provision a way to promote AWS IAM users as kubernetes admins

kubernetes-sigs/aws-iam-authenticator#176
dockup · Sep 23, 2019 · fd8c679 · fd8c679
1 parent 7510375
commit fd8c679
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -10,6 +10,7 @@ module "infra" {
   source = "./modules/infra"
 
   cluster_name = "${var.cluster_name}"
+  cluster_admins_arns = var.cluster_admins_arns
 }
 
 module "sw" {

diff --git a/modules/infra/cluster.tf b/modules/infra/cluster.tf
@@ -89,6 +89,14 @@ resource "kubernetes_config_map" "eks-nodes" {
   # Generated mapRoles using https://github.com/sl1pm4t/k2tf
   data = {
     mapRoles = "- rolearn: ${aws_iam_role.eks-nodes.arn}\n  username: system:node:{{EC2PrivateDNSName}}\n  groups:\n    - system:bootstrappers\n    - system:nodes\n"
+
+    mapUsers = yamlencode([
+      for admin_arn in var.cluster_admins_arns : {
+        userarn = admin_arn
+        username = element(split("/", admin_arn), 1) # 0 indexed
+        groups = ["system:masters"]
+      }
+    ])
   }
 
   depends_on = [aws_autoscaling_group.eks-nodes]

diff --git a/modules/infra/variables.tf b/modules/infra/variables.tf
@@ -6,3 +6,8 @@ variable "cluster_name" {
   default = "dockup"
   type    = "string"
 }
+
+variable "cluster_admins_arns" {
+  default = []                  # arns of users
+  type = "list"
+}
diff --git a/variables.tf b/variables.tf
@@ -7,6 +7,11 @@ variable "cluster_name" {
   type    = "string"
 }
 
+variable "cluster_admins_arns" {
+  default = []                  # arns of users
+  type = "list"
+}
+
 variable "agent_key" {
   default = "dockup-api-key"
   type    = "string"