
 
- # it's thumbprint won't change for many years
- # https://github.com/terraform-providers/terraform-provider-aws/issues/10104
- thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+ client_id_list = ["sts.amazonaws.com"]
+ thumbprint_list = [join("", data.tls_certificate.cluster.*.certificates.0.sha1_fingerprint)]
 }
diff --git a/versions.tf b/versions.tf
index 7dc28831..29328beb 100644
--- a/versions.tf
+++ b/versions.tf
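Review bot: The new `thumbprint_list` line in the main.tf hunk pins the OIDC provider to whatever certificate chain `data.tls_certificate.cluster` receives from the issuer endpoint at the moment Terraform runs, yet the comment that explained the old hard-coded thumbprint was removed and nothing now says which element of the chain is used or why. I would add above the data block `# Derive the OIDC provider thumbprint from the issuer's live certificate chain instead of hard-coding it; the host running Terraform needs egress to the issuer URL for this data source to resolve.` and on the thumbprint line `# certificates.0 — presumably the root of the presented chain, which is the thumbprint AWS expects; confirm against the tls provider's documented ordering before relying on it.` Because the fingerprint comes from a live TLS handshake, a change in the chain the issuer presents will show up as a plan-time update to `aws_iam_openid_connect_provider`, and that update deserves review rather than auto-approval. The comment lines at the top of the hunk are context; the rest of main.tf is outside it.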
@@ -22,5 +22,9 @@ terraform {
 source = "hashicorp/kubernetes"
 version = ">= 1.0"
 }
+ tls = {
+ source = "hashicorp/tls"
+ version = ">= 2.2.0"
+ }
 }
 }