EKS AWS Auth Merger
This module contains a go CLI, docker container, and terraform module for deploying a Kubernetes controller for managing mappings between AWS IAM roles and users to RBAC groups in Kubernetes. The official way to manage the mapping is to add values in a single, central ConfigMap
. This module allows you to break up the central ConfigMap
across multiple, separate ConfigMaps
each configuring a subset of the mappings you ultimately want to use, allowing you to update entries in the ConfigMap
in isolated modules (e.g., when you add a new IAM role in a separate module from the EKS cluster). The aws-auth-merger
watches for aws-auth
compatible ConfigMaps
that can be merged to manage the aws-auth
authentication ConfigMap
for EKS.
Features
-
Break up the
aws-auth
KubernetesConfigMap
across multiple objects. -
Automatically merge new
ConfigMaps
as they are added and removed. -
Track automatically generated
aws-auth
sourceConfigMaps
that are generated by EKS.
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
-
What is Kubernetes RBAC?: overview of Kubernetes RBAC, the underlying system managing authentication and authorization in Kubernetes.
-
What is AWS IAM role?: overview of AWS IAM Roles, the underlying system managing authentication and authorization in AWS.
-
Managing users or IAM roles for your cluster: The official AWS docs on how the
aws-auth
KubernetesConfigMap
works. -
What is the aws-auth-merger?: overview of the
aws-auth-merger
and how it works to manage theaws-auth
KubernetesConfigMap
.
Repo organization
-
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
-
examples: This folder contains working examples of how to use the submodules.
-
test: Automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples folder: The
examples
folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- How to deploy a production-grade Kubernetes cluster on AWS: A step-by-step guide for deploying a production-grade EKS cluster on AWS using the code in this repo.
EKS Cluster: Production-ready example code from the Reference Architecture: * app account configuration * base configuration
Manage
-
How to handle conflicts with automatic updates to the aws-auth ConfigMap by EKS
-
How to restrict users to specific actions on the EKS cluster
-
How to restrict users to specific namespaces on the EKS cluster
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-AWS-AUTH-MERGER MODULE
# ------------------------------------------------------------------------------------------------------
module "eks_aws_auth_merger" {
source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-aws-auth-merger?ref=v0.72.3"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Location of the container image to use for the aws-auth-merger app.
aws_auth_merger_image = <object(
repo = string
tag = string
)>
# Namespace to deploy the aws-auth-merger into. The app will watch for
# ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.
namespace = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Labels to apply to ConfigMaps that are created automatically by the
# aws-auth-merger when snapshotting the existing main ConfigMap. This must
# match the label selector provided in configmap_label_selector.
autocreate_labels = {}
# A Kubernetes Label Selector for the Namespace to look for ConfigMaps that
# should be merged into the main aws-auth ConfigMap.
configmap_label_selector = ""
# If true, create a Fargate Profile so that the aws-auth-merger app runs on
# Fargate.
create_fargate_profile = false
# When true this will inform the module to create the Namespace.
create_namespace = true
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# Tags to apply to all AWS resources managed by this module.
default_tags = {}
# Key value pairs of strings to apply as annotations on the Deployment.
deployment_annotations = {}
# Key value pairs of strings to apply as labels on the Deployment.
deployment_labels = {}
# Name to apply to the Deployment for the aws-auth-merger app.
deployment_name = "aws-auth-merger"
# A map of custom tags to apply to the Fargate Profile if enabled. The key is
# the tag name and the value is the tag value.
eks_fargate_profile_tags = {}
# Configuration options for the Fargate Profile. Only used if
# create_fargate_profile is set to true.
fargate_profile = null
# Logging verbosity level. Must be one of (in order of most verbose to least):
# trace, debug, info, warn, error, fatal, panic.
log_level = "info"
