Managing access to EKS using AWS IAM groups

Amr Farid
Oct 4, 2020

EKS has a limitation when it comes to granting IAM groups access to a cluster. The only two supported options are mapping IAM roles and mapping individual IAM users directly to a Kubernetes group; there is a GitHub issue tracking this.

I’m using the default EKS module provided by HashiCorp. This is my cluster configuration:

module "eks" {
  source          = "git@github.com:terraform-aws-modules/terraform-aws-eks.git?ref=v12.2.0"
  cluster_name    = "staging"
  cluster_version = "1.17"
  subnets         = [] # fill in: list of subnet IDs for the cluster
  vpc_id          = "" # fill in: VPC ID (a string, not a list)
  worker_groups = [
    {
      instance_type = "t3.xlarge"
      asg_max_size  = 5
    }
  ]
}

The module exposes variables (such as map_users and map_roles) for granting access to additional IAM users and roles, but mapping an IAM group is not supported out of the box. You can achieve it with the aws_iam_group data source and a for expression, which Terraform supports since version 0.12.

data "aws_iam_group" "developers" {
  group_name = "developers"
}

locals {
  # One aws-auth mapUsers entry per member of the IAM group
  k8s_devs = [
    for user in data.aws_iam_group.developers.users : {
      userarn  = user.arn
      username = user.user_name
      groups   = ["system:masters"]
    }
  ]
}

So the final code should look something like this:

module "eks" {
  source          = "git@github.com:terraform-aws-modules/terraform-aws-eks.git?ref=v12.2.0"
  cluster_name    = "staging"
  cluster_version = "1.17"
  subnets         = [] # fill in: list of subnet IDs for the cluster
  vpc_id          = "" # fill in: VPC ID (a string, not a list)
  worker_groups = [
    {
      instance_type = "t3.xlarge"
      asg_max_size  = 5
    }
  ]
  map_users = local.k8s_devs
}

Note: the data source reads group membership at plan time, so you need to run terraform apply each time you add users to or remove users from these IAM groups.
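The following is an added example, not code from the original post or from the terraform-aws-eks module. It generalizes the pattern above: several IAM groups are mapped to Kubernetes groups through one data-source lookup per group, a user who belongs to more than one IAM group is merged into a single aws-auth entry, and only the admin group receives system:masters; the developers group is bound to a namespaced, read-only Role instead of cluster-admin. The IAM group names "eks-admins" and "developers", the Kubernetes group "staging:developers", the namespace "staging" and the resource names are assumptions; the kubernetes provider wiring follows the module's own examples for v12.

```hcl
# Added example (not from the post or the module). Assumed names: IAM groups
# "eks-admins" and "developers", Kubernetes group "staging:developers",
# namespace "staging". for_each on a data source needs Terraform >= 0.12.6.

locals {
  # IAM group name => Kubernetes group it is mapped to in aws-auth
  group_map = {
    "eks-admins" = "system:masters"
    "developers" = "staging:developers"
  }
}

# One lookup per IAM group; membership is read at plan time, so a new
# terraform apply is needed whenever group membership changes.
data "aws_iam_group" "mapped" {
  for_each   = local.group_map
  group_name = each.key
}

locals {
  # Flatten (group, user) pairs into one list of memberships.
  memberships = flatten([
    for iam_group, k8s_group in local.group_map : [
      for user in data.aws_iam_group.mapped[iam_group].users : {
        userarn   = user.arn
        username  = user.user_name
        k8s_group = k8s_group
      }
    ]
  ])

  # aws-auth expects one entry per user ARN, so merge the groups of a user
  # that belongs to more than one IAM group instead of emitting duplicates.
  map_users = [
    for arn in distinct([for m in local.memberships : m.userarn]) : {
      userarn  = arn
      username = [for m in local.memberships : m.username if m.userarn == arn][0]
      groups   = distinct([for m in local.memberships : m.k8s_group if m.userarn == arn])
    }
  ]
}

module "eks" {
  source          = "git@github.com:terraform-aws-modules/terraform-aws-eks.git?ref=v12.2.0"
  cluster_name    = "staging"
  cluster_version = "1.17"
  subnets         = [] # fill in: list of subnet IDs for the cluster
  vpc_id          = "" # fill in: VPC ID (a string, not a list)
  # worker_groups = [...] as in the post
  map_users = local.map_users
}

# The module writes aws-auth through the kubernetes provider, which is
# configured from the cluster it just created (as in the module's examples).
data "aws_eks_cluster" "this" {
  name = module.eks.cluster_id
}

data "aws_eks_cluster_auth" "this" {
  name = module.eks.cluster_id
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.this.token
  load_config_file       = false
}

# Read-only, namespace-scoped permissions for the developers group; widen the
# rules as needed, but keep system:masters (cluster-admin) for admins only.
resource "kubernetes_role" "developers" {
  metadata {
    name      = "developers"
    namespace = "staging"
  }
  rule {
    api_groups = ["", "apps"]
    resources  = ["pods", "pods/log", "services", "deployments"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_role_binding" "developers" {
  metadata {
    name      = "developers"
    namespace = "staging"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.developers.metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "staging:developers"
  }
}
```

The split between the aws-auth mapping and the RBAC binding is what keeps this least-privilege: aws-auth only decides which Kubernetes group a caller lands in, and the Role decides what that group may do, so adding someone to the "developers" IAM group never grants more than the namespaced Role allows. Because membership is still read at plan time, a scheduled terraform plan in CI that fails on drift is a cheap way to notice removed users who still have cluster access.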

Amr Farid

SRE/DevOps Engineer, I write about k8s, monitoring, and microservices.