Unable to add new access entry to existing eks cluster

sharmastudying652 · February 15, 2024, 10:07am

I am trying to add a new user to my access entry of the eks module , here is my configuration →

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 4.0"

  name = local.name
  cidr = local.vpc_cidr

  azs             = local.azs
  private_subnets = local.private_subnets_cidrs
  public_subnets  = local.public_subnets_cidrs

  enable_nat_gateway = true
  single_nat_gateway = true
  enable_dns_hostnames = true
  create_igw = true

  public_subnet_tags = {
    "kubernetes.io/cluster/${local.name}" = "shared"
    "kubernetes.io/role/elb"             = 1
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${local.name}" = "shared"
    "kubernetes.io/role/internal-elb"    = 1
  }

  tags = local.tags


  map_public_ip_on_launch = true
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"

  cluster_name    = local.name
  cluster_version = "1.28"
  cluster_endpoint_public_access  = true
  cluster_endpoint_private_access = false

  vpc_id     = module.vpc.vpc_id
  subnet_ids = concat(module.vpc.private_subnets, module.vpc.public_subnets)
  cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "To node 1025-65535"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      type                       = "egress"
      source_node_security_group = true
    }
  }
  node_security_group_additional_rules = {
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }
    egress_all = {
      description      = "Node all egress"
      protocol         = "-1"
      from_port        = 0
      to_port          = 0
      type             = "egress"
      cidr_blocks      = ["0.0.0.0/0"]
    }
  }
  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
  }

  eks_managed_node_group_defaults = {
    ami_type       = "AL2_x86_64"
    instance_types = ["m5.large"]
    attach_cluster_primary_security_group = false
  }

  eks_managed_node_groups = {
    mongodb = {
      min_size       = 2
      max_size       = 4
      desired_size   = 2
      instance_types = ["r6a.xlarge", "r5a.xlarge"]
      capacity_type  = "SPOT"
      labels         = {
        Environment = "test"
        Deployment  = "mongodb"
        lifecycle   = "Ec2Spot"
        spot        = "true"
        node-class  = "worker-node"
        role        = "managed-nodes"
      }
      #      additional_security_group_ids = [aws_security_group.public.id]
      cluster_autoscaler_settings = {
        scale_down_utilization_threshold = 0.9
        scan_interval                    = "10s"
        policies                         = [
          {
            name  = "custom-policy"
            rules = [
              {
                action = "add"
                type   = "PodsViolatingConstraints"
              },
            ]
          },
        ]
      }
      taints = {
        dedicated = {
          key    = "spotInstance"
          value  = "true"
          effect = "PREFER_NO_SCHEDULE"
        }
      }
      tags = {
        Deployment = "mongodb"
      }
    }
    perconamongodb = {
      min_size       = 1
      max_size       = 4
      desired_size   = 1
      instance_types = ["t3a.2xlarge"]
      capacity_type  = "SPOT"
      labels         = {
        Environment = "test"
        Deployment  = "perconamongodb"
        lifecycle   = "Ec2spot"
        spot        = "true"
        node-class  = "worker-node"
        role        = "managed-nodes"
      }
      #      additional_security_group_ids = [aws_security_group.public.id]
      cluster_autoscaler_settings = {
        scale_down_utilization_threshold = 0.9
        scan_interval                    = "10s"
        policies                         = [
          {
            name  = "custom-policy"
            rules = [
              {
                action = "add"
                type   = "PodsViolatingConstraints"
              },
            ]
          },
        ]
      }
      taints = {
        dedicated = {
          key    = "perconaspotInstance"
          value  = "true"
          effect = "PREFER_NO_SCHEDULE"
        }
      }
      tags = {
        Deployment = "perconamongodb"
      }
    }
    copilot = {
      min_size       = 1
      max_size       = 3
      desired_size   = 1
      instance_types = ["t3a.large", "r5a.xlarge", "r6a.xlarge"]
      capacity_type  = "SPOT"
      labels         = {
        Environment = "test"
        Deployment  = "copilot"
        lifecycle   = "Ec2spot"
        spot        = "true"
        node-class  = "worker-node"
        role        = "managed-nodes"
      }
      #      additional_security_group_ids = [aws_security_group.public.id]
      cluster_autoscaler_settings = {
        scale_down_utilization_threshold = 0.9
        scan_interval                    = "10s"
        policies                         = [
          {
            name  = "custom-policy"
            rules = [
              {
                action = "add"
                type   = "PodsViolatingConstraints"
              },
            ]
          },
        ]
      }
      taints = {
        dedicated = {
          key    = "copilotspotInstance"
          value  = "true"
          effect = "PREFER_NO_SCHEDULE"
        }
      }
      tags = {
        Deployment = "copilot"
      }
    }
  }

