
[Teams] How can someone in my team run terraform apply from his Mac?

Open niv1612 opened this issue 3 years ago • 2 comments

  • [x] I have searched the open/closed issues and my issue is not listed.

I'm using the Teams module to manage our users in EKS. It works fine when accessing the cluster, but when someone from my team wants to add a new module to our TF code, it's not possible because of a lack of permissions. I need to run 'terraform apply' instead of them because I created the cluster and their user is in a role with least-privilege access.

  • The problem occurs with the platform_teams (admin access).
  • When using the Teams module, it creates a new role with trust relationships to users.
  • When you create the cluster, your user is the only one that can view/change the cluster without using the administrator role.
  • If someone else wants to view/change the cluster via terraform, they need to use the role. But because the role only has access to the EKS cluster, you will get an error when trying to run 'terraform apply' because you don't have access to KMS (for example).

Provide a link to the example/module related to the question

Teams

Additional context

niv1612 commented Sep 20 '22 08:09

Hey! The original design for Teams was to help easily configure cluster access for users/teams, not for Terraform users who seek to apply changes to the infrastructure outside the cluster. I see this as a feature request where we should allow users to pass existing policies to the created platform role, or allow passing an existing platform role, as you may end up using the same role for creating cluster resources and AWS infrastructure resources as well. We're working on the next design iteration for Teams (see https://github.com/aws-ia/terraform-aws-eks-blueprints/issues/842); I recommend you share any other feature requests you'd like to have there as well.

As of now, one workaround you can use is to add the missing policies that you need to the existing role.

Zvikan commented Sep 20 '22 15:09
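One way to apply the workaround above, as an added example that is not from the issue and not the project's own code. It assumes the Teams module has already created the platform team's IAM role (its name is passed in as `var.platform_team_role_name`, an assumed input), that the cluster named in `var.cluster_name` has secrets encryption enabled so `encryption_config` is populated, and that `var.region` is the cluster's region. The policy name `terraform_extras` and the KMS action list are illustrative: the list covers the read calls Terraform makes against the cluster key, scoped to that single key instead of `kms:*` on `*`, and the authoritative list of anything still missing is whatever AccessDenied error the next plan/apply reports.

```hcl
# Added example; not code from the issue or from terraform-aws-eks-blueprints.
# Bootstrap: the creator (the only principal with IAM rights on the role) applies
# the policy attachment once with their own credentials. Teammates then run
# terraform through the aliased provider at the bottom, which assumes the role.

variable "cluster_name" {
  type = string
}

variable "region" {
  type = string
}

variable "platform_team_role_name" {
  type        = string
  description = "Name of the IAM role the Teams module created for platform_teams (assumed input)"
}

data "aws_caller_identity" "current" {}

# Look the role up rather than re-declaring it, so the Teams module keeps owning it.
data "aws_iam_role" "platform_team" {
  name = var.platform_team_role_name
}

data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# Least privilege: only the read-side KMS calls on the cluster's own encryption key.
data "aws_iam_policy_document" "terraform_extras" {
  statement {
    sid = "ReadClusterKmsKey"
    actions = [
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListResourceTags",
    ]
    resources = [data.aws_eks_cluster.this.encryption_config[0].provider[0].key_arn]
  }

  statement {
    sid       = "ListKmsAliases"
    actions   = ["kms:ListAliases"]
    resources = ["*"] # ListAliases has no resource-level permissions
  }
}

resource "aws_iam_policy" "terraform_extras" {
  name   = "${var.cluster_name}-platform-team-terraform"
  policy = data.aws_iam_policy_document.terraform_extras.json
}

resource "aws_iam_role_policy_attachment" "terraform_extras" {
  role       = data.aws_iam_role.platform_team.name
  policy_arn = aws_iam_policy.terraform_extras.arn
}

# What a teammate's provider.tf looks like: their IAM user is in the role's trust
# policy (the Teams module adds listed users), so the AWS provider assumes the role
# and every API call Terraform makes is authorised against the role, not the user.
provider "aws" {
  alias  = "platform_team"
  region = var.region

  assume_role {
    role_arn     = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.platform_team_role_name}"
    session_name = "terraform-apply"
  }
}
```

Two caveats a practitioner will want. First, each extra policy you bolt onto the team role widens what every member of that team can do from kubectl as well, since it is the same role; if the team needs broad infrastructure permissions to run `terraform apply`, a separate deploy role that the cluster creator trusts (what the feature request above asks for) keeps the cluster-access role small. Second, the `kms` actions here only cover reading the cluster key; if the Terraform code also manages resources such as the cluster IAM roles or VPC, the same pattern applies, with each missing action added as a scoped statement rather than a wildcard.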

Depends on https://github.com/aws/containers-roadmap/issues/185

askulkarni2 commented Dec 17 '22 00:12

Closing this out for now. As linked above, EKS is working on improved support for vending access into EKS clusters, and the new teams module is now available here: https://github.com/aws-ia/terraform-aws-eks-blueprints-teams. We will continue to support the current implementation here and will provide an upgrade/migration guide before removing it from the project.

bryantbiggs commented Mar 17 '23 17:03