fix: update code

README.md

@@ -9,10 +9,11 @@ A basic Terraform module for creating and managing Amazon EKS (Elastic Kubernete
 - **Fargate Profiles**: Supported via `fargate_profiles` and Fargate IAM role creation
 - **AutoMode**: Placeholder wiring only; no AutoMode-specific resources yet
 - **IRSA Support**: OIDC provider setup for IAM Roles for Service Accounts
-- **EKS Capabilities**: Managed ACK, KRO, and ArgoCD capabilities (optional, default: disabled)
+- **EKS Capabilities**: Managed ACK and KRO capabilities (optional, default: disabled)
   - **ACK**: AWS Controllers for Kubernetes - create AWS resources via Kubernetes manifests
   - **KRO**: Kube Resource Orchestrator - platform engineering abstractions
-  - **ArgoCD**: GitOps capability for continuous deployment
+  - **ArgoCD**: Scaffolded only (requires AWS Identity Center setup)
+- **Access Management**: Automatic EKS access entry creation for cluster admins when capabilities are enabled
 - **Optional Addons**:
   - EBS CSI Driver (optional, default: disabled)
   - AWS Load Balancer Controller (optional, default: disabled)
@@ -97,14 +98,29 @@ module "eks" {
   # Enable EKS Capabilities for platform engineering
   enable_ack_capability    = true  # AWS Controllers for Kubernetes
   enable_kro_capability    = true  # Kube Resource Orchestrator
-  enable_argocd_capability = true  # ArgoCD GitOps
+  # enable_argocd_capability = false  # Not supported yet - requires Identity Center
+
+  # Grant cluster admin access to IAM users/roles
+  cluster_admin_arns = [
+    "arn:aws:iam::123456789012:user/admin-user",
+    "arn:aws:iam::123456789012:role/admin-role"
+  ]
 
   tags = {
     Environment = "production"
   }
 }
 ```
 
+**Note**: When capabilities are enabled, the cluster uses `API_AND_CONFIG_MAP` authentication mode. You must specify `cluster_admin_arns` to grant access to IAM users/roles for kubectl access.
+
+  tags = {
+    Environment = "production"
+  }
+}
+
+```
+
 ### Fargate Example
 
 ```hcl
@@ -177,7 +193,7 @@ module "eks" {
 
 - **[examples/basic](examples/basic/)** - Basic EKS cluster with EC2 node groups
 - **[examples/ebs-web-app](examples/ebs-web-app/)** - Web application with EBS persistent volume
-- **[examples/eks-capabilities](examples/eks-capabilities/)** - Complete platform engineering example with ACK, KRO, and ArgoCD capabilities
+- **[examples/eks-capabilities](examples/eks-capabilities/)** - Complete platform engineering example with ACK and KRO capabilities (ArgoCD scaffolded but not supported)
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

