Skip to content

An example Terraform repo that is a companion to the SuperOrbital blog post about AWS auth with EKS Kubernetes clusters.

Notifications You must be signed in to change notification settings

superorbital/aws-eks-auth-examples

Repository files navigation

aws-eks-auth-examples README

NOTE: The Terraform code in this repo is intended to accompany the linked article, which takes a hands-on deep-dive into the various options that are avaliable to control access between AWS and EKS clusters.

This will spin up an EKS cluster in AWS that can be used to explore authentication and authorization options.

NOTE: This is for example only. Spinning this up will cost you money and there are no guarantees that this is secure, so use this with appropriate caution.

Usage

You will need at least one, but preferably two AWS accounts that you have full access to, and you will also need to have the AWS CLI. the Terraform CLI, and most likely kubectl installed.

To do most of the examples, you only need a single account and profile, but if you are going to try and do them all then you will need 2 AWS accounts and two profiles, very similar to these:

  • ~/.aws/config
[profile aws-auth-account-one]
region=us-west-2
output=yaml-stream

[profile aws-auth-account-two]
region=us-west-2
output=yaml-stream
  • ~/.aws/credentials
[aws-auth-account-one]
aws_access_key_id=REDACTED_ACCESS_KEY
aws_secret_access_key=REDACTED_SECRET_ACCESS_KEY

[aws-auth-account-two]
aws_access_key_id=REDACTED_ACCESS_KEY
aws_secret_access_key=REDACTED_SECRET_ACCESS_KEY

If you have two AWS accounts to work with, then you should uncomment all the Terraform code in second-account.tf. However, if you have only one account then go ahead and leave it commented out, so that everything else will continue to work as expected.

You will also need to know the username for your IAM user in account one (e.g. ajohnson), so that you can pass this information to Terraform.

NOTE: There are other ways to configure these credentials, but this is the easiest way to explain and document. If you are familiar enough with all of this, feel free to tweak things to your liking.

Once these profiles are in place and configured with valid credentials then you should be able to spin up the infrastructure with:

terraform init
terraform plan -var dev_role_id=$(aws --profile aws-auth-account-one iam get-user --output text --query 'User.UserName')
terraform apply -var dev_role_id=$(aws --profile aws-auth-account-one iam get-user --output text --query 'User.UserName')

NOTE: It can easily take 15-20 minutes for the whole environment to spin up or down.

When you are done you should tear down the infrastructure with:

terraform destroy

Contributing

Pre-Commit Hooks

Install

Local Install (macOS)
  • IMPORTANT: All developers committing any code to this repo, should have these pre-commit hooks installed locally. Github actions may also run these at some point, but it is generally faster and easier to run them locally, in most cases.
brew install pre-commit terraform-docs tfenv tflint tfsec checkov terrascan infracost tfupdate minamijoyo/hcledit/hcledit jq shellcheck shfmt git-secrets

mkdir -p ${HOME}/.git-template/hooks
git config --global init.templateDir ${HOME}/.git-template
  • Close and reopen your terminal
  • Make sure that you run these commands from the root of this git repo!
cd aws-eks-auth-examples
pre-commit init-templatedir -t pre-commit ${HOME}/.git-template
pre-commit install
  • Test it
pre-commit run -a
git diff

Checks

See:

Configuring Hooks

Requirements

Name Version
terraform >= 1.5.7
aws ~> 5.44
kubernetes ~> 2.28

Providers

Name Version
aws ~> 5.44

Inputs

Name Description Type Required
cluster_name Kubernetes cluster name string no
create_access_entries Should we create the access entries? bool no
create_test_users Should we create the test IAM users and keys? bool no
dev_role_id AWS IAM username for the primary user/owner string no
k8s_version Kubernetes cluster version string no
setup_cross_account_sts Should we setup the cross account STS components? bool no
setup_irsa Should we setup the IRSA components? bool no
setup_pod_identity Should we setup the Pod Identity components? bool no
vpc_cidr AWS VPC CIDR string no

Outputs

Name Description
aws_iam_keys_user_one UserOne's AWS access and secret key.
aws_iam_keys_user_three UserThree's AWS access and secret key.
aws_iam_keys_user_two UserTwo's AWS access and secret key.
ec2_irsa_role_arn The role ARN that needs to be added to Kubernetes Service Account annotations for IRSA.

About

An example Terraform repo that is a companion to the SuperOrbital blog post about AWS auth with EKS Kubernetes clusters.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages