Closed
Description
Problem
When EKS clusters are created, admin access is currently configured via the aws-auth ConfigMap patch. However, with API_AND_CONFIG_MAP authentication mode, we should be creating EKS access entries directly instead.
Currently, when a new cluster comes up:
- The aws-auth ConfigMap is patched with role mappings
- Users cannot access the cluster until this patch is applied
- If using API mode, access entries must be manually created
Expected Behavior
The cluster creation process should automatically create access entries for:
- admin.posit.teamrole with AmazonEKSClusterAdminPolicy
- SSO PowerUser role (AWSReservedSSO_PowerUser_*) with AmazonEKSClusterAdminPolicy
- Node role with appropriate node policies
Context
This was discovered when accessing partners01-staging, which required manual access entry creation:

```shell
aws eks create-access-entry --cluster-name <cluster> --principal-arn <role-arn>
aws eks associate-access-policy --cluster-name <cluster> --principal-arn <role-arn> \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster
```

Note: SSO role ARNs have a special path format (aws-reserved/sso.amazonaws.com/<region>/) that differs from how they appear in the aws-auth ConfigMap.
Checklist
- Update EKS cluster Pulumi resource to create access entries for admin roles
- Remove or deprecate aws-auth ConfigMap patching
- Handle SSO role ARN format (aws-reserved/sso.amazonaws.com/<region>/ path)
- Test on new cluster creation
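As an added illustration (not the project's Pulumi code) of the ARN handling this checklist asks for: the helper below selects the admin principals named above, keeps the full Identity Center path in the ARN handed to the access entry (as the note in Context implies), and shows the path-stripped form the aws-auth ConfigMap used, so the two are not confused. The account id, SSO role suffix and sample role list are constructed; the policy ARN and role names come from the issue.

```python
import re
from dataclasses import dataclass

# Added illustration, not the project's Pulumi code: constants come from the issue text.
ADMIN_POLICY_ARN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
ADMIN_TEAM_ROLE = "admin.posit.teamrole"
SSO_POWERUSER_NAME = re.compile(r"^AWSReservedSSO_PowerUser_[A-Za-z0-9]+$")
SSO_PATH_PREFIX = "aws-reserved/sso.amazonaws.com/"   # followed by <region>/
# IAM role ARN with an optional (possibly nested) path before the role name.
ROLE_ARN = re.compile(r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role/"
                      r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$")

@dataclass(frozen=True)
class AccessEntrySpec:
    principal_arn: str          # full IAM ARN, path kept, as passed to create-access-entry
    policy_arn: str
    access_scope: str = "cluster"

def parse_role_arn(arn: str) -> dict:
    """Split a role ARN into partition/account/path/name; path is '' or ends with '/'."""
    m = ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.groupdict()

def aws_auth_role_arn(arn: str) -> str:
    """The form the aws-auth ConfigMap mapRoles entry used: the path is dropped."""
    p = parse_role_arn(arn)
    return f"arn:{p['partition']}:iam::{p['account']}:role/{p['name']}"

def is_admin_principal(arn: str) -> bool:
    p = parse_role_arn(arn)
    if p["name"] == ADMIN_TEAM_ROLE:
        return True
    # Trust the PowerUser name only under the Identity Center reserved path; a role with
    # the same name created outside SSO does not get cluster-admin.
    return bool(SSO_POWERUSER_NAME.match(p["name"])) and p["path"].startswith(SSO_PATH_PREFIX)

def admin_access_entries(role_arns: list[str]) -> list[AccessEntrySpec]:
    """One cluster-scoped AmazonEKSClusterAdminPolicy entry per admin principal."""
    return [AccessEntrySpec(a, ADMIN_POLICY_ARN) for a in role_arns if is_admin_principal(a)]

# Constructed sample input (account id and SSO suffix are made up).
SAMPLE_ROLES = [
    "arn:aws:iam::123456789012:role/admin.posit.teamrole",
    "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_PowerUser_0123456789abcdef",
    "arn:aws:iam::123456789012:role/AWSReservedSSO_PowerUser_0123456789abcdef",  # lookalike without SSO path
    "arn:aws:iam::123456789012:role/eks-node-role",
]
```

Running `admin_access_entries(SAMPLE_ROLES)` yields entries for the first two roles only; the path-less lookalike and the node role are skipped, and `aws_auth_role_arn` on the SSO role returns the ConfigMap-style ARN with the path removed.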