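locals {
  # IAM roles mapped into the aws-auth ConfigMap. Every entry below becomes a
  # Kubernetes identity carrying the listed groups, so anything that lands in
  # system:nodes (or, via var.role_mapping, system:masters) is effectively a
  # cluster-level principal. Keep these lists minimal and de-duplicated: a role
  # that is mapped twice produces two mapRoles entries for the same ARN.

  # Pod execution roles of the Fargate profiles created by module.fargate_profiles
  # (only instantiated when var.fargate_cluster is set), merged with any ARNs the
  # caller passes in. Empty strings are dropped and duplicates collapsed in both
  # cases, so a caller-supplied list that repeats an ARN is mapped once.
  aws_auth_fargate_profile_pod_execution_role_arns = distinct(compact(concat(
    var.fargate_cluster ? values(module.fargate_profiles[0].fargate_profile_pod_execution_role_arn) : [],
    var.aws_auth_fargate_profile_pod_execution_role_arns,
  )))

  # Pod execution role(s) of the Fargate profile that hosts Karpenter, present
  # only when Karpenter is the autoscaler and a profile is created for it.
  additional_aws_auth_fargate_profile_pod_execution_role_arns = var.autoscaling_mode == "karpenter" && var.create_fargate_profile_for_karpenter ? values(module.karpenter[0].fargate_profile_pod_execution_role_arn) : []

  # Worker node instance role. The same role is reused for Windows nodes, so
  # enabling Windows support yields a second mapRoles entry for this ARN with a
  # wider group set (see aws_auth_roles below).
  node_iam_role_arns_non_windows = [aws_iam_role.workers.arn]
  node_iam_role_arns_windows     = var.enable_cluster_windows_support ? [aws_iam_role.workers.arn] : []

  # Union of every Fargate pod execution role. De-duplicated so that an ARN
  # surfacing both from a module output and from the variable is mapped once.
  fargate_profile_pod_execution_role_arns = distinct(compact(concat(
    local.aws_auth_fargate_profile_pod_execution_role_arns,
    local.additional_aws_auth_fargate_profile_pod_execution_role_arns,
  )))

  # Final mapRoles list handed to the aws-auth module, in order:
  # Linux nodes, Windows nodes, Fargate pods, then caller-supplied mappings.
  aws_auth_roles = concat(
    # EC2 nodes: the {{EC2PrivateDNSName}} template is substituted by the
    # authenticator so each node authenticates as its own node identity.
    [for role_arn in local.node_iam_role_arns_non_windows : {
      rolearn  = role_arn
      username = "system:node:{{EC2PrivateDNSName}}"
      groups = [
        "system:bootstrappers",
        "system:nodes",
      ]
      }
    ],
    # Windows nodes additionally need eks:kube-proxy-windows.
    # NOTE(review): this is the same ARN as the entry above with a different
    # group set — confirm how the authenticator resolves duplicate rolearn
    # entries; if the first match wins, Windows nodes would miss this group.
    [for role_arn in local.node_iam_role_arns_windows : {
      rolearn  = role_arn
      username = "system:node:{{EC2PrivateDNSName}}"
      groups = [
        "eks:kube-proxy-windows",
        "system:bootstrappers",
        "system:nodes",
      ]
      }
    ],
    # Fargate profile pod execution roles: identified by the assumed-role
    # session name and granted node-proxier in addition to the node groups.
    [for role_arn in local.fargate_profile_pod_execution_role_arns : {
      rolearn  = role_arn
      username = "system:node:{{SessionName}}"
      groups = [
        "system:bootstrappers",
        "system:nodes",
        "system:node-proxier",
      ]
      }
    ],
    # Caller-supplied mappings are appended verbatim and are not validated here;
    # review them for system:masters or other privileged groups before applying.
    var.role_mapping
  )
}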
# Manage the aws-auth ConfigMap through the upstream EKS sub-module. The block
# is skipped entirely when the cluster authentication mode is API, where the
# ConfigMap is not consulted by the control plane (per the EKS access-entry
# model); in the other modes it is the mapping between IAM principals and
# Kubernetes identities, so its inputs are security-relevant.
module "eks_aws_auth" {
  count = var.authentication_mode == "API" ? 0 : 1

  source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
  version = "~> 20.29.0"

  # Creation and management flags are passed straight through from the caller.
  create_aws_auth_configmap = var.create_aws_auth_configmap
  manage_aws_auth_configmap = var.manage_aws_auth_configmap

  # No mapAccounts entries: an account-wide mapping would admit every
  # principal of that account, which is never intended here.
  aws_auth_accounts = []

  # Role mappings assembled in locals (node, Fargate, caller-supplied).
  aws_auth_roles = local.aws_auth_roles

  # Direct IAM user mappings supplied by the caller. Prefer role mappings;
  # user entries tie cluster access to long-lived credentials.
  aws_auth_users = var.user_mapping
}