# Key value pairs of strings to apply as annotations on the Pod.
pod_annotations = {}
# Key value pairs of strings to apply as labels on the Pod.
pod_labels = {}
# Interval to poll the Namespace for aws-auth ConfigMaps to merge as a
# duration string (e.g. 5m10s for 5 minutes 10 seconds).
refresh_interval = "5m"
# Key value pairs of strings to apply as annotations on the ServiceAccount.
service_account_annotations = {}
# Key value pairs of strings to apply as labels on the ServiceAccount.
service_account_labels = {}
# Name to apply to the ServiceAccount for the aws-auth-merger app.
service_account_name = "aws-auth-merger"
# Key value pairs of strings to apply as annotations on the RBAC Role for the
# ServiceAccount.
service_account_role_annotations = {}
# Key value pairs of strings to apply as annotations on the RBAC Role Binding
# for the ServiceAccount.
service_account_role_binding_annotations = {}
# Key value pairs of strings to apply as labels on the RBAC Role Binding for
# the ServiceAccount.
service_account_role_binding_labels = {}
# Name to apply to the RBAC Role Binding for the ServiceAccount.
service_account_role_binding_name = "aws-auth-merger"
# Key value pairs of strings to apply as labels on the RBAC Role for the
# ServiceAccount.
service_account_role_labels = {}
# Name to apply to the RBAC Role for the ServiceAccount.
service_account_role_name = "aws-auth-merger"
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-AWS-AUTH-MERGER MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-aws-auth-merger?ref=v0.72.3"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Location of the container image to use for the aws-auth-merger app.
aws_auth_merger_image = <object(
repo = string
tag = string
)>
# Namespace to deploy the aws-auth-merger into. The app will watch for
# ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.
namespace = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Labels to apply to ConfigMaps that are created automatically by the
# aws-auth-merger when snapshotting the existing main ConfigMap. This must
# match the label selector provided in configmap_label_selector.
autocreate_labels = {}
# A Kubernetes Label Selector for the Namespace to look for ConfigMaps that
# should be merged into the main aws-auth ConfigMap.
configmap_label_selector = ""
# If true, create a Fargate Profile so that the aws-auth-merger app runs on
# Fargate.
create_fargate_profile = false
# When true this will inform the module to create the Namespace.
create_namespace = true
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# Tags to apply to all AWS resources managed by this module.
default_tags = {}
# Key value pairs of strings to apply as annotations on the Deployment.
deployment_annotations = {}
# Key value pairs of strings to apply as labels on the Deployment.
deployment_labels = {}
# Name to apply to the Deployment for the aws-auth-merger app.
deployment_name = "aws-auth-merger"
# A map of custom tags to apply to the Fargate Profile if enabled. The key is
# the tag name and the value is the tag value.
eks_fargate_profile_tags = {}
# Configuration options for the Fargate Profile. Only used if
# create_fargate_profile is set to true.
fargate_profile = null
# Logging verbosity level. Must be one of (in order of most verbose to least):
# trace, debug, info, warn, error, fatal, panic.
log_level = "info"
# Key value pairs of strings to apply as annotations on the Pod.
pod_annotations = {}
# Key value pairs of strings to apply as labels on the Pod.
pod_labels = {}
# Interval to poll the Namespace for aws-auth ConfigMaps to merge as a
# duration string (e.g. 5m10s for 5 minutes 10 seconds).
refresh_interval = "5m"
# Key value pairs of strings to apply as annotations on the ServiceAccount.
service_account_annotations = {}
# Key value pairs of strings to apply as labels on the ServiceAccount.
service_account_labels = {}
# Name to apply to the ServiceAccount for the aws-auth-merger app.
service_account_name = "aws-auth-merger"
# Key value pairs of strings to apply as annotations on the RBAC Role for the
# ServiceAccount.
service_account_role_annotations = {}
# Key value pairs of strings to apply as annotations on the RBAC Role Binding
# for the ServiceAccount.
service_account_role_binding_annotations = {}
# Key value pairs of strings to apply as labels on the RBAC Role Binding for
# the ServiceAccount.
service_account_role_binding_labels = {}
# Name to apply to the RBAC Role Binding for the ServiceAccount.
service_account_role_binding_name = "aws-auth-merger"
# Key value pairs of strings to apply as labels on the RBAC Role for the
# ServiceAccount.
service_account_role_labels = {}
# Name to apply to the RBAC Role for the ServiceAccount.
service_account_role_name = "aws-auth-merger"
}
Reference
- Inputs
- Outputs
Required
aws_auth_merger_image
object(…)Location of the container image to use for the aws-auth-merger app.
object({
# Container image repository where the aws-auth-merger app container image lives
repo = string
# Tag of the aws-auth-merger container to deploy
tag = string
})
namespace
stringNamespace to deploy the aws-auth-merger into. The app will watch for ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.
