Our company has been looking into ways of implementing IAM roles for service accounts (IRSA) and we were hoping we could simplify the discovery process of any newly created/destroyed EKS clusters through the use of tags.
By allowing us to return a list of AWS EKS clusters, we would be able to create the required IAM trust relationship.
For this to operate, it would involve:
Potential idea for the new data source:
Add New data source eks_clusters.
data "aws_caller_identity" "current" {}

# Proposed data source: returns the clusters in the region whose tags match the filter.
data "eks_clusters" "this" {
  filter {
    name   = "tag:group"
    values = ["foobar"]
  }
}

# One federated principal per matching cluster, built from that cluster's OIDC issuer.
data "aws_iam_policy_document" "assume_role" {
  dynamic "statement" {
    for_each = data.eks_clusters.this
    content {
      effect  = "Allow"
      actions = ["sts:AssumeRoleWithWebIdentity"]
      principals {
        type        = "Federated"
        identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${trimprefix(statement.value.identity.0.oidc.0.issuer, "https://")}"]
      }
    }
  }
}
Happy to pick this one up.
Thinking about implementation, in the SDK there are two API calls for reading clusters: ListClusters and DescribeCluster. The former retrieves a list of cluster names in the region whereas the latter provides the detail of each cluster.
Unfortunately there's no DescribeClusters API endpoint which, if it followed other API conventions, would take in some parameters for filtering the result. Therefore we have no choice but to follow this:
This makes a lot of API calls, I'll raise some tickets for the addition of a DescribeClusters endpoint - will post them here once done.
Update: I started working on a PR for this for the workaround specified above (while we are waiting for the API to be implemented - I raised a feature request with AWS for this). Hope to have the PR created soon so that it can be reviewed.
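The following is an added example, not code from the issue or from the terraform-provider-aws project, that walks through both halves of the thread in Go: the list-then-describe workaround above (one ListClusters call plus one DescribeCluster per cluster, tag filtering done client-side), and the IRSA trust relationship from the opening post (the `trimprefix` step that turns the cluster's OIDC issuer URL into a federated principal). The EKS client is a constructed in-memory fake behind a small interface so it runs offline and counts API calls; the cluster names, issuer IDs and account ID are placeholders. One addition to the issue's HCL, written from a least-privilege stance: each statement carries a `StringEquals` condition on `<issuer-host>:sub`, without which any service account in a listed cluster could assume the role.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Cluster is the subset of DescribeCluster output the data source needs.
type Cluster struct {
	Name   string
	Tags   map[string]string
	Issuer string // cluster.identity.oidc.issuer URL
}

// EKSAPI is the two-call surface the thread describes; a real SDK client can be wrapped to satisfy it.
type EKSAPI interface {
	ListClusters() ([]string, error)
	DescribeCluster(name string) (*Cluster, error)
}

// fakeEKS is a constructed in-memory client so the example runs offline; Calls counts requests.
type fakeEKS struct {
	clusters map[string]*Cluster
	Calls    int
}

func (f *fakeEKS) ListClusters() ([]string, error) {
	f.Calls++
	var names []string
	for n := range f.clusters {
		names = append(names, n)
	}
	sort.Strings(names) // stable order so results are deterministic
	return names, nil
}

func (f *fakeEKS) DescribeCluster(name string) (*Cluster, error) {
	f.Calls++
	return f.clusters[name], nil // names come from ListClusters, so the lookup never misses
}

// SampleEKS returns constructed data: three clusters, two tagged group=foobar (placeholder issuer IDs).
func SampleEKS() *fakeEKS {
	const base = "https://oidc.eks.eu-west-1.amazonaws.com/id/"
	return &fakeEKS{clusters: map[string]*Cluster{
		"alpha": {Name: "alpha", Issuer: base + "AAAA", Tags: map[string]string{"group": "foobar"}},
		"beta":  {Name: "beta", Issuer: base + "BBBB", Tags: map[string]string{"group": "other"}},
		"gamma": {Name: "gamma", Issuer: base + "CCCC", Tags: map[string]string{"group": "foobar", "env": "prod"}},
	}}
}

// ClustersByTags is the list-then-describe workaround: one ListClusters call plus one
// DescribeCluster call per cluster in the region, filtered client-side because the API
// offers no server-side tag filter. A cluster matches when it carries every pair in want.
func ClustersByTags(api EKSAPI, want map[string]string) ([]*Cluster, error) {
	names, err := api.ListClusters()
	if err != nil {
		return nil, err
	}
	var out []*Cluster
	for _, n := range names {
		c, err := api.DescribeCluster(n)
		if err != nil {
			return nil, err
		}
		match := true
		for k, v := range want {
			match = match && c.Tags[k] == v
		}
		if match {
			out = append(out, c)
		}
	}
	return out, nil
}

// OIDCProviderARN is the federated principal for a cluster's OIDC provider: the same
// "strip https://" step as trimprefix() in the issue's HCL.
func OIDCProviderARN(accountID, issuer string) string {
	return "arn:aws:iam::" + accountID + ":oidc-provider/" + strings.TrimPrefix(issuer, "https://")
}

// TrustPolicy renders the assume-role document with one statement per matching cluster.
// Each statement carries a StringEquals condition on <issuer-host>:sub, so only the named
// Kubernetes service account in that cluster can assume the role, not any pod in it.
func TrustPolicy(accountID, namespace, sa string, clusters []*Cluster) (string, error) {
	var stmts []map[string]interface{}
	for _, c := range clusters {
		host := strings.TrimPrefix(c.Issuer, "https://")
		stmts = append(stmts, map[string]interface{}{
			"Effect":    "Allow",
			"Principal": map[string]string{"Federated": OIDCProviderARN(accountID, c.Issuer)},
			"Action":    "sts:AssumeRoleWithWebIdentity",
			"Condition": map[string]map[string]string{"StringEquals": {host + ":sub": "system:serviceaccount:" + namespace + ":" + sa}},
		})
	}
	doc := map[string]interface{}{"Version": "2012-10-17", "Statement": stmts}
	b, err := json.MarshalIndent(doc, "", "  ")
	return string(b), err
}
```

With the sample data, `ClustersByTags(SampleEKS(), map[string]string{"group": "foobar"})` costs four API calls (one list plus three describes) to return two clusters, which is the per-cluster cost the comment above refers to; `TrustPolicy("123456789012", "default", "app", ...)` then emits one scoped statement per cluster.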
Hello @jdheyburn,
I was starting to write the needed datasource and then I found this issue.
Do you have something to submit already?
Just a little remark:
Instead of retrieving the actual list of clusters as proposed in @dliao-tyro's example, we can make it as simple as it is for aws_instances by only retrieving clusters names and then leverage the existing aws_eks_cluster data source.
EC2 example:
data "aws_instances" "instances" {
  instance_tags = {
    foo = "bar"
  }
}

data "aws_instance" "instances" {
  for_each    = toset(data.aws_instances.instances.ids)
  instance_id = each.value
}
Would give us something like:
data "aws_eks_clusters" "clusters" {
  cluster_tags = {
    foo = "bar"
  }
}

data "aws_eks_cluster" "instances" {
  for_each = toset(data.aws_eks_clusters.clusters.names)
  name     = each.value
}
@Vince-Chenal I can push a PR for review, some of the tests still need to be verified though.
As for the suggestion, it seems what you're proposing would have to make an additional API call unnecessarily.
[Diagram: call sequence data.aws_eks_clusters, then data.aws_eks_cluster]
We can skip the additional call altogether by returning everything that had already been described at the end of step 4.
It seems to me aws_instance was perhaps written at a time when complex objects couldn't be returned? Hence why a small number of attributes are returned in flat lists.
I've added a draft PR @Vince-Chenal, just need to publish the output of acceptance testing. Once they've passed I'll open it ready for review.