Merge pull request #37 from gruntwork-io/yori-token-as-data-source

EKS token as data source

README.md

@@ -107,6 +107,36 @@ The `configure` subcommand of `kubergrunt eks` assumes you will be using this me
 cluster provided by EKS. If you wish to use `aws-iam-authenticator` instead, replace the auth info clause of the `kubectl`
 config context.
 
+This subcommand also supports outputting the token in a format that is consumable by terraform as an [external data
+source](https://www.terraform.io/docs/providers/external/data_source.html) when you pass in the `--as-tf-data` CLI arg.
+You can then pass the token directly into the `kubernetes` provider configuration. For example:
+
+```hcl
+# NOTE: Terraform does not allow you to interpolate resources in a provider config. We work around this by using the
+# template_file data source as a means to compute the resource interpolations.
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "${data.template_file.kubernetes_cluster_endpoint.rendered}"
+  cluster_ca_certificate = "${base64decode(data.template_file.kubernetes_cluster_ca.rendered)}"
+  token                  = "${lookup(data.external.kubernetes_token.result, "token_data")}"
+}
+
+data "template_file" "kubernetes_cluster_endpoint" {
+  template = "${module.eks_cluster.eks_cluster_endpoint}"
+}
+
+data "template_file" "kubernetes_cluster_ca" {
+  template = "${module.eks_cluster.eks_cluster_certificate_authority}"
+}
+
+data "external" "kubernetes_token" {
+  program = ["kubergrunt", "--loglevel", "error", "eks", "token", "--as-tf-data", "--cluster-id", "${module.eks_cluster.eks_cluster_name}"]
+}
+```
+
+This will configure the `kubernetes` provider in Terraform without setting up kubeconfig, allowing you to do everything
+in Terraform without side effects to your local machine.
+
 
 #### deploy
 

cmd/eks.go

@@ -1,7 +1,9 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
+	"os"
 	"time"
 
 	"github.com/gruntwork-io/gruntwork-cli/entrypoint"
@@ -32,10 +34,6 @@ var (
 		Name:  KubeconfigFlagName,
 		Usage: "The path to the kubectl config file to setup. Defaults to ~/.kube/config",
 	}
-	clusterIDFlag = cli.StringFlag{
-		Name:  "cluster-id, i",
-		Usage: "The name of the EKS cluster for which to retrieve an auth token for.",
-	}
 
 	clusterRegionFlag = cli.StringFlag{
 		Name:  "region",
@@ -60,6 +58,16 @@ var (
 		Value: 15 * time.Second,
 		Usage: "The amount of time to sleep between retries as duration (e.g 10m = 10 minutes) for retry loops during the command. The total amount of time this command will try is based on max-retries and sleep-between-retries. Defaults to 15 seconds.",
 	}
+
+	// Token related flags
+	clusterIDFlag = cli.StringFlag{
+		Name:  "cluster-id, i",
+		Usage: "The name of the EKS cluster for which to retrieve an auth token for.",
+	}
+	tokenAsTFDataFlag = cli.BoolFlag{
+		Name:  "as-tf-data",
+		Usage: "Output the EKS authentication token in a format compatible for use as an external data source in Terraform.",
+	}
 )
 
 // SetupEksCommand creates the cli.Command entry for the eks subcommand of kubergrunt
@@ -99,6 +107,7 @@ func SetupEksCommand() cli.Command {
 				Action:      getAuthToken,
 				Flags: []cli.Flag{
 					clusterIDFlag,
+					tokenAsTFDataFlag,
 				},
 			},
 			cli.Command{
@@ -206,6 +215,7 @@ func getAuthToken(cliContext *cli.Context) error {
 	if err != nil {
 		return errors.WithStackTrace(err)
 	}
+	tokenAsTFData := cliContext.Bool(tokenAsTFDataFlag.Name)
 
 	gen, err := token.NewGenerator(false)
 	if err != nil {
@@ -215,9 +225,21 @@ func getAuthToken(cliContext *cli.Context) error {
 	if err != nil {
 		return errors.WithStackTrace(err)
 	}
-	out := gen.FormatJSON(tok)
-	// `kubectl` will parse the JSON from stdout to read in what token to use for authenticating with the cluster.
-	fmt.Println(out)
+	if tokenAsTFData {
+		// When using as a terraform data source, we need to return the token itself.
+		tokenData := struct {
+			TokenData string `json:"token_data"`
+		}{TokenData: tok.Token}
+		bytesOut, err := json.Marshal(tokenData)
+		if err != nil {
+			return err
+		}
+		os.Stdout.Write(bytesOut)
+	} else {
+		out := gen.FormatJSON(tok)
+		// `kubectl` will parse the JSON from stdout to read in what token to use for authenticating with the cluster.
+		fmt.Println(out)
+	}
 	return nil
 }