Use AWS API for EKS authentication and authorization #206
Conversation
|
/terratest |
|
/terratest |
|
I'm working on migrating my test cluster. Haven't reached plan stage yet, just changing code to new module variables. I'd appreciate, if there were examples about new With module version 3.0.0, I have somewhat typical configuration: map_additional_iam_roles = [
{
rolearn = replace(data.aws_iam_role.administrator_access.arn, "${data.aws_iam_role.administrator_access.path}/", "")
username = "devops"
groups = ["system:masters", "devops"]
},
{
rolearn = data.aws_iam_role.gitlab_ci.arn
username = "gitlab-ci"
groups = ["system:masters", "ci"]
},
{
rolearn = aws_iam_role.karpenter_node.arn
username = "system:node:{{EC2PrivateDNSName}}"
groups = ["system:bootstrappers", "system:nodes"]
},
{
rolearn = aws_iam_role.fargate.arn
username = "system:node:{{SessionName}}"
groups = ["system:bootstrappers", "system:nodes", "system:node-proxier"]
},
]And it isn't clear what would new AFAIU I should:
Is this right? Also there is some abbreviations to simplify things at https://github.com/cloudposse/terraform-aws-eks-cluster/pull/206/files#diff-7ca243b22dbf3bdfd94ff409bd87a336e7f6f61601041b57d470ae3b2f11e71fR6-R14, which aren't documented. |
|
@z0rc Thank you for the feedback. Answers to your questions are supposed to be in the migration document, and the README in the form of documentation of the input variables. Particularly regarding the abbreviations, there is the migration doc and the variable description. There is alos a brief example, as always, in I grant that there probably should be more in the README, but are you saying you didn't see the documentation, or that you read it but it did not satisfy you? (Your answer will guide my improvements.) P.S. I'm not sure where I updated the migration doc with an example transformation, using your configuration as a starting point. |
|
/terratest |
We're going to rely on the major version number bump to do the heavy lifting of "BREAKING CHANGE". The mitigating factors are that the new module will simply error out in a number of ways if you blindly try to update, and in general none of the changes should cause you to lose data. Worst consequence I can foresee from blindly plowing ahead is a security group or rule might change that cuts off network access. |
|
/terratest |
|
@Nuru thanks! With provided example I was able to understand access entries relationships and migration path. I believe I was a bit overwhelmed by amount of migration documentation. Ultimately I'd be able to do migration myself given more time.
I was reading example at https://github.com/cloudposse/terraform-aws-eks-cluster/blob/v4-rc/examples/complete/main.tf#L39-L48, plus https://github.com/cloudposse/terraform-aws-eks-cluster/blob/v4-rc/docs/migration-v3-v4.md#error-creating-eks-access-entry I wrongly assumed that I must add this entry now. Overall I'm very impressed with how many thoughts were put into migration process. Much appreciated! |
|
I migrated my test cluster to |
mergify
bot
added
triage
|
Important Cloud Posse Engineering Team Review RequiredThis pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes. To expedite this process, reach out to us on Slack in the |
|
This pull request now has conflicts. Could you fix it @Nuru? 🙏 |
mergify
bot
added
needs-test
|
/terratest |
Nuru
added
no-release
|
/terratest |
mergify
bot
removed
needs-cloudposse
Major Breaking Changes
Warning
This release has major breaking changes and requires significant manual intervention
to upgrade existing clusters. Read the migration document
for more details.
what
aws-authConfigMapgov1.21, Kubernetes 1.29, etc.why
references
authentication_modeconfig for eks_cluster #203Goversion. Pin thekubernetesprovider #201