From 5939067c80d291a0288c453fae564692cc41d520 Mon Sep 17 00:00:00 2001
From: Bayron Carranza
Date: Wed, 31 Jan 2024 11:44:56 -0600
Subject: [PATCH] EKS-MULTI-ADDONS (#459)

---
 terraform-modules/aws/eks/main.tf | 64 +++++++++++++++++++++++---
 terraform-modules/aws/eks/variables.tf | 9 ++++
 2 files changed, 66 insertions(+), 7 deletions(-)

diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
index e42bd27b3..e1b8621c8 100644
--- a/terraform-modules/aws/eks/main.tf
+++ b/terraform-modules/aws/eks/main.tf
@@ -11,6 +11,21 @@ terraform {
   }
 }
 
+locals {
+  cluster_addons_iam = {
+    for k, v in var.cluster_addons : k => {
+      name = v.name
+      addon_version = v.addon_version
+      resolve_conflicts_on_create = v.resolve_conflicts_on_create
+      resolve_conflicts_on_update = v.resolve_conflicts_on_update
+      preserve = v.preserve
+      timeouts = v.timeouts
+      service_account_role_arn = (k == "aws-ebs-csi-driver" ? data.aws_iam_role.eks_csi_driver.arn : k == "vpc-cni" ? data.aws_iam_role.eks_cni_driver.arn : null)
+    }
+  }
+}
+
+
 data "aws_eks_cluster" "cluster" {
   name = module.eks.cluster_id
 }
@@ -19,6 +34,14 @@ data "aws_eks_cluster_auth" "cluster" {
   name = module.eks.cluster_id
 }
 
+data "aws_iam_role" "eks_csi_driver" {
+  name = aws_iam_role.eks_ebs_csi_driver.name
+}
+
+data "aws_iam_role" "eks_cni_driver" {
+  name = aws_iam_role.eks_cni_driver.name
+}
+
 provider "kubernetes" {
   host = data.aws_eks_cluster.cluster.endpoint
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
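Review bot: The attribute reads `v.name`, `v.addon_version`, `v.resolve_conflicts_on_create`, `v.resolve_conflicts_on_update`, `v.preserve` and `v.timeouts` in `local.cluster_addons_iam` raise "object does not have an attribute" for any map entry that leaves one of them out, which contradicts the `cluster_addons` description in variables.tf ("Addon name can be the map keys or set with `name`") and its `type = any` / `default = {}` contract. Wrapping each read in `try()` with the map key as the fallback for `name` and `null` (unset) for the rest accepts the documented shape, and deriving `service_account_role_arn` from the resolved name instead of `k` keeps the IRSA binding for an entry that is keyed differently from its `name`. The `data "aws_iam_role"` lookups in the next hunk only re-read roles this same configuration creates; `aws_iam_role.eks_ebs_csi_driver.arn` and `aws_iam_role.eks_cni_driver.arn` can be referenced directly, which drops two API reads and keeps the dependency visible without the data sources. Rewritten local below; whether `null` for `timeouts` is accepted by the pinned eks module version should be checked against its inputs, which are outside this patch.
```hcl
locals {
  cluster_addons_iam = {
    for k, v in var.cluster_addons : k => {
      name                        = try(v.name, k)
      addon_version               = try(v.addon_version, null)
      resolve_conflicts_on_create = try(v.resolve_conflicts_on_create, null)
      resolve_conflicts_on_update = try(v.resolve_conflicts_on_update, null)
      preserve                    = try(v.preserve, null)
      timeouts                    = try(v.timeouts, null)
      # Bind the IRSA role by the resolved addon name, not the map key, so an
      # entry keyed differently from its `name` still gets the role.
      service_account_role_arn = (
        try(v.name, k) == "aws-ebs-csi-driver" ? aws_iam_role.eks_ebs_csi_driver.arn :
        try(v.name, k) == "vpc-cni" ? aws_iam_role.eks_cni_driver.arn :
        null
      )
    }
  }
}
```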
@@ -46,13 +69,7 @@ that it's using this module.
 https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/
 */
 
-resource "aws_eks_addon" "csi_driver" {
-  cluster_name = module.eks.cluster_id
-  addon_name = "aws-ebs-csi-driver"
-  addon_version = "v1.11.4-eksbuild.1"
-  service_account_role_arn = aws_iam_role.eks_ebs_csi_driver.arn
-}
-
+# IAM CSI Role
 data "aws_iam_policy_document" "csi" {
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -81,6 +98,37 @@ resource "aws_iam_role_policy_attachment" "amazon_ebs_csi_driver" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
 
+# IAM CNI
+data "aws_iam_policy_document" "cni" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect = "Allow"
+
+    condition {
+      test = "StringEquals"
+      variable = "${replace(module.eks.oidc_provider, "https://", "")}:sub"
+      values = ["system:serviceaccount:kube-system:aws-node"]
+    }
+
+    principals {
+      identifiers = [module.eks.oidc_provider_arn]
+      type = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_cni_driver" {
+  assume_role_policy = data.aws_iam_policy_document.cni.json
+  name = "eks-cni-driver"
+}
+
+resource "aws_iam_role_policy_attachment" "amazon_cni_driver" {
+  role = aws_iam_role.eks_cni_driver.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}
+
+
+
 module "eks" {
   source = "terraform-aws-modules/eks/aws"
 
@@ -124,4 +172,6 @@ module "eks" {
   aws_auth_users = var.aws_auth_users
   aws_auth_accounts = var.aws_auth_accounts
 
+
+  cluster_addons = local.cluster_addons_iam
 }
diff --git a/terraform-modules/aws/eks/variables.tf b/terraform-modules/aws/eks/variables.tf
index 93741382c..57f4e9643 100644
--- a/terraform-modules/aws/eks/variables.tf
+++ b/terraform-modules/aws/eks/variables.tf
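Review bot: The `cni` trust policy conditions only on the token `:sub`; it should also require `${replace(module.eks.oidc_provider, "https://", "")}:aud` to equal `sts.amazonaws.com`, so that a projected token issued to the same service account for a different audience cannot be exchanged for this role. The hard-coded `name = "eks-cni-driver"` on `aws_iam_role.eks_cni_driver` also means two instances of this module in one account collide on the role name; `name_prefix` or a name derived from the cluster avoids that. The three blank lines added before `module "eks"` look unintentional. The added condition block is below; the `csi` policy document's own condition is outside this hunk and likely has the same audience gap.
```hcl
data "aws_iam_policy_document" "cni" {
  statement {
    # … unchanged: actions, effect, :sub condition …

    # Restrict the accepted audience so only tokens minted for STS can assume the role.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.oidc_provider, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # … unchanged: principals …
  }
}
```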
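Review bot: `cluster_addons = local.cluster_addons_iam` together with `var.cluster_addons` defaulting to `{}` turns the EBS CSI addon, which the deleted `aws_eks_addon.csi_driver` installed unconditionally at `v1.11.4-eksbuild.1`, into an opt-in that existing callers lose on upgrade unless they now pass an `aws-ebs-csi-driver` entry, while `aws_iam_role.eks_ebs_csi_driver` is still created regardless. Even callers who do pass that entry should expect a plan that destroys `aws_eks_addon.csi_driver` and creates the addon under the eks module's own resource address, since the state address changes; a `moved` block from `aws_eks_addon.csi_driver` to the module's addon resource (address to be taken from the pinned terraform-aws-modules/eks version, which is not visible here) would keep the addon from being removed from the cluster during apply. This behaviour change deserves a line in the variable description or the module's changelog.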
@@ -243,4 +243,13 @@ variable "cluster_kms_enable_rotation" {
   type = bool
   default = true
   description = "(Optional) Specifies whether key rotation is enabled. Defaults to true."
+}
+
+################################################################################
+# EKS Addons
+################################################################################
+variable "cluster_addons" {
+  description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
+  type = any
+  default = {}
 }
\ No newline at end of file
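Review bot: `type = any` on `cluster_addons` gives callers no validation and no documentation of the attributes that `local.cluster_addons_iam` in main.tf actually reads (`name`, `addon_version`, `resolve_conflicts_on_create`, `resolve_conflicts_on_update`, `preserve`, `timeouts`); a `map(object({...}))` with `optional()` attributes declares the contract, rejects typos at plan time and makes omitted attributes `null` instead of an evaluation error. `optional()` needs Terraform 1.3 or later and the module's `required_version` is outside this patch, so if an older version is pinned the fallback is to at least enumerate these attribute names in the description. The file also still ends without a trailing newline (`\ No newline at end of file`). Typed declaration below; the shape of `timeouts` should be confirmed against the pinned eks module's input.
```hcl
variable "cluster_addons" {
  description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
  # optional() requires Terraform >= 1.3; keep `any` if the module pins an older release.
  type = map(object({
    name                        = optional(string)
    addon_version               = optional(string)
    resolve_conflicts_on_create = optional(string)
    resolve_conflicts_on_update = optional(string)
    preserve                    = optional(bool)
    timeouts                    = optional(map(string)) # create/update/delete — confirm expected shape
  }))
  default = {}
}
```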