diff --git a/aws/platform/README.md b/aws/platform/README.md
index 99599928..ef5b717f 100644
--- a/aws/platform/README.md
+++ b/aws/platform/README.md
@@ -172,6 +172,7 @@ You can then use it to manually edit the aws-auth ConfigMap:
| [certificate\_issuer](#input\_certificate\_issuer) | YAML spec for certificate issuer; defaults to self-signed | `string` | `null` | no |
| [cluster\_autoscaler\_values](#input\_cluster\_autoscaler\_values) | Overrides to pass to the Helm chart | `list(string)` | `[]` | no |
| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
+| [custom\_groups](#input\_custom\_groups) | List of custom RBAC groups to be assigned to an IAM role for custom cluster privileges, | `map(list(string))` | `{}` | no |
| [custom\_roles](#input\_custom\_roles) | Additional IAM roles which have custom cluster privileges | `map(string)` | `{}` | no |
| [domain\_names](#input\_domain\_names) | Domains which are allowed in this cluster | `list(string)` | `[]` | no |
| [external\_dns\_enabled](#input\_external\_dns\_enabled) | Set to true to enable External DNS | `bool` | `false` | no |
diff --git a/aws/platform/main.tf b/aws/platform/main.tf
index d0928b77..ea4ccce0 100644
--- a/aws/platform/main.tf
+++ b/aws/platform/main.tf
@@ -102,6 +102,7 @@ module "auth_config_map" {
admin_roles = var.admin_roles
cluster_full_name = module.cluster_name.full
custom_roles = var.custom_roles
+ custom_groups = var.custom_groups
node_roles = concat(local.node_roles, var.node_roles)
}
diff --git a/aws/platform/modules/auth-config-map/README.md b/aws/platform/modules/auth-config-map/README.md
index e4c6412b..04bc9daa 100644
--- a/aws/platform/modules/auth-config-map/README.md
+++ b/aws/platform/modules/auth-config-map/README.md
@@ -33,6 +33,7 @@
|------|-------------|------|---------|:--------:|
| [admin\_roles](#input\_admin\_roles) | Role ARNs which have admin privileges within the cluster | `list(string)` | n/a | yes |
| [cluster\_full\_name](#input\_cluster\_full\_name) | Full name of the EKS cluster | `string` | n/a | yes |
+| [custom\_groups](#input\_custom\_groups) | RBAC groups to be assigned to an IAM role for custom privileges within the cluster | `map(list(string))` | `{}` | no |
| [custom\_roles](#input\_custom\_roles) | Role ARNs which have custom privileges within the cluster | `map(string)` | `{}` | no |
| [node\_roles](#input\_node\_roles) | Roles for EKS node groups in this cluster | `list(string)` | n/a | yes |
diff --git a/aws/platform/modules/auth-config-map/main.tf b/aws/platform/modules/auth-config-map/main.tf
index 12013a24..f8248f27 100644
--- a/aws/platform/modules/auth-config-map/main.tf
+++ b/aws/platform/modules/auth-config-map/main.tf
@@ -99,6 +99,14 @@ locals {
username = "user:{{SessionName}}"
}
],
+ [
+ for role, groups in var.custom_groups :
+ {
+ groups = groups
+ rolearn = role
+ username = "user:{{SessionName}}"
+ }
+ ],
[
for role in var.node_roles :
{
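Review bot: The new comprehension passes every group name in var.custom_groups straight into mapRoles, so a value such as `system:masters` grants cluster-admin through this input exactly as admin_roles does, and nothing in the hunk constrains or documents that; a comment above the block would make the risk visible, e.g. `# groups are passed through unfiltered; built-in system:* groups (e.g. system:masters) grant cluster-admin, so review these entries as carefully as admin_roles`. A role ARN that appears in both var.custom_roles and var.custom_groups also produces two mapRoles entries for the same rolearn, and which entry aws-iam-authenticator honours is not settled by this hunk, so deduplicating or documenting the precedence would help. The enclosing locals block starts and ends outside the hunk.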
diff --git a/aws/platform/modules/auth-config-map/variables.tf b/aws/platform/modules/auth-config-map/variables.tf
index c03246b1..495c8295 100644
--- a/aws/platform/modules/auth-config-map/variables.tf
+++ b/aws/platform/modules/auth-config-map/variables.tf
@@ -19,6 +19,12 @@ variable "custom_roles" {
description = "Role ARNs which have custom privileges within the cluster"
}
+variable "custom_groups" {
+ type = map(list(string))
+ default = {}
+ description = "RBAC groups to be assigned to an IAM role for custom privileges within the cluster"
+}
+
variable "node_roles" {
type = list(string)
description = "Roles for EKS node groups in this cluster"
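Review bot: The new variable accepts any group name, including the built-in `system:` groups, so a caller can obtain cluster-admin via custom_groups without touching admin_roles; a validation block on the variable (if the module's required Terraform version allows it) would reject those at plan time, and the description could name the key as an IAM role ARN, e.g. `description = "Map of IAM role ARN to the RBAC groups it is bound to in the cluster; system:* groups are rejected"`. The same unconstrained input is declared again in aws/platform/variables.tf.
```terraform
variable "custom_groups" {
  type        = map(list(string))
  default     = {}
  description = "RBAC groups to be assigned to an IAM role for custom privileges within the cluster"
  validation {
    condition     = alltrue([for groups in values(var.custom_groups) : alltrue([for g in groups : !can(regex("^system:", g))])])
    error_message = "custom_groups must not bind built-in system:* groups (e.g. system:masters); use admin_roles for cluster-admin access."
  }
}
```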
diff --git a/aws/platform/variables.tf b/aws/platform/variables.tf
index 0c7ae6eb..943b7b47 100644
--- a/aws/platform/variables.tf
+++ b/aws/platform/variables.tf
@@ -62,6 +62,12 @@ variable "cluster_name" {
description = "Name of the EKS cluster"
}
+variable "custom_groups" {
+ type = map(list(string))
+ description = "List of custom RBAC groups to be assigned to an IAM role for custom cluster privileges,"
+ default = {}
+}
+
variable "custom_roles" {
type = map(string)
description = "Additional IAM roles which have custom cluster privileges"
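Review bot: The description of the new custom_groups variable ends in a stray comma (`custom cluster privileges,`), which is then copied verbatim into the generated README table; it should read `description = "Map of IAM role ARN to the custom RBAC groups assigned to it within the cluster"` or similar. Stating that the map key is an IAM role ARN also matters here because the module README describes the same input only as "RBAC groups", leaving the key undocumented at the top-level interface.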