diff --git a/aws_auth.tf b/aws_auth.tf
index 487763b68e..6c41f753e0 100644
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -1,52 +1,61 @@ data "aws_caller_identity" "current" { } -data "template_file" "launch_template_worker_role_arns" { - count = var.create_eks ? local.worker_group_launch_template_count : 0 - template = file("${path.module}/templates/worker-role.tpl") +locals { + auth_launch_template_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_launch_template_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers_launch_template.*.role, + data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, + ), + index + )}" + platform = lookup( + var.worker_groups_launch_template[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers_launch_template.*.role, - data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, - ), - count.index, - )}" - platform = lookup( - var.worker_groups_launch_template[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "worker_role_arns" { - count = var.create_eks ? local.worker_group_count : 0 - template = file("${path.module}/templates/worker-role.tpl") - - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers.*.role, - data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, - [""] - ), - count.index, - )}" - platform = lookup( - var.worker_groups[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "node_group_arns" { - count = var.create_eks ? 
length(module.node_groups.aws_auth_roles) : 0 - template = file("${path.module}/templates/worker-role.tpl") + auth_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers.*.role, + data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, + [""] + ), + index, + )}" + platform = lookup( + var.worker_groups[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = module.node_groups.aws_auth_roles[count.index] + # Convert to format needed by aws-auth ConfigMap + configmap_roles = [ + for role in concat( + local.auth_launch_template_worker_roles, + local.auth_worker_roles, + module.node_groups.aws_auth_roles, + ) : + { + rolearn = role["worker_role_arn"] + username = "system:node:{{EC2PrivateDNSName}}" + groups = concat( + [ + "system:bootstrappers", + "system:nodes", + ], + role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : [] + ) + } + ] } resource "kubernetes_config_map" "aws_auth" { @@ -59,12 +68,13 @@ resource "kubernetes_config_map" "aws_auth" { } data = { - mapRoles = <
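Review bot: The two new locals handle a missing instance profile inconsistently: `auth_worker_roles` keeps the `[""]` fallback, so with no profile the entry becomes `arn:aws:iam::<account>:role/` with an empty role name and is still carried through `configmap_roles` into mapRoles, whereas `auth_launch_template_worker_roles` has no fallback and `coalescelist` fails instead. Because mapRoles is the cluster's node trust list, a malformed or unintended entry should be rejected rather than applied; the simplest fix is to drop empty names in the final list with a filter such as `} if length(regexall(":role/$", role["worker_role_arn"])) == 0` after the object in `configmap_roles`, or to remove the `[""]` fallback so both locals fail loudly. Note also that `element()` wraps around when `index` exceeds the length of the resolved role list, so a worker group past the end would silently receive another group's role instead of an error — worth a comment or an explicit `length` check if that case can arise. Finally, `module.node_groups.aws_auth_roles` is concatenated without the `var.create_eks` guard the other two lists keep; presumably harmless if the ConfigMap resource itself is gated (not visible here), but the asymmetry deserves a one-line comment.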