

EKS-MULTI-ADDONS (#459)
bcarranza authored Jan 31, 2024
1 parent 78e10d0 commit 5939067
Showing 2 changed files with 66 additions and 7 deletions.
64 changes: 57 additions & 7 deletions terraform-modules/aws/eks/main.tf
Expand Up @@ -11,6 +11,21 @@ terraform {
}
}

locals {
cluster_addons_iam = {
for k, v in var.cluster_addons : k => {
name = v.name
addon_version = v.addon_version
resolve_conflicts_on_create = v.resolve_conflicts_on_create
resolve_conflicts_on_update = v.resolve_conflicts_on_update
preserve = v.preserve
timeouts = v.timeouts
service_account_role_arn = (k == "aws-ebs-csi-driver" ? data.aws_iam_role.eks_csi_driver.arn : k == "vpc-cni" ? data.aws_iam_role.eks_cni_driver.arn : null)
}
}
}


data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
Expand All @@ -19,6 +34,14 @@ data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}

data "aws_iam_role" "eks_csi_driver" {
name = aws_iam_role.eks_ebs_csi_driver.name
}

data "aws_iam_role" "eks_cni_driver" {
name = aws_iam_role.eks_cni_driver.name
}

provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
Expand Down Expand Up @@ -46,13 +69,7 @@ that it's using this module.
https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/
*/

resource "aws_eks_addon" "csi_driver" {
cluster_name = module.eks.cluster_id
addon_name = "aws-ebs-csi-driver"
addon_version = "v1.11.4-eksbuild.1"
service_account_role_arn = aws_iam_role.eks_ebs_csi_driver.arn
}

# IAM CSI Role
data "aws_iam_policy_document" "csi" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
Expand Down Expand Up @@ -81,6 +98,37 @@ resource "aws_iam_role_policy_attachment" "amazon_ebs_csi_driver" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}

# IAM CNI
data "aws_iam_policy_document" "cni" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
effect = "Allow"

condition {
test = "StringEquals"
variable = "${replace(module.eks.oidc_provider, "https://", "")}:sub"
values = ["system:serviceaccount:kube-system:aws-node"]
}

principals {
identifiers = [module.eks.oidc_provider_arn]
type = "Federated"
}
}
}

resource "aws_iam_role" "eks_cni_driver" {
assume_role_policy = data.aws_iam_policy_document.cni.json
name = "eks-cni-driver"
}

resource "aws_iam_role_policy_attachment" "amazon_cni_driver" {
role = aws_iam_role.eks_cni_driver.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}




module "eks" {
source = "terraform-aws-modules/eks/aws"
Expand Down Expand Up @@ -124,4 +172,6 @@ module "eks" {
aws_auth_users = var.aws_auth_users

aws_auth_accounts = var.aws_auth_accounts

cluster_addons = local.cluster_addons_iam
}
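Review bot: The `for` expression in `local.cluster_addons_iam` (first hunk) reads `v.name`, `v.addon_version`, `v.resolve_conflicts_on_create`, `v.resolve_conflicts_on_update`, `v.preserve` and `v.timeouts` unconditionally, so with `var.cluster_addons` declared as `type = any` an entry that omits any of those attributes fails the plan with an unsupported-attribute error, and the IRSA role is selected by the map key `k` alone, so an entry keyed differently but carrying `name = "vpc-cni"` is created with `service_account_role_arn = null` and runs without its own role, i.e. under the node role's credentials. Reading each attribute with `try(v.<attr>, null)` and matching on `coalesce(try(v.name, null), k)` makes both paths agree with the variable's description ("Addon name can be the map keys or set with `name`"). The `data "aws_iam_role"` lookups added in the second hunk only re-read roles this same file creates, so `aws_iam_role.eks_ebs_csi_driver.arn` and `aws_iam_role.eks_cni_driver.arn` can be referenced directly and the two data sources dropped. In the fourth hunk, `name = "eks-cni-driver"` is a fixed role name and will collide if this module is instantiated twice in one account; `name_prefix` or a name that includes the cluster name avoids that, and the trust policy's `StringEquals` condition would be stronger with an additional `<issuer>:aud` = `sts.amazonaws.com` entry alongside the `:sub` check.
```terraform
locals {
  cluster_addons_iam = {
    for k, v in var.cluster_addons : k => {
      name                        = try(v.name, null)
      addon_version               = try(v.addon_version, null)
      resolve_conflicts_on_create = try(v.resolve_conflicts_on_create, null)
      resolve_conflicts_on_update = try(v.resolve_conflicts_on_update, null)
      preserve                    = try(v.preserve, null)
      timeouts                    = try(v.timeouts, null)
      # Match on the effective add-on name (explicit `name`, else the map key)
      # so the IRSA role is attached however the caller identifies the add-on.
      service_account_role_arn = (
        coalesce(try(v.name, null), k) == "aws-ebs-csi-driver" ? aws_iam_role.eks_ebs_csi_driver.arn :
        coalesce(try(v.name, null), k) == "vpc-cni" ? aws_iam_role.eks_cni_driver.arn :
        null
      )
    }
  }
}
```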
9 changes: 9 additions & 0 deletions terraform-modules/aws/eks/variables.tf
Expand Up @@ -243,4 +243,13 @@ variable "cluster_kms_enable_rotation" {
type = bool
default = true
description = "(Optional) Specifies whether key rotation is enabled. Defaults to true."
}

################################################################################
# EKS Addons
################################################################################
variable "cluster_addons" {
description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
type = any
default = {}
}
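Review bot: `variable "cluster_addons"` is declared with `type = any`, so callers get no validation of the per-add-on attributes and, because `main.tf` reads `v.name`, `v.addon_version`, `v.preserve` and the rest directly, an entry that leaves one of them out fails at plan time rather than defaulting. Declaring the expected shape as `map(object({ ... }))` with `optional()` attributes documents the contract in the variable itself and makes missing attributes evaluate to `null`, which is what the `aws_eks_addon` arguments expect; `optional()` needs a Terraform version that supports it, which this page does not show, so confirm `required_version` before adopting it. The description could also state that `service_account_role_arn` is set by the module for `aws-ebs-csi-driver` and `vpc-cni` and is not caller-configurable, since that is what `local.cluster_addons_iam` does.
```terraform
variable "cluster_addons" {
  description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
  type = map(object({
    name                        = optional(string)
    addon_version               = optional(string)
    resolve_conflicts_on_create = optional(string)
    resolve_conflicts_on_update = optional(string)
    preserve                    = optional(bool)
    timeouts                    = optional(map(string))
  }))
  default = {}
}
```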

