Enhance Kubernetes provider configuration (#119)

cloudposse · Jul 17, 2021 · 51ccc3e · 51ccc3e
1 parent c25940a
commit 51ccc3e
Show file tree

Hide file tree

Showing 18 changed files with 889 additions and 414 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
 
 # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf @cloudposse/engineering @cloudposse/approvers
-README.yaml @cloudposse/engineering @cloudposse/approvers
+**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -46,7 +46,7 @@ template: |
 
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
  replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -3,7 +3,9 @@ name: auto-release
 on:
  push:
  branches:
+ - main
  - master
+ - production
 
 jobs:
  publish:
@@ -14,7 +16,7 @@ jobs:
  id: get-merged-pull-request
  with:
  github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- # Drafts your next Release notes as Pull Requests are merged into "master"
+ # Drafts your next Release notes as Pull Requests are merged into "main"
  - uses: release-drafter/release-drafter@v5
  if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
  with:

diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+ workflow_dispatch:
+
  pull_request:
 
 jobs:

diff --git a/README.md b/README.md
diff --git a/README.yaml b/README.yaml
diff --git a/auth.tf b/auth.tf
@@ -27,6 +27,17 @@
 
 
 locals {
+ yaml_quote = var.aws_auth_yaml_strip_quotes ? "" : "\""
+
+ need_kubernetes_provider = local.enabled && var.apply_config_map_aws_auth
+
+ kubeconfig_path_enabled = local.need_kubernetes_provider && var.kubeconfig_path_enabled
+ kube_exec_auth_enabled = local.kubeconfig_path_enabled ? false : local.need_kubernetes_provider && var.kube_exec_auth_enabled
+ kube_data_auth_enabled = local.kube_exec_auth_enabled ? false : local.need_kubernetes_provider && var.kube_data_auth_enabled
+
+ exec_profile = local.kube_exec_auth_enabled && var.kube_exec_auth_aws_profile_enabled ? ["--profile", var.kube_exec_auth_aws_profile] : []
+ exec_role = local.kube_exec_auth_enabled && var.kube_exec_auth_role_arn_enabled ? ["--role-arn", var.kube_exec_auth_role_arn] : []
+
  certificate_authority_data_list = coalescelist(aws_eks_cluster.default.*.certificate_authority, [[{ data : "" }]])
  certificate_authority_data_list_internal = local.certificate_authority_data_list[0]
  certificate_authority_data_map = local.certificate_authority_data_list_internal[0]
@@ -59,25 +70,43 @@ resource "null_resource" "wait_for_cluster" {
  }
 }
 
-data "aws_eks_cluster" "eks" {
- count = local.enabled && var.apply_config_map_aws_auth ? 1 : 0
- name = join("", aws_eks_cluster.default.*.id)
-}
 
 # Get an authentication token to communicate with the EKS cluster.
 # By default (before other roles are added to the Auth ConfigMap), you can authenticate to EKS cluster only by assuming the role that created the cluster.
 # `aws_eks_cluster_auth` uses IAM credentials from the AWS provider to generate a temporary token.
 # If the AWS provider assumes an IAM role, `aws_eks_cluster_auth` will use the same IAM role to get the auth token.
 # https://www.terraform.io/docs/providers/aws/d/eks_cluster_auth.html
+#
+# You can set `kube_exec_auth_enabled` to use a different IAM Role or AWS config profile to fetch the auth token
+#
 data "aws_eks_cluster_auth" "eks" {
- count = local.enabled && var.apply_config_map_aws_auth ? 1 : 0
+ count = local.kube_data_auth_enabled ? 1 : 0
  name = join("", aws_eks_cluster.default.*.id)
 }
 
+
 provider "kubernetes" {
- token = join("", data.aws_eks_cluster_auth.eks.*.token)
- host = join("", data.aws_eks_cluster.eks.*.endpoint)
- cluster_ca_certificate = base64decode(join("", data.aws_eks_cluster.eks.*.certificate_authority.0.data))
+ # Without a dummy API server configured, the provider will throw an error and prevent a "plan" from succeeding
+ # in situations where Terraform does not provide it with the cluster endpoint before triggering an API call.
+ # Since those situations are limited to ones where we do not care about the failure, such as fetching the
+ # ConfigMap before the cluster has been created or in preparation for deleting it, and the worst that will
+ # happen is that the aws-auth ConfigMap will be unnecessarily updated, it is just better to ignore the error
+ # so we can proceed with the task of creating or destroying the cluster.
+ #
+ # If this solution bothers you, you can disable it by setting var.dummy_kubeapi_server = null
+ host = local.enabled ? coalesce(aws_eks_cluster.default[0].endpoint, var.dummy_kubeapi_server) : var.dummy_kubeapi_server
+ cluster_ca_certificate = local.enabled ? base64decode(local.certificate_authority_data) : null
+ token = local.kube_data_auth_enabled ? data.aws_eks_cluster_auth.eks[0].token : null
+ config_path = local.kubeconfig_path_enabled ? var.kubeconfig_path : null
+
+ dynamic "exec" {
+ for_each = local.kube_exec_auth_enabled ? ["exec"] : []
+ content {
+ api_version = "client.authentication.k8s.io/v1alpha1"
+ command = "aws"
+ args = concat(local.exec_profile, ["eks", "get-token", "--cluster-name", aws_eks_cluster.default[0].id], local.exec_role)
+ }
+ }
 }
 
 resource "kubernetes_config_map" "aws_auth_ignore_changes" {
@@ -110,8 +139,8 @@ resource "kubernetes_config_map" "aws_auth" {
  }
 
  data = {
- mapRoles = yamlencode(distinct(concat(local.map_worker_roles, var.map_additional_iam_roles)))
- mapUsers = yamlencode(var.map_additional_iam_users)
- mapAccounts = yamlencode(var.map_additional_aws_accounts)
+ mapRoles = replace(yamlencode(distinct(concat(var.map_additional_iam_roles, local.map_worker_roles))), "\"", local.yaml_quote)
+ mapUsers = replace(yamlencode(var.map_additional_iam_users), "\"", local.yaml_quote)
+ mapAccounts = replace(yamlencode(var.map_additional_aws_accounts), "\"", local.yaml_quote)
  }
 }