Awesome

Amazon EKS Blueprints Addon Terraform module

Terraform module which provisions an addon (Helm release) and an IAM role for service accounts (IRSA).

Usage

Create Addon (Helm Release) w/ IAM Role for Service Account (IRSA)

module "eks_blueprints_addon" {
  source = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" #ensure to update this to the latest/desired version

  chart            = "karpenter"
  chart_version    = "0.16.2"
  repository       = "https://charts.karpenter.sh/"
  description      = "Kubernetes Node Autoscaling: built for flexibility, performance, and simplicity"
  namespace        = "karpenter"
  create_namespace = true

  set = [
    {
      name  = "clusterName"
      value = "eks-blueprints-addon-example"
    },
    {
      name  = "clusterEndpoint"
      value = "https://EXAMPLED539D4633E53DE1B71EXAMPLE.gr7.us-west-2.eks.amazonaws.com"
    },
    {
      name  = "aws.defaultInstanceProfile"
      value = "arn:aws:iam::111111111111:instance-profile/KarpenterNodeInstanceProfile-complete"
    }
  ]

  set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
  # # Equivalent to the following but the ARN is only known internally to the module
  # set = [{
  #   name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
  #   value = iam_role_arn.this[0].arn
  # }]

  # IAM role for service account (IRSA)
  create_role = true
  role_name   = "karpenter-controller"
  role_policies = {
    karpenter = "arn:aws:iam::111111111111:policy/Karpenter_Controller_Policy-20221008165117447500000007"
  }

  oidc_providers = {
    this = {
      provider_arn = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      # namespace is inherited from chart
      service_account = "karpenter"
    }
  }

  tags = {
    Environment = "dev"
  }
}

Create Addon (Helm Release) Only

module "eks_blueprints_addon" {
  source = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" #ensure to update this to the latest/desired version

  chart         = "metrics-server"
  chart_version = "3.8.2"
  repository    = "https://kubernetes-sigs.github.io/metrics-server/"
  description   = "Metric server helm Chart deployment configuration"
  namespace     = "kube-system"

  values = [
    <<-EOT
      podDisruptionBudget:
        maxUnavailable: 1
      metrics:
        enabled: true
    EOT
  ]

  set = [
    {
      name  = "replicas"
      value = 3
    }
  ]
}

Create IAM Role for Service Account (IRSA) Only

module "eks_blueprints_addon" {
  source = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" #ensure to update this to the latest/desired version

  # Disable helm release
  create_release = false

  # IAM role for service account (IRSA)
  create_role = true
  create_policy = false
  role_name   = "aws-vpc-cni-ipv4"
  role_policies = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

  oidc_providers = {
    this = {
      provider_arn    = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      namespace       = "kube-system"
      service_account = "aws-node"
    }
  }

  tags = {
    Environment = "dev"
  }
}

Support & Feedback

[!IMPORTANT] EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service and support is provided as a best-effort by the EKS Blueprints community. To provide feedback, please use the issues templates provided. If you are interested in contributing to EKS Blueprints, see the Contribution guide.

Requirements

Name	Version
<a name="requirement_terraform"></a> terraform	>= 1.0
<a name="requirement_aws"></a> aws	>= 4.47
<a name="requirement_helm"></a> helm	>= 2.9

Providers

Name	Version
<a name="provider_aws"></a> aws	>= 4.47
<a name="provider_helm"></a> helm	>= 2.9

Modules

No modules.

