Merge pull request #32 from appvia/aws-auth-configmap

Allow passing in IAM Roles to add to the AWS Auth ConfigMap.

Author: KashifSaadat

README.md

@@ -75,6 +75,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_disable_local_login"></a> [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no |
 | <a name="input_dns_zone_arn"></a> [dns\_zone\_arn](#input\_dns\_zone\_arn) | The AWS Route53 DNS Zone ARN to use (e.g. arn:aws:route53:::hostedzone/ABCDEFG1234567). | `string` | n/a | yes |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. | `list(string)` | `[]` | no |
+| <a name="input_eks_aws_auth_roles"></a> [eks\_aws\_auth\_roles](#input\_eks\_aws\_auth\_roles) | List of IAM Role maps to add to the aws-auth configmap. This is required if you use a different IAM Role for Terraform Plan actions. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_eks_ng_capacity_type"></a> [eks\_ng\_capacity\_type](#input\_eks\_ng\_capacity\_type) | The capacity type to use for the EKS managed node group. | `string` | `"ON_DEMAND"` | no |
 | <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `2` | no |
 | <a name="input_eks_ng_instance_types"></a> [eks\_ng\_instance\_types](#input\_eks\_ng\_instance\_types) | The instance types to use for the EKS managed node group. | `list(string)` | <pre>[<br>  "t3.xlarge"<br>]</pre> | no |

eks.tf

@@ -115,6 +115,9 @@ module "eks" {
       ipv6_cidr_blocks = ["::/0"]
     }
   }, var.node_security_group_additional_rules)
+
+  manage_aws_auth_configmap = true
+  aws_auth_roles            = var.eks_aws_auth_roles
 }
 
 module "irsa-ebs-csi-driver" {

examples/complete/README.md

@@ -44,6 +44,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment name we are provisioning. | `string` | `"production"` | no |
 | <a name="input_idp_provider"></a> [idp\_provider](#input\_idp\_provider) | The Identity Provider type to configure for Wayfinder (supported: generic, aad). | `string` | `"generic"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources. | `map(any)` | `{}` | no |
+| <a name="input_terraform_plan_role_arn"></a> [terraform\_plan\_role\_arn](#input\_terraform\_plan\_role\_arn) | The ARN of the IAM role used for Terraform plan operations. | `string` | n/a | yes |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for the Wayfinder VPC. | `string` | `"10.0.0.0/21"` | no |
 | <a name="input_vpc_private_subnets"></a> [vpc\_private\_subnets](#input\_vpc\_private\_subnets) | List of private subnets in the Wayfinder VPC. | `list(string)` | <pre>[<br>  "10.0.0.0/24",<br>  "10.0.1.0/24",<br>  "10.0.2.0/24"<br>]</pre> | no |
 | <a name="input_vpc_public_subnets"></a> [vpc\_public\_subnets](#input\_vpc\_public\_subnets) | List of public subnets in the Wayfinder VPC. | `list(string)` | <pre>[<br>  "10.0.3.0/24",<br>  "10.0.4.0/24",<br>  "10.0.5.0/24"<br>]</pre> | no |

examples/complete/main.tf

@@ -24,6 +24,14 @@ module "wayfinder" {
     azureTenantId = var.idp_provider == "aad" ? jsondecode(data.aws_secretsmanager_secret_version.wayfinder.secret_string)["idpAzureTenantId"] : ""
   }
 
+  eks_aws_auth_roles = [
+    {
+      rolearn  = var.terraform_plan_role_arn
+      username = "terraform-identity-plan"
+      groups   = ["system:masters"]
+    }
+  ]
+
   # cluster_security_group_additional_rules = {
   #   allow_access_from_vpn = {
   #     description = "Allow access to the Wayfinder API from within My Organisation's internal network"

examples/complete/terraform.tfvars.sample

@@ -3,6 +3,7 @@ disable_local_login   = true
 dns_zone_name         = "wf.example.com"
 idp_provider          = "generic"
 wayfinder_instance_id = "your-wayfinder-instance-id"
+terraform_plan_role_arn  = "arn:aws:iam::123456789012:role/terraform-plan-role"
 tags = {
   Repository  = "Your Repository URL"
   Provisioner = "Terraform"

examples/complete/variables.tf

@@ -66,6 +66,11 @@ variable "tags" {
   default     = {}
 }
 
+variable "terraform_plan_role_arn" {
+  description = "The ARN of the IAM role used for Terraform plan operations."
+  type        = string
+}
+
 variable "vpc_cidr" {
   description = "CIDR block for the Wayfinder VPC."
   type        = string

variables.tf

@@ -50,6 +50,16 @@ variable "ebs_csi_kms_cmk_ids" {
   default     = []
 }
 
+variable "eks_aws_auth_roles" {
+  description = "List of IAM Role maps to add to the aws-auth configmap. This is required if you use a different IAM Role for Terraform Plan actions."
+  default     = []
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
+}
+
 variable "eks_ng_capacity_type" {
   description = "The capacity type to use for the EKS managed node group."
   type        = string