
Comments (7)

ArchiFleKs commented on June 2, 2024

@bainss : I think you should use the https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/variables.tf#L171

kubeconfig_aws_authenticator_additional_args = [                                   
    "-r",                                                                            
    "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",       
  ]

inside the eks terragrunt.hcl to generate a kubeconfig that reflects the assumed role. Here it tries to use the kubeconfig with the main AWS profile.

from teks.

bainss commented on June 2, 2024

@ArchiFleKs: Thank you for the quick response, still seeing this after setting...

kubeconfig_aws_authenticator_additional_args = [
  "-r",
  "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
  "--region",
  "${local.aws_region}",
]


ArchiFleKs commented on June 2, 2024

@bainss Can you show the directory structure as well as the Terragrunt files?


bainss commented on June 2, 2024

└── live
    └── prod
        ├── common_tags.yaml
        ├── common_values.yaml
        ├── eu-west-1
        │   ├── eks
        │   │   ├── kubeconfig
        │   │   ├── manifests
        │   │   │   ├── calico.yaml
        │   │   │   ├── psp-default-clusterrole.yaml
        │   │   │   ├── psp-default-clusterrolebinding.yaml
        │   │   │   ├── psp-default.yaml
        │   │   │   ├── psp-privileged-clusterrole.yaml
        │   │   │   ├── psp-privileged-clusterrolebinding.yaml
        │   │   │   ├── psp-privileged-node-rolebinding.yaml
        │   │   │   └── psp-privileged.yaml
        │   │   ├── manifests.tf
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   ├── eks-addons
        │   │   ├── examples
        │   │   │   ├── keycloak-values.yaml
        │   │   │   └── kong-values.yaml
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   ├── eks-namespaces
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   └── vpc
        │       ├── provider.tf
        │       └── terragrunt.hcl
        └── terragrunt.hcl


ArchiFleKs commented on June 2, 2024

To walk you through a little bit of it, if you are using AWS Organization and you have a main account and then sub accounts with assume role:

  • You execute Terraform/Terragrunt with your main AWS_PROFILE
  • Then inside each environment you should put the account_id here and also the role_name you can assume in this account from the main account, here
  • Then you should put the same role name and account id into this:
kubeconfig_aws_authenticator_additional_args = [                                   
    "-r",                                                                            
    "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",       
  ]

But the roles are custom to your configuration. Is the role you assume called OrganizationAccountAccessRole? If not, it should reflect your own config.

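The walkthrough above comes down to one invariant: the kubeconfig's credential plugin must assume a role that lives in the same account as the cluster, otherwise the token carries the identity of the main-account profile, which is not mapped in that cluster's aws-auth. The script below is an added example (not code from the teks project or from anyone in this thread) that checks a kubeconfig for exactly that. It assumes the kubeconfig was produced with an `exec` block that runs either aws-iam-authenticator (role passed with `-r`/`--role`) or `aws eks get-token` (role passed with `--role-arn`), and that it is fed in as the JSON form printed by `kubectl config view --raw -o json`. The embedded kubeconfig, account IDs and user names are constructed for the demo.

```python
"""Check that a kubeconfig's exec credential plugin assumes the expected
cross-account role before requesting an EKS token.

Added example, not the teks project's code. Assumes an exec-based kubeconfig
(aws-iam-authenticator or `aws eks get-token`) exported as JSON.
Usage:
  kubectl config view --raw -o json | python3 check_kubeconfig_role.py 111111111111 OrganizationAccountAccessRole
With no arguments it runs against the constructed sample below.
"""
import json
import re
import sys

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")

# Flags that carry a role ARN: -r/--role for aws-iam-authenticator,
# --role-arn for `aws eks get-token`.
ROLE_FLAGS = ("-r", "--role", "--role-arn")

# Constructed sample: shape of `kubectl config view --raw -o json`, three users.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "eks-teks-prod-with-role",
         "user": {"exec": {
             "apiVersion": "client.authentication.k8s.io/v1alpha1",
             "command": "aws-iam-authenticator",
             "args": ["token", "-i", "eks-teks-prod",
                      "-r", "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole",
                      "--region", "eu-west-1"]}}},
        {"name": "eks-teks-prod-no-role",
         "user": {"exec": {
             "apiVersion": "client.authentication.k8s.io/v1alpha1",
             "command": "aws-iam-authenticator",
             "args": ["token", "-i", "eks-teks-prod"]}}},
        {"name": "eks-teks-prod-wrong-account",
         "user": {"exec": {
             "apiVersion": "client.authentication.k8s.io/v1alpha1",
             "command": "aws",
             "args": ["eks", "get-token", "--cluster-name", "eks-teks-prod",
                      "--role-arn", "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"]}}},
    ],
}


def role_from_args(args):
    """Return the role ARN handed to the credential plugin, or None if absent."""
    for i, arg in enumerate(args):
        if arg in ROLE_FLAGS and i + 1 < len(args):
            return args[i + 1]
        for flag in ROLE_FLAGS:          # also accept the --flag=value spelling
            if arg.startswith(flag + "="):
                return arg.split("=", 1)[1]
    return None


def check_kubeconfig(cfg, expected_account, expected_role=None):
    """Return a list of (user_name, 'OK'|'FAIL', detail) for every kubeconfig user."""
    findings = []
    for entry in cfg.get("users", []):
        name = entry.get("name", "?")
        exec_block = (entry.get("user") or {}).get("exec")
        if not exec_block:
            findings.append((name, "FAIL", "no exec credential plugin (static credentials?)"))
            continue
        role = role_from_args(exec_block.get("args") or [])
        if role is None:
            # Without a role flag the plugin signs the token with whatever
            # identity AWS_PROFILE resolves to, i.e. the main-account caller,
            # which the member account's aws-auth does not know.
            findings.append((name, "FAIL", "no role flag: token carries the caller's own identity"))
            continue
        m = ROLE_ARN.match(role)
        if not m:
            findings.append((name, "FAIL", f"malformed role ARN {role!r}"))
            continue
        account, role_name = m.groups()   # role_name keeps any IAM path prefix
        if account != expected_account:
            findings.append((name, "FAIL", f"role lives in account {account}, cluster is in {expected_account}"))
        elif expected_role and role_name != expected_role:
            findings.append((name, "FAIL", f"role {role_name!r} is not the expected {expected_role!r}"))
        else:
            findings.append((name, "OK", f"assumes {role}"))
    return findings


def main():
    if len(sys.argv) < 2:                 # demo mode: constructed sample
        cfg, account, role = SAMPLE_KUBECONFIG, "111111111111", "OrganizationAccountAccessRole"
    else:
        cfg = json.load(sys.stdin)
        account = sys.argv[1]
        role = sys.argv[2] if len(sys.argv) > 2 else None
    findings = check_kubeconfig(cfg, account, role)
    for name, status, detail in findings:
        print(f"{status:4} {name}: {detail}")
    sys.exit(0 if all(s == "OK" for _, s, _ in findings) else 1)


if __name__ == "__main__":
    main()
```

Run it against the file written by the `kubeconfig` after_hook (`kubectl config view --raw -o json --kubeconfig ./kubeconfig | python3 check_kubeconfig_role.py <account_id> <role_name>`) right after `terragrunt apply`; a non-zero exit means the generated kubeconfig would authenticate as the wrong principal, which is worth failing a pipeline on before the later hooks try to use it.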

bainss commented on June 2, 2024

live>prod>terragrunt.hcl

remote_state {
  backend = "s3"

  config = {
    bucket         = "${yamldecode(file("common_values.yaml"))["prefix"]}-tf-state-store-${yamldecode(file("common_tags.yaml"))["Env"]}-${yamldecode(file("common_values.yaml"))["aws_region"]}"
    key            = "${path_relative_to_include()}"
    region         = "${yamldecode(file("common_values.yaml"))["aws_region"]}"
    encrypt        = true
    dynamodb_table = "${yamldecode(file("common_values.yaml"))["prefix"]}-tf-state-store-lock-${yamldecode(file("common_tags.yaml"))["Env"]}-${yamldecode(file("common_values.yaml"))["aws_region"]}"
  }
}

live>prod>eu-west-1>eks>terragrunt.hcl

#iam_role = "arn:aws:iam::${yamldecode(file("common_values.yaml"))["aws_account_id"]}:role/administrator"

include {
  path = "${find_in_parent_folders()}"
}

terraform {
  source = "github.com/terraform-aws-modules/terraform-aws-eks?ref=v11.0.0"

  before_hook "init" {
    commands = ["init"]
    execute  = ["bash", "-c", "wget -O terraform-provider-kubectl https://github.com/gavinbunney/terraform-provider-kubectl/releases/download/v1.3.2/terraform-provider-kubectl-darwin-amd64 && chmod +x terraform-provider-kubectl"]
  }

  after_hook "kubeconfig" {
    commands = ["apply"]
    execute  = ["bash", "-c", "terraform output kubeconfig 2>/dev/null > ${get_terragrunt_dir()}/kubeconfig"]
  }

  after_hook "kube-system-label" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig label ns kube-system name=kube-system --overwrite"]
  }

  after_hook "remove-default-psp" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete psp eks.privileged || true"]
  }

  after_hook "remove-default-psp-clusterrolebinding" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete clusterrolebinding eks:podsecuritypolicy:authenticated || true"]
  }

  after_hook "remove-default-psp-clusterrole" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete clusterrole eks:podsecuritypolicy:privileged || true"]
  }
}

locals {
  aws_region     = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["aws_region"]
  env            = yamldecode(file("${find_in_parent_folders("common_tags.yaml")}"))["Env"]
  aws_account_id = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["aws_account_id"]
  custom_tags    = yamldecode(file("${find_in_parent_folders("common_tags.yaml")}"))
  prefix         = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["prefix"]
  cluster_name   = "eks-${local.prefix}-${local.env}"
}

dependency "vpc" {
  config_path = "../vpc"

  mock_outputs = {
    vpc_id = "vpc-00000000"
    private_subnets = [
      "subnet-00000000",
      "subnet-00000001",
      "subnet-00000002",
    ]
  }
}

inputs = {
  aws = {
    "region" = local.aws_region
  }

  psp_privileged_ns = [
    "istio-system"
  ]

  tags = merge(
    local.custom_tags
  )

  cluster_name     = local.cluster_name
  subnets          = dependency.vpc.outputs.private_subnets
  vpc_id           = dependency.vpc.outputs.vpc_id
  write_kubeconfig = false
  enable_irsa      = true

  kubeconfig_aws_authenticator_additional_args = [
    "-r",
    "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
    "--region",
    "${local.aws_region}",
  ]

  cluster_version           = "1.15"
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  manage_worker_autoscaling_policy = false

  worker_groups_launch_template = [
    {
      name                 = "default-${local.aws_region}a"
      instance_type        = "t3.medium"
      asg_min_size         = 1
      asg_max_size         = 3
      asg_desired_capacity = 1
      subnets              = [dependency.vpc.outputs.private_subnets[0]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
    {
      name                 = "default-${local.aws_region}b"
      instance_type        = "t3.medium"
      asg_min_size         = 0
      asg_max_size         = 3
      asg_desired_capacity = 0
      subnets              = [dependency.vpc.outputs.private_subnets[1]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
    {
      name                 = "default-${local.aws_region}c"
      instance_type        = "t3.medium"
      asg_min_size         = 0
      asg_max_size         = 3
      asg_desired_capacity = 0
      subnets              = [dependency.vpc.outputs.private_subnets[2]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
  ]
}


ArchiFleKs commented on June 2, 2024

If you are running this only inside the same account you do not need to use assume role.

