chore: consolidate configmap data blocks

Author: bryantbiggs

examples/self_managed_node_group/main.tf

@@ -41,12 +41,9 @@ module "eks" {
   cluster_endpoint_public_access  = true
 
   cluster_addons = {
-    # Note: launching a new cluster where the module manages the aws-auth configmap
-    # and tries to manage the CoreDNS will fail due to order of deploy. Managed CoreDNS addon
-    # after aws-auth has been updated with node IAM roles
-    # coredns = {
-    #   resolve_conflicts = "OVERWRITE"
-    # }
+    coredns = {
+      resolve_conflicts = "OVERWRITE"
+    }
     kube-proxy = {}
     vpc-cni = {
       resolve_conflicts = "OVERWRITE"

main.tf

@@ -368,17 +368,8 @@ locals {
     [for group in module.fargate_profile : group.fargate_profile_pod_execution_role_arn],
     var.aws_auth_fargate_profile_pod_execution_role_arns,
   ))
-}
-
-resource "kubernetes_config_map" "aws_auth" {
-  count = var.create && var.create_aws_auth_configmap ? 1 : 0
-
-  metadata {
-    name      = "aws-auth"
-    namespace = "kube-system"
-  }
 
-  data = {
+  aws_auth_configmap_data = {
     mapRoles = yamlencode(concat(
       [for role_arn in local.node_iam_role_arns_non_windows : {
         rolearn  = role_arn
@@ -415,6 +406,17 @@ resource "kubernetes_config_map" "aws_auth" {
     mapUsers    = yamlencode(var.aws_auth_users)
     mapAccounts = yamlencode(var.aws_auth_accounts)
   }
+}
+
+resource "kubernetes_config_map" "aws_auth" {
+  count = var.create && var.create_aws_auth_configmap ? 1 : 0
+
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = local.aws_auth_configmap_data
 
   lifecycle {
     # We are ignoring the data here since we will manage it with the resource below
@@ -426,52 +428,17 @@ resource "kubernetes_config_map" "aws_auth" {
 resource "kubernetes_config_map_v1_data" "aws_auth" {
   count = var.create && var.manage_aws_auth_configmap ? 1 : 0
 
-  force = false
+  force = true
 
   metadata {
     name      = "aws-auth"
     namespace = "kube-system"
   }
 
-  data = {
-    mapRoles = yamlencode(concat(
-      [for role_arn in local.node_iam_role_arns_non_windows : {
-        rolearn  = role_arn
-        username = "system:node:{{EC2PrivateDNSName}}"
-        groups = [
-          "system:bootstrappers",
-          "system:nodes",
-        ]
-        }
-      ],
-      [for role_arn in local.node_iam_role_arns_windows : {
-        rolearn  = role_arn
-        username = "system:node:{{EC2PrivateDNSName}}"
-        groups = [
-          "eks:kube-proxy-windows",
-          "system:bootstrappers",
-          "system:nodes",
-        ]
-        }
-      ],
-      # Fargate profile
-      [for role_arn in local.fargate_profile_pod_execution_role_arns : {
-        rolearn  = role_arn
-        username = "system:node:{{SessionName}}"
-        groups = [
-          "system:bootstrappers",
-          "system:nodes",
-          "system:node-proxier",
-        ]
-        }
-      ],
-      var.aws_auth_roles
-    ))
-    mapUsers    = yamlencode(var.aws_auth_users)
-    mapAccounts = yamlencode(var.aws_auth_accounts)
-  }
+  data = local.aws_auth_configmap_data
 
   depends_on = [
+    # Required for instances where the configmap does not exist yet to avoid race condition
     kubernetes_config_map.aws_auth,
   ]
 }