hybrid cluster auth (cm deprecated)

Author: aliziel

.github/workflows/ci.yaml

@@ -41,6 +41,9 @@ jobs:
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+      # TODO: this should likely include a HOT role as well
+      # TODO: determine if GH envs preferred, set TF_VAR_ 
+      - run: sed -i 's/DEPLOY_ROLE/${{ secrets.AWS_OIDC_ROLE }}/' ${{ env.VAR_FILE }}
       - name: TF Format
         id: fmt
         run: tofu fmt -no-color

terraform/cluster.tf

@@ -1,19 +1,11 @@
-provider "kubernetes" {
-  host                   = aws_eks_cluster.cluster.endpoint
-  cluster_ca_certificate = base64decode(aws_eks_cluster.cluster.certificate_authority[0].data)
-
-  exec {
-    api_version = "client.authentication.k8s.io/v1beta1"
-    command     = "aws"
-    args = ["eks", "get-token", "--cluster-name", aws_eks_cluster.cluster.name]
-  }
-}
-
 resource "aws_eks_cluster" "cluster" {
   name     = "${local.cluster_prefix}-cluster"
   role_arn = aws_iam_role.cluster_control_plane.arn
   version  = var.kubernetes_version
 
+  access_config {
+    authentication_mode = "API_AND_CONFIG_MAP"
+  }
   vpc_config {
     subnet_ids = concat(module.vpc.private_subnets, module.vpc.public_subnets)
   }
@@ -118,23 +110,22 @@ resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
   policy_arn = aws_iam_policy.cluster_autoscaler.arn
 }
 
+resource "aws_eks_access_entry" "admin" {
+  for_each = toset(var.cluster_admin_access_role_arns)
 
-resource "kubernetes_config_map" "aws_auth" {
-  metadata {
-    name      = "aws-auth"
-    namespace = "kube-system"
-  }
+  cluster_name      = aws_eks_cluster.cluster.name
+  principal_arn     = each.value
+  kubernetes_groups = ["cluster-admin"]
+}
+
+resource "aws_eks_access_policy_association" "admin_policy" {
+  for_each = aws_eks_access_entry.admin
 
-  data = {
-    mapRoles = yamlencode([
-      {
-        rolearn  = aws_iam_role.nodegroup.arn
-        username = "system:node:{{EC2PrivateDNSName}}"
-        groups   = ["system:bootstrappers", "system:nodes"]
-      }
-    ])
-    mapAccounts = yamlencode([])
-    mapUsers    = yamlencode(var.map_users)
+  cluster_name  = aws_eks_cluster.cluster.name
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  principal_arn = each.value.principal_arn
+
+  access_scope {
+    type = "cluster"
   }
-  depends_on = [aws_eks_cluster.cluster]
-}
+}

terraform/variables.tf

@@ -148,14 +148,11 @@ variable "metrics_server_version" {
   EOT
 }
 
-variable "map_users" {
-  type = list(object({
-    userarn  = string
-    username = string
-    groups   = list(string)
-  }))
-  default = []
-  description = <<-EOT
-  (Optional) Users to include on aws-auth ConfigMap
+variable "cluster_admin_access_role_arns" {
+  type        = list(string)
+  default     = []
+  sensitive   = true
+  description = <<-EOT
+  (Optional) Roles allowed admin access to cluster
   EOT
 }

terraform/vars/develop.tfvars

@@ -1,7 +1,8 @@
-environment         = "develop"
-region              = "us-east-1"
-instance_type       = "t3.xlarge"
-bucket_names        = ["pgstac-backup",]
-tags                = {
+environment                    = "develop"
+region                         = "us-east-1"
+instance_type                  = "t3.xlarge"
+bucket_names                   = ["pgstac-backup", ]
+cluster_admin_access_role_arns = ["DEPLOY_ROLE", ]
+tags = {
   project = "k8s-infra"
 }