Amazon EKS 0.72.3 (last updated in version 0.72.1)

EKS AWS Auth Merger


This module contains a Go CLI, a Docker container, and a Terraform module for deploying a Kubernetes controller that manages the mappings from AWS IAM roles and users to RBAC groups in Kubernetes. The official way to manage these mappings is to add entries to a single, central ConfigMap (aws-auth in the kube-system Namespace). This module lets you split that central ConfigMap across multiple, separate ConfigMaps, each configuring a subset of the mappings you ultimately want, so that entries can be managed from isolated modules (e.g., when you add a new IAM role in a separate module from the EKS cluster). The aws-auth-merger watches its Namespace for aws-auth compatible ConfigMaps and merges them into the aws-auth authentication ConfigMap for EKS.

Because every matching ConfigMap in that Namespace is merged into aws-auth, the ability to create or edit those ConfigMaps is equivalent to the ability to grant access to the cluster. Restrict create/update/patch on ConfigMaps in the merger's Namespace with Kubernetes RBAC to the identities that legitimately manage IAM-to-RBAC mappings, and treat changes to those ConfigMaps as authentication changes in review and audit.

Features

  • Break up the aws-auth Kubernetes ConfigMap across multiple objects.

  • Automatically merge new ConfigMaps as they are added and removed.

  • Snapshot the aws-auth ConfigMap that EKS generates automatically (for example, when managed node groups or Fargate profiles are created) into a source ConfigMap, so that those entries are preserved across merges.

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

EKS Cluster: Production-ready example code from the Reference Architecture:

  • app account configuration

  • base configuration

Manage

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-AWS-AUTH-MERGER MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_aws_auth_merger" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-aws-auth-merger?ref=v0.72.3"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Location of the container image to use for the aws-auth-merger app.
  aws_auth_merger_image = <object(
    repo = string
    tag  = string
  )>

  # Namespace to deploy the aws-auth-merger into. The app will watch for
  # ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.
  namespace = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Labels to apply to ConfigMaps that are created automatically by the
  # aws-auth-merger when snapshotting the existing main ConfigMap. These must
  # match the label selector provided in configmap_label_selector.
  autocreate_labels = {}

  # A Kubernetes Label Selector for the Namespace to look for ConfigMaps that
  # should be merged into the main aws-auth ConfigMap. An empty selector
  # matches every ConfigMap in the Namespace.
  configmap_label_selector = ""

  # If true, create a Fargate Profile so that the aws-auth-merger app runs on
  # Fargate.
  create_fargate_profile = false

  # When true this will inform the module to create the Namespace.
  create_namespace = true

  # If you set this variable to false, this module will not create any
  # resources. This is a workaround from before Terraform 0.13 added support
  # for the 'count' parameter on modules. By using this parameter, you can
  # optionally create or not create the resources within this module.
  create_resources = true

  # Tags to apply to all AWS resources managed by this module.
  default_tags = {}

  # Key value pairs of strings to apply as annotations on the Deployment.
  deployment_annotations = {}

  # Key value pairs of strings to apply as labels on the Deployment.
  deployment_labels = {}

  # Name to apply to the Deployment for the aws-auth-merger app.
  deployment_name = "aws-auth-merger"

  # A map of custom tags to apply to the Fargate Profile if enabled. The key is
  # the tag name and the value is the tag value.
  eks_fargate_profile_tags = {}

  # Configuration options for the Fargate Profile. Only used if
  # create_fargate_profile is set to true.
  fargate_profile = null

  # Logging verbosity level. Must be one of (in order of most verbose to least):
  # trace, debug, info, warn, error, fatal, panic.
  log_level = "info"

  # Key value pairs of strings to apply as annotations on the Pod.
  pod_annotations = {}

  # Key value pairs of strings to apply as labels on the Pod.
  pod_labels = {}

  # Interval to poll the Namespace for aws-auth ConfigMaps to merge as a
  # duration string (e.g. 5m10s for 5 minutes 10 seconds).
  refresh_interval = "5m"

  # Key value pairs of strings to apply as annotations on the ServiceAccount.
  service_account_annotations = {}

  # Key value pairs of strings to apply as labels on the ServiceAccount.
  service_account_labels = {}

  # Name to apply to the ServiceAccount for the aws-auth-merger app.
  service_account_name = "aws-auth-merger"

  # Key value pairs of strings to apply as annotations on the RBAC Role for the
  # ServiceAccount.
  service_account_role_annotations = {}

  # Key value pairs of strings to apply as annotations on the RBAC Role Binding
  # for the ServiceAccount.
  service_account_role_binding_annotations = {}

  # Key value pairs of strings to apply as labels on the RBAC Role Binding for
  # the ServiceAccount.
  service_account_role_binding_labels = {}

  # Name to apply to the RBAC Role Binding for the ServiceAccount.
  service_account_role_binding_name = "aws-auth-merger"

  # Key value pairs of strings to apply as labels on the RBAC Role for the
  # ServiceAccount.
  service_account_role_labels = {}

  # Name to apply to the RBAC Role for the ServiceAccount.
  service_account_role_name = "aws-auth-merger"

}
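The sample above lists every input but does not show the two halves of an actual deployment: the merger wired to a label selector, and a source ConfigMap that some other team or module publishes into the merger's Namespace. The following is an added example written for this page; it is not code from the terraform-aws-eks module or its documentation. The label key aws-auth-source, the Namespace name aws-auth-merger, the image repository and tag, the IAM role ARN and the RBAC group deployers are all assumptions chosen for illustration.

```hcl
# Added example, not part of the terraform-aws-eks module docs.
# Assumed names: label key "aws-auth-source", Namespace "aws-auth-merger",
# image repo/tag, the IAM role ARN, and the RBAC group "deployers".

locals {
  # One label drives both the selector the merger watches and the labels it
  # stamps on the snapshot ConfigMap, so the two cannot drift apart. If they
  # did, the snapshot of the EKS-generated entries would never be merged back.
  aws_auth_source_labels = {
    "aws-auth-source" = "true"
  }
}

module "eks_aws_auth_merger" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-aws-auth-merger?ref=v0.72.3"

  aws_auth_merger_image = {
    repo = "gruntwork/aws-auth-merger" # assumed repository name
    tag  = "v0.72.3"                   # assumed tag
  }

  namespace = "aws-auth-merger"

  # Never leave this empty in production: an empty selector matches every
  # ConfigMap in the Namespace, so any ConfigMap dropped there becomes an
  # authentication source.
  configmap_label_selector = "aws-auth-source=true"
  autocreate_labels        = local.aws_auth_source_labels
}

# A source ConfigMap for one IAM role. In practice this lives in the root
# module that defines the IAM role, not next to the cluster; it is shown here
# in one file so the example is complete. Only the aws-auth format is used:
# data.mapRoles (and optionally data.mapUsers) as YAML strings.
resource "kubernetes_config_map" "ci_deployer_auth" {
  metadata {
    name      = "aws-auth-ci-deployer"
    namespace = "aws-auth-merger"
    labels    = local.aws_auth_source_labels
  }

  data = {
    mapRoles = yamlencode([
      {
        rolearn  = "arn:aws:iam::123456789012:role/ci-deployer" # assumed ARN
        username = "ci-deployer"
        # Map to a narrowly scoped group that a Role/ClusterRole binds, not to
        # system:masters, which bypasses RBAC authorization entirely.
        groups = ["deployers"]
      },
    ])
  }

  # Only needed because the module creates the Namespace in this same root
  # module. When the ConfigMap is managed elsewhere, the Namespace must
  # already exist.
  depends_on = [module.eks_aws_auth_merger]
}
```

After terraform apply, the entry appears in the aws-auth ConfigMap in kube-system within one refresh_interval (the module default is 5m); kubectl get configmap aws-auth -n kube-system -o yaml shows the merged result. Deleting the source ConfigMap removes the entry on the next merge, which is the intended way to revoke access granted through this path, so the source ConfigMaps, not the merged aws-auth, are the objects to protect and review.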


Reference

Required

aws_auth_merger_image (object, required)

Location of the container image to use for the aws-auth-merger app.

object({
  # Container image repository where the aws-auth-merger app container image lives
  repo = string
  # Tag of the aws-auth-merger container to deploy
  tag = string
})

namespace (string, required)

Namespace to deploy the aws-auth-merger into. The app will watch for ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.

Optional

autocreate_labels (map(string), optional)

Labels to apply to ConfigMaps that are created automatically by the aws-auth-merger when snapshotting the existing main ConfigMap. These must match the label selector provided in configmap_label_selector.

Default: {}

configmap_label_selector (string, optional)

A Kubernetes Label Selector for the Namespace to look for ConfigMaps that should be merged into the main aws-auth ConfigMap. An empty selector matches every ConfigMap in the Namespace, so set an explicit selector and keep it in sync with autocreate_labels.

Default: ""

create_fargate_profile (bool, optional)

If true, create a Fargate Profile so that the aws-auth-merger app runs on Fargate.

Default: false

create_namespace (bool, optional)

When true this will inform the module to create the Namespace.

Default: true

create_resources (bool, optional)

If you set this variable to false, this module will not create any resources. This is a workaround from before Terraform 0.13 added support for the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

Default: true

default_tags (map(string), optional)

Tags to apply to all AWS resources managed by this module.

Default: {}

deployment_annotations (map(string), optional)

Key value pairs of strings to apply as annotations on the Deployment.

Default: {}

deployment_labels (map(string), optional)

Key value pairs of strings to apply as labels on the Deployment.

Default: {}

deployment_name (string, optional)

Name to apply to the Deployment for the aws-auth-merger app.

Default: "aws-auth-merger"

eks_fargate_profile_tags (map(string), optional)

A map of custom tags to apply to the Fargate Profile if enabled. The key is the tag name and the value is the tag value.

Default: {}

fargate_profile (object, optional)

Configuration options for the Fargate Profile. Only used if create_fargate_profile is set to true.

object({
  # Name of the Fargate Profile (this must be unique per cluster).
  name = string

  # Name of the EKS cluster that the Fargate Profile belongs to.
  eks_cluster_name = string

  # List of VPC subnet IDs to use for the Pods.
  worker_subnet_ids = list(string)

  # ARN of an IAM role to use for the Pod execution. This role is primarily used to set up the container, like pulling
  # the container image, setting up volumes, mounting secrets, etc.
  pod_execution_role_arn = string
})

Default: null

log_level (string, optional)

Logging verbosity level. Must be one of (in order of most verbose to least): trace, debug, info, warn, error, fatal, panic.

Default: "info"

pod_annotations (map(string), optional)

Key value pairs of strings to apply as annotations on the Pod.

Default: {}

pod_labels (map(string), optional)

Key value pairs of strings to apply as labels on the Pod.

Default: {}

refresh_interval (string, optional)

Interval to poll the Namespace for aws-auth ConfigMaps to merge as a duration string (e.g. 5m10s for 5 minutes 10 seconds).

Default: "5m"

service_account_annotations (map(string), optional)

Key value pairs of strings to apply as annotations on the ServiceAccount.

Default: {}

service_account_labels (map(string), optional)

Key value pairs of strings to apply as labels on the ServiceAccount.

Default: {}

service_account_name (string, optional)

Name to apply to the ServiceAccount for the aws-auth-merger app.

Default: "aws-auth-merger"

service_account_role_annotations (map(string), optional)

Key value pairs of strings to apply as annotations on the RBAC Role for the ServiceAccount.

Default: {}

service_account_role_binding_annotations (map(string), optional)

Key value pairs of strings to apply as annotations on the RBAC Role Binding for the ServiceAccount.

Default: {}

service_account_role_binding_labels (map(string), optional)

Key value pairs of strings to apply as labels on the RBAC Role Binding for the ServiceAccount.

Default: {}

service_account_role_binding_name (string, optional)

Name to apply to the RBAC Role Binding for the ServiceAccount.

Default: "aws-auth-merger"

service_account_role_labels (map(string), optional)

Key value pairs of strings to apply as labels on the RBAC Role for the ServiceAccount.

Default: {}

service_account_role_name (string, optional)

Name to apply to the RBAC Role for the ServiceAccount.

Default: "aws-auth-merger"