add validation for access entry

CMS-Enterprise · Jun 11, 2024 · b6cd285 · b6cd285
1 parent fa57b1b
commit b6cd285
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 15 deletions.
diff --git a/eks.tf b/eks.tf
@@ -2,6 +2,7 @@ module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "20.11.0"
 
+  access_entries                               = var.eks_access_entries
   authentication_mode                          = "API_AND_CONFIG_MAP"
   cloudwatch_log_group_class                   = "STANDARD"
   cloudwatch_log_group_kms_key_id              = module.cloudwatch_kms.key_arn
@@ -41,21 +42,6 @@ module "eks" {
   tags                                         = merge(var.eks_cluster_tags, { Name = local.cluster_name })
   vpc_id                                       = data.aws_vpc.vpc.id
 
-  access_entries = merge(var.eks_access_entries, {
-    main = {
-      principal_arn = "arn:${data.aws_caller_identity.current.provider}:iam::${data.aws_caller_identity.current.account_id}:role/ct-ado-batcave-application-admin"
-      type          = "STANDARD"
-      policy_associations = {
-        admin = {
-          policy_arn = "arn:${data.aws_caller_identity.current.provider}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
-    }
-  })
-
   cluster_addons = {
     coredns = {
       most_recent = true

diff --git a/variables.tf b/variables.tf
@@ -79,6 +79,11 @@ variable "eks_access_entries" {
     }))
   }))
   default = {}
+
+  validation {
+    condition     = !contains(keys(var.eks_access_entries), "cluster_creator")
+    error_message = "The access entry name 'cluster_creator' is not allowed"
+  }
 }
 
 variable "eks_cluster_tags" {