Optional
autocreate_labels
map(string)Labels to apply to ConfigMaps that are created automatically by the aws-auth-merger when snapshotting the existing main ConfigMap. This must match the label selector provided in configmap_label_selector.
{}
configmap_label_selector
stringA Kubernetes Label Selector for the Namespace to look for ConfigMaps that should be merged into the main aws-auth ConfigMap.
""
If true, create a Fargate Profile so that the aws-auth-merger app runs on Fargate.
false
create_namespace
boolWhen true this will inform the module to create the Namespace.
true
create_resources
boolIf you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.
true
default_tags
map(string)Tags to apply to all AWS resources managed by this module.
{}
deployment_annotations
map(string)Key value pairs of strings to apply as annotations on the Deployment.
{}
deployment_labels
map(string)Key value pairs of strings to apply as labels on the Deployment.
{}
deployment_name
stringName to apply to the Deployment for the aws-auth-merger app.
"aws-auth-merger"
eks_fargate_profile_tags
map(string)A map of custom tags to apply to the Fargate Profile if enabled. The key is the tag name and the value is the tag value.
{}
fargate_profile
object(…)Configuration options for the Fargate Profile. Only used if create_fargate_profile is set to true.
object({
# Name of the Fargate Profile (this must be unique per cluster).
name = string
# Name of the EKS cluster that the Fargate Profile belongs to.
eks_cluster_name = string
# List of VPC subnet IDs to use for the Pods.
worker_subnet_ids = list(string)
# ARN of an IAM role to use for the Pod execution. This role is primarily used to setup the container, like pulling
# the container image, setting up volumes, mounting secrets, etc.
pod_execution_role_arn = string
})
null
Details
Name of the EKS cluster that the Fargate Profile belongs to.
Details
List of VPC subnet IDs to use for the Pods.
Details
ARN of an IAM role to use for the Pod execution. This role is primarily used to setup the container, like pulling
the container image, setting up volumes, mounting secrets, etc.
log_level
stringLogging verbosity level. Must be one of (in order of most verbose to least): trace, debug, info, warn, error, fatal, panic.
"info"
pod_annotations
map(string)Key value pairs of strings to apply as annotations on the Pod.
{}
pod_labels
map(string)Key value pairs of strings to apply as labels on the Pod.
{}
refresh_interval
stringInterval to poll the Namespace for aws-auth ConfigMaps to merge as a duration string (e.g. 5m10s for 5 minutes 10 seconds).
"5m"
service_account_annotations
map(string)Key value pairs of strings to apply as annotations on the ServiceAccount.
{}
service_account_labels
map(string)Key value pairs of strings to apply as labels on the ServiceAccount.
{}
service_account_name
stringName to apply to the ServiceAccount for the aws-auth-merger app.
"aws-auth-merger"
service_account_role_annotations
map(string)Key value pairs of strings to apply as annotations on the RBAC Role for the ServiceAccount.
{}
service_account_role_binding_annotations
map(string)Key value pairs of strings to apply as annotations on the RBAC Role Binding for the ServiceAccount.
{}
service_account_role_binding_labels
map(string)Key value pairs of strings to apply as labels on the RBAC Role Binding for the ServiceAccount.
{}
Name to apply to the RBAC Role Binding for the ServiceAccount.
"aws-auth-merger"
service_account_role_labels
map(string)Key value pairs of strings to apply as labels on the RBAC Role for the ServiceAccount.
{}
Name to apply to the RBAC Role for the ServiceAccount.
"aws-auth-merger"
The name of the namespace that is used. If create_namespace is true, this output is only computed after the namespace is done creating.