Terraform-provider-aws: Amazon EKS Cluster OIDC Issuer URL

Created on 4 Sep 2019  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon EKS now allows you to assign IAM permissions to Kubernetes service accounts.
This is achieved via an OIDC Issuer URL exposed on an EKS Cluster.

New or Affected Resource(s)


References

Announcement.
API reference.
Blog post.
AWS containers roadmap issue.

Requires AWS SDK v1.23.15:

enhancement serviceks

All 6 comments

I will have the new attributes and an example submitted shortly. 👍 e.g.

resource "aws_eks_cluster" "example" {
  # ... other configuration ...
}

resource "aws_iam_openid_connect_provider" "example" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = []
  url             = "${aws_eks_cluster.example.identity.0.oidc.0.issuer}"
}

data "aws_iam_policy_document" "example_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.example.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }

    principals {
      identifiers = ["${aws_iam_openid_connect_provider.example.arn}"]
      type        = "Federated"
    }
  }
}

resource "aws_iam_role" "example" {
  assume_role_policy = "${data.aws_iam_policy_document.example_assume_role_policy.json}"
  name               = "example"
}

Pull request submitted: #10006
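A check on the trust policy that the HCL above generates, as an added example that is not part of this thread or of the provider's code. It builds the IRSA trust policy with the `:sub` condition shown above plus the `:aud` condition AWS also recommends, and flags a policy whose statement is not scoped that way (without the `:sub` check, any service account in the cluster could assume the role). The issuer URL, account and provider ARN are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholder values, not a real cluster or account.
ISSUER_URL = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + ISSUER_URL[len("https://"):]
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"

def oidc_condition_key(issuer_url, claim):
    # IAM names OIDC claims "<issuer without scheme>:<claim>", which is what
    # replace(url, "https://", "") in the HCL above produces.
    p = urlparse(issuer_url)
    return f"{p.netloc}{p.path}:{claim}"

def build_trust_policy(provider_arn, issuer_url, namespace, service_account):
    # Trust policy pinned to one service account and to the STS audience.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ASSUME_ACTION,
            "Principal": {"Federated": provider_arn},
            "Condition": {"StringEquals": {
                oidc_condition_key(issuer_url, "sub"):
                    f"system:serviceaccount:{namespace}:{service_account}",
                oidc_condition_key(issuer_url, "aud"): "sts.amazonaws.com",
            }},
        }],
    }

def trust_policy_findings(policy, issuer_url):
    # Flag Allow statements for AssumeRoleWithWebIdentity that lack an exact-match
    # sub/aud condition: without the sub check, every service account in the
    # cluster can assume the role. Condition keys are case-insensitive in IAM.
    sub_key = oidc_condition_key(issuer_url, "sub").lower()
    aud_key = oidc_condition_key(issuer_url, "aud").lower()
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in actions:
            continue
        exact = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
        for key in (sub_key, aud_key):
            if key not in exact:
                findings.append(f"statement {i}: missing StringEquals condition on {key}")
    return findings
```

Running `trust_policy_findings` over the JSON that `aws_iam_policy_document` renders is a cheap pre-apply check that the role really is pinned to one service account.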

Can we please get that reviewed and merged asap ;)? So I can finally remove kube2iam.

The functionality to retrieve the OIDC issuer URL from the aws_eks_cluster resource and data source has been merged and will release with version 2.28.0 of the Terraform AWS Provider, on Thursday. 👍

This has been released in version 2.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