Resources

Name	Type
aws_iam_policy.this	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.additional	resource
aws_iam_role_policy_attachment.this	resource
helm_release.this	resource
aws_caller_identity.current	data source
aws_iam_policy_document.assume	data source
aws_iam_policy_document.this	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
<a name="input_allow_self_assume_role"></a> allow_self_assume_role	Determines whether to allow the role to be assume itself	`bool`	`false`	no
<a name="input_assume_role_condition_test"></a> assume_role_condition_test	Name of the IAM condition operator to evaluate when assuming the role	`string`	`"StringEquals"`	no
<a name="input_atomic"></a> atomic	If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to `false`	`bool`	`null`	no
<a name="input_chart"></a> chart	Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified	`string`	`""`	no
<a name="input_chart_version"></a> chart_version	Specify the exact chart version to install. If this is not specified, the latest version is installed	`string`	`null`	no
<a name="input_cleanup_on_fail"></a> cleanup_on_fail	Allow deletion of new resources created in this upgrade when upgrade fails. Defaults to `false`	`bool`	`null`	no
<a name="input_create"></a> create	Controls if resources should be created (affects all resources)	`bool`	`true`	no
<a name="input_create_namespace"></a> create_namespace	Create the namespace if it does not yet exist. Defaults to `false`	`bool`	`null`	no
<a name="input_create_policy"></a> create_policy	Whether to create an IAM policy that is attached to the IAM role created	`bool`	`true`	no
<a name="input_create_release"></a> create_release	Determines whether the Helm release is created	`bool`	`true`	no
<a name="input_create_role"></a> create_role	Determines whether to create an IAM role	`bool`	`false`	no
<a name="input_dependency_update"></a> dependency_update	Runs helm dependency update before installing the chart. Defaults to `false`	`bool`	`null`	no
<a name="input_description"></a> description	Set release description attribute (visible in the history)	`string`	`null`	no
<a name="input_devel"></a> devel	Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored	`bool`	`null`	no
<a name="input_disable_openapi_validation"></a> disable_openapi_validation	If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to `false`	`bool`	`null`	no
<a name="input_disable_webhooks"></a> disable_webhooks	Prevent hooks from running. Defaults to `false`	`bool`	`null`	no
<a name="input_force_update"></a> force_update	Force resource update through delete/recreate if needed. Defaults to `false`	`bool`	`null`	no
<a name="input_keyring"></a> keyring	Location of public keys used for verification. Used only if verify is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home`	`string`	`null`	no
<a name="input_lint"></a> lint	Run the helm chart linter during the plan. Defaults to `false`	`bool`	`null`	no
<a name="input_max_history"></a> max_history	Maximum number of release versions stored per release. Defaults to `0` (no limit)	`number`	`null`	no
<a name="input_max_session_duration"></a> max_session_duration	Maximum CLI/API session duration in seconds between 3600 and 43200	`number`	`null`	no
<a name="input_name"></a> name	Name of the Helm release	`string`	`""`	no
<a name="input_namespace"></a> namespace	The namespace to install the release into. Defaults to `default`	`string`	`null`	no
<a name="input_oidc_providers"></a> oidc_providers	Map of OIDC providers where each provider map should contain the `provider_arn`, and `service_accounts`	`any`	`{}`	no
<a name="input_override_policy_documents"></a> override_policy_documents	List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`	`list(string)`	`[]`	no
<a name="input_policy_description"></a> policy_description	IAM policy description	`string`	`null`	no
<a name="input_policy_name"></a> policy_name	Name of IAM policy	`string`	`null`	no
<a name="input_policy_name_use_prefix"></a> policy_name_use_prefix	Determines whether the IAM policy name (`policy_name`) is used as a prefix	`bool`	`true`	no
<a name="input_policy_path"></a> policy_path	Path of IAM policy	`string`	`null`	no
<a name="input_policy_statements"></a> policy_statements	List of IAM policy statements	`any`	`[]`	no
<a name="input_postrender"></a> postrender	Configure a command to run after helm renders the manifest which can alter the manifest contents	`any`	`{}`	no
<a name="input_recreate_pods"></a> recreate_pods	Perform pods restart during upgrade/rollback. Defaults to `false`	`bool`	`null`	no
<a name="input_render_subchart_notes"></a> render_subchart_notes	If set, render subchart notes along with the parent. Defaults to `true`	`bool`	`null`	no
