jodem · April 23, 2020 15:11
diff --git a/aws_auth.template.yaml b/aws_auth.template.yaml
 # FROM https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-04-21/aws-auth-cm.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: aws-auth
  namespace: kube-system
 data:
  mapRoles: |
    - rolearn: ${cluster_role_ARN}  #<ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
  %{ for index, userInstance in users ~}
  - userarn: ${element(users[index],0)}
      username: ${element(users[index],1)}
      groups:
        - ${element(users[index],2)}
  %{ endfor }
diff --git a/stack.tf b/stack.tf
 resource "kubectl_manifest" "aws-auth-config" {
  yaml_body = templatefile("${path.module}/k8_templates/aws_auth.template.yaml",
    {
      cluster_role_ARN = aws_iam_role.main_cluster_role.arn,
      users = var.iam_users_allowed_to_use_kubectl
    }
  )
 }

 //  Policy to attach to users to use k8 api 
 data "aws_iam_policy_document" "allow_k8_cluster_use_template" {
  statement {
    sid = "1"

    actions = [
      "sts:AssumeRole"
    ]

    resources = [
      aws_iam_role.main_cluster_role.arn
    ]
  }

 }

 resource "aws_iam_policy" "allow_k8_cluster_use_for_iam_users" {
  name   = "policy_${var.env_name}_allow_kubectl"
  path   = "/"
  policy = data.aws_iam_policy_document.allow_k8_cluster_use_template.json
 }
diff --git a/variable.tf b/variable.tf
 variable "iam_users_allowed_to_use_kubectl" {
  type = list(list(string))
  default = [
    ["arn:aws:iam::922564820568:user/john.doe" , "john.doe", "system:masters"],
    ["arn:aws:iam::922564820568:user/john2.doe" , "john2.doe", "system:masters"]
    # Add users here you still need to manually assign them the policy "allow_k8_cluster_use_for_iam_users"

  ]
 }
	# FROM https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-04-21/aws-auth-cm.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: aws-auth
	namespace: kube-system
	data:
	mapRoles: \|
	- rolearn: ${cluster_role_ARN} #<ARN of instance role (not instance profile)>
	username: system:node:{{EC2PrivateDNSName}}
	groups:
	- system:bootstrappers
	- system:nodes
	mapUsers: \|
	%{ for index, userInstance in users ~}
	- userarn: ${element(users[index],0)}
	username: ${element(users[index],1)}
	groups:
	- ${element(users[index],2)}
	%{ endfor }
	resource "kubectl_manifest" "aws-auth-config" {
	yaml_body = templatefile("${path.module}/k8_templates/aws_auth.template.yaml",
	{
	cluster_role_ARN = aws_iam_role.main_cluster_role.arn,
	users = var.iam_users_allowed_to_use_kubectl
	}
	)
	}

	// Policy to attach to users to use k8 api
	data "aws_iam_policy_document" "allow_k8_cluster_use_template" {
	statement {
	sid = "1"

	actions = [
	"sts:AssumeRole"
	]

	resources = [
	aws_iam_role.main_cluster_role.arn
	]
	}

	}

	resource "aws_iam_policy" "allow_k8_cluster_use_for_iam_users" {
	name = "policy_${var.env_name}_allow_kubectl"
	path = "/"
	policy = data.aws_iam_policy_document.allow_k8_cluster_use_template.json
	}
	variable "iam_users_allowed_to_use_kubectl" {
	type = list(list(string))
	default = [
	["arn:aws:iam::922564820568:user/john.doe" , "john.doe", "system:masters"],
	["arn:aws:iam::922564820568:user/john2.doe" , "john2.doe", "system:masters"]
	# Add users here you still need to manually assign them the policy "allow_k8_cluster_use_for_iam_users"

	]
	}