Improve eks-iam-access module using eks-access-entry module (#54)

Author: posquit0

modules/eks-iam-access/README.md

@@ -15,22 +15,19 @@ This module creates following resources.
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.50.0 |
+No providers.
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_node"></a> [node](#module\_node) | ../eks-access-entry | n/a |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_user"></a> [user](#module\_user) | ../eks-access-entry | n/a |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [aws_eks_access_entry.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
-| [aws_eks_access_entry.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
+No resources.
 
 ## Inputs
 
@@ -44,7 +41,7 @@ This module creates following resources.
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the EKS Cluster to be created/updated/deleted. | <pre>object({<br>    create = optional(string, "30m")<br>    update = optional(string, "60m")<br>    delete = optional(string, "15m")<br>  })</pre> | `{}` | no |
-| <a name="input_user_access_entries"></a> [user\_access\_entries](#input\_user\_access\_entries) | (Optional) A list of configurations for EKS access entries for users (IAM roles, users) that are allowed to access the EKS cluster. Each item of `user_access_entries` block as defined below.<br>    (Required) `name` - A unique name for the access entry. This value is only used internally within Terraform code.<br>    (Required) `principal` - The ARN of one, and only one, existing IAM principal to grant access to Kubernetes objects on the cluster. An IAM principal can't be included in more than one access entry.<br>    (Optional) `username` - The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. Defaults to the IAM principal ARN.<br>    (Optional) `groups` - A set of groups within the Kubernetes cluster. | <pre>list(object({<br>    name      = string<br>    principal = string<br>    username  = optional(string)<br>    groups    = optional(set(string), [])<br>  }))</pre> | `[]` | no |
+| <a name="input_user_access_entries"></a> [user\_access\_entries](#input\_user\_access\_entries) | (Optional) A list of configurations for EKS access entries for users (IAM roles, users) that are allowed to access the EKS cluster. Each item of `user_access_entries` block as defined below.<br>    (Required) `name` - A unique name for the access entry. This value is only used internally within Terraform code.<br>    (Required) `principal` - The ARN of one, and only one, existing IAM principal to grant access to Kubernetes objects on the cluster. An IAM principal can't be included in more than one access entry.<br>    (Optional) `kubernetes_username` - The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. Defaults to the IAM principal ARN.<br>    (Optional) `kubernetes_groups` - A set of groups within the Kubernetes cluster.<br>    (Optional) `kubernetes_permissions` - A list of permissions for EKS access entry to the EKS cluster. Each item of `kubernetes_permissions` block as defined below.<br>      (Required) `policy` - The ARN of the access policy that you're associating.<br>      (Optional) `scope` - The type of access scope that you're associating. Valid values are `NAMESPACE`, `CLUSTER`. Defaults to `CLUSTER`.<br>      (Optional) `namespaces` - A set of namespaces to which the access scope applies. You can enter plain text namespaces, or wildcard namespaces such as `dev-*`. | <pre>list(object({<br>    name                = string<br>    principal           = string<br>    kubernetes_username = optional(string)<br>    kubernetes_groups   = optional(set(string), [])<br>    kubernetes_permissions = optional(list(object({<br>      policy     = string<br>      scope      = optional(string, "CLUSTER")<br>      namespaces = optional(set(string), [])<br>    })), [])<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 

modules/eks-iam-access/main.tf

@@ -20,17 +20,23 @@ locals {
 ###################################################
 
 # INFO: Not supported attributes
-# - `user_name`
+# - `kubernetes_username`
 # - `kubernetes_groups`
-resource "aws_eks_access_entry" "node" {
+module "node" {
   for_each = {
     for entry in var.node_access_entries :
     entry.name => entry
   }
 
-  cluster_name  = var.cluster_name
-  type          = each.value.type
-  principal_arn = each.value.principal
+  source = "../eks-access-entry"
+
+  name         = each.key
+  cluster_name = var.cluster_name
+  type         = each.value.type
+  principal    = each.value.principal
+
+  resource_group_enabled = false
+  module_tags_enabled    = false
 
   tags = merge(
     {
@@ -46,18 +52,31 @@ resource "aws_eks_access_entry" "node" {
 # User Access Entries
 ###################################################
 
-resource "aws_eks_access_entry" "user" {
+module "user" {
   for_each = {
     for entry in var.user_access_entries :
     entry.name => entry
   }
 
