Support oidc-idp for eks-cluster module (#13)

Author: posquit0

modules/eks-cluster/README.md

@@ -46,6 +46,7 @@ This module creates following resources.
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
 | [aws_eks_fargate_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |
+| [aws_eks_identity_provider_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_identity_provider_config) | resource |
 | [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
 | [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
 | [aws_security_group_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -75,6 +76,7 @@ This module creates following resources.
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | (Optional) Number of days to retain log events. Default retention - 90 days. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `90` | no |
 | <a name="input_log_types"></a> [log\_types](#input\_log\_types) | (Optional) A list of the desired control plane logging to enable. | `list(string)` | <pre>[<br>  "api",<br>  "audit",<br>  "authenticator",<br>  "controllerManager",<br>  "scheduler"<br>]</pre> | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_oidc_identity_providers"></a> [oidc\_identity\_providers](#input\_oidc\_identity\_providers) | (Optional) A list of OIDC Identity Providers to associate as an additional method for user authentication to your Kubernetes cluster. Each item of `oidc_identity_providers` block as defined below.<br>    (Required) `name` - A unique name for the Identity Provider Configuration.<br>    (Required) `issuer_url` - The OIDC Identity Provider issuer URL.<br>    (Required) `client_id` - The OIDC Identity Provider client ID.<br>    (Optional) `required_claims` - The key value pairs that describe required claims in the identity token.<br>    (Optional) `username_claim` - The JWT claim that the provider will use as the username.<br>    (Optional) `username_prefix` - A prefix that is prepended to username claims.<br>    (Optional) `groups_claim` - The JWT claim that the provider will use to return groups.<br>    (Optional) `groups_prefix` - A prefix that is prepended to group claims e.g., `oidc:`. | `any` | `[]` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
@@ -94,6 +96,7 @@ This module creates following resources.
 | <a name="output_ip_family"></a> [ip\_family](#output\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. |
 | <a name="output_logging"></a> [logging](#output\_logging) | The configurations of the control plane logging. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the cluster. |
+| <a name="output_oidc_identity_providers"></a> [oidc\_identity\_providers](#output\_oidc\_identity\_providers) | A map of all associated OIDC Identity Providers to the cluster. |
 | <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The Amazon Resource Name (ARN) for the OpenID Connect identity provider. |
 | <a name="output_oidc_provider_url"></a> [oidc\_provider\_url](#output\_oidc\_provider\_url) | Issuer URL for the OpenID Connect identity provider. |
 | <a name="output_oidc_provider_urn"></a> [oidc\_provider\_urn](#output\_oidc\_provider\_urn) | Issuer URN for the OpenID Connect identity provider. |

modules/eks-cluster/oidc-providers.tf

@@ -0,0 +1,33 @@
+###################################################
+# Associations of OIDC Identity Provider
+###################################################
+
+resource "aws_eks_identity_provider_config" "this" {
+  for_each = {
+    for provider in var.oidc_identity_providers :
+    provider.name => provider
+  }
+
+  cluster_name = aws_eks_cluster.this.name
+
+  oidc {
+    identity_provider_config_name = each.key
+
+    issuer_url = each.value.issuer_url
+    client_id  = each.value.client_id
+
+    required_claims = try(each.value.required_claims, null)
+    username_claim  = try(each.value.username_claim, null)
+    username_prefix = try(each.value.username_prefix, null)
+    groups_claim    = try(each.value.groups_claim, null)
+    groups_prefix   = try(each.value.groups_prefix, null)
+  }
+
+  tags = merge(
+    {
+      "Name" = "${local.metadata.name}/${each.key}"
+    },
+    local.module_tags,
+    var.tags,
+  )
+}

modules/eks-cluster/outputs.tf

@@ -112,3 +112,22 @@ output "fargate_profiles" {
     }
   }
 }
+
+output "oidc_identity_providers" {
+  description = "A map of all associated OIDC Identity Providers to the cluster."
+  value = {
+    for name, provider in aws_eks_identity_provider_config.this :
+    name => {
+      arn        = provider.arn
+      status     = provider.status
+      name       = provider.oidc[0].identity_provider_config_name
+      issuer_url = provider.oidc[0].issuer_url
+
+      required_claims = provider.oidc[0].required_claims
+      username_claim  = provider.oidc[0].username_claim
+      username_prefix = provider.oidc[0].username_prefix
+      groups_claim    = provider.oidc[0].groups_claim
+      groups_prefix   = provider.oidc[0].groups_prefix
+    }
+  }
+}

modules/eks-cluster/variables.tf

@@ -131,6 +131,22 @@ variable "fargate_profiles" {
   default     = []
 }
 
+variable "oidc_identity_providers" {
+  description = <<EOF
+  (Optional) A list of OIDC Identity Providers to associate as an additional method for user authentication to your Kubernetes cluster. Each item of `oidc_identity_providers` block as defined below.
+    (Required) `name` - A unique name for the Identity Provider Configuration.
+    (Required) `issuer_url` - The OIDC Identity Provider issuer URL.
+    (Required) `client_id` - The OIDC Identity Provider client ID.
+    (Optional) `required_claims` - The key value pairs that describe required claims in the identity token.
+    (Optional) `username_claim` - The JWT claim that the provider will use as the username.
+    (Optional) `username_prefix` - A prefix that is prepended to username claims.
+    (Optional) `groups_claim` - The JWT claim that the provider will use to return groups.
+    (Optional) `groups_prefix` - A prefix that is prepended to group claims e.g., `oidc:`.
+  EOF
+  type        = any
+  default     = []
+}
+
 variable "tags" {
   description = "(Optional) A map of tags to add to all resources."
   type        = map(string)