I’m currently on a cool project where we are automating the deployment of EKS clusters with Terraform. The TFE server is configured with an IAM user, and that TF user is automatically added to the aws-auth configmap when the cluster is created. We have EKS module code to add our SSO group’s role ARN to the configmap. The issue we’ve “run” into is a race: the configmap may or may not exist yet at the time the TF code attempts to write to it.
Our solution was to create the aws-auth via the Kubernetes provider. Here’s the sample code:
resource "kubernetes_config_map" "aws-auth" {
  data = {
    # Rendered from config-map.tpl with the current account ID substituted in
    "mapRoles" = templatefile("${path.module}/config-map.tpl", { aws_account = data.aws_caller_identity.current.account_id })
  }

  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  lifecycle {
    # Create the map once; afterwards Terraform leaves the data alone, so
    # entries added outside Terraform (e.g. by EKS for node groups) are not reverted
    ignore_changes = [data]
  }
}
The config-map.tpl:
- rolearn: arn:aws:iam::${aws_account}:role/tf-admin
  username: tf-admin
  groups:
    - system:masters          # cluster-admin
- rolearn: arn:aws:iam::${aws_account}:role/eks-worker-role
  username: worker
  groups:
    - system:masters          # note: this makes every worker node cluster-admin; nodes only need the two groups below
    - system:nodes
    - system:bootstrappers    # group names must match exactly; an unknown group silently binds nothing
- rolearn: arn:aws:iam::${aws_account}:role/eks-aws-admin
  username: aws-admin
  groups:
    - system:masters
- rolearn: arn:aws:iam::${aws_account}:role/eks-aws-engineer
  username: aws-engineer
By using the tpl file we are able to make the code more portable. We will be promoting the code to create clusters in TEST and PROD environments, so the more we can parameterize the better. Note the “lifecycle” setting: ignore_changes on data ensures TF creates the configmap once and then does not try to overwrite its data on later runs.
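As an added example (not part of the post or the project), a small Python check that renders a config-map.tpl the way templatefile() would and audits the resulting mapRoles entries for unknown group names and over-broad bindings before the map is applied; the template below is a constructed sample mirroring the post’s, with the group-name typo kept on purpose so the audit can catch it.

```python
from string import Template

# Constructed sample mirroring the post's template (typo kept on purpose so
# the audit demonstrates catching it); not the project's actual file.
TEMPLATE = """\
- rolearn: arn:aws:iam::${aws_account}:role/tf-admin
  username: tf-admin
  groups:
    - system:masters
- rolearn: arn:aws:iam::${aws_account}:role/eks-worker-role
  username: worker
  groups:
    - system:masters
    - system:nodes
    - system:bootstappers
"""
KNOWN_GROUPS = {"system:masters", "system:nodes", "system:bootstrappers"}  # built-in groups an aws-auth mapping normally uses


def render(tpl: str, aws_account: str) -> str:
    # templatefile() interpolates ${aws_account}; string.Template does the same here
    return Template(tpl).substitute(aws_account=aws_account)


def parse_map_roles(text: str) -> list:
    """Parse the flat list-of-mappings YAML subset that aws-auth mapRoles uses."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- rolearn:"):
            entries.append({"rolearn": s.split(":", 1)[1].strip(), "username": "", "groups": []})
        elif s.startswith("username:"):
            entries[-1]["username"] = s.split(":", 1)[1].strip()
        elif s.startswith("- "):  # a group item under "groups:"
            entries[-1]["groups"].append(s[2:].strip())
    return entries


def audit(entries: list) -> list:
    """Return findings for unknown group names and over-broad bindings."""
    findings = []
    for e in entries:
        role = e["rolearn"].rsplit("/", 1)[-1]
        for g in e["groups"]:
            if g not in KNOWN_GROUPS:
                findings.append(f"{role}: unknown group {g!r} (typo? it binds no RBAC rules)")
        if "system:masters" in e["groups"]:
            findings.append(f"{role}: system:masters is cluster-admin")
            if "system:nodes" in e["groups"]:
                findings.append(f"{role}: node role with system:masters; a compromised node is cluster-admin")
    return findings
```

Run `audit(parse_map_roles(render(TEMPLATE, "123456789012")))` to get the findings; the same functions work on the real template file read from disk.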
I’m always excited to learn, and this EKS and Kubernetes stuff is amazing. As I learn more, I’ll share more posts.
In the meantime…
Happy Building,
D