-  cluster_name  = var.cluster_name
-  type          = "STANDARD"
-  principal_arn = each.value.principal
+  source = "../eks-access-entry"
+
+  name         = each.key
+  cluster_name = var.cluster_name
+  type         = "STANDARD"
+  principal    = each.value.principal
+
+  kubernetes_username = each.value.kubernetes_username
+  kubernetes_groups   = each.value.kubernetes_groups
+  kubernetes_permissions = [
+    for permission in each.value.kubernetes_permissions : {
+      policy     = permission.policy
+      scope      = permission.scope
+      namespaces = permission.namespaces
+    }
+  ]
 
-  user_name         = each.value.username
-  kubernetes_groups = each.value.groups
+  resource_group_enabled = false
+  module_tags_enabled    = false
 
   tags = merge(
     {

modules/eks-iam-access/outputs.tf

@@ -8,15 +8,15 @@ output "node_access_entries" {
   The list of configurations for EKS access entries for nodes (EC2 instances, Fargate).
   EOF
   value = {
-    for name, entry in aws_eks_access_entry.node :
+    for name, entry in module.node :
     name => {
-      arn        = entry.access_entry_arn
-      type       = entry.type
-      principal  = entry.principal_arn
-      username   = entry.user_name
-      groups     = entry.kubernetes_groups
-      created_at = entry.created_at
-      updated_at = entry.modified_at
+      arn                 = entry.arn
+      type                = entry.type
+      principal           = entry.principal
+      kubernetes_username = entry.kubernetes_username
+      kubernetes_groups   = entry.kubernetes_groups
+      created_at          = entry.created_at
+      updated_at          = entry.updated_at
     }
   }
 }
@@ -26,15 +26,16 @@ output "user_access_entries" {
   The list of configurations for EKS access entries for users (IAM roles, users).
   EOF
   value = {
-    for name, entry in aws_eks_access_entry.user :
+    for name, entry in module.user :
     name => {
-      arn        = entry.access_entry_arn
-      type       = entry.type
-      principal  = entry.principal_arn
-      username   = entry.user_name
-      groups     = entry.kubernetes_groups
-      created_at = entry.created_at
-      updated_at = entry.modified_at
+      arn                    = entry.arn
+      type                   = entry.type
+      principal              = entry.principal
+      kubernetes_username    = entry.kubernetes_username
+      kubernetes_groups      = entry.kubernetes_groups
+      kubernetes_permissions = entry.kubernetes_permissions
+      created_at             = entry.created_at
+      updated_at             = entry.updated_at
     }
   }
 }

modules/eks-iam-access/variables.tf

@@ -33,14 +33,23 @@ variable "user_access_entries" {
   (Optional) A list of configurations for EKS access entries for users (IAM roles, users) that are allowed to access the EKS cluster. Each item of `user_access_entries` block as defined below.
     (Required) `name` - A unique name for the access entry. This value is only used internally within Terraform code.
     (Required) `principal` - The ARN of one, and only one, existing IAM principal to grant access to Kubernetes objects on the cluster. An IAM principal can't be included in more than one access entry.
-    (Optional) `username` - The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. Defaults to the IAM principal ARN.
-    (Optional) `groups` - A set of groups within the Kubernetes cluster.
+    (Optional) `kubernetes_username` - The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. Defaults to the IAM principal ARN.
+    (Optional) `kubernetes_groups` - A set of groups within the Kubernetes cluster.
+    (Optional) `kubernetes_permissions` - A list of permissions for EKS access entry to the EKS cluster. Each item of `kubernetes_permissions` block as defined below.
+      (Required) `policy` - The ARN of the access policy that you're associating.
+      (Optional) `scope` - The type of access scope that you're associating. Valid values are `NAMESPACE`, `CLUSTER`. Defaults to `CLUSTER`.
+      (Optional) `namespaces` - A set of namespaces to which the access scope applies. You can enter plain text namespaces, or wildcard namespaces such as `dev-*`.
   EOF
   type = list(object({
-    name      = string
-    principal = string
-    username  = optional(string)
-    groups    = optional(set(string), [])
+    name                = string
+    principal           = string
+    kubernetes_username = optional(string)
+    kubernetes_groups   = optional(set(string), [])
+    kubernetes_permissions = optional(list(object({
+      policy     = string
+      scope      = optional(string, "CLUSTER")
+      namespaces = optional(set(string), [])
+    })), [])
   }))
   default  = []
   nullable = false