  authentication_mode = "API_AND_CONFIG_MAP"
  enable_cluster_creator_admin_permissions = true
  access_entries = {
      devansh = {
        kubernetes_group = []
        principal_arn     = "arn:aws:iam::XXXXXXXXXX:user/abc"

        policy_associations = {
          admin = {
            policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
            access_scope = {
              namespaces = []
              type       = "cluster"
            }
          }
          }
        }
      prathmesh = {
        kubernetes_group = []
        principal_arn     = "arn:aws:iam::XXXXXXXXX:user/xyz"

        policy_associations = {
          admin = {
            policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
            access_scope = {
              namespaces = []
              type       = "cluster"
            }
          }
          }
        }
    }
  enable_irsa = true

  tags = local.tags
}

when I try to add a new user using this config , I get this error →

module.eks.aws_eks_access_entry.this["cluster_creator"]: Creating...
╷
│ Error: creating EKS Access Entry (mongodb-cluster:arn:aws:iam::645193536862:user/vatsal.sharma): operation error EKS: CreateAccessEntry, https response error StatusCode: 409, RequestID: 7c376cd9-1baa-48f2-9748-09f03c8244bb, ResourceInUseException: The specified access entry resource is already in use on this cluster.
│ 
│   with module.eks.aws_eks_access_entry.this["cluster_creator"],
│   on .terraform/modules/eks/main.tf line 185, in resource "aws_eks_access_entry" "this":
│  185: resource "aws_eks_access_entry" "this" {
│ 
╵

I already have tthis user added to my cluster, and wahnt to add user xyz but get tthis eror everytime I try

parmou · March 14, 2024, 12:13pm

Hey, it’s happening because you have enable_cluster_creator_admin_permissions = true.

From the docs:

When enabling authentication_mode = "API_AND_CONFIG_MAP" , EKS will automatically create an access entry for the IAM role(s) used by managed nodegroup(s) and Fargate profile(s). There are no additional actions required by users. For self-managed nodegroups and the Karpenter sub-module, this project automatically adds the access entry on behalf of users so there are no additional actions required by users.

https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest#cluster-access-entry

joe.bowbeer · August 13, 2024, 3:11pm

Should add something to the FAQ?

github.com/terraform-aws-modules/terraform-aws-eks

ConfigMap "aws-auth": Unauthorized

opened 09:03PM - 29 Jul 24 UTC

sabinayakc

question

## Description When setting up a new cluster using the `eks auth module` with… `manage_aws_auth_configmap = true` , I get the following error message. ``` Error: Have got the following error while validating the existence of the ConfigMap "aws-auth": Unauthorized with module.auth-config.kubernetes_config_map_v1_data.aws_auth[0] on .terraform/modules/auth-config/modules/aws-auth/main.tf line 31, in resource "kubernetes_config_map_v1_data" "aws_auth": resource "kubernetes_config_map_v1_data" "aws_auth" { ``` - [ X] ✋ I have searched the open/closed issues and my issue is not listed. ## ⚠️ Note ## Versions - Module version [Required]: `v20.8.5` - Terraform version: 1.7.5 - Provider version(s): 5.58.0 ## Reproduction Code [Required] ``` module "eks" { source = "terraform-aws-modules/eks/aws//modules/aws-auth" version = "~> 20.0" manage_aws_auth_configmap = true aws_auth_roles = [ { rolearn = "xxxxx" username = "role1" groups = ["system:masters"] }, ] } ``` Steps to reproduce the behavior: - Create a simple eks cluster managed node group from the example. - Add the auth module - Terraform Apply ### Expected Result - Auth Config Map created > Note: I am using Terraform Cloud. ### Terminal Output Screenshot(s) <img width="735" alt="image" src="https://github.com/user-attachments/assets/880b8c65-e4a8-4cee-a6ee-cddbb26c9db7">

Topic		Replies	Views
How to set access control using terraform-aws-eks AWS	0	564	October 28, 2024
AWS EKS - Terraform: Error configmap "aws-auth" does not exist AWS	14	8379	July 7, 2023
Amazon EKS: Unauthorized AWS k8s	2	9022	November 19, 2020
AWS-EKS module is giving error configmap \"aws-auth\" does not exist Kubernetes	3	1773	July 10, 2023
NodeCreationFailure: Instances failed to join the kubernetes cluster Terraform	0	2002	July 6, 2022

Unable to add new access entry to existing eks cluster

Related topics