Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eks: add ephemeral aws_eks_cluster_auth resource #40660

Merged
merged 13 commits into from
Jan 16, 2025
Merged

eks: add ephemeral aws_eks_cluster_auth resource #40660

merged 13 commits into from
Jan 16, 2025

Conversation

bschaatsbergen
Copy link
Member

@bschaatsbergen bschaatsbergen commented Dec 20, 2024
edited
Loading

Fixes #40343

Since it’s common to configure the Kubernetes provider by injecting a temporary IAM-compatible token for authenticating to the EKS control-plane (currently done using data.aws_eks_cluster_auth.example.token).

Terraform (1.10) supports referencing ephemeral resource attributes directly in providers. Having an ephemeral variant available of aws_eks_cluster_auth would greatly improve the security posture of Terraform users working with Amazon EKS and the Kubernetes or Helm provider as the temporary obtained IAM token is no longer persisted to the state.

ephemeral "aws_eks_cluster_auth" "example" {
  name = data.aws_eks_cluster.example.id
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.example.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
  token                  = ephemeral.aws_eks_cluster_auth.example.token
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.example.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
    token                  = ephemeral.aws_eks_cluster_auth.example.token
  }
}

Test output:

 $ make testacc TESTARGS='-run=TestAccEKSClusterAuthEphemeral_basic' PKG=eks
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.3 test ./internal/service/eks/... -v -count 1 -parallel 20  -run=TestAccEKSClusterAuthEphemeral_basic -timeout 360m
2024/12/20 18:13:48 Initializing Terraform AWS Provider...
=== RUN   TestAccEKSClusterAuthEphemeral_basic
=== PAUSE TestAccEKSClusterAuthEphemeral_basic
=== CONT  TestAccEKSClusterAuthEphemeral_basic
--- PASS: TestAccEKSClusterAuthEphemeral_basic (11.50s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/eks        17.044s

@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added service/eks Issues and PRs that pertain to the eks service. needs-triage Waiting for first response or review from a maintainer. external-maintainer Contribution from a trusted external contributor. labels Dec 20, 2024
@github-actions github-actions bot added the generators Relates to code generators. label Dec 20, 2024
@github-actions github-actions bot added the tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. label Dec 20, 2024
@bschaatsbergen bschaatsbergen mentioned this pull request Dec 20, 2024
Closed
@bschaatsbergen
eks: remove redundant newline
cf38b07
@bschaatsbergen
eks: clean up ephemeral cluster auth resource implementation
414776f 
Add return statements in error paths, and reference the EKS cluster name using ValueString to ensure it produces a literal value. This avoids generating the underlying framework’s string literal, which includes quotes and leads to incorrect token generation.
@johnsonaj johnsonaj added new-ephemeral-resource Introduces a new ephemeral resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 23, 2024
@bschaatsbergen bschaatsbergen removed the external-maintainer Contribution from a trusted external contributor. label Dec 23, 2024
@github-actions github-actions bot added the external-maintainer Contribution from a trusted external contributor. label Dec 23, 2024
@bschaatsbergen bschaatsbergen marked this pull request as ready for review January 10, 2025 21:46
@bschaatsbergen bschaatsbergen requested a review from a team as a code owner January 10, 2025 21:46
@johnsonaj johnsonaj self-assigned this Jan 15, 2025
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Jan 15, 2025
johnsonaj
johnsonaj previously approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@johnsonaj johnsonaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

% make testacc TESTARGS='-run=TestAccEKSClusterAuthEphemeral_basic' PKG=eks

make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.3 test ./internal/service/eks/... -v -count 1 -parallel 20  -run=TestAccEKSClusterAuthEphemeral_basic -timeout 360m -vet=off
2025/01/15 14:48:56 Initializing Terraform AWS Provider...
=== RUN   TestAccEKSClusterAuthEphemeral_basic
=== PAUSE TestAccEKSClusterAuthEphemeral_basic
=== CONT  TestAccEKSClusterAuthEphemeral_basic
--- PASS: TestAccEKSClusterAuthEphemeral_basic (10.05s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/eks	16.539s

@johnsonaj
Copy link
Contributor

@bschaatsbergen thank you for the contribution! 🎉

@johnsonaj johnsonaj merged commit 58d049d into hashicorp:main Jan 16, 2025
43 checks passed
@github-actions github-actions bot added this to the v5.84.0 milestone Jan 16, 2025
@bschaatsbergen bschaatsbergen deleted the e/aws-eks-cluster-auth branch January 16, 2025 00:21
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Jan 16, 2025
@github-actions GitHub Actions
Copy link

This functionality has been released in v5.84.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@FernandoMiguel
Copy link
Contributor

For folks using things like atlantis, where a output plan file is saved and applied later, is the token also saved to the output file or is it regenerated at apply stage?
One of the issues of the previous approach is that the token was saved and could be expired by the time one wants to apply.
Thanks

@lorengordon
Copy link
Contributor

For folks using things like atlantis, where a output plan file is saved and applied later, is the token also saved to the output file or is it regenerated at apply stage?
One of the issues of the previous approach is that the token was saved and could be expired by the time one wants to apply.
Thanks

If you use this ephemeral resource, then it should not be persisted to the saved plan, and should be regenerated on apply.

@ktham ktham mentioned this pull request Jan 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YakDriver YakDriver YakDriver approved these changes

@johnsonaj johnsonaj johnsonaj left review comments

Assignees

@johnsonaj johnsonaj

Labels
external-maintainer Contribution from a trusted external contributor. generators Relates to code generators. new-ephemeral-resource Introduces a new ephemeral resource. service/eks Issues and PRs that pertain to the eks service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
v5.84.0
Development

Successfully merging this pull request may close these issues.

[New ephemeral]: aws_eks_cluster_auth should be turned into an ephemeral resource
5 participants
@bschaatsbergen @johnsonaj @FernandoMiguel @lorengordon @YakDriver