
Save the cluster creator role #168

Closed
nitrocode opened this issue Sep 15, 2022 · 2 comments · Fixed by #206

Comments

@nitrocode
Member

nitrocode commented Sep 15, 2022


Describe the Feature

Save the cluster creator role in SSM and add to the cluster as a tag

Use Case

If the user is locked out and the CloudTrail event is missing, an AWS support ticket needs to be created to find the ClusterCreator event to dig out the IAM role; then the IAM role can be assumed to update the kube config map to get access again.

Describe Ideal Solution

Save the cluster creator role in SSM and add to the cluster as a tag. If we get the value of the tag from SSM and put a lifecycle ignore changes on the SSM param value, then subsequent applies by a different role will not update the SSM value.

Alternatives Considered

N/A

Additional Context
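
One way to build the ideal solution described in this issue, as an added example that is not part of the issue or of the module's own code: the caller identity is written to an SSM parameter on the first apply, frozen with `ignore_changes`, and surfaced on the cluster as a tag. It assumes the variables `cluster_name`, `cluster_role_arn` and `subnet_ids` and the parameter path `/eks/<cluster>/cluster-creator-arn`, and it also normalises an STS assumed-role ARN to the underlying IAM role ARN, which is the assume_role case nnsense raises in the comments.

```hcl
# Added example (not the module's code). Assumed inputs:
variable "cluster_name" { type = string }
variable "cluster_role_arn" { type = string }
variable "subnet_ids" { type = list(string) }

data "aws_caller_identity" "current" {}

locals {
  caller_arn = data.aws_caller_identity.current.arn

  # When Terraform runs under assume_role the caller ARN looks like
  # arn:aws:sts::<account>:assumed-role/<RoleName>/<session>, which cannot be
  # assumed directly later. regex() errors on no match, so wrap it in try();
  # the capture groups are [account_id, role_name].
  assumed_role = try(
    regex("^arn:aws:sts::(\\d+):assumed-role/([^/]+)/", local.caller_arn),
    null
  )

  # Store the plain IAM role ARN for an assumed role, otherwise the caller ARN
  # itself (an IAM user or a role used without a session).
  cluster_creator_arn = local.assumed_role == null ? local.caller_arn : format(
    "arn:aws:iam::%s:role/%s", local.assumed_role[0], local.assumed_role[1]
  )
}

resource "aws_ssm_parameter" "cluster_creator" {
  name  = "/eks/${var.cluster_name}/cluster-creator-arn" # assumed path
  type  = "String"
  value = local.cluster_creator_arn

  lifecycle {
    # Only the first apply writes the value. A later apply run by a different
    # role would otherwise overwrite the breadcrumb needed to recover access.
    ignore_changes = [value]
  }
}

resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  tags = {
    # Read the frozen parameter value back rather than the live caller identity,
    # so the tag keeps pointing at the original creator across applies.
    ClusterCreator = aws_ssm_parameter.cluster_creator.value
  }
}
```

On a lockout, the stored ARN can be read from the parameter (or the tag) and assumed to repair the aws-auth config map, with the caveat that whoever can read the parameter learns which role has cluster-admin, so scope `ssm:GetParameter` on that path accordingly.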

@nnsense
Contributor

nnsense commented Jun 4, 2023

In all honesty, it's not really a requirement the majority would expect to find in a shared module; it seems more like a personal need to me, most of us aren't relying at all on that initial role.
First and foremost, you should deploy using a pipeline which should be set with a pre-defined role, so you shouldn't wonder what it was, also because you usually want to set a specific role with the right permissions to deploy, not a multitude of roles. If you have a number of devs deploying clusters, then you can use something like terragrunt to set a tag for you:

createdby = split("/", get_aws_caller_identity_arn())[1]

Or you can use plain terraform with data "aws_caller_identity" "current" {} to get the arn and set it as a tag.

Anyway, in my opinion the best choice is to add a predefined role using the map_additional_iam_roles feature of this module: first, you're not exposing anything as a tag, and second, getting the exact role might be challenging if there is an "assume_role" in the mix.

@Gowiem
Member

Gowiem commented Oct 5, 2023

I think this is a smart move to implement 👍 Would definitely save a bunch of people who aren't sophisticated terraform / EKS operators from losing track of the role / user that created their cluster.