<a name="input_replace"></a> replace	Re-use the given name, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to `false`	`bool`	`null`	no
<a name="input_repository"></a> repository	Repository URL where to locate the requested chart	`string`	`null`	no
<a name="input_repository_ca_file"></a> repository_ca_file	The Repositories CA File	`string`	`null`	no
<a name="input_repository_cert_file"></a> repository_cert_file	The repositories cert file	`string`	`null`	no
<a name="input_repository_key_file"></a> repository_key_file	The repositories cert key file	`string`	`null`	no
<a name="input_repository_password"></a> repository_password	Password for HTTP basic authentication against the repository	`string`	`null`	no
<a name="input_repository_username"></a> repository_username	Username for HTTP basic authentication against the repository	`string`	`null`	no
<a name="input_reset_values"></a> reset_values	When upgrading, reset the values to the ones built into the chart. Defaults to `false`	`bool`	`null`	no
<a name="input_reuse_values"></a> reuse_values	When upgrading, reuse the last release's values and merge in any overrides. If `reset_values` is specified, this is ignored. Defaults to `false`	`bool`	`null`	no
<a name="input_role_description"></a> role_description	IAM Role description	`string`	`null`	no
<a name="input_role_name"></a> role_name	Name of IAM role	`string`	`null`	no
<a name="input_role_name_use_prefix"></a> role_name_use_prefix	Determines whether the IAM role name (`role_name`) is used as a prefix	`bool`	`true`	no
<a name="input_role_path"></a> role_path	Path of IAM role	`string`	`"/"`	no
<a name="input_role_permissions_boundary_arn"></a> role_permissions_boundary_arn	Permissions boundary ARN to use for IAM role	`string`	`null`	no
<a name="input_role_policies"></a> role_policies	Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format	`map(string)`	`{}`	no
<a name="input_set"></a> set	Value block with custom values to be merged with the values yaml	`any`	`[]`	no
<a name="input_set_irsa_names"></a> set_irsa_names	Value annotations name where IRSA role ARN created by module will be assigned to the `value`	`list(string)`	`[]`	no
<a name="input_set_sensitive"></a> set_sensitive	Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff	`any`	`[]`	no
<a name="input_skip_crds"></a> skip_crds	If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to `false`	`bool`	`null`	no
<a name="input_source_policy_documents"></a> source_policy_documents	List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s	`list(string)`	`[]`	no
<a name="input_tags"></a> tags	A map of tags to add to all resources	`map(string)`	`{}`	no
<a name="input_timeout"></a> timeout	Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds	`number`	`null`	no
<a name="input_values"></a> values	List of values in raw yaml to pass to helm. Values will be merged, in order, as Helm does with multiple `-f` options	`list(string)`	`null`	no
<a name="input_verify"></a> verify	Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. For more information see the Helm Documentation. Defaults to `false`	`bool`	`null`	no
<a name="input_wait"></a> wait	Will wait until all resources are in a ready state before marking the release as successful. If set to `true`, it will wait for as long as `timeout`. If set to `null` fallback on `300s` timeout. Defaults to `false`	`bool`	`false`	no
<a name="input_wait_for_jobs"></a> wait_for_jobs	If wait is enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as `timeout`. Defaults to `false`	`bool`	`null`	no

Outputs

Name	Description
<a name="output_app_version"></a> app_version	The version number of the application being deployed
<a name="output_chart"></a> chart	The name of the chart
<a name="output_iam_policy"></a> iam_policy	The policy document
<a name="output_iam_policy_arn"></a> iam_policy_arn	The ARN assigned by AWS to this policy
<a name="output_iam_role_arn"></a> iam_role_arn	ARN of IAM role
<a name="output_iam_role_name"></a> iam_role_name	Name of IAM role
<a name="output_iam_role_path"></a> iam_role_path	Path of IAM role
<a name="output_iam_role_unique_id"></a> iam_role_unique_id	Unique ID of IAM role
<a name="output_name"></a> name	Name is the name of the release
<a name="output_namespace"></a> namespace	Name of Kubernetes namespace
<a name="output_revision"></a> revision	Version is an int32 which represents the version of the release
<a name="output_values"></a> values	The compounded values from `values` and `set*` attributes
<a name="output_version"></a> version	A SemVer 2 conformant version string of the chart

Community

License

Apache-2.0 Licensed. See LICENSE.