terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

Custom IAM roles for cluster and workers #282

Closed erks closed 5 years ago

erks commented 5 years ago

Support custom IAM roles for cluster and workers

I'm submitting a...

What is the current behavior?

Some organizations have restricted access to IAM resources and cannot create or update them directly. The workflow is that IAM resources are created by a separate team, then another team uses them to create and maintain the clusters/workers. Currently, this module requires a full IAM permission to be granted for a user setting up an EKS cluster/workers.

If this is a bug, how to reproduce? Please include a code sample if relevant.

N/A

What's the expected behavior?

This module accepts custom IAM roles as inputs and uses those during the provisioning process without creating or updating any IAM resources directly.

Are you able to fix this problem and submit a PR? Link here if you have already.

https://github.com/terraform-aws-modules/terraform-aws-eks/pull/338

Environment details

Any other relevant info

None.

max-rocket-internet commented 5 years ago

I think other people have requested this.

Is it possible to just import the pre-existing IAM resources so your terraform apply is not actually calling the IAM API?

EDIT: No, it's not, due to https://github.com/terraform-aws-modules/terraform-aws-eks/issues/88

th31nitiate commented 5 years ago

I currently agree with the need for this and I am now having to fork this so that I can add IAM logging roles.

I will attempt to modularize this and then perform a PR if possible.

RothAndrew commented 5 years ago

+1 on this. My team has run into this issue as well. We initially gave all of our DevSecOps people the "Power User" role, but Power User doesn't include IAM, so it didn't work.

eperdeme commented 5 years ago

You can use IAM boundaries to add IAM limitations but allow teams in your business to create IAM roles.

We use this feature to deny all teams from creating VPC* functions and enforce via boundary that any role they create must inherit the boundary. It works really well to 'delegate' IAM creation but with enforced boundaries.
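The delegation pattern described in the comment above, written out in Terraform as an added example (it is not from the thread or from the module, and the role name prefix, policy name and action lists are constructed assumptions): a permissions boundary that caps what delegated roles may do, and a policy for the delegating team that only allows role creation when that boundary is attached.

```hcl
# Constructed example, not module code: delegate IAM role creation while
# enforcing a permissions boundary on every role the team creates.
data "aws_caller_identity" "current" {}

# The boundary is the ceiling for any role created under it: EKS/EC2 access
# the cluster and workers need, VPC mutations explicitly denied.
data "aws_iam_policy_document" "boundary" {
  statement {
    effect    = "Allow"
    actions   = ["eks:*", "ec2:Describe*", "autoscaling:*", "ecr:Get*", "logs:*"]
    resources = ["*"]
  }
  statement {
    effect    = "Deny"
    actions   = ["ec2:CreateVpc", "ec2:DeleteVpc", "ec2:ModifyVpcAttribute",
                 "ec2:CreateSubnet", "ec2:DeleteSubnet"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "boundary" {
  name   = "eks-team-boundary" # placeholder name
  policy = data.aws_iam_policy_document.boundary.json
}

# Attached to the team's own principal. The iam:PermissionsBoundary
# condition is what makes this safe: without it, the team could create an
# unbounded role and escalate past its own permissions.
data "aws_iam_policy_document" "delegate_iam" {
  statement {
    sid     = "CreateRolesOnlyWithBoundary"
    effect  = "Allow"
    actions = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
               "iam:DetachRolePolicy", "iam:DeleteRolePolicy"]
    # Only roles following the team's naming prefix (constructed prefix).
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/eks-*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [aws_iam_policy.boundary.arn]
    }
  }
  statement {
    # The team must not be able to loosen or remove the boundary itself.
    sid       = "NoBoundaryTampering"
    effect    = "Deny"
    actions   = ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                 "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]
    resources = [aws_iam_policy.boundary.arn]
  }
}
```

The module's cluster and worker roles would then need the boundary ARN attached at creation; the boundary document above would also be the place to add anything those roles legitimately require beyond this list.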

rottenbytes commented 5 years ago

I faced the same problem, forked and patched. I opened a PR: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/308

erks commented 5 years ago

Since https://github.com/terraform-aws-modules/terraform-aws-eks/pull/308 doesn't fully solve my use case (it still requires IAM write access), I took a stab at it here: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/338. Please take a look.

max-rocket-internet commented 5 years ago

Can those who are interested in this feature test the PR from @erks?

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.