terraform-aws-eks-roles

A terraform module to create all necessary resources for Admin, Operations and ViewOnly AWS policies/roles and its respective ClusterRoles, ClusterRoleBindings and its ConfigMap aws-auth. Inspired by and adapted from this doc and its source code. Read the AWS docs on EKS to get connected to the k8s dashboard.

Assumptions

• You have an EKS cluster in an AWS Account
• You have an AWS CLI with access to AWS Account were EKS cluster exist
• You have an AWS user with sufficient permissions to create IAM policies and IAM roles
• You have a kubeconfig file with access as system:master to the EKS Cluster
• You have kubectl installed and configured properly

Usage example

A full example is contained in the examples/basic directory.

module "kubernetes-roles" {
    source             = "./terraform-aws-eks-roles"

    cluster_name             = var.cluster-name
    master_user              = var.master-user
    local_kube_context       = var.local-kube-context
    cluster_nodes_role       = var.cluster-nodes-role
    tags                     = var.tags
}

Conditional creation

Need more roles?

Sometimes you need to have a way to create other roles, you can add them using the variables, also including the yml files in cluster-roles and cluster-roles-binding folders. Keep in mind the variables cluster_role_qty and cluster_role_binding_qty must be increased or reduced according. And final you need to crate the resources, locals and outputs for each new role.

dry-run for aws-auth.yml

The variable overwrite_aws_auth will allow you to generate the aws-auth.yml file without apply, so you can review it, edit or whatever you need from it. By default, this variable is false.

variable "overwrite_aws_auth" {
  type        = bool
  default     = false
  description = "WARNING!!! If true it will override the aws-auth ConfigMap of your cluster"
}

Resources Names

Name of the resources in AWS will follow a predefined pattern, like:

prefix + Role name or Policy name + Cluster name

Other documentation

• IAM Permissions: Minimum IAM permissions needed to setup EKS Cluster.
• EKS FAQ: Frequently Asked Questions

Doc generation

Code formatting and documentation for variables and outputs is generated using pre-commit-terraform hooks which uses terraform-docs.

Follow these instructions to install pre-commit locally.

And install terraform-docs with go get github.com/segmentio/terraform-docs or brew install terraform-docs.

Contributing

Report issues/questions/feature requests on in the issues section.

Full contributing guidelines are covered here.

Change log

The changelog captures all important release notes from v1.0.0

Authors

Created by:

• David Caballero Gitlab | Github | d@dcaballero.net

License

MIT License

Copyright (c) 2020 The terraform-aws-eks-roles module Authors.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Requirements

Name	Version
terraform	>= 0.12.23
aws	>= 2.54.0
local	>= 1.4.0
null	>= 2.1.2

Providers

Name	Version
aws	>= 2.54.0
local	>= 1.4.0
null	>= 2.1.2

Inputs

Name	Description	Type	Default	Required
cluster_name	EKS cluster name in AWS	string	n/a	yes
cluster_nodes_role	IAM Role ARN used by EKS Cluster Nodes, a.k.a Cluster IAM Role ARN	string	n/a	yes
cluster_role_binding_qty	amount of ClusterRolesBinding to be provisioned, it helps with local iterations	number	3	no
cluster_role_qty	amount of ClusterRoles to be provisioned, it helps with local iterations	number	3	no
cluster_roles	ClusterRoles to be provisioned in EKS	list	[ "cluster-role-cluster-admin", "cluster-role-cluster-operations", "cluster-role-cluster-viewonly" ]	no
cluster_roles_binding	ClusterRolesBinding to be provisioned in EKS	list	[ "cluster-role-binding-cluster-admin", "cluster-role-binding-cluster-operations", "cluster-role-binding-cluster-viewonly" ]	no
local_kube_context	Local kubectl context to be used to provision	string	n/a	yes
master_user	Master cluster user, in case aws-auth roles don't work	string	n/a	yes
overwrite_aws_auth	WARNING!!! If true it will override the aws-auth ConfigMap of your cluster	bool	false	no
policy_names	IAM policy names	list	[ "EKS-AdminPolicy", "EKS-OpsPolicy", "EKS-ViewOnlyPolicy" ]	no
resources_prefix	This variable will be a prefix for each IAM Role and Policy	string	""	no
roles_names	IAM role names	list	[ "EKS-AdminsRole", "EKS-OpsRole", "EKS-ViewOnlyRole" ]	no
tags	n/a	map(string)	{ "Name": "" }	no

Outputs

Name	Description
iam_policy_KubernetesAdminPolicy	KubernetesAdminPolicy ARN
iam_policy_KubernetesOpsPolicy	KubernetesOpsPolicy ARN
iam_policy_KubernetesViewOnlyPolicy	KubernetesViewOnlyPolicy ARN
iam_role_KubernetesAdminRole	KubernetesAdminRole ARN
iam_role_KubernetesOpsRole	KubernetesOpsRole ARN
iam_role_KubernetesViewOnlyRole	KubernetesViewOnlyRole ARN