Support map users and roles to multiple groups #424

Merged
merged 8 commits into from
Aug 19, 2019
Contributor

@nauxliu nauxliu commented Jul 5, 2019

PR o'clock

Description

Please explain the changes you made here and link to any relevant issues.

Checklist

@max-rocket-internet
Contributor

Can someone test this? I don't have a complex environment running TF 0.12 yet 😅

@max-rocket-internet
Contributor

@nauxliu I tried to test this today without rebasing using examples/basic and it gives an error:

Error: Invalid default value for variable

  on variables.tf line 19, in variable "map_roles":
  19:   default = [
  20:     {
  21:       rolearn  = "arn:aws:iam::66666666666:role/role1"
  22:       username = "role1"
  23:       groups   = ["system:masters"]
  24:     },
  25:   ]

This default value is not compatible with the variable's type constraint:
element 0: element "groups": string required.


Error: Invalid default value for variable

  on variables.tf line 32, in variable "map_users":
  32:   default = [
  33:     {
  34:       userarn  = "arn:aws:iam::66666666666:user/user1"
  35:       username = "user1"
  36:       groups   = ["system:masters"]
  37:     },
  38:     {
  39:       userarn  = "arn:aws:iam::66666666666:user/user2"
  40:       username = "user2"
  41:       groups   = ["system:masters"]
  42:     },
  43:   ]

This default value is not compatible with the variable's type constraint:
element 0: element "groups": string required.

Can you update the type in examples/*/variables.tf?

map_accounts = join("", data.template_file.map_accounts.*.rendered)
map_users = yamlencode(var.map_users),
map_roles = yamlencode(var.map_roles),
map_accounts = yamlencode(var.map_accounts)
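
Review bot: the strings returned by `yamlencode(var.map_users)`, `yamlencode(var.map_roles)` and `yamlencode(var.map_accounts)` are multi-line YAML (or `[]` for an empty list), so the template that receives them must place every line at the indentation of the `mapUsers: |`, `mapRoles: |` and `mapAccounts: |` block scalars. The rendered aws_auth_configmap.yaml quoted later in this thread shows `[]` at two spaces under each key, and kubectl rejects it with "could not find expected ':'". Suggest wrapping each value with Terraform's `indent()` where the template interpolates it, and running an example with empty lists as well as populated ones before merge. Minor style point: `map_users` and `map_roles` end with a trailing comma while `map_accounts` does not; use one form.
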
Contributor

Super nice

@max-rocket-internet
Contributor

Resolves #441

@nauxliu
Contributor Author

nauxliu commented Aug 7, 2019

@max-rocket-internet Fixed

@max-rocket-internet
Contributor

@nauxliu

When I run from examples/launch_templates after clean apply, then checking out your branch, I get:

module.eks.local_file.config_map_aws_auth[0]: Creating...
module.eks.local_file.config_map_aws_auth[0]: Creation complete after 0s [id=1a9e3335dd2a4891150585b3dbe09476b60ee47e]
module.eks.null_resource.update_config_map_aws_auth[0]: Creating...
module.eks.null_resource.update_config_map_aws_auth[0]: Provisioning with 'local-exec'...
module.eks.null_resource.update_config_map_aws_auth[0] (local-exec): Executing: ["/bin/sh" "-c" "for i in `seq 1 10`; do \\\necho \"apiVersion: v1\npreferences: {}\nkind: Config\n\nclusters:\n- cluster:\n    server: https://E742E1CEEA120385A4C148017D16CA23.yl4.us-west-2.eks.amazonaws.com\n    certificate-authority-data: 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\n  name: eks_test-eks-lt-RlUJSLIq\n\ncontexts:\n- context:\n    cluster: eks_test-eks-lt-RlUJSLIq\n    user: eks_test-eks-lt-RlUJSLIq\n  name: eks_test-eks-lt-RlUJSLIq\n\ncurrent-context: eks_test-eks-lt-RlUJSLIq\n\nusers:\n- name: eks_test-eks-lt-RlUJSLIq\n  user:\n    exec:\n      apiVersion: client.authentication.k8s.io/v1alpha1\n      command: aws-iam-authenticator\n      args:\n        - \"token\"\n        - \"-i\"\n        - \"test-eks-lt-RlUJSLIq\"\n\n\n\" > kube_config.yaml & \\\necho \"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: aws-auth\n  namespace: kube-system\ndata:\n  mapRoles: |\n    - rolearn: arn:aws:iam::051129233020:role/test-eks-lt-RlUJSLIq20190813093053160600000005\n      username: system:node:{{EC2PrivateDNSName}}\n      groups:\n        - system:bootstrappers\n        - system:nodes\n\n  []\n  \n  mapUsers: |\n  []\n  \n  mapAccounts: |\n  []\n  \n\" > aws_auth_configmap.yaml & \\\nkubectl apply -f aws_auth_configmap.yaml --kubeconfig kube_config.yaml && break || \\\nsleep 10; \\\ndone; \\\nrm aws_auth_configmap.yaml kube_config.yaml;\n"]
module.eks.null_resource.update_config_map_aws_auth[0] (local-exec): error: error parsing aws_auth_configmap.yaml: error converting YAML to JSON: yaml: line 16: could not find expected ':'
module.eks.null_resource.update_config_map_aws_auth[0]: Still creating... [10s elapsed]

@nauxliu
Contributor Author

nauxliu commented Aug 13, 2019

@max-rocket-internet Sorry about that, I will take a look tomorrow and try to apply the example to make sure it works.

@nauxliu
Contributor Author

nauxliu commented Aug 14, 2019

@max-rocket-internet I applied it to the example and my production cluster; I'm confident this is resolved.

@max-rocket-internet max-rocket-internet merged commit 8580b67 into terraform-aws-modules:master Aug 19, 2019
@max-rocket-internet
Contributor

Thanks @nauxliu

@github-actions
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 22, 2022