Add EKS cluster auth token data resource continued #7438
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
added
size/L
bflad
added
dependencies
bflad
reviewed
Feb 4, 2019
There was a problem hiding this comment.
Hi @mbarrien 👋 Thanks for continuing this work! I left a few smaller things below for review but the larger items are:
- This is still missing Terraform website documentation for the new data source (sidebar link in
website/aws.erband a newwebsite/docs/d/eks_cluster_auth.html.markdownpage as noted in https://github.com/terraform-providers/terraform-provider-aws/blob/master/.github/CONTRIBUTING.md#new-resource) - We are vendoring our Go module dependencies in this repository until Go module caching becomes more stable and prevalent. This will also fix the TravisCI failures. Please run the following:
go mod tidy
go mod vendor
Please reach out if you have any questions or issues. Thanks!
bflad
added
the
waiting-response
This allows Terraform to authenticate with an EKS cluster via the
Kubernetes provider:
```hcl
resource "aws_eks_cluster" "foo" {
name = "foo"
}
data "aws_eks_cluster_auth" "foo_auth" {
name = "foo"
}
provider "kubernetes" {
host = "${aws_eks_cluster.foo.endpoint}"
cluster_ca_certificate = "${base64decode(aws_eks_cluster.foo.certificate_authority.0.data)}"
token = "${data.aws_eks_cluster_auth.foo_auth.token}"
}
```
The auth logic was extracted from
https://github.com/heptio/aws-iam-authenticator because of lack of
documentation from AWS. Basically, the token is a signed URL for the
GetCallerIdentity action with a custom header. The URL is then base64
encoded and prefixed with vendor string.
mbarrien
force-pushed
the
eks-cluster-auth
branch
from
85ddb7d
to
19b4eb0
Compare
ghost
added
size/XXL
|
All suggestions done. Please re-review. |
ghost
removed
the
waiting-response
|
Looks like the build is currently failing according to TravisCI: |
mbarrien
force-pushed
the
eks-cluster-auth
branch
from
19b4eb0
to
28a811f
Compare
|
Fixed, and added a missing file. |
|
I'm going to hate raining on my own parade here, but since token gets written to the data source state, this essentially means that a valid authentication token can get written to a tfstate file. This can be a security risk. (That said, other solutions like the following also suffer from the same issue.) data "external" "aws-iam-authenticator" {
program = ["sh", "-c", "result=$(aws-iam-authenticator token -i '${var.name}' --token-only) && echo {\\\"token\\\":\\\"$${result}\\\"}"]
} |
alexsomesan
reviewed
Feb 6, 2019
bflad
approved these changes
Feb 6, 2019
There was a problem hiding this comment.
Looks good to me, thanks so much @mbarrien and @evilmarty!!! 🚀
--- PASS: TestAccAWSEksClusterAuthDataSource_basic (3.95s)
|
This has been released in version 1.58.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
bflad
added a commit
that referenced
this pull request
Jan 31, 2020
…kg/token to internal implementation Reference: #11697 Reference: #8453 Reference: #7438 Reference: #4904 Including the Kubernetes ecosystem dependency rather than hard copying the implementation was originally for a few concerns as noted in #4904 (comment). Since its introduction, the upstream implementation has remained stable with respects to the GetWithSTS token generator implementation we use. However, changes to the surrounding upstream package code and its broad transitive dependencies have prevented a clear upgrade path since github.com/kubernetes-sigs/aws-iam-authenticator@v0.4.0 (now re-verified with v0.5.0), where Terraform AWS Provider builds cannot succeed on solaris/amd64: ```console $ gox -os='linux darwin windows freebsd openbsd solaris' -arch='386 amd64 arm' -osarch='!darwin/arm !darwin/386' -ldflags '-s -w -X aws/version.ProviderVersion=99.99.99 -X aws/version.ProtocolVersion=4' -output 'results/{{.OS}}_{{.Arch}}/terraform-provider-aws_v99.99.99_x4' . ... 1 errors occurred: --> solaris/amd64 error: exit status 2 Stderr: # github.com/gofrs/flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:28:22: undefined: syscall.LOCK_EX ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:39:22: undefined: syscall.LOCK_SH ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:56:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:66:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:96:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:96:42: undefined: syscall.LOCK_UN ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:118:21: undefined: syscall.LOCK_EX ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:130:21: undefined: syscall.LOCK_SH ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:9: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:44: undefined: syscall.LOCK_NB ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:44: too many errors ``` This issue is non-obvious to contributors and maintainers as we do not perform cross-compilation build testing in CI during pull requests since it is very time prohibitive. Rather than leave this single data source's dependency in an unstable state, instead we opt to hard copy the relevant upstream Go package and prune that package to only the code we use, removing many unnecessary dependencies. Updated via: ```console $ go mod tidy $ go mod vendor ``` Output from acceptance testing: ``` --- PASS: TestAccAWSEksClusterAuthDataSource_basic (15.00s) ```
bflad
added a commit
that referenced
this pull request
Feb 4, 2020
…kg/token to internal implementation (#11822) * deps: Migrate from github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token to internal implementation Reference: #11697 Reference: #8453 Reference: #7438 Reference: #4904 Including the Kubernetes ecosystem dependency rather than hard copying the implementation was originally for a few concerns as noted in #4904 (comment). Since its introduction, the upstream implementation has remained stable with respects to the GetWithSTS token generator implementation we use. However, changes to the surrounding upstream package code and its broad transitive dependencies have prevented a clear upgrade path since github.com/kubernetes-sigs/aws-iam-authenticator@v0.4.0 (now re-verified with v0.5.0), where Terraform AWS Provider builds cannot succeed on solaris/amd64: ```console $ gox -os='linux darwin windows freebsd openbsd solaris' -arch='386 amd64 arm' -osarch='!darwin/arm !darwin/386' -ldflags '-s -w -X aws/version.ProviderVersion=99.99.99 -X aws/version.ProtocolVersion=4' -output 'results/{{.OS}}_{{.Arch}}/terraform-provider-aws_v99.99.99_x4' . ... 1 errors occurred: --> solaris/amd64 error: exit status 2 Stderr: # github.com/gofrs/flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:28:22: undefined: syscall.LOCK_EX ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:39:22: undefined: syscall.LOCK_SH ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:56:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:66:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:96:12: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:96:42: undefined: syscall.LOCK_UN ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:118:21: undefined: syscall.LOCK_EX ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:130:21: undefined: syscall.LOCK_SH ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:9: undefined: syscall.Flock ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:44: undefined: syscall.LOCK_NB ../../../../go/pkg/mod/github.com/gofrs/flock@v0.7.0/flock_unix.go:149:44: too many errors ``` This issue is non-obvious to contributors and maintainers as we do not perform cross-compilation build testing in CI during pull requests since it is very time prohibitive. Rather than leave this single data source's dependency in an unstable state, instead we opt to hard copy the relevant upstream Go package and prune that package to only the code we use, removing many unnecessary dependencies. Updated via: ```console $ go mod tidy $ go mod vendor ``` Output from acceptance testing: ``` --- PASS: TestAccAWSEksClusterAuthDataSource_basic (15.00s) ``` * internal/service/eks/token: Fix linting issues from upstream code Previously: ``` aws/internal/service/eks/token/token.go:74:8: `conjuction` is a misspelling of `conjunction` (misspell) // in conjuction with CloudTrail to determine the identity of the individual ^ aws/internal/service/eks/token/token_test.go:144:20: S1019: should use make([]byte, maxTokenLenBytes + 1) instead (gosimple) b := make([]byte, maxTokenLenBytes+1, maxTokenLenBytes+1) ^ ```
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a continuation of #4904 to create the aws_eks_cluster_auth data source for authentication tokens. This PR keeps the same interface (removing the duration flag), and on the backend uses the aws-iam-authenticator's token library directly instead of rolling our own implementation. It is also rebased against the head of master, so it includes the changeover to go modules mentioned in the predecessor PR.
Note that we had to specify a non-tagged version of aws-iam-authenticator; the most recent tagged version lacks the GetWithSTS api that we rely on. go.mod/go.sum reflects this.
Output from acceptance testing: