[New Resource]: Add EKS cluster IAM access management API resources

[seifrajhi]

Description

AWS Announced new EKS feature that simplifies controls for IAM cluster access management, and AWS SDK Go v2 has been released including this feature.

As a prerequisite the authenticationMode of the cluster should be either API or API_AND_CONFIG_MAP

Requested Resource(s) and/or Data Source(s)

1- access_entry

resource "access_entry" "foo" {
  cluster_name = "my_cluster"
  iam_principal_arn = "IAM_PRINCIPAL_ARN"
}

2- access_policy_association

resource "access_policy_association" "bar" {
  cluster_name = "my_cluster"
  iam_principal_arn = "IAM_PRINCIPAL_ARN"
  iam_policy_arn = "arn:aws:eks::aws:cluster-access-policy/XXXX"
}

where XXXX = AmazonEKSAdminPolicy , AmazonEKSClusterAdminPolicy , AmazonEKSEditPolicy or AmazonEKSViewPolicy

Potential Terraform Configuration

No response

References

1- Announcement: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-eks-controls-iam-cluster-access-management/

2- Blog post: https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/

3- AWS SDK go v2 CHANGELOG: https://github.com/aws/aws-sdk-go-v2/blob/main/service/eks/CHANGELOG.md#v1360-2023-12-18

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[sidewinder12s]

Likely also need to update the cluster config resources to support setting the authenticationMode right?

[seifrajhi]

Hey @sidewinder12s,

Yes, I have mentioned that in the issue description:

As a prerequisite the authenticationMode of the cluster should be either API or API_AND_CONFIG_MAP

[bryantbiggs]

cc @wellsiau-aws / @meetreks - if you want to open the PR now

[wellsiau-aws]

@meetreks and @sasidhar-aws is actively working on this

[gothrek22]

Access entry requires a lot more params, most of them optional, compared to what's requested here. I.e.:

resource aws_eks_access_entry example {
  iam_role = arn:aws:iam::012345678910:role/MyRole
  username = "my-other-username" (optional)
  kubernetes_groups = "my-other-group" (optional)
  type = "" (optional, options are: 
    EC2_LINUX
    EC2_WINDOWS
    FARGATE_LINUX
    STANDARD
  )
}

As entries for node bootstrap also need to be supported. Same with authenticationMode, which needs a note that it's a one way street if you go from API_AND_CONFIG_MAP to API. And that should be a new optional param within aws_eks_cluster imho. Wit the default of CONFIG_MAP. That way it's backwards compatible.

Here's a good doc on what is covered by this change: aws/containers-roadmap#185 (comment)

[github-actions]

This functionality has been released in v5.33.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[stevehipwell]

FYI there are comments on #35037 suggesting that this hasn't been implemented correctly.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.