diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md
index 8354a03..5183905 100644
--- a/modules/eks-cluster/README.md
+++ b/modules/eks-cluster/README.md
@@ -26,7 +26,7 @@ This module creates following resources.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.24.0 |
+| [aws](#provider\_aws) | 5.25.0 |
## Modules
@@ -34,8 +34,7 @@ This module creates following resources.
|------|--------|---------|
| [oidc\_provider](#module\_oidc\_provider) | tedilabs/account/aws//modules/iam-oidc-identity-provider | ~> 0.27.0 |
| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-| [role\_\_control\_plane](#module\_role\_\_control\_plane) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
-| [role\_\_fargate\_profile](#module\_role\_\_fargate\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
+| [role](#module\_role) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
| [role\_\_node](#module\_role\_\_node) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
| [security\_group\_\_control\_plane](#module\_security\_group\_\_control\_plane) | tedilabs/network/aws//modules/security-group | 0.24.0 |
| [security\_group\_\_node](#module\_security\_group\_\_node) | tedilabs/network/aws//modules/security-group | 0.24.0 |
@@ -58,6 +57,9 @@ This module creates following resources.
|------|-------------|------|---------|:--------:|
| [name](#input\_name) | (Required) Name of the EKS cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores. | `string` | n/a | yes |
| [subnet\_ids](#input\_subnet\_ids) | (Required) A list of subnets to creates cross-account elastic network interfaces to allow communication between your worker nodes and the Kubernetes control plane. Must be in at least two different availability zones. | `list(string)` | n/a | yes |
+| [cluster\_role](#input\_cluster\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role for the EKS cluster role. Only required if `default_cluster_role.enabled` is `false`. | `string` | `null` | no |
+| [default\_cluster\_role](#input\_default\_cluster\_role) | (Optional) A configuration for the default IAM role for EKS cluster. Use `cluster_role` if `default_cluster_role.enabled` is `false`. `default_cluster_role` as defined below.
(Optional) `enabled` - Whether to create the default cluster role. Defaults to `true`.
(Optional) `name` - The name of the default cluster role. Defaults to `eks-${var.name}-cluster`.
(Optional) `path` - The path of the default cluster role. Defaults to `/`.
(Optional) `description` - The description of the default cluster role.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default cluster role. `AmazonEKSClusterPolicy` is always attached. Defaults to `[]`.
(Optional) `inline_policies` - A Map of inline IAM policies to attach to the default cluster role. (`name` => `policy`). |
object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")
policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
| `{}` | no |
+| [default\_node\_role](#input\_default\_node\_role) | (Optional) A configuration for the default IAM role for EKS nodes. `default_node_role` as defined below.
(Optional) `enabled` - Whether to create the default node role. Defaults to `false`.
(Optional) `name` - The name of the default node role. Defaults to `eks-${var.name}-node`.
(Optional) `path` - The path of the default node role. Defaults to `/`.
(Optional) `description` - The description of the default node role.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default node role. `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, `AmazonEC2ContainerRegistryReadOnly` are always attached. Defaults to `[]`.
(Optional) `inline_policies` - A Map of inline IAM policies to attach to the default node role. (`name` => `policy`). | object({
enabled = optional(bool, false)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")
policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
| `{}` | no |
| [endpoint\_private\_access](#input\_endpoint\_private\_access) | (Optional) Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `true` | no |
| [endpoint\_private\_access\_cidrs](#input\_endpoint\_private\_access\_cidrs) | (Optional) A list of allowed CIDR to communicate to the Amazon EKS private API server endpoint. | `list(string)` | `[]` | no |
| [endpoint\_private\_access\_source\_security\_group\_ids](#input\_endpoint\_private\_access\_source\_security\_group\_ids) | (Optional) A list of allowed source security group to communicate to the Amazon EKS private API server endpoint. | `list(string)` | `[]` | no |
@@ -83,8 +85,10 @@ This module creates following resources.
|------|-------------|
| [arn](#output\_arn) | The ARN of the cluster. |
| [ca\_cert](#output\_ca\_cert) | The base64 encoded certificate data required to communicate with your cluster. Add this to the `certificate-authority-data` section of the `kubeconfig` file for your cluster. |
+| [cluster\_role](#output\_cluster\_role) | The IAM Role for the EKS cluster. |
+| [default\_cluster\_role](#output\_default\_cluster\_role) | The default IAM Role for the EKS cluster. |
+| [default\_node\_role](#output\_default\_node\_role) | The default IAM Role for the EKS node. |
| [endpoint](#output\_endpoint) | The endpoint for the Kubernetes API server. |
-| [iam\_roles](#output\_iam\_roles) | IAM Roles for the EKS cluster. |
| [irsa\_oidc\_provider](#output\_irsa\_oidc\_provider) | The configurations of the OIDC provider for IRSA (IAM Roles for Service Accounts).
`arn` - The ARN assigned by AWS for this provider.
`url` - The URL of the identity provider.
`urn` - The URN of the identity provider.
`audiences` - A list of audiences (also known as client IDs) for the IAM OIDC provider. |
| [kubernetes\_network\_config](#output\_kubernetes\_network\_config) | The configurations of Kubernetes network.
`service_ipv4_cidr` - The CIDR block which is assigned to Kubernetes service IP addresses.
`ip_family` - The IP family used to assign Kubernetes pod and service addresses. |
| [logging](#output\_logging) | The configurations of the control plane logging. |
diff --git a/modules/eks-cluster/eks-control-plane.tf b/modules/eks-cluster/eks-control-plane.tf
index 3fee62d..8c60dd2 100644
--- a/modules/eks-cluster/eks-control-plane.tf
+++ b/modules/eks-cluster/eks-control-plane.tf
@@ -22,9 +22,12 @@ locals {
# TODO:
# - `outpost_config`
resource "aws_eks_cluster" "this" {
- name = var.name
- version = var.kubernetes_version
- role_arn = module.role__control_plane.arn
+ name = var.name
+ version = var.kubernetes_version
+ role_arn = (var.default_cluster_role.enabled
+ ? module.role[0].arn
+ : var.cluster_role
+ )
enabled_cluster_log_types = var.log_types
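Review bot: With `default_cluster_role.enabled = false` and `cluster_role` left at its documented `null` default, the conditional on the `role_arn` line evaluates to `null`, and the error only surfaces from the EKS API at apply time instead of at plan. A `precondition` on `aws_eks_cluster.this` rejects that combination during plan with a readable message; if the resource already carries a `lifecycle` block outside the hunk, add the precondition to it rather than a second block. The resource body continues past the hunk.
```hcl
  # … unchanged: name, version, role_arn, enabled_cluster_log_types, vpc_config …
  lifecycle {
    precondition {
      condition     = var.default_cluster_role.enabled || var.cluster_role != null
      error_message = "cluster_role must be set when default_cluster_role.enabled is false."
    }
  }
```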
@@ -68,7 +71,6 @@ resource "aws_eks_cluster" "this" {
)
depends_on = [
- module.role__control_plane,
aws_cloudwatch_log_group.this,
]
}
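Review bot: Removing `module.role__control_plane` from `depends_on` narrows the ordering from the whole role module to whatever the `arn` output of `module.role[0]` depends on; unless that output already waits on the module's policy attachments (not visible here), the cluster can be created before `AmazonEKSClusterPolicy` is attached, which the EKS API rejects. Re-adding the module keeps the previous guarantee and is valid for a counted module: `depends_on = [module.role, aws_cloudwatch_log_group.this]`. The enclosing resource starts outside the hunk.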
diff --git a/modules/eks-cluster/iam.tf b/modules/eks-cluster/iam.tf
index 5ee6d7e..9469b7c 100644
--- a/modules/eks-cluster/iam.tf
+++ b/modules/eks-cluster/iam.tf
@@ -2,13 +2,18 @@
# IAM Role for Control Plane
###################################################
-module "role__control_plane" {
+module "role" {
+ count = var.default_cluster_role.enabled ? 1 : 0
+
source = "tedilabs/account/aws//modules/iam-role"
version = "~> 0.28.0"
- name = "eks-${local.metadata.name}-control-plane"
- path = "/"
- description = "Role for the EKS cluster(${local.metadata.name}) control plane"
+ name = coalesce(
+ var.default_cluster_role.name,
+ "eks-${local.metadata.name}-cluster",
+ )
+ path = var.default_cluster_role.path
+ description = var.default_cluster_role.description
trusted_service_policies = [
{
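Review bot: `module "role"` is a generic name sitting next to `module "role__node"` in the same file, and the migrations.tf `moved` block in this commit already pins the address `module.role[0]`, so renaming it later to the consistent `role__cluster` would cost a second migration. If the naming is deliberate, a one-line comment above the block (`# Default IAM role for the EKS cluster (control plane); disabled when var.cluster_role is supplied`) would save the next reader the lookup. The module body continues past the hunk.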
@@ -16,10 +21,11 @@ module "role__control_plane" {
}
]
- policies = [
- "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
- "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
- ]
+ policies = concat(
+ ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"],
+ var.default_cluster_role.policies,
+ )
+ inline_policies = var.default_cluster_role.inline_policies
force_detach_policies = true
resource_group_enabled = false
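Review bot: `AmazonEKSVPCResourceController` is no longer in the base list on the `concat` line, and with `force_detach_policies = true` it will be detached from the existing control-plane role on the first apply after migration, which affects clusters that rely on security groups for pods; if the drop is intentional it belongs in the migration note, otherwise keep it next to `AmazonEKSClusterPolicy`. Separately, `concat` lets a caller repeat a base ARN through `default_cluster_role.policies`, which can produce a duplicate attachment depending on how the iam-role module iterates the list; `policies = distinct(concat([...], var.default_cluster_role.policies))` avoids that. The same two points apply to the node role below in this file and to the pod execution role in modules/eks-fargate-profile/iam.tf.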
@@ -37,12 +43,17 @@ module "role__control_plane" {
###################################################
module "role__node" {
+ count = var.default_node_role.enabled ? 1 : 0
+
source = "tedilabs/account/aws//modules/iam-role"
version = "~> 0.28.0"
- name = "eks-${local.metadata.name}-node"
- path = "/"
- description = "Role for the EKS cluster(${local.metadata.name}) nodes"
+ name = coalesce(
+ var.default_node_role.name,
+ "eks-${local.metadata.name}-node",
+ )
+ path = var.default_node_role.path
+ description = var.default_node_role.description
trusted_service_policies = [
{
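Review bot: `count = var.default_node_role.enabled ? 1 : 0` combined with the `enabled = optional(bool, false)` default documented for `default_node_role` means existing callers that never set this variable get `count = 0` after upgrading, and the `moved` block in migrations.tf (`module.role__node` → `module.role__node[0]`) cannot preserve a resource whose new address has no instance — the role and its instance profile are planned for destruction while node groups may still reference them. Either default `enabled` to `true` to match `default_cluster_role`, or state the required opt-in explicitly in the migration note for this date. The module body continues past the hunk.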
@@ -50,12 +61,15 @@ module "role__node" {
}
]
- policies = [
- "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
- # TODO: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
- ]
+ policies = concat(
+ [
+ "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+ # TODO: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ ],
+ var.default_node_role.policies,
+ )
+ inline_policies = var.default_node_role.inline_policies
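Review bot: The base list on the `concat` line drops `AmazonEKS_CNI_Policy`, but the README updated in this same commit (modules/eks-cluster/README.md, `default_node_role.policies`) still states that `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, `AmazonEC2ContainerRegistryReadOnly` are always attached, so one of the two is wrong. If the intent behind the TODO link is to grant the CNI permissions through IRSA instead, update the README sentence to list only the two remaining policies and note that nodes lack CNI permissions until that IRSA role exists; otherwise restore the ARN in the base list.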
instance_profile = {
enabled = true
@@ -70,34 +84,3 @@ module "role__node" {
var.tags,
)
}
-
-
-###################################################
-# IAM Role for Fargate Profiles
-###################################################
-
-module "role__fargate_profile" {
- source = "tedilabs/account/aws//modules/iam-role"
- version = "~> 0.28.0"
-
- name = "eks-${local.metadata.name}-fargate-profile"
- path = "/"
- description = "Role for the EKS cluster(${local.metadata.name}) Fargate profiles"
-
- trusted_service_policies = [
- {
- services = ["eks-fargate-pods.amazonaws.com"]
- }
- ]
-
- policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
-
- force_detach_policies = true
- resource_group_enabled = false
- module_tags_enabled = false
-
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/eks-cluster/migrations.tf b/modules/eks-cluster/migrations.tf
index ae77ead..4522e33 100644
--- a/modules/eks-cluster/migrations.tf
+++ b/modules/eks-cluster/migrations.tf
@@ -1,4 +1,16 @@
-# 2023-11-10
+# 2023-11-10: Add variable to decide whether to create IAM role for EKS node
+moved {
+ from = module.role__node
+ to = module.role__node[0]
+}
+
+# 2023-11-10: Add variable to decide whether to create IAM role for EKS cluster
+moved {
+ from = module.role__control_plane
+ to = module.role[0]
+}
+
+# 2023-11-10: Migrate OIDC provider from resource to module
moved {
from = aws_iam_openid_connect_provider.this
to = module.oidc_provider.aws_iam_openid_connect_provider.this
diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf
index daa4218..716b4c6 100644
--- a/modules/eks-cluster/outputs.tf
+++ b/modules/eks-cluster/outputs.tf
@@ -75,13 +75,19 @@ output "security_group_ids" {
}
}
-output "iam_roles" {
- description = "IAM Roles for the EKS cluster."
- value = {
- control_plane = module.role__control_plane
- node = module.role__node
- fargate_profile = module.role__fargate_profile
- }
+output "cluster_role" {
+ description = "The IAM Role for the EKS cluster."
+ value = aws_eks_cluster.this.role_arn
+}
+
+output "default_cluster_role" {
+ description = "The default IAM Role for the EKS cluster."
+ value = one(module.role)
+}
+
+output "default_node_role" {
+ description = "The default IAM Role for the EKS node."
+ value = one(module.role__node)
}
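Review bot: `output "cluster_role"` returns `aws_eks_cluster.this.role_arn`, a plain ARN string, while its description says "The IAM Role for the EKS cluster." and the sibling outputs `default_cluster_role`/`default_node_role` return whole module objects via `one()`, which evaluate to `null` when the role is disabled. Make the descriptions say what is returned: `description = "The ARN of the IAM Role used by the EKS cluster."` for the first, and append "`null` if the default role is not created." to the other two. Callers of the removed `iam_roles` output also lose its `fargate_profile` member with no replacement in this module; if that is intended, the README should say where the Fargate role now lives.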
output "irsa_oidc_provider" {
diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf
index ea9baff..d6703a8 100644
--- a/modules/eks-cluster/variables.tf
+++ b/modules/eks-cluster/variables.tf
@@ -76,6 +76,61 @@ variable "endpoint_private_access_source_security_group_ids" {
nullable = false
}
+variable "default_cluster_role" {
+ description = < `policy`).
+ EOF
+ type = object({
+ enabled = optional(bool, true)
+ name = optional(string)
+ path = optional(string, "/")
+ description = optional(string, "Managed by Terraform.")
+
+ policies = optional(list(string), [])
+ inline_policies = optional(map(string), {})
+ })
+ default = {}
+ nullable = false
+}
+
+variable "cluster_role" {
+ description = < `policy`).
+ EOF
+ type = object({
+ enabled = optional(bool, false)
+ name = optional(string)
+ path = optional(string, "/")
+ description = optional(string, "Managed by Terraform.")
+
+ policies = optional(list(string), [])
+ inline_policies = optional(map(string), {})
+ })
+ default = {}
+ nullable = false
+}
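Review bot: As rendered here, the second block is declared as `variable "cluster_role"` with the same object type as `default_cluster_role` (only the `enabled` default differs), whereas the README and eks-control-plane.tf in this commit treat `cluster_role` as a nullable `string` ARN and describe that object shape as `default_node_role`; the heredoc descriptions are also truncated to `< `policy`).`. This looks like an extraction artifact of the `<<EOF` heredocs rather than the committed text, but it is worth confirming that `cluster_role` is `type = string` with `default = null` and that a `default_node_role` object variable exists, since iam.tf reads `var.default_node_role.enabled` and `var.default_node_role.policies`.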
+
variable "log_types" {
description = "(Optional) A set of the desired control plane logging to enable."
type = set(string)
diff --git a/modules/eks-fargate-profile/README.md b/modules/eks-fargate-profile/README.md
index a8c0608..c50ddb1 100644
--- a/modules/eks-fargate-profile/README.md
+++ b/modules/eks-fargate-profile/README.md
@@ -42,7 +42,7 @@ This module creates following resources.
| [cluster\_name](#input\_cluster\_name) | (Required) The name of the Amazon EKS cluster to apply the Fargate profile to. | `string` | n/a | yes |
| [name](#input\_name) | (Required) The name of Fargate Profile. | `string` | n/a | yes |
| [subnets](#input\_subnets) | (Required) The IDs of subnets to launch your pods into. At this time, pods running on Fargate are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted | `list(string)` | n/a | yes |
-| [default\_pod\_execution\_role](#input\_default\_pod\_execution\_role) | (Optional) A configuration for the default pod execution role to use for pods that match the selectors in the Fargate profile. Only one of `default_pod_execution_role.role` or `pod_execution_role` can be specified. `default_pod_execution_role` as defined below.
(Optional) `enabled` - Whether to create the default pod execution role. Defaults to `true`.
(Optional) `name` - The name of the default pod execution role. Defaults to `eks-${var.cluster_name}-fargate-profile-${var.name}`.
(Optional) `path` - The path of the default pod execution role. Defaults to `/`.
(Optional) `description` - The description of the default pod execution role. | object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")
})
| `{}` | no |
+| [default\_pod\_execution\_role](#input\_default\_pod\_execution\_role) | (Optional) A configuration for the default pod execution role to use for pods that match the selectors in the Fargate profile. Use `pod_execution_role` if `default_pod_execution_role.enabled` is `false`. `default_pod_execution_role` as defined below.
(Optional) `enabled` - Whether to create the default pod execution role. Defaults to `true`.
(Optional) `name` - The name of the default pod execution role. Defaults to `eks-${var.cluster_name}-fargate-profile-${var.name}`.
(Optional) `path` - The path of the default pod execution role. Defaults to `/`.
(Optional) `description` - The description of the default pod execution role.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default pod execution role. `AmazonEKSFargatePodExecutionRolePolicy` is always attached. Defaults to `[]`.
(Optional) `inline_policies` - A Map of inline IAM policies to attach to the default pod execution role. (`name` => `policy`). | object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")
policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
| `{}` | no |
| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
| [pod\_execution\_role](#input\_pod\_execution\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the EKS Fargate Profile. Only required if `default_pod_execution_role.enabled` is `false`. | `string` | `null` | no |
| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
diff --git a/modules/eks-fargate-profile/iam.tf b/modules/eks-fargate-profile/iam.tf
index 0396424..4cbded8 100644
--- a/modules/eks-fargate-profile/iam.tf
+++ b/modules/eks-fargate-profile/iam.tf
@@ -21,7 +21,11 @@ module "role" {
}
]
- policies = ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
+ policies = concat(
+ ["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"],
+ var.default_pod_execution_role.policies,
+ )
+ inline_policies = var.default_pod_execution_role.inline_policies
force_detach_policies = true
resource_group_enabled = false
diff --git a/modules/eks-fargate-profile/variables.tf b/modules/eks-fargate-profile/variables.tf
index 5e070eb..3d58c1b 100644
--- a/modules/eks-fargate-profile/variables.tf
+++ b/modules/eks-fargate-profile/variables.tf
@@ -18,17 +18,22 @@ variable "subnets" {
variable "default_pod_execution_role" {
description = < `policy`).
EOF
type = object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")
+
+ policies = optional(list(string), [])
+ inline_policies = optional(map(string), {})
})
default = {}
nullable = false