Add support for specifying identityMappings in config#3097

Closed
aclevername wants to merge 10 commits into
mainfrom
iam-mapping
Closed

Conversation

@aclevername
Contributor

@aclevername aclevername commented Jan 18, 2021

Description

#874

Edit:
Updated to include being able to specify identitymappings to be created during cluster creation #1695

```yaml
# An example of ClusterConfig with identityMapping:
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: cluster-27
  region: us-west-2

iam:
  identityMappings:
    - arn: arn:aws:iam::123456:role/testing
      groups:
      - system:masters
      username: admin
```

```console
eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes

eksctl ./eksctl create iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
[ℹ]  adding identity "arn:aws:iam::123456:role/testing" to auth ConfigMap

eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::123456:role/testing                                                                admin                                   system:masters

eksctl ./eksctl delete iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
[ℹ]  removing identity "arn:aws:iam::123456:role/testing" from auth ConfigMap (username = "admin", groups = ["system:masters"])

eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
```

Cluster creation time:

```console
[ℹ]  eksctl version 0.37.0-dev+975130a8.2021-01-19T15:09:38Z
[ℹ]  using region us-west-2
[ℹ]  setting availability zones to [us-west-2d us-west-2b us-west-2a]
[ℹ]  subnets for us-west-2d - public:192.168.0.0/19 private:192.168.96.0/19
[ℹ]  subnets for us-west-2b - public:192.168.32.0/19 private:192.168.128.0/19
[ℹ]  subnets for us-west-2a - public:192.168.64.0/19 private:192.168.160.0/19
[ℹ]  using Kubernetes version 1.18
[ℹ]  creating EKS cluster "jk-im" in "us-west-2" region with
...
[ℹ]  creating IAMIdentityMappings
[ℹ]  adding identity "arn:aws:iam::123456:role/testing" to auth ConfigMap
[ℹ]  kubectl command should work with "/Users/jake/.kube/config", try 'kubectl get nodes'
[✔]  EKS cluster "jk-im" in "us-west-2" region is ready
```

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup), target version (e.g. version/0.12.0) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
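The PR description shows the feature end to end (config entry, `create`, `get`, `delete`, and creation-time application) but not what the config entry turns into inside the `aws-auth` ConfigMap, which is the cluster's IAM-to-RBAC trust boundary: an `identityMappings` entry that lists `system:masters` hands the IAM principal cluster-admin. The Go program below is an added example written for this page, not eksctl's own code, and its type and function names (`IdentityMapping`, `AddMapping`, `RemoveMappings`, `RenderMapRoles`, `ClusterAdmins`) are assumptions. It models the ConfigMap's `mapRoles` document in memory, validates an entry before adding it (rejecting the empty ARN case one reviewer hit with a clearer message), removes a batch of ARNs without aborting on a missing one (the other reviewer point), renders the `mapRoles` YAML in a stable order so a reviewer can diff it, and lists which ARNs end up in `system:masters`. Account ids and role names in the test data are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// IdentityMapping mirrors one iam.identityMappings entry from the
// ClusterConfig in the PR description (field names are assumed).
type IdentityMapping struct {
	ARN      string
	Username string
	Groups   []string
}

// roleOrUserARN accepts IAM role and user ARNs. The account id length is
// deliberately not enforced because the PR's own example uses a short id.
var roleOrUserARN = regexp.MustCompile(`^arn:aws[\w-]*:iam::[0-9]*:(role|user)/[^\s]+$`)

// Validate fails early with an actionable message; an empty ARN is the
// case a reviewer reported for `create iamidentitymapping` with no flags.
func (m IdentityMapping) Validate() error {
	if strings.TrimSpace(m.ARN) == "" {
		return errors.New("identity mapping: arn is required (pass --arn or an iam.identityMappings entry in the config file)")
	}
	if !roleOrUserARN.MatchString(m.ARN) {
		return fmt.Errorf("identity mapping: %q is not an IAM role or user ARN", m.ARN)
	}
	if m.Username == "" && len(m.Groups) == 0 {
		return fmt.Errorf("identity mapping %s: at least one of username or groups is required", m.ARN)
	}
	return nil
}

// AddMapping returns a new slice with m appended. It refuses a second
// mapping for the same ARN, matching the PR's delete-then-recreate model.
func AddMapping(existing []IdentityMapping, m IdentityMapping) ([]IdentityMapping, error) {
	if err := m.Validate(); err != nil {
		return existing, err
	}
	for _, e := range existing {
		if e.ARN == m.ARN {
			return existing, fmt.Errorf("identity mapping for %s already exists; delete it first to change it", m.ARN)
		}
	}
	return append(append([]IdentityMapping(nil), existing...), m), nil
}

// RemoveMappings drops every listed ARN that is present and reports the
// ones that were missing, rather than stopping at the first miss.
func RemoveMappings(existing []IdentityMapping, arns []string) (kept []IdentityMapping, missing []string) {
	wanted, present := map[string]bool{}, map[string]bool{}
	for _, a := range arns {
		wanted[a] = true
	}
	for _, e := range existing {
		if wanted[e.ARN] {
			present[e.ARN] = true
			continue
		}
		kept = append(kept, e)
	}
	for _, a := range arns {
		if !present[a] {
			missing = append(missing, a)
		}
	}
	return kept, missing
}

// RenderMapRoles emits the mapRoles document stored under data.mapRoles in
// the kube-system/aws-auth ConfigMap, sorted by ARN so diffs are stable.
func RenderMapRoles(mappings []IdentityMapping) string {
	var roles []IdentityMapping
	for _, m := range mappings {
		if strings.Contains(m.ARN, ":role/") {
			roles = append(roles, m)
		}
	}
	sort.Slice(roles, func(i, j int) bool { return roles[i].ARN < roles[j].ARN })
	var b strings.Builder
	for _, m := range roles {
		fmt.Fprintf(&b, "- rolearn: %s\n", m.ARN)
		if m.Username != "" {
			fmt.Fprintf(&b, "  username: %s\n", m.Username)
		}
		if len(m.Groups) > 0 {
			b.WriteString("  groups:\n")
			for _, g := range m.Groups {
				fmt.Fprintf(&b, "  - %s\n", g)
			}
		}
	}
	return b.String()
}

// ClusterAdmins lists the ARNs bound to system:masters, i.e. the entries a
// reviewer of the ClusterConfig should examine first.
func ClusterAdmins(mappings []IdentityMapping) []string {
	var out []string
	for _, m := range mappings {
		for _, g := range m.Groups {
			if g == "system:masters" {
				out = append(out, m.ARN)
				break
			}
		}
	}
	return out
}
```

`RenderMapRoles` covers only the `mapRoles` half of `aws-auth`; user ARNs would go into `mapUsers` with a `userarn` key in the same shape. Keeping the render sorted and the add path duplicate-free means the ConfigMap produced from a reviewed `ClusterConfig` is reproducible, which is what makes `ClusterAdmins` a useful pre-apply check.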

@Legion2
Contributor

Legion2 commented Jan 19, 2021

Is it possible to update/add/remove users and groups from the identity mapping after the initial create operation?

@aclevername
Contributor Author

> Is it possible to update/add/remove users and groups from the identity mapping after the initial create operation?

hey @Legion2 👋, we don't support updating atm, but you can delete and re-create

@aclevername aclevername marked this pull request as ready for review January 19, 2021 17:36
@aclevername aclevername requested a review from a team January 19, 2021 17:36
@Legion2
Contributor

Legion2 commented Jan 21, 2021

When `eksctl create iamidentitymapping --cluster <...>` is called without a cluster file and without any option it should provide a better error message than:
`failed to create identity mapping : expected a valid arn but got empty string`

@Legion2
Contributor

Legion2 commented Jan 21, 2021

When deleting all mappings, a missing mapping should not stop the deletion of the remaining mappings.

@aclevername aclevername marked this pull request as draft January 22, 2021 09:19
@aclevername aclevername linked an issue Jan 27, 2021 that may be closed by this pull request
Base automatically changed from master to main February 2, 2021 15:06
@Legion2
Contributor

Legion2 commented Feb 12, 2021

@aclevername are you going to finish this PR or what is blocking it?

@aclevername
Contributor Author

Closing. We are expecting a new API from AWS to handle cluster permissions, so we could implement this feature but it would likely be replaced very soon by this new API. I think it makes sense to halt any new development on iamidentitymappings functionality.

@bryantbiggs bryantbiggs deleted the iam-mapping branch January 10, 2025 17:37
Labels

area/aws-iam kind/feature New feature or request

Development

Successfully merging this pull request may close these issues.

Add iam identityMappings to config file

2 participants