From 0c1385a477063d244e07293e27df9066804da759 Mon Sep 17 00:00:00 2001
From: Yong Wen Chua
Date: Thu, 14 Apr 2022 12:33:05 +0800
Subject: [PATCH 1/2] Use K8S Provider to manage AWS Auth ConfirMap `kubernetes_config_map_v1_data` See https://github.com/terraform-aws-modules/terraform-aws-eks/pull/1999
---
 .tflint.hcl | 2 +-
 README.md | 6 ++--
 aws_auth.tf | 50 ----------------------------
 k8s_provider.tf | 5 +++
 main.tf | 9 ++++-
 modules/self_managed_nodes/README.md | 2 +-
 modules/self_managed_nodes/main.tf | 5 +--
 versions.tf | 6 ++--
 8 files changed, 23 insertions(+), 62 deletions(-)
 delete mode 100644 aws_auth.tf
 create mode 100644 k8s_provider.tf
diff --git a/.tflint.hcl b/.tflint.hcl
index a6aa618d..e6e4db94 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -1,6 +1,6 @@
 plugin "aws" {
 enabled = true
- version = "0.12.0"
+ version = "0.13.2"
 source = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/README.md b/README.md
index f095b502..30a3074b 100644
--- a/README.md
+++ b/README.md
@@ -35,21 +35,20 @@ provision additional node groups.
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
 | [aws](#requirement\_aws) | ~> 4.0 |
-| [null](#requirement\_null) | ~> 3.1 |
+| [kubernetes](#requirement\_kubernetes) | ~> 2.10 |
 ## Providers
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | ~> 4.0 |
-| [null](#provider\_null) | ~> 3.1 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.13.1 |
-| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.7.2 |
+| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.20.0 |
 | [kms\_ebs](#module\_kms\_ebs) | app.terraform.io/sph/kms/aws | ~> 0.1.0 |
 | [kms\_secret](#module\_kms\_secret) | app.terraform.io/sph/kms/aws | ~> 0.1.0 |
 | [node\_groups](#module\_node\_groups) | ./modules/self_managed_nodes | n/a |
@@ -73,7 +72,6 @@ provision additional node groups.
 | [aws_iam_role_policy_attachment.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
-| [null_resource.apply](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
diff --git a/aws_auth.tf b/aws_auth.tf
deleted file mode 100644
index 311f67cb..00000000
--- a/aws_auth.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-locals {
- kubeconfig = yamlencode({
- apiVersion = "v1"
- kind = "Config"
- current-context = "terraform"
- clusters = [{
- name = module.eks.cluster_id
- cluster = {
- certificate-authority-data = module.eks.cluster_certificate_authority_data
- server = module.eks.cluster_endpoint
- }
- }]
- contexts = [{
- name = "terraform"
- context = {
- cluster = module.eks.cluster_id
- user = "terraform"
- }
- }]
- users = [{
- name = "terraform"
- user = {
- token = data.aws_eks_cluster_auth.this.token
- }
- }]
- })
-
- aws_auth = templatefile("${path.module}/templates/aws_auth.yaml.tpl", {
- worker_roles = [aws_iam_role.workers.arn]
- role_mapping = var.role_mapping
- user_mapping = var.user_mapping
- })
-}
-
-resource "null_resource" "apply" {
- triggers = {
- cmd_patch = <<-EOT
- kubectl create configmap aws-auth -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode)
- kubectl patch configmap/aws-auth --patch "${local.aws_auth}" -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode)
- EOT
- }
-
- provisioner "local-exec" {
- interpreter = ["/bin/bash", "-c"]
- environment = {
- KUBECONFIG = base64encode(local.kubeconfig)
- }
- command = self.triggers.cmd_patch
- }
-}
diff --git a/k8s_provider.tf b/k8s_provider.tf
new file mode 100644
index 00000000..4c46170a
--- /dev/null
+++ b/k8s_provider.tf
@@ -0,0 +1,5 @@
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+}
diff --git a/main.tf b/main.tf
index 611ab876..c13f93de 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,6 @@
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 18.7.2"
+ version = "~> 18.20.0"
 cluster_name = var.cluster_name
 cluster_version = var.cluster_version
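Review bot: In k8s_provider.tf the new `token = data.aws_eks_cluster_auth.this.token` line authenticates the kubernetes provider with a value read from a data source, so the bearer token is materialised at plan time and recorded in the Terraform state with the other data-source attributes; EKS tokens are also short-lived, so an apply that first creates the cluster and node groups can reach the aws-auth step with an expired token. An `exec` block that runs `aws eks get-token` lets the provider mint a fresh token on every connection and keeps it out of state; it needs the aws CLI on the runner, which is no heavier than the kubectl/bash dependency the deleted null_resource had. `module.eks.cluster_id` is the same cluster name the removed kubeconfig used, so it can be reused as the `--cluster-name` argument.

```hcl
provider "kubernetes" {
  # … unchanged: host, cluster_ca_certificate …

  # Mint a short-lived token on each connection instead of storing one in state.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_id]
  }
}
```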
@@ -63,4 +63,11 @@ module "eks" {
 enable_irsa = true
 create_node_security_group = true
+
+ # aws-auth configmap
+ manage_aws_auth_configmap = true
+ aws_auth_node_iam_role_arns_non_windows = [aws_iam_role.workers.arn]
+ aws_auth_roles = var.role_mapping
+ aws_auth_users = var.user_mapping
+ aws_auth_accounts = []
 }
diff --git a/modules/self_managed_nodes/README.md b/modules/self_managed_nodes/README.md
index 42b536b0..3bcd56eb 100644
--- a/modules/self_managed_nodes/README.md
+++ b/modules/self_managed_nodes/README.md
@@ -53,7 +53,7 @@ the type of images:
 | Name | Source | Version |
 |------|--------|---------|
-| [self\_managed\_group](#module\_self\_managed\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | ~> 18.7.2 |
+| [self\_managed\_group](#module\_self\_managed\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | ~> 18.20.0 |
 ## Resources
diff --git a/modules/self_managed_nodes/main.tf b/modules/self_managed_nodes/main.tf
index 57c6d5ca..f77c9478 100644
--- a/modules/self_managed_nodes/main.tf
+++ b/modules/self_managed_nodes/main.tf
@@ -40,7 +40,7 @@ locals {
 module "self_managed_group" {
 source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
- version = "~> 18.7.2"
+ version = "~> 18.20.0"
 for_each = local.self_managed_node_groups
@@ -157,5 +157,6 @@ module "self_managed_group" {
 security_group_rules = try(each.value.security_group_rules, local.self_managed_node_group_defaults.security_group_rules, {})
 security_group_tags = try(each.value.security_group_tags, local.self_managed_node_group_defaults.security_group_tags, {})
- tags = merge(var.tags, try(each.value.tags, local.self_managed_node_group_defaults.tags, {}))
+ tags = merge(var.tags, try(each.value.tags, local.self_managed_node_group_defaults.tags, {}))
+ use_default_tags = true
 }
diff --git a/versions.tf b/versions.tf
index d8d412ad..08f4be71 100644
--- a/versions.tf
+++ b/versions.tf
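Review bot: The `aws_auth_roles = var.role_mapping` and `aws_auth_users = var.user_mapping` lines in main.tf hand the variables straight to the module, whereas before they were rendered through templates/aws_auth.yaml.tpl; the module's inputs expect each entry as an object with `rolearn` (or `userarn`), `username` and `groups` keys, so the variables' declared types, which are not visible here, should be checked against that shape or the ConfigMap will come out differently from what the old template produced. On clusters that are already deployed, the aws-auth ConfigMap created by the removed kubectl-based null_resource still exists, so it is worth confirming on a non-production cluster that the module's managed data resource adopts it instead of failing on the first apply. `aws_auth_accounts = []` appears to be the module's default and could either be dropped or kept with a comment such as `# no account-wide mappings; only the explicit roles/users above`. The module "eks" block begins outside the hunk.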
@@ -5,9 +5,9 @@ terraform {
 source = "hashicorp/aws"
 version = "~> 4.0"
 }
- null = {
- source = "hashicorp/null"
- version = "~> 3.1"
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.10"
 }
 }
 }
From d1c2cf4cf544bed632771b3f7579b2d2a140d7c4 Mon Sep 17 00:00:00 2001
From: Yong Wen Chua
Date: Thu, 14 Apr 2022 12:42:38 +0800
Subject: [PATCH 2/2] Loosen versions
---
 README.md | 6 +++---
 versions.tf | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 30a3074b..d877e563 100644
--- a/README.md
+++ b/README.md
@@ -34,14 +34,14 @@ provision additional node groups.
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | ~> 4.0 |
-| [kubernetes](#requirement\_kubernetes) | ~> 2.10 |
+| [aws](#requirement\_aws) | >= 4.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.0 |
+| [aws](#provider\_aws) | >= 4.0 |
 ## Modules
diff --git a/versions.tf b/versions.tf
index 08f4be71..847bd964 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,11 +3,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.10"
+ version = ">= 2.10"
 }
 }
 }
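Review bot: Replacing `~>` with `>=` on `version = ">= 4.0"` and `version = ">= 2.10"` in versions.tf removes the upper bound, so a consumer that does not constrain these providers itself can pick up a future major release with breaking changes on the next `terraform init -upgrade`. If this is a reusable module that is the common convention, but a bounded form such as `version = ">= 4.0, < 5.0"` keeps the flexibility for consumers without admitting a new major; the README rows in the preceding hunk would follow whichever form is chosen.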