From 23f29ccd8727cc1fbe8f19ab6b3b71dd37316a00 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Thu, 20 Jun 2024 08:09:27 -0700
Subject: [PATCH] [eks/cluster] Fix AWS SSO support (#1072)

---
 modules/eks/cluster/CHANGELOG.md | 15 +++++++++++++--
 modules/eks/cluster/aws-sso.tf   | 11 ++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/modules/eks/cluster/CHANGELOG.md b/modules/eks/cluster/CHANGELOG.md
index 6ba400649..bef5b7e2f 100644
--- a/modules/eks/cluster/CHANGELOG.md
+++ b/modules/eks/cluster/CHANGELOG.md
@@ -1,4 +1,13 @@
-## Release 1.466.1
+## Release 1.468.0
+
+PR [#1072](https://github.com/cloudposse/terraform-aws-components/pull/1072)
+
+Bugfix:
+
+- Correctly map AWS SSO Permission Sets referenced by `aws_sso_permission_sets_rbac` to IAM Role ARNs.
+- Broken in Release 1.431.1: Update to use AWS Auth API
+
+## Release 1.467.0
 
 PR [#1071](https://github.com/cloudposse/terraform-aws-components/pull/1071)
 
@@ -34,7 +43,9 @@ script.
 This support should be considered an `alpha` version, as it may change when support for Amazon Linux 2023 is added, and
 does not work with Bottlerocket.
 
-## Breaking Changes: Components PR [#1033](https://github.com/cloudposse/terraform-aws-components/pull/1033)
+## Release 1.431.1: Breaking Changes
+
+Components PR [#1033](https://github.com/cloudposse/terraform-aws-components/pull/1033)
 
 ### Major Breaking Changes
 
diff --git a/modules/eks/cluster/aws-sso.tf b/modules/eks/cluster/aws-sso.tf
index 48a398b0f..5e2eaf36f 100644
--- a/modules/eks/cluster/aws-sso.tf
+++ b/modules/eks/cluster/aws-sso.tf
@@ -4,7 +4,7 @@ locals {
 
 
   aws_sso_access_entry_map = {
-    for role in var.aws_sso_permission_sets_rbac : data.aws_iam_roles.sso_roles[role.aws_sso_permission_set] => {
+    for role in var.aws_sso_permission_sets_rbac : tolist(data.aws_iam_roles.sso_roles[role.aws_sso_permission_set].arns)[0] => {
       kubernetes_groups = role.groups
     }
   }
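Review bot: The new map key `tolist(data.aws_iam_roles.sso_roles[...].arns)[0]` is only safe because of the postcondition added further down the file; read on its own, an empty `arns` set would fail with a generic index error rather than the descriptive message that postcondition produces. `one(data.aws_iam_roles.sso_roles[role.aws_sso_permission_set].arns)` states the single-element requirement directly and avoids the set-to-list conversion, though it too errors (null key) when nothing matches, so either form depends on the same invariant. A short comment above the `for`, such as `# Exactly one role ARN per permission set is enforced by the postcondition on data.aws_iam_roles.sso_roles`, would tell the reader why the `[0]` is safe. The enclosing `locals` block closes outside the hunk.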
@@ -14,4 +14,13 @@ data "aws_iam_roles" "sso_roles" {
   for_each    = toset(var.aws_sso_permission_sets_rbac[*].aws_sso_permission_set)
   name_regex  = format("AWSReservedSSO_%s_.*", each.value)
   path_prefix = "/aws-reserved/sso.amazonaws.com/"
+
+  lifecycle {
+    postcondition {
+      condition     = length(self.arns) == 1
+      error_message = length(self.arns) == 0 ? "Could not find Role ARN for the AWS SSO permission set: ${each.value}" : (
+        "Found more than one (${length(self.arns)}) Role ARN for the AWS SSO permission set: ${each.value}"
+      )
+    }
+  }
 }
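Review bot: The postcondition `condition = length(self.arns) == 1` turns ambiguous role matches into a plan-time error, but the `name_regex` it guards (the context line above the added block) interpolates `each.value` unescaped into a pattern that, as far as I know, the provider does not anchor, so a permission set whose name is a prefix of another (or contains a regex metacharacter such as `.`) still matches more than one role and will now fail rather than silently bind the wrong IAM role to the Kubernetes groups. Since this mapping grants cluster access to whichever role matches, it is worth tightening the pattern alongside the check, e.g. `name_regex = format("^AWSReservedSSO_%s_[0-9a-f]+$", each.value)` if the suffix AWS appends is always hexadecimal — confirm against real role names before relying on that. A one-line comment above `lifecycle`, such as `# aws_sso_access_entry_map indexes .arns[0]; require exactly one match per permission set`, would connect this block to the local that depends on it.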