There does not appear to be a readily available and complete example of identity mapping of IAM roles for an existing EKS cluster using terraform.
Typically this would be achieved via eksctl:
eksctl get iamidentitymapping --cluster <clusterName> --region=<region>If using manage_aws_auth_configmap with the terraform-aws-eks module, the aws-auth config map can be managed as per this example.
This terraform searches for the existing EKS cluster via tags, and then creates a data source for the cluster and the aws-auth config map. Using distinct(concat()) ensures that the config map is only updated once, even when using terraform apply multiple times.
Before:
kubectl get configmap aws-auth -n kube-system -o yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::999999999999:role/jamiemo-dev-NodeInstanceRole-QaTaYdYbA5Hg
username: system:node:{{EC2PrivateDNSName}}
mapUsers: |
[]
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-systemApply the example:
terraform init
terraform applyAfter:
kubectl get configmap aws-auth -n kube-system -o yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::999999999999:role/jamiemo-dev-NodeInstanceRole-QaTaYdYbA5Hg
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::999999999999:role/service-role
username: service-role
mapUsers: |
[]
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-systemDelete the aws-auth configmap state prior to destroying the deployment, to ensure the destroy is successful without deleting the aws-auth configmap mapRoles.
terraform state rm kubernetes_config_map_v1_data.aws_auth
terraform destroy