[Enhancement]: Simplify user management with aws_eks_access_entry and aws_eks_access_policy_association

[JulesClaussen]

Description

Hello team,

The EKS resource aws_eks_access_policy_association along with aws_eks_access_entry is quite cumbersome.
As a user, an ideal scenario would be:

• I create an aws_eks_access_entry for each of my user, and add them into a kubernetes_group
• I associate a kubernetes_group to a policy association

That would facilitate a lot the user management. Another solution would be to allow multiple policy arns and/or principal_arns with one policy association.
And finally, I believe there should be a datasource to pull the policy by names. Something like:

data "aws_eks_access_policy" "admin-policy" {
  name = "AmazonEKSAdminPolicy"
}

That would greatly improve readability, and be more robust in case of updates.
Thanks!

Affected Resource(s) and/or Data Source(s)

• aws_eks_access_entry
• aws_eks_access_policy_association

Potential Terraform Configuration

data "aws_eks_access_policy" "admin" {
  name = "AmazonEKSAdminPolicy"
}

resource "aws_eks_access_entry" "admins" {
  cluster_name   = module.eks.cluster_name
  principal_arns = ["arn-1", "arn-2", "arn-3"]
  kubernetes_groups = ["admins"]
  type           = "STANDARD"
}

#Solution 1:
resource "aws_eks_access_policy_association" "admins" {
  cluster_name  = module.eks.cluster_name
  policy_arn    = data.aws_eks_access_policy.admin
  principal_arns = aws_eks_access_entry.admins.principal_arns
  access_scope {
    type = "cluster"
  }
}

#Solution 2. That could be a new resource like aws_eks_access_policy_group_association:
resource "aws_eks_access_policy_association" "admins" {
  cluster_name  = module.eks.cluster_name
  policy_arn    = data.aws_eks_access_policy.admin
  kubernetes_groups = ["admins"]
  access_scope {
    type = "cluster"
  }
}

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.