feat: (PSKD-904) Support credentials when assuming an IAM role

.github/workflows/linter-analysis.yaml

@@ -48,6 +48,12 @@ jobs:
         path: ~/.tflint.d/plugins
         key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
 
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "^1.9.8"
+        terraform_wrapper: false
+
     - name: Setup TFLint
       uses: terraform-linters/[email protected]
       with:

docs/CONFIG-VARS.md

@@ -266,6 +266,8 @@ Custom policy:
 | autoscaling_enabled | Enable cluster autoscaling | bool | true | |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api| string|"public"|Valid Values: "public", "private" |
+| authentication_mode | The authentication mode for the EKS cluster.| string|"API_AND_CONFIG_MAP"| Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP |
+| access_entry_role_arns | Create an EKS access entry associated with the AmazonEKSClusterAdminPolicy for each existing IAM role ARN specified in this list. | list of strings | | **Note:** The assumed-role used to authenticate to Terraform should not be included this list. The format role ARNs take is: "arn:aws:iam::<Subscription_ID>:role/<rolename>"|
 
 ## Node Pools
 

docs/user/TerraformAWSAuthentication.md

@@ -1,8 +1,8 @@
 # Authenticating Terraform to Access AWS
 
-In order to create and destroy AWS resources on your behalf, Terraform needs a AWS account that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need an AWS account IAM user that has at a minimum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json).
+In order to create and destroy AWS resources on your behalf, Terraform needs to authenticate with credentials associated with an AWS account IAM user or credentials generated by assuming an IAM role that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need either an AWS account IAM user or an AWS IAM role that has at a minimum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json).
 
-You can either use static credentials (including temporary credentials with session token) or a [profile with a credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
+You can either use static credentials (including temporary credentials with a session token) or a [profile with a credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
 
 You can pass AWS credentials to Terraform by using either [AWS environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) or [TF_VAR_name](https://www.terraform.io/docs/cli/config/environment-variables.html#tf_var_name) environment variables. 
 
@@ -28,7 +28,9 @@ TF_VAR_aws_secret_access_key=<your_aws_secret_access_key>
 TF_VAR_aws_session_token=<your_aws_session_token>
 ```
 
-> **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when using you are using temporary AWS credentials. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information.
+> **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when you are using temporary AWS credentials like those you would generate when assuming an IAM role.  See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information.
+
+See [AWS IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) for more information about temporary credentials when using an assumed role. In order for an IAM user to be able to assume a role, a trust relationship for that user needs to be created within the role, see [granting AssumeRole permission for a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html) for more information.
 
 ## Using AWS Profile with Credentials File
 

main.tf

@@ -165,35 +165,10 @@ module "eks" {
   create_iam_role = var.cluster_iam_role_arn == null ? true : false
   iam_role_arn    = var.cluster_iam_role_arn
 
-  # Cluster access entry
-  # To add the current caller identity as an administrator
-  enable_cluster_creator_admin_permissions = true
+  authentication_mode = var.authentication_mode
 
-  access_entries = {
-    # access entry with cluster and namespace scoped policies
-    cluster_creator = {
-      kubernetes_groups = ["rbac.authorization.k8s.io"]
-      principal_arn     = data.aws_caller_identity.terraform.arn
-      user_name         = local.aws_caller_identity_user_name
-      type              = "STANDARD"
-
-      policy_associations = {
-        cluster_creator_assoc = {
-          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        },
-        namespace_creator_assoc = {
-          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
-          access_scope = {
-            type       = "namespace"
-            namespaces = ["kube-system"]
-          }
-        }
-      },
-    },
-  }
+  # Create access entry for current caller identity as a cluster admin
+  enable_cluster_creator_admin_permissions = true
 
   iam_role_additional_policies = {
     "additional" : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
@@ -213,6 +188,26 @@ module "eks" {
   eks_managed_node_groups = local.node_groups
 }
 
+resource "aws_eks_access_entry" "instance" {
+  for_each = toset(coalesce(var.access_entry_role_arns, []))
+
+  cluster_name      = module.eks.cluster_name
+  principal_arn     = each.value
+  type              = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "cluster_assoc" {
+  for_each = aws_eks_access_entry.instance
+
+  cluster_name      = module.eks.cluster_name
+  policy_arn        = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  principal_arn     = each.value.principal_arn
+
+  access_scope {
+    type = "cluster"
+  }
+}
+
 module "autoscaling" {
   source = "./modules/aws_autoscaling"
   count  = var.autoscaling_enabled ? 1 : 0

variables.tf

@@ -719,3 +719,20 @@ variable "enable_nist_features" {
   type        = bool
   default     = false
 }
+
+variable "authentication_mode" {
+  description = "The authentication mode for the EKS cluster. Supported values are 'API_AND_CONFIG_MAP' and 'API'."
+  type        = string
+  default     = "API_AND_CONFIG_MAP"
+
+  validation {
+    condition     = contains(["API_AND_CONFIG_MAP", "API"], var.authentication_mode)
+    error_message = "ERROR: Supported values for `authentication_mode` are API_AND_CONFIG_MAP and API."
+  }
+}
+
+variable "access_entry_role_arns" {
+  description = "List of IAM role ARNs to create EKS access_entries for."
+  type        = list(string)
+  default     = null
+}