feat(aws-auth): aws-auth module for aws iam and kubernetes rbac mappi…

…ng (#225)

* feat(aws-auth): aws-auth module for aws iam and kubernetes rbac mapping

* feat(aws-auth): required providers definition

* fix(aws-auth): updata aws-auth module test code

modules/aws-auth/README.md

@@ -0,0 +1,20 @@
+# AWS-AUTH configamp for Amazon IAM and Kubernetes RBAC mapping
+
+```
+provider "kubernetes" {
+  host                   = module.eks.kubeauth["host"]
+  token                  = module.eks.kubeauth["token"]
+  cluster_ca_certificate = module.eks.kubeauth["ca"]
+}
+
+### aws auth
+module "aws-auth" {
+  source = "Young-ook/eks/aws//modules/aws-auth"
+  aws_auth_roles = [
+    {
+      rolearn = "role_arn_you_want_to_add"
+      groups  = ["system:masters"]
+    },
+  ]
+}
+```

modules/aws-auth/defaults.tf

@@ -0,0 +1,3 @@
+### default variables
+
+locals {}

modules/aws-auth/labels.tf

@@ -0,0 +1,5 @@
+locals {
+  default-tags = merge(
+    { "terraform.io" = "managed" },
+  )
+}

modules/aws-auth/main.tf

@@ -0,0 +1,26 @@
+## kubernetes aws-auth configmap
+
+data "kubernetes_config_map" "aws-auth" {
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+}
+
+locals {
+  merged_aws_auth = {
+    mapRoles    = yamlencode(concat(yamldecode(data.kubernetes_config_map.aws-auth.data.mapRoles), var.aws_auth_roles))
+    mapUsers    = yamlencode(var.aws_auth_users)
+    mapAccounts = yamlencode(var.aws_auth_accounts)
+  }
+}
+
+resource "kubernetes_config_map_v1_data" "aws-auth" {
+  depends_on = [data.kubernetes_config_map.aws-auth]
+  force      = true
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+  data = local.merged_aws_auth
+}

modules/aws-auth/outputs.tf

@@ -0,0 +1,6 @@
+### output variables
+
+output "configmap" {
+  description = "Modified aws-auth configmap data"
+  value       = local.merged_aws_auth
+}

modules/aws-auth/tests/defaults/main.tf

@@ -0,0 +1,41 @@
+terraform {
+  required_providers {
+    test = {
+      source = "terraform.io/builtin/test"
+    }
+  }
+}
+
+provider "kubernetes" {
+  alias                  = "aws-auth"
+  host                   = module.eks.kubeauth.host
+  token                  = module.eks.kubeauth.token
+  cluster_ca_certificate = module.eks.kubeauth.ca
+}
+
+### vpc
+module "vpc" {
+  source  = "Young-ook/vpc/aws"
+  version = "1.0.3"
+}
+
+### eks
+module "eks" {
+  source             = "Young-ook/eks/aws"
+  version            = "2.0.0"
+  kubernetes_version = "1.24"
+  subnets            = slice(values(module.vpc.subnets["public"]), 0, 3)
+  managed_node_groups = [
+    {
+      name          = "default"
+      desired_size  = 1
+      instance_type = "t3.medium"
+    },
+  ]
+}
+
+module "main" {
+  depends_on = [module.eks]
+  providers  = { kubernetes = kubernetes.aws-auth }
+  source     = "../../"
+}

modules/aws-auth/variables.tf

@@ -0,0 +1,19 @@
+### access control
+
+variable "aws_auth_roles" {
+  description = "List of role maps to add to the aws-auth configmap"
+  type        = list(any)
+  default     = []
+}
+
+variable "aws_auth_users" {
+  description = "List of user maps to add to the aws-auth configmap"
+  type        = list(any)
+  default     = []
+}
+
+variable "aws_auth_accounts" {
+  description = "List of account maps to add to the aws-auth configmap"
+  type        = list(any)
+  default     = []
+}

modules/aws-auth/versions.tf

@@ -0,0 +1,10 @@
+### requirements
+
+terraform {
+  required_providers {
+    kubernetes = {
+      source                = "hashicorp/kubernetes"
+      version               = ">= 2.0"
+    }
+  }
+}