access-entries.tf

@@ -0,0 +1,101 @@
+# =============================================================================
+# User Access Entries
+# Grant cluster admin access to specified IAM users/roles
+# =============================================================================
+
+locals {
+  # Determine if user access entries should be created
+  # Only create when:
+  # 1. cluster_admin_arns is not empty, AND
+  # 2. Either capabilities are enabled OR authentication mode is not CONFIG_MAP
+  create_user_access_entries = length(var.cluster_admin_arns) > 0 && (
+    var.enable_ack_capability ||
+    var.enable_kro_capability ||
+    var.enable_argocd_capability ||
+    var.cluster_authentication_mode != "CONFIG_MAP"
+  )
+}
+
+resource "aws_eks_access_entry" "cluster_admins" {
+  for_each = local.create_user_access_entries ? toset(var.cluster_admin_arns) : []
+
+  cluster_name  = aws_eks_cluster.this.name
+  principal_arn = each.value
+  type          = "STANDARD"
+
+  depends_on = [
+    aws_eks_cluster.this
+  ]
+}
+
+resource "aws_eks_access_policy_association" "cluster_admin_policy" {
+  for_each = local.create_user_access_entries ? toset(var.cluster_admin_arns) : []
+
+  cluster_name  = aws_eks_cluster.this.name
+  principal_arn = each.value
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+
+  access_scope {
+    type = "cluster"
+  }
+
+  depends_on = [
+    aws_eks_access_entry.cluster_admins
+  ]
+}
+
+# =============================================================================
+# EC2 Node Access Entry
+# Required when using API or API_AND_CONFIG_MAP authentication mode
+# =============================================================================
+
+locals {
+  # Determine if access entries are needed for EC2 nodes
+  ec2_needs_access_entry = contains(var.compute_mode, "ec2") && (
+    var.enable_ack_capability ||
+    var.enable_kro_capability ||
+    var.enable_argocd_capability ||
+    var.cluster_authentication_mode != "CONFIG_MAP"
+  )
+}
+
+resource "aws_eks_access_entry" "ec2_nodes" {
+  count = local.ec2_needs_access_entry ? 1 : 0
+
+  cluster_name  = aws_eks_cluster.this.name
+  principal_arn = aws_iam_role.eks_nodes[0].arn
+  type          = "EC2_LINUX"
+
+  depends_on = [
+    aws_eks_cluster.this,
+    aws_iam_role.eks_nodes[0]
+  ]
+}
+
+# =============================================================================
+# Fargate Pod Access Entry
+# Required when using API or API_AND_CONFIG_MAP authentication mode
+# =============================================================================
+
+locals {
+  # Determine if access entries are needed for Fargate pods
+  fargate_needs_access_entry = contains(var.compute_mode, "fargate") && (
+    var.enable_ack_capability ||
+    var.enable_kro_capability ||
+    var.enable_argocd_capability ||
+    var.cluster_authentication_mode != "CONFIG_MAP"
+  )
+}
+
+resource "aws_eks_access_entry" "fargate_pods" {
+  count = local.fargate_needs_access_entry ? 1 : 0
+
+  cluster_name  = aws_eks_cluster.this.name
+  principal_arn = aws_iam_role.eks_fargate[0].arn
+  type          = "FARGATE_LINUX"
+
+  depends_on = [
+    aws_eks_cluster.this,
+    aws_iam_role.eks_fargate[0]
+  ]
+}

addons.tf

@@ -128,7 +128,9 @@ resource "aws_eks_addon" "ebs_csi_driver" {
   service_account_role_arn    = aws_iam_role.ebs_csi_driver[0].arn
 
   depends_on = [
-    aws_iam_role_policy.ebs_csi_driver[0]
+    aws_iam_role_policy.ebs_csi_driver[0],
+    # Wait for nodes to be available since EBS CSI driver runs as pods
+    aws_eks_node_group.default,
   ]
 
   tags = var.tags
@@ -154,7 +156,9 @@ resource "kubernetes_storage_class" "ebs_csi_default" {
   }
 
   depends_on = [
-    aws_eks_addon.ebs_csi_driver[0]
+    aws_eks_addon.ebs_csi_driver[0],
+    # Wait for access entries to be created and propagated if they exist
+    aws_eks_access_policy_association.cluster_admin_policy
   ]
 }
 
@@ -300,7 +304,9 @@ resource "kubernetes_service_account" "aws_lb_controller" {
     aws_eks_cluster.this,
     aws_iam_role_policy_attachment.aws_lb_controller[0],
     aws_iam_role_policy_attachment.aws_lb_controller_ec2[0],
-    aws_iam_role_policy.aws_lb_controller_waf[0]
+    aws_iam_role_policy.aws_lb_controller_waf[0],
+    # Wait for access entries to be created and propagated if they exist
+    aws_eks_access_policy_association.cluster_admin_policy
   ]
 }
 

capabilities-iam.tf

@@ -69,33 +69,40 @@ resource "aws_iam_role" "kro_capability" {
 
 # Note: KRO capability roles don't require managed policies - AWS manages permissions internally
 
-# ArgoCD Capability Role
-data "aws_iam_policy_document" "argocd_capability_assume_role" {
-  count = var.enable_argocd_capability ? 1 : 0
-
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["capabilities.eks.amazonaws.com"]
-    }
-
-    actions = [
-      "sts:AssumeRole",
-      "sts:TagSession"
-    ]
-  }
-}
-
-resource "aws_iam_role" "argocd_capability" {
-  count = var.enable_argocd_capability ? 1 : 0
-
-  name               = var.argocd_capability_role_arn != null ? null : "${var.cluster_name}-argocd-capability-role"
-  name_prefix        = var.argocd_capability_role_arn != null ? null : null
-  assume_role_policy = data.aws_iam_policy_document.argocd_capability_assume_role[0].json
-  tags               = var.tags
-}
+# =============================================================================
+# ArgoCD Capability Role (SCAFFOLDED - NOT SUPPORTED YET)
+# =============================================================================
+# ArgoCD capability requires AWS Identity Center configuration
+# This is scaffolded for future implementation but not currently supported
+# Uncomment and configure Identity Center before enabling
+# =============================================================================
 
