Comments (7)
@bainss : I think you should use the https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/variables.tf#L171

kubeconfig_aws_authenticator_additional_args = [
  "-r",
  "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
]

inside the eks terragrunt.hcl to generate a kubeconfig that reflects the assumed role. Here it tries to use the kubeconfig with the main AWS profile.
from teks.
@ArchiFleKs: Thank you for the quick response, still seeing this after setting...

kubeconfig_aws_authenticator_additional_args = [
  "-r",
  "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
  "--region",
  "${local.aws_region}",
]
@bainss Can you show the directory structure as well as the Terragrunt files?
└── live
    └── prod
        ├── common_tags.yaml
        ├── common_values.yaml
        ├── eu-west-1
        │   ├── eks
        │   │   ├── kubeconfig
        │   │   ├── manifests
        │   │   │   ├── calico.yaml
        │   │   │   ├── psp-default-clusterrole.yaml
        │   │   │   ├── psp-default-clusterrolebinding.yaml
        │   │   │   ├── psp-default.yaml
        │   │   │   ├── psp-privileged-clusterrole.yaml
        │   │   │   ├── psp-privileged-clusterrolebinding.yaml
        │   │   │   ├── psp-privileged-node-rolebinding.yaml
        │   │   │   └── psp-privileged.yaml
        │   │   ├── manifests.tf
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   ├── eks-addons
        │   │   ├── examples
        │   │   │   ├── keycloak-values.yaml
        │   │   │   └── kong-values.yaml
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   ├── eks-namespaces
        │   │   ├── providers.tf
        │   │   └── terragrunt.hcl
        │   └── vpc
        │       ├── provider.tf
        │       └── terragrunt.hcl
        └── terragrunt.hcl
To walk you through a little bit of it, if you are using AWS Organization and you have a main account and then sub accounts with assume role:
- You execute Terraform/Terragrunt with your main AWS_PROFILE
- Then inside each environment you should put the account_id here and also the role_name you can assume in this account from the main account, here
- Then you should put the same role name and account id into this:

  kubeconfig_aws_authenticator_additional_args = [
    "-r",
    "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
  ]

But the roles are custom to your configuration. Is the role you assume called OrganizationAccountAccessRole? If not it should reflect your own config
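The walkthrough above says the generated kubeconfig has to carry the same account id and role name that Terragrunt assumes; if it does not, kubectl silently falls back to the main AWS_PROFILE. The following checker is an added example (not code from the teks project or the terraform-aws-eks module) that verifies this after `terraform output kubeconfig` has been written. It assumes the kubeconfig is fed in as JSON (the shape `kubectl config view --raw -o json` prints) and that the current context's user authenticates through an exec plugin such as aws-iam-authenticator whose args contain `-r <role-arn>` and optionally `--region <region>`, which is what `kubeconfig_aws_authenticator_additional_args` produces. The account id, cluster name, and endpoint in the sample are constructed placeholders; the function names are this example's own.

```python
"""Verify that an EKS kubeconfig authenticates through the intended cross-account role.

Added example, not part of the teks project. Assumes an exec-plugin kubeconfig in
JSON form whose args carry `-r <role-arn>` (and optionally `--region <region>`).
"""
import json
import re

# IAM role ARN: arn:aws:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def _sample_kubeconfig(exec_args):
    """Build a constructed kubeconfig (JSON text) with the given exec plugin args."""
    name = "eks-demo-prod"  # constructed cluster/context name
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Config",
        "current-context": name,
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "clusters": [{"name": name,
                      "cluster": {"server": "https://EXAMPLE.gr7.eu-west-1.eks.amazonaws.com"}}],
        "users": [{"name": name,
                   "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1alpha1",
                                     "command": "aws-iam-authenticator",
                                     "args": exec_args}}}],
    })


# Constructed sample: kubeconfig generated with the additional args from the thread.
SAMPLE_KUBECONFIG_JSON = _sample_kubeconfig([
    "token", "-i", "eks-demo-prod",
    "-r", "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole",  # placeholder account
    "--region", "eu-west-1",
])

# Constructed sample of the failure mode: no -r, so the main profile identity is used.
SAMPLE_KUBECONFIG_NO_ROLE_JSON = _sample_kubeconfig([
    "token", "-i", "eks-demo-prod", "--region", "eu-west-1",
])


def exec_args_for_current_context(kubeconfig: dict) -> list:
    """Return the exec plugin args of the user bound to current-context, or [] if none."""
    ctx_name = kubeconfig.get("current-context")
    ctx = next((c["context"] for c in kubeconfig.get("contexts", []) if c["name"] == ctx_name), None)
    if ctx is None:
        return []
    user = next((u["user"] for u in kubeconfig.get("users", []) if u["name"] == ctx["user"]), {})
    return list(user.get("exec", {}).get("args", []))


def flag_value(args: list, flag: str):
    """Value following `flag` in an argv-style list, or None if the flag is absent."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def check_kubeconfig(kubeconfig_json: str, expected_account_id: str,
                     expected_role_name: str, expected_region: str = None) -> list:
    """Return a list of findings; an empty list means the kubeconfig matches expectations."""
    findings = []
    args = exec_args_for_current_context(json.loads(kubeconfig_json))
    if not args:
        return ["current-context user has no exec plugin; kubectl will use ambient credentials"]
    role_arn = flag_value(args, "-r") or flag_value(args, "--role")
    if role_arn is None:
        findings.append("no -r/--role argument: the authenticator will use the caller's own "
                        "identity (the main AWS_PROFILE) instead of assuming the account role")
    else:
        m = ROLE_ARN_RE.match(role_arn)
        if not m:
            findings.append(f"malformed role ARN: {role_arn}")
        else:
            account_id, role_name = m.groups()
            if account_id != expected_account_id:
                findings.append(f"role ARN account {account_id} != expected {expected_account_id}")
            if role_name != expected_role_name:
                findings.append(f"role name {role_name} != expected {expected_role_name}")
    if expected_region is not None:
        region = flag_value(args, "--region")
        if region != expected_region:
            findings.append(f"--region is {region!r}, expected {expected_region!r}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_KUBECONFIG_JSON, SAMPLE_KUBECONFIG_NO_ROLE_JSON):
        result = check_kubeconfig(sample, "111122223333", "OrganizationAccountAccessRole", "eu-west-1")
        print(result or ["OK"])
```

In practice you would pipe the real file through `kubectl --kubeconfig <path> config view --raw -o json` and pass the expected account id and role name from the same `common_values.yaml` locals Terragrunt reads, so a kubeconfig that still points at the main profile (the symptom in this thread) is caught before any `kubectl` hook runs against the wrong identity.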
live>prod>terragrunt.hcl
remote_state {
  backend = "s3"
  config = {
    bucket         = "${yamldecode(file("common_values.yaml"))["prefix"]}-tf-state-store-${yamldecode(file("common_tags.yaml"))["Env"]}-${yamldecode(file("common_values.yaml"))["aws_region"]}"
    key            = "${path_relative_to_include()}"
    region         = "${yamldecode(file("common_values.yaml"))["aws_region"]}"
    encrypt        = true
    dynamodb_table = "${yamldecode(file("common_values.yaml"))["prefix"]}-tf-state-store-lock-${yamldecode(file("common_tags.yaml"))["Env"]}-${yamldecode(file("common_values.yaml"))["aws_region"]}"
  }
}
live>prod>eu-west-1>eks>terragrunt.hcl

#iam_role = "arn:aws:iam::${yamldecode(file("common_values.yaml"))["aws_account_id"]}:role/administrator"

include {
  path = "${find_in_parent_folders()}"
}

terraform {
  source = "github.com/terraform-aws-modules/terraform-aws-eks?ref=v11.0.0"

  before_hook "init" {
    commands = ["init"]
    execute  = ["bash", "-c", "wget -O terraform-provider-kubectl https://github.com/gavinbunney/terraform-provider-kubectl/releases/download/v1.3.2/terraform-provider-kubectl-darwin-amd64 && chmod +x terraform-provider-kubectl"]
  }

  after_hook "kubeconfig" {
    commands = ["apply"]
    execute  = ["bash", "-c", "terraform output kubeconfig 2>/dev/null > ${get_terragrunt_dir()}/kubeconfig"]
  }

  after_hook "kube-system-label" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig label ns kube-system name=kube-system --overwrite"]
  }

  after_hook "remove-default-psp" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete psp eks.privileged || true"]
  }

  after_hook "remove-default-psp-clusterrolebindind" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete clusterrolebinding eks:podsecuritypolicy:authenticated || true"]
  }

  after_hook "remove-default-psp-clusterrole" {
    commands = ["apply"]
    execute  = ["bash", "-c", "kubectl --kubeconfig ${get_terragrunt_dir()}/kubeconfig delete clusterrole eks:podsecuritypolicy:privileged || true"]
  }
}

locals {
  aws_region     = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["aws_region"]
  env            = yamldecode(file("${find_in_parent_folders("common_tags.yaml")}"))["Env"]
  aws_account_id = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["aws_account_id"]
  custom_tags    = yamldecode(file("${find_in_parent_folders("common_tags.yaml")}"))
  prefix         = yamldecode(file("${find_in_parent_folders("common_values.yaml")}"))["prefix"]
  cluster_name   = "eks-${local.prefix}-${local.env}"
}

dependency "vpc" {
  config_path = "../vpc"
  mock_outputs = {
    vpc_id = "vpc-00000000"
    private_subnets = [
      "subnet-00000000",
      "subnet-00000001",
      "subnet-00000002",
    ]
  }
}

inputs = {
  aws = {
    "region" = local.aws_region
  }

  psp_privileged_ns = [
    "istio-system"
  ]

  tags = merge(
    local.custom_tags
  )

  cluster_name    = local.cluster_name
  subnets         = dependency.vpc.outputs.private_subnets
  vpc_id          = dependency.vpc.outputs.vpc_id
  write_kubeconfig = false
  enable_irsa      = true

  kubeconfig_aws_authenticator_additional_args = [
    "-r",
    "arn:aws:iam::${local.aws_account_id}:role/OrganizationAccountAccessRole",
    "--region",
    "${local.aws_region}",
  ]

  cluster_version           = "1.15"
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  manage_worker_autoscaling_policy = false

  worker_groups_launch_template = [
    {
      name                 = "default-${local.aws_region}a"
      instance_type        = "t3.medium"
      asg_min_size         = 1
      asg_max_size         = 3
      asg_desired_capacity = 1
      subnets              = [dependency.vpc.outputs.private_subnets[0]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
    {
      name                 = "default-${local.aws_region}b"
      instance_type        = "t3.medium"
      asg_min_size         = 0
      asg_max_size         = 3
      asg_desired_capacity = 0
      subnets              = [dependency.vpc.outputs.private_subnets[1]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
    {
      name                 = "default-${local.aws_region}c"
      instance_type        = "t3.medium"
      asg_min_size         = 0
      asg_max_size         = 3
      asg_desired_capacity = 0
      subnets              = [dependency.vpc.outputs.private_subnets[2]]
      autoscaling_enabled  = true
      root_volume_size     = 50
      tags = [
        {
          key                 = "CLUSTER_ID"
          value               = local.cluster_name
          propagate_at_launch = true
        },
      ]
    },
  ]
}
If you are running this only inside the same account you do not need to use assume role.