Use K8S Provider to manage AWS Auth ConfirMap

`kubernetes_config_map_v1_data`
See terraform-aws-modules/terraform-aws-eks#1999

Author: lawliet89

.tflint.hcl

@@ -1,6 +1,6 @@
 plugin "aws" {
   enabled = true
-  version = "0.12.0"
+  version = "0.13.2"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

README.md

@@ -35,21 +35,20 @@ provision additional node groups.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.1 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.13.1 |
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.7.2 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.20.0 |
 | <a name="module_kms_ebs"></a> [kms\_ebs](#module\_kms\_ebs) | app.terraform.io/sph/kms/aws | ~> 0.1.0 |
 | <a name="module_kms_secret"></a> [kms\_secret](#module\_kms\_secret) | app.terraform.io/sph/kms/aws | ~> 0.1.0 |
 | <a name="module_node_groups"></a> [node\_groups](#module\_node\_groups) | ./modules/self_managed_nodes | n/a |
@@ -73,7 +72,6 @@ provision additional node groups.
 | [aws_iam_role_policy_attachment.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
-| [null_resource.apply](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |

aws_auth.tf

@@ -0,0 +1,5 @@
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.this.token
+}

k8s_provider.tf

@@ -1,6 +1,6 @@
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 18.7.2"
+  version = "~> 18.20.0"
 
   cluster_name    = var.cluster_name
   cluster_version = var.cluster_version
@@ -63,4 +63,11 @@ module "eks" {
   enable_irsa = true
 
   create_node_security_group = true
+
+  # aws-auth configmap
+  manage_aws_auth_configmap               = true
+  aws_auth_node_iam_role_arns_non_windows = [aws_iam_role.workers.arn]
+  aws_auth_roles                          = var.role_mapping
+  aws_auth_users                          = var.user_mapping
+  aws_auth_accounts                       = []
 }

main.tf

@@ -53,7 +53,7 @@ the type of images:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_self_managed_group"></a> [self\_managed\_group](#module\_self\_managed\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | ~> 18.7.2 |
+| <a name="module_self_managed_group"></a> [self\_managed\_group](#module\_self\_managed\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | ~> 18.20.0 |
 
 ## Resources
 

modules/self_managed_nodes/README.md

@@ -40,7 +40,7 @@ locals {
 
 module "self_managed_group" {
   source  = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
-  version = "~> 18.7.2"
+  version = "~> 18.20.0"
 
   for_each = local.self_managed_node_groups
 
@@ -157,5 +157,6 @@ module "self_managed_group" {
   security_group_rules           = try(each.value.security_group_rules, local.self_managed_node_group_defaults.security_group_rules, {})
   security_group_tags            = try(each.value.security_group_tags, local.self_managed_node_group_defaults.security_group_tags, {})
 
-  tags = merge(var.tags, try(each.value.tags, local.self_managed_node_group_defaults.tags, {}))
+  tags             = merge(var.tags, try(each.value.tags, local.self_managed_node_group_defaults.tags, {}))
+  use_default_tags = true
 }

modules/self_managed_nodes/main.tf

@@ -5,9 +5,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 4.0"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = "~> 3.1"
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.10"
     }
   }
 }