AWS Amazon EKS Identity Provider Config

This page shows how to write Terraform and CloudFormation for Amazon EKS Identity Provider Config and write them securely.

aws_eks_identity_provider_config (Terraform)

The Identity Provider Config in Amazon EKS can be configured in Terraform with the resource name aws_eks_identity_provider_config. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • cluster_name - (Required) Name of the EKS Cluster.
  • oidc - (Required) Nested attribute containing OpenID Connect identity provider information for the cluster. Detailed below.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

oidc Configuration Block

  • client_id - (Required) Client ID for the OpenID Connect identity provider.
  • groups_claim - (Optional) The JWT claim that the provider will use to return groups.
  • groups_prefix - (Optional) A prefix that is prepended to group claims, e.g., oidc:.
  • identity_provider_config_name - (Required) The name of the identity provider config.
  • issuer_url - (Required) Issuer URL for the OpenID Connect identity provider.
  • required_claims - (Optional) The key value pairs that describe required claims in the identity token.
  • username_claim - (Optional) The JWT claim that the provider will use as the username.
  • username_prefix - (Optional) A prefix that is prepended to username claims.

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the EKS Identity Provider Configuration.
  • id - EKS Cluster name and EKS Identity Provider Configuration name separated by a colon (:).
  • status - Status of the EKS Identity Provider Configuration.
  • tags_all - A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
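A worked configuration of the resource described above, added here as an example (it is not from the page or from the Terraform provider docs). It assumes an aws_eks_cluster resource named "this", an OIDC issuer at the placeholder URL https://login.example.com/, and the Kubernetes provider for the RBAC binding; it shows why the prefix arguments matter: RBAC subjects must use the prefixed names, which keeps identities supplied by an external IdP from colliding with Kubernetes built-in names such as the system: groups.

```hcl
# Added example: external OIDC identity provider for an existing EKS cluster.
# "aws_eks_cluster.this" and the issuer URL are assumptions, not values from the page.
resource "aws_eks_identity_provider_config" "external_oidc" {
  cluster_name = aws_eks_cluster.this.name

  oidc {
    identity_provider_config_name = "corp-sso"
    issuer_url                    = "https://login.example.com/" # placeholder; must be HTTPS
    client_id                     = "eks-kube-api"               # audience the IdP issues tokens for

    # Which JWT claims become the Kubernetes username and group list.
    username_claim = "email"
    groups_claim   = "groups"

    # Prefixes namespace externally supplied identities so an IdP group named
    # "system:masters" cannot become the built-in Kubernetes group of that name.
    username_prefix = "oidc:"
    groups_prefix   = "oidc:"

    # Tokens missing these claim values are rejected by the API server.
    required_claims = {
      "hd" = "example.com"
    }
  }

  tags = {
    Environment = "prod"
  }
}

# RBAC binding that consumes the prefixed group name. Least privilege: the
# built-in "view" ClusterRole, not cluster-admin.
resource "kubernetes_cluster_role_binding" "platform_readers" {
  metadata {
    name = "oidc-platform-readers"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "oidc:platform-readers" # groups_prefix + group claim value
  }
}
```

A binding whose subject uses the unprefixed name (platform-readers) would silently match nothing once groups_prefix is set, so check existing RBAC manifests when introducing a prefix.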

Explanation in Terraform Registry

Manages an EKS Identity Provider Configuration.

Tips: Best Practices for The Other AWS Amazon EKS Resources

In addition to aws_eks_cluster, AWS Amazon EKS has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.

aws_eks_cluster

Ensure public access for AWS EKS cluster endpoint is disabled

It is better to disable public access for the AWS EKS cluster endpoint. To reduce the security risk, it is recommended to disable public access and to connect to the cluster endpoint from within the VPC instead.

Review your AWS Amazon EKS settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check that your .tf files cover them.

AWS::EKS::Cluster Provider (CloudFormation)

The Cluster Provider in EKS can be configured in CloudFormation with the resource name AWS::EKS::Cluster Provider. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

KeyArn
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric, created in the same region as the cluster, and if the KMS key was created in a different account, the user must have access to the KMS key. For more information, see Allowing Users in Other Accounts to Use a KMS key in the AWS Key Management Service Developer Guide.
Required: No
Type: String
Update requires: No interruption

Explanation in CloudFormation Registry

Identifies the AWS Key Management Service (AWS KMS) key used to encrypt the secrets.

Frequently asked questions

What is AWS Amazon EKS Identity Provider Config?

AWS Amazon EKS Identity Provider Config is a resource for Amazon EKS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.