Support map users and roles to multiple groups (#424)

* Support map users and roles to multiple groups

* Simplify code by rename `user_arn` to `userarn`, `role_arn` to `rolearn`

* Next version should be 6.x because PR this is a breaking change.

* Update example variables.tf

* Change indent to 2

* Fix map-aws-auth.yaml maybe invalid yaml.

Author: nauxliu

CHANGELOG.md

@@ -7,7 +7,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Next release
 
-## [[v5.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...HEAD)] - 2019-08-??]
+## [[v6.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...HEAD)] - 2019-08-??]
 
 ### Added
 
@@ -19,6 +19,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 
+ - Support map users and roles to multiple groups (by @nauxliu)
  - Fixed errors sometimes happening during destroy due to usage of coalesce() in local.tf (by @petrikero)
  - Write your awesome change here (by @you)
 

aws_auth.tf

@@ -95,46 +95,8 @@ data "template_file" "config_map_aws_auth" {
         ),
       ),
     )
-    map_users    = join("", data.template_file.map_users.*.rendered)
-    map_roles    = join("", data.template_file.map_roles.*.rendered)
-    map_accounts = join("", data.template_file.map_accounts.*.rendered)
+    map_users    = yamlencode(var.map_users),
+    map_roles    = yamlencode(var.map_roles),
+    map_accounts = yamlencode(var.map_accounts)
   }
 }
-
-data "template_file" "map_users" {
-  count = length(var.map_users)
-  template = file(
-    "${path.module}/templates/config-map-aws-auth-map_users.yaml.tpl",
-  )
-
-  vars = {
-    user_arn = var.map_users[count.index]["user_arn"]
-    username = var.map_users[count.index]["username"]
-    group    = var.map_users[count.index]["group"]
-  }
-}
-
-data "template_file" "map_roles" {
-  count = length(var.map_roles)
-  template = file(
-    "${path.module}/templates/config-map-aws-auth-map_roles.yaml.tpl",
-  )
-
-  vars = {
-    role_arn = var.map_roles[count.index]["role_arn"]
-    username = var.map_roles[count.index]["username"]
-    group    = var.map_roles[count.index]["group"]
-  }
-}
-
-data "template_file" "map_accounts" {
-  count = length(var.map_accounts)
-  template = file(
-    "${path.module}/templates/config-map-aws-auth-map_accounts.yaml.tpl",
-  )
-
-  vars = {
-    account_number = var.map_accounts[count.index]
-  }
-}
-

examples/basic/variables.tf

@@ -14,31 +14,39 @@ variable "map_accounts" {
 
 variable "map_roles" {
   description = "Additional IAM roles to add to the aws-auth configmap."
-  type        = list(map(string))
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
 
   default = [
     {
-      role_arn = "arn:aws:iam::66666666666:role/role1"
+      rolearn  = "arn:aws:iam::66666666666:role/role1"
       username = "role1"
-      group    = "system:masters"
+      groups   = ["system:masters"]
     },
   ]
 }
 
 variable "map_users" {
   description = "Additional IAM users to add to the aws-auth configmap."
-  type        = list(map(string))
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
 
   default = [
     {
-      user_arn = "arn:aws:iam::66666666666:user/user1"
+      userarn  = "arn:aws:iam::66666666666:user/user1"
       username = "user1"
-      group    = "system:masters"
+      groups   = ["system:masters"]
     },
     {
-      user_arn = "arn:aws:iam::66666666666:user/user2"
+      userarn  = "arn:aws:iam::66666666666:user/user2"
       username = "user2"
-      group    = "system:masters"
+      groups   = ["system:masters"]
     },
   ]
 }

templates/config-map-aws-auth-map_accounts.yaml.tpl

@@ -6,8 +6,14 @@ metadata:
 data:
   mapRoles: |
 ${worker_role_arn}
-${map_roles}
+  %{if chomp(map_roles) != "[]" }
+    ${indent(4, map_roles)}
+  %{ endif }
+  %{if chomp(map_users) != "[]" }
   mapUsers: |
-${map_users}
+    ${indent(4, map_users)}
+  %{ endif }
+  %{if chomp(map_accounts) != "[]" }
   mapAccounts: |
-${map_accounts}
+    ${indent(4, map_accounts)}
+  %{ endif }

templates/config-map-aws-auth-map_roles.yaml.tpl

@@ -62,14 +62,22 @@ variable "map_accounts" {
 
 variable "map_roles" {
   description = "Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
-  type        = list(map(string))
-  default     = []
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
+  default = []
 }
 
 variable "map_users" {
   description = "Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
-  type        = list(map(string))
-  default     = []
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
+  default = []
 }
 
 variable "subnets" {