-# Note: ArgoCD capability roles don't require managed policies - AWS manages permissions internally
-# ArgoCD also requires configuration which should be provided via the capability resource
+# data "aws_iam_policy_document" "argocd_capability_assume_role" {
+#   count = var.enable_argocd_capability ? 1 : 0
+#
+#   statement {
+#     effect = "Allow"
+#
+#     principals {
+#       type        = "Service"
+#       identifiers = ["capabilities.eks.amazonaws.com"]
+#     }
+#
+#     actions = [
+#       "sts:AssumeRole",
+#       "sts:TagSession"
+#     ]
+#   }
+# }
+#
+# resource "aws_iam_role" "argocd_capability" {
+#   count = var.enable_argocd_capability ? 1 : 0
+#
+#   name               = var.argocd_capability_role_arn != null ? null : "${var.cluster_name}-argocd-capability-role"
+#   name_prefix        = var.argocd_capability_role_arn != null ? null : null
+#   assume_role_policy = data.aws_iam_policy_document.argocd_capability_assume_role[0].json
+#   tags               = var.tags
+# }
+#
+# # Note: ArgoCD capability roles don't require managed policies - AWS manages permissions internally
+# # ArgoCD also requires configuration which should be provided via the capability resource

capabilities.tf

@@ -43,27 +43,33 @@ resource "aws_eks_capability" "kro" {
   tags = var.tags
 }
 
-resource "aws_eks_capability" "argocd" {
-  count = var.enable_argocd_capability ? 1 : 0
-
-  cluster_name    = aws_eks_cluster.this.name
-  capability_name = "ARGOCD"
-  type            = "ARGOCD"
-
-  # ArgoCD requires a role ARN
-  # Use provided role ARN or create one automatically
-  role_arn = var.argocd_capability_role_arn != null ? var.argocd_capability_role_arn : aws_iam_role.argocd_capability[0].arn
-
-  # Note: ArgoCD capability requires AWS Identity Center configuration
-  # This is typically done via AWS Console or requires additional setup
-  # For now, this resource will fail if Identity Center is not configured
-  # Users should configure Identity Center before enabling ArgoCD capability
-
-  delete_propagation_policy = "RETAIN"
-
-  depends_on = [
-    aws_eks_cluster.this
-  ]
+# =============================================================================
+# ArgoCD Capability (SCAFFOLDED - NOT SUPPORTED YET)
+# =============================================================================
+# ArgoCD capability requires AWS Identity Center configuration
+# This is scaffolded for future implementation but not currently supported
+# Uncomment and configure Identity Center before enabling
+# =============================================================================
 
-  tags = var.tags
-}
+# resource "aws_eks_capability" "argocd" {
+#   count = var.enable_argocd_capability ? 1 : 0
+#
+#   cluster_name    = aws_eks_cluster.this.name
+#   capability_name = "ARGOCD"
+#   type            = "ARGOCD"
+#
+#   # ArgoCD requires a role ARN
+#   # Use provided role ARN or create one automatically
+#   role_arn = var.argocd_capability_role_arn != null ? var.argocd_capability_role_arn : aws_iam_role.argocd_capability[0].arn
+#
+#   # ArgoCD requires configuration parameter with Identity Center details
+#   configuration = var.argocd_capability_configuration != null ? var.argocd_capability_configuration : jsonencode({})
+#
+#   delete_propagation_policy = "RETAIN"
+#
+#   depends_on = [
+#     aws_eks_cluster.this
+#   ]
+#
+#   tags = var.tags
+# }

docs/README.md

@@ -0,0 +1,7 @@
+# terraform-aws-eks-basic Documentation
+
+This directory contains detailed documentation for the module's design decisions, architecture, and operational guides.
+
+## Contents
+
+- [Authentication Modes](authentication.md) - EKS authentication modes and access entry management