terraform-aws-eks
Dynamic number of access_entries
Description
Hey, this is more a question than a bug report.
Is there any way to make the access_entries for EKS API-based auth dynamic? My problem is that, depending on input vars, I sometimes want to create 1 access_entry and sometimes 2 access_entries.
I tried the following so far:
- this one works, because it's not dynamic:
```hcl
access_entries = {
  main_sso = {
    kubernetes_groups = ["system:masters"]
    principal_arn     = "arn:"
    policy_associations = {
      admin = {
        policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        access_scope = {
          type = "cluster"
        }
      }
    }
  }
}
```
- I tried passing a variable holding the map to the EKS module:
```hcl
access_entries = {
  main_sso = {
    kubernetes_groups = ["system:masters"]
    principal_arn     = "arn"
    policy_associations = {
      admin = {
        policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        access_scope = {
          type = "cluster"
        }
      }
    }
  }
}
```
and in the EKS module:
```hcl
access_entries = var.access_entries
```
but I'm getting this error:
```text
Error: Invalid function argument

  on /tmp/terraform-data-dir/modules/eks/main.tf line 178, in locals:
 178:   association_access_scope_namespaces = lookup(pol_val.access_scope, "namespaces", [])
```
- I tried putting it into a local variable and later in the EKS module:
```hcl
access_entries = [for key, value in local.combined_access_entries : {
  kubernetes_groups   = value.kubernetes_groups
  principal_arn       = value.principal_arn
  policy_associations = value.policy_associations
}]
```
but I'm getting this error:
```text
Error: Error in function call

  on /tmp/terraform-data-dir/modules/eks/main.tf line 159, in locals:
 159:   merged_access_entries = merge(
 160:     { for k, v in local.bootstrap_cluster_creator_admin_permissions : k => v if var.enable_cluster_creator_admin_permissions },
 161:     var.access_entries,
 162:   )
    ├────────────────
    │ while calling merge(maps...)
    │ local.bootstrap_cluster_creator_admin_permissions is object with 1 attribute "cluster_creator"
    │ var.access_entries is tuple with 1 element
    │ var.enable_cluster_creator_admin_permissions is false

Call to function "merge" failed: arguments must be maps or objects, got
"tuple".
```
I didn't find any example on the internet showing that it's possible to do it that way. Is it even possible to achieve my goal using this module?
Here's an example that works for me:
```hcl
data "aws_iam_roles" "admins" {
  name_regex  = "AWSReservedSSO_AdministratorAccess.*"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_iam_roles" "editors" {
  name_regex  = "AWSReservedSSO_EditorAccess.*"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

variable "additional_access_entries" {
  description = "Additional access entries for the EKS cluster"
  type = map(object({
    kubernetes_groups = optional(list(string))
    principal_arn     = string
    policy_associations = map(object({
      policy_arn = string
      access_scope = object({
        namespaces = optional(list(string))
        type       = string
      })
    }))
  }))
  default = {}
}

# ...

access_entries = merge({
  sso_admins = {
    principal_arn = tolist(data.aws_iam_roles.admins.arns)[0]
    policy_associations = {
      admin = {
        policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        access_scope = {
          type = "cluster"
        }
      }
    }
  }
  sso_editors = {
    principal_arn = tolist(data.aws_iam_roles.editors.arns)[0]
    policy_associations = {
      admin = {
        policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        access_scope = {
          type = "cluster"
        }
      }
    }
  }
  },
  var.additional_access_entries
)

# ...
```
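Building on the merge pattern in the answer above, here is an added example (not code from the issue, its participants, or the terraform-aws-eks module) of what the question actually asked for: an access_entries map whose member count depends on input variables. The key point is that the comprehension must be a map-building one (`{ for ... : k => v if ... }`), so the result stays a map or object that `merge()` and the module accept; the `[for ...]` form in the third attempt produces a tuple, which is exactly what the second error reports. The variable names, the optional viewer role scoped to a namespace with AmazonEKSViewPolicy, the module version constraint and the abbreviated module block are assumptions for illustration. Cluster admin is granted through the AWS-managed AmazonEKSClusterAdminPolicy association alone rather than through kubernetes_groups, and the viewer entry shows the namespace-scoped, least-privilege form of an association.

```hcl
# Added example, not from the issue or the module. Builds access_entries
# with one or two members depending on input variables.

variable "admin_principal_arn" {
  description = "IAM role ARN that gets cluster-wide admin (assumed input)"
  type        = string
}

variable "viewer_principal_arn" {
  description = "Optional IAM role ARN that gets read-only access to selected namespaces (assumed input)"
  type        = string
  default     = null
}

variable "viewer_namespaces" {
  description = "Namespaces the viewer role may read (assumed input)"
  type        = list(string)
  default     = ["default"]
}

locals {
  # Candidate entries. The viewer entry is only enabled when an ARN was supplied,
  # so a null principal_arn never reaches the provider.
  candidate_access_entries = {
    admin = {
      enabled       = true
      principal_arn = var.admin_principal_arn
      policy_associations = {
        admin = {
          policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = { type = "cluster" }
        }
      }
    }
    viewer = {
      enabled       = var.viewer_principal_arn != null
      principal_arn = var.viewer_principal_arn
      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type       = "namespace"
            namespaces = var.viewer_namespaces
          }
        }
      }
    }
  }

  # Braces with `name => {...}` keep the result a map/object, which merge() accepts.
  # A list comprehension `[for ...]` would yield the tuple that made merge() fail.
  access_entries = {
    for name, entry in local.candidate_access_entries :
    name => {
      principal_arn       = entry.principal_arn
      policy_associations = entry.policy_associations
    }
    if entry.enabled
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0" # assumed: access_entries is a v20+ input of the module

  cluster_name    = "example"
  cluster_version = "1.29"

  authentication_mode = "API"
  access_entries      = local.access_entries
  # vpc_id, subnet_ids and the remaining required inputs omitted here
}

output "access_entry_names" {
  description = "Either [\"admin\"] or [\"admin\", \"viewer\"], depending on var.viewer_principal_arn"
  value       = keys(local.access_entries)
}
```

Keeping the `enabled` flag on each candidate and filtering once in a single comprehension means every entry the module sees is fully populated; the same pattern extends to any number of optional entries, and the `additional_access_entries` variable from the answer above can still be merged in on top of `local.access_entries` if both are needed.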
Thanks @alivespirit, I will test it after my vacation :)
worked