How to edit aws-auth configmap through terraform?
I'm creating an EKS cluster using the Kubernetes provider and the Terraform EKS module. The problem is that I am using a Terraform Enterprise workspace to create it, so I can't edit the aws-auth configmap from my IAM role. How do I edit the configmap through Terraform so that it adds the desired roles and users to the generated aws-auth configmap?
Solution 1:[1]
Apply auth after EKS cluster creation. You can follow the steps below. Create a template file having content like the following and pass the values in your variable file. (I am providing just a sample at a very high level; some values are not assigned here while declaring the Terraform resources/data below.)
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    ${indent(4, worker_roles_yaml)}
    %{if iam_roles_yaml != "[]" }
    ${indent(4, iam_roles_yaml)}
    %{ endif }
  %{if iam_users_yaml != "[]" }
  mapUsers: |
    ${indent(4, iam_users_yaml)}
  %{ endif }
  %{if aws_accounts_yaml != "[]" }
  mapAccounts: |
    ${indent(4, aws_accounts_yaml)}
  %{ endif }
```
Create data using the above template file.
```hcl
data "template_file" "configmap_auth" {
  template = file(local.configmap_auth_template_file)
  ## pass all variables the template references; I am giving samples only.
  vars = {
    worker_roles_yaml = var.worker_roles_yaml
    iam_roles_yaml    = var.iam_roles_yaml
    iam_users_yaml    = var.iam_users_yaml
    aws_accounts_yaml = var.aws_accounts_yaml
  }
}
```
Then render the file.
```hcl
resource "local_file" "configmap_auth" {
  content  = join("", data.template_file.configmap_auth.*.rendered)
  filename = var.configmap_auth_file
}
```
Create a null_resource having triggers and use a local-exec provisioner to apply the auth file.
```hcl
resource "null_resource" "apply_configmap_auth" {
  ## I am using cluster health/status and file content changes as triggers
  triggers = {
    cluster_updated                     = join("", aws_eks_cluster.default.*.id)
    worker_roles_updated                = var.worker_roles_yaml
    additional_roles_updated            = var.iam_roles_yaml
    additional_users_updated            = var.iam_users_yaml
    additional_aws_accounts_updated     = var.aws_accounts_yaml
    configmap_auth_file_content_changed = join("", local_file.configmap_auth.*.content)
    configmap_auth_file_id_changed      = join("", local_file.configmap_auth.*.id)
  }

  depends_on = [aws_eks_cluster.default, local_file.configmap_auth]

  provisioner "local-exec" {
    command = <<EOT
sleep 240
set -e
# fill in the cluster name and region
aws eks update-kubeconfig --name= --region= --kubeconfig=abc
kubectl apply -f ${var.configmap_auth_file} --kubeconfig abc
EOT
  }
}
```
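The same result without the sleep/kubectl step, using the Kubernetes provider the question mentions. This is an added example, not code from either answer; `aws_eks_cluster.default` and `aws_iam_role.worker` are assumed resource names and the ARNs are placeholders.

```hcl
provider "kubernetes" {
  host                   = aws_eks_cluster.default.endpoint
  cluster_ca_certificate = base64decode(aws_eks_cluster.default.certificate_authority[0].data)

  # Short-lived token minted from the IAM identity Terraform runs as; no kubeconfig file.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", aws_eks_cluster.default.name]
  }
}

locals {
  map_roles = [
    {
      # Node role entry must stay, or nodes cannot join the cluster.
      rolearn  = aws_iam_role.worker.arn # assumed resource name
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    },
    {
      rolearn  = "arn:aws:iam::123456789012:role/eks-readonly" # placeholder ARN
      username = "readonly"
      groups   = ["view-only"] # bind this group with RBAC instead of granting system:masters
    },
  ]
  map_users = [
    {
      userarn  = "arn:aws:iam::123456789012:user/cluster-admin" # placeholder ARN
      username = "cluster-admin"
      groups   = ["system:masters"] # keep this list short
    },
  ]
}

# Patch the aws-auth ConfigMap EKS already created instead of re-creating it.
# force = true lets Terraform take over fields last written by another tool.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = yamlencode(local.map_roles)
    mapUsers = yamlencode(local.map_users)
  }
  force      = true
  depends_on = [aws_eks_cluster.default]
}
```

This needs the aws CLI on the Terraform runner and network reach from it to the cluster API endpoint. The aws-auth ConfigMap must already exist (EKS creates it when a managed node group or Fargate profile is added); otherwise use a `kubernetes_config_map` resource to create it.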
Solution 2:[2]
Use the code below for using the aws-auth config map in Terraform:
```hcl
# inputs to the terraform-aws-eks module block
manage_aws_auth_configmap = true

aws_auth_users = [
  {
    userarn  = "ARN of your IAM user"
    username = "Username of IAM"
    groups   = ["system:masters"]
  },
  {
    userarn  = "ARN of your IAM user"
    username = "Username of IAM"
    groups   = ["system:masters"]
  },
  {
    userarn  = "ARN of your IAM user"
    username = "Username of IAM"
    groups   = ["system:masters"]
  },
]
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Ahsan Saleem |
