Amazon EKS Blueprints Addon Terraform module

Terraform module which provisions an addon (Helm release) and an IAM role for service accounts (IRSA).

Usage

Create Addon (Helm Release) w/ IAM Role for Service Account (IRSA)

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  chart            = "karpenter"
  chart_version    = "0.16.2"
  repository       = "https://charts.karpenter.sh/"
  description      = "Kubernetes Node Autoscaling: built for flexibility, performance, and simplicity"
  namespace        = "karpenter"
  create_namespace = true

  set = [
    {
      name  = "clusterName"
      value = "eks-blueprints-addon-example"
    },
    {
      name  = "clusterEndpoint"
      value = "https://EXAMPLED539D4633E53DE1B71EXAMPLE.gr7.us-west-2.eks.amazonaws.com"
    },
    {
      name  = "aws.defaultInstanceProfile"
      value = "arn:aws:iam::111111111111:instance-profile/KarpenterNodeInstanceProfile-complete"
    }
  ]

  set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
  # Equivalent to the following, but the ARN is only known internally to the module
  # set = [{
  #   name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
  #   value = iam_role_arn.this[0].arn
  # }]

  # IAM role for service account (IRSA)
  create_role = true
  role_name   = "karpenter-controller"
  role_policies = {
    karpenter = "arn:aws:iam::111111111111:policy/Karpenter_Controller_Policy-20221008165117447500000007"
  }

  oidc_providers = {
    this = {
      provider_arn = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      # namespace is inherited from chart
      service_account = "karpenter"
    }
  }

  tags = {
    Environment = "dev"
  }
}
```

Create Addon (Helm Release) Only

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  chart         = "metrics-server"
  chart_version = "3.8.2"
  repository    = "https://kubernetes-sigs.github.io/metrics-server/"
  description   = "Metric server helm Chart deployment configuration"
  namespace     = "kube-system"

  values = [
    <<-EOT
      podDisruptionBudget:
        maxUnavailable: 1
      metrics:
        enabled: true
    EOT
  ]

  set = [
    {
      name  = "replicas"
      value = 3
    }
  ]
}
```

Create IAM Role for Service Account (IRSA) Only

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  # Disable helm release
  create_release = false

  # IAM role for service account (IRSA)
  create_role   = true
  create_policy = false
  role_name     = "aws-vpc-cni-ipv4"
  role_policies = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

  oidc_providers = {
    this = {
      provider_arn    = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      namespace       = "kube-system"
      service_account = "aws-node"
    }
  }

  tags = {
    Environment = "dev"
  }
}
```
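The `oidc_providers` input in this example and in the Karpenter example above is what the module turns into the IRSA role's trust policy: a federated trust on the cluster's OIDC provider, conditioned on the token's `sub` claim naming one namespace and service account. The following check is an added illustration, not the module's own code: it builds a constructed trust policy document in that shape and verifies the federated principal, the exact `sub` binding, the `aud` value, and that the operator is the exact-match `StringEquals` that the module's `assume_role_condition_test` input defaults to. The issuer host, account id and function names are assumptions.

```python
import json

# Constructed sample values (not output from the module); the issuer host
# matches the provider_arn form used in the README's oidc_providers input.
OIDC_ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OIDC_PROVIDER_ARN = f"arn:aws:iam::111111111111:oidc-provider/{OIDC_ISSUER}"

def make_trust_policy(sub, operator="StringEquals"):
    """Build a trust policy JSON string in the shape IRSA roles carry (constructed)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {operator: {f"{OIDC_ISSUER}:sub": sub,
                                     f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}},
        }],
    })

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_irsa_trust(policy_json, provider_arn, namespace, service_account):
    """Return findings; an empty list means the trust policy binds the role
    exactly to the expected OIDC provider, namespace and service account."""
    issuer = provider_arn.split("oidc-provider/", 1)[1]
    sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            findings.append("federated principal is not the expected OIDC provider")
        cond = stmt.get("Condition", {})
        eq = cond.get("StringEquals", {})
        # StringLike allows wildcards, so "system:serviceaccount:ns:*" would
        # let every pod in the namespace assume the role; require StringEquals.
        if sub_key in cond.get("StringLike", {}):
            findings.append("sub condition uses StringLike instead of StringEquals")
        if _as_list(eq.get(sub_key)) != [expected_sub]:
            findings.append(f"sub condition is not exactly {expected_sub}")
        if _as_list(eq.get(aud_key)) != ["sts.amazonaws.com"]:
            findings.append("aud condition is not exactly sts.amazonaws.com")
    return findings

WELL_SCOPED = make_trust_policy("system:serviceaccount:kube-system:aws-node")
OVER_BROAD = make_trust_policy("system:serviceaccount:kube-system:*", "StringLike")
```

Pointing `check_irsa_trust` at the trust policy of a role the module created (for example via `aws iam get-role`) shows whether the `namespace` and `service_account` you configured are the only identity that can assume it.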

Support & Feedback

> [!IMPORTANT]
> EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service and support is provided as a best-effort by the EKS Blueprints community. To provide feedback, please use the issues templates provided. If you are interested in contributing to EKS Blueprints, see the Contribution guide.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 4.47 |
| <a name="requirement_helm"></a> helm | >= 2.9 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | >= 4.47 |
| <a name="provider_helm"></a> helm | >= 2.9 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.additional | resource |
| aws_iam_role_policy_attachment.this | resource |
| helm_release.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_allow_self_assume_role"></a> allow_self_assume_role | Determines whether to allow the role to assume itself | `bool` | `false` | no |
| <a name="input_assume_role_condition_test"></a> assume_role_condition_test | Name of the IAM condition operator to evaluate when assuming the role | `string` | `"StringEquals"` | no |
| <a name="input_atomic"></a> atomic | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to false | `bool` | `null` | no |
| <a name="input_chart"></a> chart | Chart name to be installed. The chart name can be a local path, a URL to a chart, or the name of the chart if repository is specified | `string` | `""` | no |
| <a name="input_chart_version"></a> chart_version | Specify the exact chart version to install. If this is not specified, the latest version is installed | `string` | `null` | no |
| <a name="input_cleanup_on_fail"></a> cleanup_on_fail | Allow deletion of new resources created in this upgrade when upgrade fails. Defaults to false | `bool` | `null` | no |
| <a name="input_create"></a> create | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
| <a name="input_create_namespace"></a> create_namespace | Create the namespace if it does not yet exist. Defaults to false | `bool` | `null` | no |
| <a name="input_create_policy"></a> create_policy | Whether to create an IAM policy that is attached to the IAM role created | `bool` | `true` | no |
| <a name="input_create_release"></a> create_release | Determines whether the Helm release is created | `bool` | `true` | no |
| <a name="input_create_role"></a> create_role | Determines whether to create an IAM role | `bool` | `false` | no |
| <a name="input_dependency_update"></a> dependency_update | Runs helm dependency update before installing the chart. Defaults to false | `bool` | `null` | no |
| <a name="input_description"></a> description | Set release description attribute (visible in the history) | `string` | `null` | no |
| <a name="input_devel"></a> devel | Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | `bool` | `null` | no |
| <a name="input_disable_openapi_validation"></a> disable_openapi_validation | If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to false | `bool` | `null` | no |
| <a name="input_disable_webhooks"></a> disable_webhooks | Prevent hooks from running. Defaults to false | `bool` | `null` | no |
| <a name="input_force_update"></a> force_update | Force resource update through delete/recreate if needed. Defaults to false | `bool` | `null` | no |
| <a name="input_keyring"></a> keyring | Location of public keys used for verification. Used only if verify is true. Defaults to /.gnupg/pubring.gpg in the location set by home | `string` | `null` | no |
| <a name="input_lint"></a> lint | Run the helm chart linter during the plan. Defaults to false | `bool` | `null` | no |
| <a name="input_max_history"></a> max_history | Maximum number of release versions stored per release. Defaults to 0 (no limit) | `number` | `null` | no |
| <a name="input_max_session_duration"></a> max_session_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| <a name="input_name"></a> name | Name of the Helm release | `string` | `""` | no |
| <a name="input_namespace"></a> namespace | The namespace to install the release into. Defaults to default | `string` | `null` | no |
| <a name="input_oidc_providers"></a> oidc_providers | Map of OIDC providers where each provider map should contain the provider_arn and service_accounts | `any` | `{}` | no |
| <a name="input_override_policy_documents"></a> override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid | `list(string)` | `[]` | no |
| <a name="input_policy_description"></a> policy_description | IAM policy description | `string` | `null` | no |
| <a name="input_policy_name"></a> policy_name | Name of IAM policy | `string` | `null` | no |
| <a name="input_policy_name_use_prefix"></a> policy_name_use_prefix | Determines whether the IAM policy name (policy_name) is used as a prefix | `bool` | `true` | no |
| <a name="input_policy_path"></a> policy_path | Path of IAM policy | `string` | `null` | no |
| <a name="input_policy_statements"></a> policy_statements | List of IAM policy statements | `any` | `[]` | no |
| <a name="input_postrender"></a> postrender | Configure a command to run after helm renders the manifest which can alter the manifest contents | `any` | `{}` | no |
| <a name="input_recreate_pods"></a> recreate_pods | Perform pods restart during upgrade/rollback. Defaults to false | `bool` | `null` | no |
| <a name="input_render_subchart_notes"></a> render_subchart_notes | If set, render subchart notes along with the parent. Defaults to true | `bool` | `null` | no |
| <a name="input_replace"></a> replace | Re-use the given name, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to false | `bool` | `null` | no |
| <a name="input_repository"></a> repository | Repository URL where to locate the requested chart | `string` | `null` | no |
| <a name="input_repository_ca_file"></a> repository_ca_file | The repository's CA file | `string` | `null` | no |
| <a name="input_repository_cert_file"></a> repository_cert_file | The repository's cert file | `string` | `null` | no |
| <a name="input_repository_key_file"></a> repository_key_file | The repository's cert key file | `string` | `null` | no |
| <a name="input_repository_password"></a> repository_password | Password for HTTP basic authentication against the repository | `string` | `null` | no |
| <a name="input_repository_username"></a> repository_username | Username for HTTP basic authentication against the repository | `string` | `null` | no |
| <a name="input_reset_values"></a> reset_values | When upgrading, reset the values to the ones built into the chart. Defaults to false | `bool` | `null` | no |
| <a name="input_reuse_values"></a> reuse_values | When upgrading, reuse the last release's values and merge in any overrides. If reset_values is specified, this is ignored. Defaults to false | `bool` | `null` | no |
| <a name="input_role_description"></a> role_description | IAM Role description | `string` | `null` | no |
| <a name="input_role_name"></a> role_name | Name of IAM role | `string` | `null` | no |
| <a name="input_role_name_use_prefix"></a> role_name_use_prefix | Determines whether the IAM role name (role_name) is used as a prefix | `bool` | `true` | no |
| <a name="input_role_path"></a> role_path | Path of IAM role | `string` | `"/"` | no |
| <a name="input_role_permissions_boundary_arn"></a> role_permissions_boundary_arn | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| <a name="input_role_policies"></a> role_policies | Policies to attach to the IAM role in {'static_name' = 'policy_arn'} format | `map(string)` | `{}` | no |
| <a name="input_set"></a> set | Value block with custom values to be merged with the values yaml | `any` | `[]` | no |
| <a name="input_set_irsa_names"></a> set_irsa_names | Names of the set values (annotation keys) to which the module assigns the ARN of the IRSA role it creates | `list(string)` | `[]` | no |
| <a name="input_set_sensitive"></a> set_sensitive | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | `any` | `[]` | no |
| <a name="input_skip_crds"></a> skip_crds | If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to false | `bool` | `null` | no |
| <a name="input_source_policy_documents"></a> source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids | `list(string)` | `[]` | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_timeout"></a> timeout | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to 300 seconds | `number` | `null` | no |
| <a name="input_values"></a> values | List of values in raw yaml to pass to helm. Values will be merged, in order, as Helm does with multiple -f options | `list(string)` | `null` | no |
| <a name="input_verify"></a> verify | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. For more information see the Helm Documentation. Defaults to false | `bool` | `null` | no |
| <a name="input_wait"></a> wait | Will wait until all resources are in a ready state before marking the release as successful. If set to true, it will wait for as long as timeout. If set to null, falls back on a 300s timeout. Defaults to false | `bool` | `false` | no |
| <a name="input_wait_for_jobs"></a> wait_for_jobs | If wait is enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to false | `bool` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_app_version"></a> app_version | The version number of the application being deployed |
| <a name="output_chart"></a> chart | The name of the chart |
| <a name="output_iam_policy"></a> iam_policy | The policy document |
| <a name="output_iam_policy_arn"></a> iam_policy_arn | The ARN assigned by AWS to this policy |
| <a name="output_iam_role_arn"></a> iam_role_arn | ARN of IAM role |
| <a name="output_iam_role_name"></a> iam_role_name | Name of IAM role |
| <a name="output_iam_role_path"></a> iam_role_path | Path of IAM role |
| <a name="output_iam_role_unique_id"></a> iam_role_unique_id | Unique ID of IAM role |
| <a name="output_name"></a> name | Name is the name of the release |
| <a name="output_namespace"></a> namespace | Name of Kubernetes namespace |
| <a name="output_revision"></a> revision | Version is an int32 which represents the version of the release |
| <a name="output_values"></a> values | The compounded values from values and set* attributes |
| <a name="output_version"></a> version | A SemVer 2 conformant version string of the chart |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

Community

License

Apache-2.0 Licensed. See LICENSE.