use a data source instead of aws cli

Author: clstokes

terraform/aws/aws-eks-operator/README.md

@@ -17,19 +17,17 @@ This example creates the following:
 
 ## Prerequisites
 
-- The configuration as-is uses currently only works on macOS or Linux clients. Remove or comment out the `null_resource` provisioners that deploy `tailscale-api-server-ha-proxy.yaml` for the [high availability API server proxy](https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy) to run from other platforms.
-- Requires the [AWS CLI](https://aws.amazon.com/cli/) for initial authentication to the created AWS EKS cluster.
-- Create a [Tailscale OAuth Client](https://tailscale.com/kb/1215/oauth-clients#setting-up-an-oauth-client) with appropriate scopes
-- Ensure you have AWS CLI configured with appropriate permissions for EKS
-- Install `kubectl` for cluster access after deployment
+- Follow the [Kubernetes Operator prerequisites](https://tailscale.com/kb/1236/kubernetes-operator#prerequisites).
+- For the [high availability API server proxy](https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy#configuring-a-high-availability-api-server-proxy):
+    - The configuration as-is uses currently only works on macOS or Linux clients. Remove or comment out the `null_resource` provisioners that deploy `tailscale-api-server-ha-proxy.yaml`  to run from other platforms.
+    - Requires the [kubectl CLI](https://kubernetes.io/docs/reference/kubectl/) and [AWS CLI](https://aws.amazon.com/cli/).
+
 
 ## To use
 
 Follow the documentation to configure the Terraform providers:
 
 - [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
-- [Kubernetes](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs)
-- [Helm](https://registry.terraform.io/providers/hashicorp/helm/latest/docs)
 
 ### Configure variables
 
@@ -59,7 +57,7 @@ Check that the Tailscale operator is running:
 
 ```shell
 kubectl get pods -n tailscale
-kubectl logs -n tailscale -l app.kubernetes.io/name=tailscale-operator
+kubectl logs -n tailscale -l app.kubernetes.io/name=$(terraform output -raw operator_name)
 ```
 
 #### Verify connectivity via the [API server proxy](https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy)

terraform/aws/aws-eks-operator/data.tf

@@ -3,3 +3,7 @@ data "aws_region" "current" {}
 data "aws_eks_cluster_versions" "latest" {
   default_only = true
 }
+
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks.cluster_name
+}

terraform/aws/aws-eks-operator/main.tf

@@ -18,7 +18,7 @@ locals {
 
   # Tailscale Operator configuration
   namespace_name                = "tailscale"
-  operator_name                 = "${local.name}-${random_string.operator_name_suffix.result}"
+  operator_name                 = "${local.name}-${random_integer.operator_name_suffix.result}"
   operator_version              = "1.92.4"
   tailscale_oauth_client_id     = var.tailscale_oauth_client_id
   tailscale_oauth_client_secret = var.tailscale_oauth_client_secret
@@ -28,11 +28,9 @@ locals {
 }
 
 # This isn't required but helps avoid conflicts and Let's Encrypt throttling to make testing and iterating easier.
-resource "random_string" "operator_name_suffix" {
-  length  = 3
-  numeric = false
-  special = false
-  upper   = false
+resource "random_integer" "operator_name_suffix" {
+  min = 100
+  max = 999
 }
 
 # Remove this to use your own VPC.
@@ -94,6 +92,10 @@ resource "kubernetes_namespace_v1" "tailscale_operator" {
       "pod-security.kubernetes.io/enforce" = "privileged"
     }
   }
+
+  depends_on = [
+    module.eks,
+  ]
 }
 
 #

terraform/aws/aws-eks-operator/versions.tf

@@ -26,27 +26,19 @@ terraform {
 }
 
 provider "kubernetes" {
-  alias                  = "this"
+  alias = "this"
+
   host                   = module.eks.cluster_endpoint
   cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
-  exec {
-    api_version = "client.authentication.k8s.io/v1"
-    command     = "aws"
-    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
-  }
+  token                  = data.aws_eks_cluster_auth.this.token
 }
 
 provider "helm" {
   alias = "this"
+
   kubernetes = {
     host                   = module.eks.cluster_endpoint
     cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
-    exec = {
-      api_version = "client.authentication.k8s.io/v1"
-      command     = "aws"
-      args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
-    }
+    token                  = data.aws_eks_cluster_auth.this.token
   }
 }