Tweaked the way that role based access works for Heptio auth

cluster.tf

@@ -61,3 +61,7 @@ resource "aws_iam_role" "admin" {
 
   assume_role_policy = "${data.aws_iam_policy_document.admin.json}"
 }
+
+resource "aws_iam_group" "admin" {
+  name = "${var.cluster_name}-eks-kubernetes-admin"
+}

data.tf

@@ -55,6 +55,7 @@ data "aws_iam_policy_document" "admin" {
 
       identifiers = [
         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:group/${var.cluster_name}-eks-kubernetes-admin",
         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Steamhaus",
       ]
     }
@@ -69,6 +70,7 @@ data "template_file" "kubeconfig" {
     endpoint            = "${aws_eks_cluster.cluster.endpoint}"
     region              = "${data.aws_region.current.name}"
     cluster_auth_base64 = "${aws_eks_cluster.cluster.certificate_authority.0.data}"
+    admin_role_arn      = "${aws_iam_role.admin.arn}"
   }
 }
 
@@ -78,6 +80,7 @@ data "template_file" "config_map_aws_auth" {
   vars {
     role_arn           = "${aws_iam_role.workers.arn}"
     admin_role_arn     = "${aws_iam_role.admin.arn}"
+    steamhaus_role_arn = "${var.steamhaus_role_arn}"
   }
 }
 

templates/config-map-aws-auth.yaml.tpl

@@ -14,3 +14,7 @@ data:
       username: kubernetes-admin
       groups:
         - system:masters
+    - rolearn: ${steamhaus_role_arn}
+      username: steamhaus-admin
+      groups:
+        - system:masters

templates/kubeconfig.tpl

@@ -25,3 +25,5 @@ users:
         - "token"
         - "-i"
         - "${cluster_name}"
+        #- "-r"
+        #- "${admin_role_arn}"

variables.tf

@@ -55,3 +55,7 @@ variable "alt_dns_cluster_ip" {
   description = "Alternate DNS cluster IP address on different (non 10.x.x.x) range - this is a fallback"
   default     = "172.20.0.10"
 }
+
+variable "steamhaus_role_arn" {
+  description = "Role ARN within the account for Steamhaus federated access"
+}