Merge pull request #57 from kbst/add-support-for-aws-subaccounts

pst · web-flow · commit 4e008fb8b8b8 · 2019-06-13T20:01:54.000+02:00
EKS: Add support for cross account roles
diff --git a/aws/_modules/eks/cluster_services.tf b/aws/_modules/eks/cluster_services.tf
@@ -8,9 +8,11 @@ module "cluster_services" {
   template_string = "${file("${path.module}/templates/kubeconfig.tpl")}"
 
   template_vars = {
-    cluster_name     = "${aws_eks_cluster.current.name}"
-    cluster_endpoint = "${aws_eks_cluster.current.endpoint}"
-    cluster_ca       = "${aws_eks_cluster.current.certificate_authority.0.data}"
+    cluster_name       = "${aws_eks_cluster.current.name}"
+    cluster_endpoint   = "${aws_eks_cluster.current.endpoint}"
+    cluster_ca         = "${aws_eks_cluster.current.certificate_authority.0.data}"
+    caller_id_arn      = "${local.caller_id_arn}"
+    caller_id_arn_type = "${local.caller_id_arn_type}"
 
     # hack, because modules can't have depends_on
     # prevent a race between kubernetes provider and cluster services/kustomize
diff --git a/aws/_modules/eks/provider.tf b/aws/_modules/eks/provider.tf
@@ -1,8 +1,24 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+  arn = "${data.aws_caller_identity.current.arn}"
+}
+
+locals {
+  resource_split     = "${split("/", data.aws_arn.current.resource)}"
+  caller_id_arn_type = "${replace(element(local.resource_split, 0), "assumed-role", "role")}"
+  caller_id_name     = "${element(local.resource_split, 1)}"
+
+  caller_id_arn = "arn:aws:iam::${data.aws_arn.current.account}:${local.caller_id_arn_type}/${local.caller_id_name}"
+}
+
 data "external" "aws_iam_authenticator" {
   program = ["sh", "${path.module}/provider_authenticator.sh"]
 
   query {
-    cluster_name = "${aws_eks_cluster.current.name}"
+    cluster_name       = "${aws_eks_cluster.current.name}"
+    caller_id_arn      = "${local.caller_id_arn}"
+    caller_id_arn_type = "${local.caller_id_arn_type}"
   }
 }
 
diff --git a/aws/_modules/eks/provider_authenticator.sh b/aws/_modules/eks/provider_authenticator.sh
@@ -2,10 +2,13 @@
 set -e
 
 # Extract cluster name from STDIN
-eval "$(jq -r '@sh "CLUSTER_NAME=\(.cluster_name)"')"
+eval "$(jq -r '@sh "CLUSTER_NAME=\(.cluster_name) CALLER_ID_ARN=\(.caller_id_arn) CALLER_ID_ARN_TYPE=\(.caller_id_arn_type)"')"
 
 # Retrieve token with Heptio Authenticator
 TOKEN=$(aws-iam-authenticator token -i $CLUSTER_NAME | jq -r .status.token)
+if [ $CALLER_ID_ARN_TYPE = "role" ]; then
+  TOKEN=$(aws-iam-authenticator token -i $CLUSTER_NAME --role $CALLER_ID_ARN | jq -r .status.token)
+fi
 
 # Output token as JSON
 jq -n --arg token "$TOKEN" '{"token": $token}'
diff --git a/aws/_modules/eks/templates/kubeconfig.tpl b/aws/_modules/eks/templates/kubeconfig.tpl
@@ -22,3 +22,7 @@ users:
         - "token"
         - "-i"
         - "${cluster_name}"
+        %{ if caller_id_arn_type == "role" }
+        - "--role"
+        - "${caller_id_arn}"
+        %{ endif }
diff --git a/common/cluster_services/kubectl_apply.sh b/common/cluster_services/kubectl_apply.sh
@@ -2,11 +2,7 @@
 
 set -e
 
-if [ "$(uname -s)" == "Darwin" ]; then
-    echo "${KUBECONFIG_DATA}" | base64 -D > $KUBECONFIG
-elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then
-    echo "${KUBECONFIG_DATA}" | base64 -d > $KUBECONFIG
-fi
+echo "${KUBECONFIG_DATA}" | base64 --decode > $KUBECONFIG
 
 if [ -s $1 ]
 then
