Use Kubernetes provider #547

Closed
1 of 4 tasks
gdurandvadas opened this issue Oct 3, 2019 · 5 comments

gdurandvadas commented Oct 3, 2019

I have issues

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

Currently the whole solution is tied to a local Terraform run, meaning it is not possible to use this module in Terraform Cloud.

What's the expected behavior?

By using the Kubernetes provider, it could be run anywhere without dependencies.

Example:

```hcl
module "kubernetes" {
  source       = "../.."
  cluster_name = local.cluster_name
  subnets      = module.vpc.private_subnets
  vpc_id       = module.vpc.vpc_id

  worker_groups = [
    {
      name                          = "worker-group-1"
      instance_type                 = "t2.small"
      additional_userdata           = "echo foo bar"
      asg_desired_capacity          = 2
      additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
    },
  ]
}

# Identity of the caller running Terraform; referenced by the aws-auth mappings below
data "aws_caller_identity" "this" {}

data "aws_eks_cluster_auth" "this" {
  depends_on = [module.kubernetes]
  name       = local.cluster_name
}

# Wait for EKS Endpoint to be available
resource "null_resource" "delay" {
  # Referencing the endpoint output orders the delay after cluster creation
  triggers = {
    cluster_endpoint = module.kubernetes.cluster_endpoint
  }

  provisioner "local-exec" {
    command = "sleep 60"
  }
}

provider "kubernetes" {
  version                = "~> v1.9.0"
  host                   = module.kubernetes.cluster_endpoint
  cluster_ca_certificate = base64decode(module.kubernetes.cluster_certificate_authority_data)
  #token                  = data.aws_eks_cluster_auth.this.token
  load_config_file       = false
  # Token workaround
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    args        = ["token", "-i", local.cluster_name]
    command     = "aws-iam-authenticator"
  }
}

resource "kubernetes_config_map" "aws-auth" {
  # Apply the ConfigMap only after the delay above has elapsed
  depends_on = [null_resource.delay]

  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    # Worker node role plus an admin role mapped to system:masters
    mapRoles = <<ROLES
- rolearn: ${module.kubernetes.worker_iam_role_arn}
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: "arn:aws:iam::${data.aws_caller_identity.this.account_id}:role/OrganizationAccountAccessRole"
  username: admin
  groups:
    - system:masters
ROLES
    # The identity running Terraform, also mapped to system:masters
    mapUsers = <<USERS
- userarn: ${data.aws_caller_identity.this.arn}
  username: terraform
  groups:
    - system:masters
USERS
  }
}
```

Regarding the usage of aws_eks_cluster_auth, there is some inconsistency regarding the token; I've opened an issue in the terraform-aws-provider: hashicorp/terraform-provider-aws#10362

Are you able to fix this problem and submit a PR? Link here if you have already.

Environment details

  • Affected module version: v6.0.1
  • OS: MacOS 10.14.6
  • Terraform version: v0.12.9

Any other relevant info

@dpiddockcmp
Contributor

Hi. This is being discussed in a PR: #355


stale bot commented Jan 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 3, 2020

barryib (Member) commented Jan 4, 2020

#355 is now merged, but there is still an issue with the EKS endpoint discussed in #621 and with a possible fix #639

@stale stale bot removed the stale label Jan 4, 2020

barryib (Member) commented Jan 13, 2020

Closing this. We're now using the Kubernetes provider.

@barryib barryib closed this as completed Jan 13, 2020
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2022