aws-blueprints/terraform-aws-eks-blueprints-addon
Amazon EKS Blueprints Addon Terraform module

Terraform module which provisions an addon (Helm release), IAM role for service accounts (IRSA), and EKS Pod Identity.

Usage

Create Addon (Helm Release) w/ EKS Pod Identity

module "eks_blueprints_addon" {
  source = "aws-blueprints/eks-blueprints-addon/aws"

  chart         = "cni-metrics-helper"
  chart_version = "1.20.4"
  repository    = "https://aws.github.io/eks-charts"
  description   = "A Helm chart for CNI metrics helper"
  namespace     = "kube-system"

  values = [
    <<-EOT
      env:
        AWS_CLUSTER_ID: example
      serviceAccount:
        name: cni-metrics-helper
    EOT
  ]

  # IAM role
  role_name   = "cni-metrics-helper"
  policy_statements = {
    CloudWatchWrite = {
      actions = [
        "cloudwatch:PutMetricData"
      ]
      resources = ["*"]
    }
  }

  # EKS Pod Identity
  enable_pod_identity = true
  pod_identity_associations = {
    this = {
      cluster_name = "example"
      # namespace is inherited from chart
      service_account = "cni-metrics-helper"
    }
  }

  tags = {
    Environment = "dev"
  }
}

Create Addon (Helm Release) w/ IAM Role for Service Account (IRSA)

module "eks_blueprints_addon" {
  source = "aws-blueprints/eks-blueprints-addon/aws"

  chart         = "cni-metrics-helper"
  chart_version = "1.20.4"
  repository    = "https://aws.github.io/eks-charts"
  description   = "A Helm chart for CNI metrics helper"
  namespace     = "kube-system"

  # module.eks is assumed to be the EKS cluster module in the same configuration
  values = [
    <<-EOT
      env:
        AWS_CLUSTER_ID: ${module.eks.cluster_name}
      serviceAccount:
        name: cni-metrics-helper
    EOT
  ]

  set = [
    {
      # Set the annotation for IRSA using the role created in this module
      name                  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
      value_is_iam_role_arn = true
    }
  ]

  # IAM role
  role_name   = "cni-metrics-helper"
  policy_statements = {
    CloudWatchWrite = {
      actions = [
        "cloudwatch:PutMetricData"
      ]
      resources = ["*"]
    }
  }

  # Trust policy for IRSA: the Federated principal must be the IAM OIDC provider ARN,
  # not the bare issuer URL (111122223333 is a placeholder account ID)
  irsa_oidc_providers = {
    this = {
      provider_arn    = "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      # namespace is inherited from chart
      # must match serviceAccount.name in the chart values above
      service_account = "cni-metrics-helper"
    }
  }

  tags = {
    Environment = "dev"
  }
}

Create IAM Role for Service Account (IRSA) Only

module "eks_blueprints_addon" {
  source = "aws-blueprints/eks-blueprints-addon/aws"

  # Disable helm release
  create_release = false

  # IAM role for service account (IRSA)
  role_name     = "aws-vpc-cni-ipv4"
  role_policies = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

  # The Federated principal must be the IAM OIDC provider ARN (111122223333 is a placeholder account ID)
  irsa_oidc_providers = {
    this = {
      provider_arn    = "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      namespace       = "kube-system"
      service_account = "aws-node"
    }
  }

  tags = {
    Environment = "dev"
  }
}
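An added example, not taken from the module's README, that tightens the Pod Identity variant above: cloudwatch:PutMetricData only accepts resources = ["*"], so the statement is narrowed with the condition field of policy_statements (see Inputs) to the single CloudWatch namespace the helper writes to, and pod_identity_association_defaults carries the shared settings. The namespace "Kubernetes" and the cluster name "example" are assumptions.

```hcl
module "eks_blueprints_addon" {
  source = "aws-blueprints/eks-blueprints-addon/aws"

  chart         = "cni-metrics-helper"
  chart_version = "1.20.4"
  repository    = "https://aws.github.io/eks-charts"
  namespace     = "kube-system"

  values = [
    <<-EOT
      env:
        AWS_CLUSTER_ID: example
      serviceAccount:
        name: cni-metrics-helper
    EOT
  ]

  # IAM role: PutMetricData is not resource-scopable, so restrict it with the
  # cloudwatch:namespace condition key instead. "Kubernetes" is assumed to be
  # the namespace the helper publishes to; adjust if yours differs.
  role_name = "cni-metrics-helper"
  policy_statements = {
    CloudWatchWrite = {
      actions   = ["cloudwatch:PutMetricData"]
      resources = ["*"]
      condition = [{
        test     = "StringEquals"
        variable = "cloudwatch:namespace"
        values   = ["Kubernetes"]
      }]
    }
  }

  # EKS Pod Identity: shared settings live in the defaults, so each
  # association only states what differs (nothing, for a single cluster).
  # The namespace is inherited from the chart release.
  enable_pod_identity = true
  pod_identity_association_defaults = {
    cluster_name    = "example"
    service_account = "cni-metrics-helper"
  }
  pod_identity_associations = {
    this = {}
  }

  tags = {
    Environment = "dev"
  }
}
```

The resulting policy still lists resources = ["*"], but the condition means a compromised helper pod can only write metrics into the one namespace rather than any namespace in the account.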

Requirements

Name Version
terraform >= 1.11
aws >= 6.0
helm >= 3.1

Providers

Name Version
aws >= 6.0
helm >= 3.1

Modules

No modules.

Resources

Name Type
aws_eks_pod_identity_association.this resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.additional resource
aws_iam_role_policy_attachment.this resource
helm_release.this resource
aws_iam_policy_document.assume data source
aws_iam_policy_document.this data source

Inputs

Name Description Type Default Required
assume_role_condition_test Name of the IAM condition operator to evaluate when assuming the role string "StringEquals" no
atomic If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to false bool null no
chart Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if repository is specified string "" no
chart_version Specify the exact chart version to install. If this is not specified, the latest version is installed string null no
cleanup_on_fail Allow deletion of new resources created in this upgrade when upgrade fails. Defaults to false bool null no
create Controls if resources should be created (affects all resources) bool true no
create_namespace Create the namespace if it does not yet exist. Defaults to false bool null no
create_policy Whether to create an IAM policy that is attached to the IAM role created bool true no
create_release Determines whether the Helm release is created bool true no
dependency_update Runs helm dependency update before installing the chart. Defaults to false bool null no
description Set release description attribute (visible in the history) string null no
devel Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored bool null no
disable_crd_hooks Prevent CRD hooks from running, but run other hooks. See helm install --no-crd-hook bool null no
disable_openapi_validation If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to false bool null no
disable_webhooks Prevent hooks from running. Defaults to false bool null no
enable_pod_identity Whether to add a trust relationship for EKS Pod Identity (pods.eks.amazonaws.com) bool false no
force_update Force resource update through delete/recreate if needed. Defaults to false bool null no
irsa_oidc_providers Map of OIDC providers used to create the appropriate trust policy for IAM role for service account (IRSA). If not using IRSA, leave this as null
map(object({
provider_arn = string
service_account = string
namespace = optional(string)
}))
null no
keyring Location of public keys used for verification. Used only if verify is true. Defaults to $HOME/.gnupg/pubring.gpg in the location set by home string null no
lint Run the helm chart linter during the plan. Defaults to false bool null no
max_history Maximum number of release versions stored per release. Defaults to 5 number 5 no
max_session_duration Maximum CLI/API session duration in seconds between 3600 and 43200 number null no
name Name of the Helm release string "" no
namespace The namespace to install the release into. Defaults to default string null no
override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid list(string) [] no
pass_credentials Pass credentials to all domains. Defaults to true bool true no
pod_identity_association_defaults Default values used across all EKS Pod Identity associations created unless a more specific value is provided
object({
cluster_name = optional(string)
disable_session_tags = optional(bool)
namespace = optional(string)
service_account = optional(string)
role_arn = optional(string)
target_role_arn = optional(string)
tags = optional(map(string), {})
})
{} no
pod_identity_associations Map of EKS Pod Identity associations to be created (map of maps)
map(object({
cluster_name = optional(string)
disable_session_tags = optional(bool)
namespace = optional(string)
service_account = optional(string)
role_arn = optional(string)
target_role_arn = optional(string)
tags = optional(map(string), {})
}))
{} no
policy_description IAM policy description string null no
policy_name Name of IAM policy string null no
policy_name_use_prefix Determines whether the IAM policy name (policy_name) is used as a prefix bool true no
policy_path Path of IAM policy string null no
policy_statements A map of IAM policy statements for custom permission usage
map(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string, "Allow")
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
variable = string
values = list(string)
})))
}))
null no
postrender Configure a command to run after helm renders the manifest which can alter the manifest contents
object({
args = optional(list(string))
binary_path = string
})
null no
recreate_pods Perform pods restart during upgrade/rollback. Defaults to false bool null no
region Region where the regional resource(s) will be managed. Defaults to the Region set in the provider configuration. Currently only applies to the EKS Pod Identity association(s) string null no
release_timeouts Customize the helm_release resource timeouts for create, read, update, and delete operations
object({
create = optional(string)
read = optional(string)
update = optional(string)
delete = optional(string)
})
null no
render_subchart_notes If set, render subchart notes along with the parent. Defaults to true bool null no
replace Re-use the given name, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to false bool null no
repository Repository URL where to locate the requested chart string null no
repository_ca_file The Repositories CA File string null no
repository_cert_file The repositories cert file string null no
repository_key_file The repositories cert key file string null no
repository_password Password for HTTP basic authentication against the repository string null no
repository_username Username for HTTP basic authentication against the repository string null no
reset_values When upgrading, reset the values to the ones built into the chart. Defaults to false bool null no
reuse_values When upgrading, reuse the last release's values and merge in any overrides. If reset_values is specified, this is ignored. Defaults to false bool null no
role_description IAM Role description string null no
role_name Name of IAM role string null no
role_name_use_prefix Determines whether the IAM role name (role_name) is used as a prefix bool true no
role_path Path of IAM role string "/" no
role_permissions_boundary_arn Permissions boundary ARN to use for IAM role string null no
role_policies Policies to attach to the IAM role in {'static_name' = 'policy_arn'} format map(string) {} no
set Value block with custom values to be merged with the values yaml
list(object({
name = string
type = optional(string)
value_is_iam_role_arn = optional(bool, false)
value = optional(string) # optional for case where value_is_iam_role_arn = true
}))
null no
set_list Value block with custom list values to be merged with the values yaml
list(object({
name = string
value = list(string)
}))
null no
set_sensitive Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff
list(object({
name = string
type = optional(string)
value = string
}))
null no
set_wo Custom values to be merged with the values. This is the same as set but write-only
list(object({
name = string
type = optional(string)
value = string
}))
null no
set_wo_revision The current revision of the write-only set_wo attribute. Incrementing this integer value will cause Terraform to update the write-only value number null no
skip_crds If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to false bool null no
source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements must have unique sids list(string) [] no
tags A map of tags to add to all resources map(string) {} no
take_ownership If set, allows Helm to adopt existing resources not marked as managed by the release. Defaults to false bool null no
timeout Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to 300 seconds number null no
trust_policy_conditions A list of conditions to add to the role trust policy
list(object({
test = string
values = list(string)
variable = string
}))
[] no
upgrade_install If true, the provider will install the release at the specified version even if a release not controlled by the provider is present: this is equivalent to running 'helm upgrade --install' with the Helm CLI. Defaults to true bool true no
values List of values in raw yaml to pass to helm. Values will be merged, in order, as Helm does with multiple -f options list(string) null no
verify Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. For more information see the Helm Documentation. Defaults to false bool null no
wait Will wait until all resources are in a ready state before marking the release as successful. If set to true, it will wait for as long as timeout. If set to null, it falls back on a 300s timeout. Defaults to false bool false no
wait_for_jobs If wait is enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to false bool null no

Outputs

Name Description
app_version The version number of the application being deployed
chart The name of the chart
iam_policy The policy document
iam_policy_arn The ARN assigned by AWS to this policy
iam_role_arn ARN of IAM role
iam_role_name Name of IAM role
iam_role_path Path of IAM role
iam_role_unique_id Unique ID of IAM role
name Name is the name of the release
namespace Name of Kubernetes namespace
pod_identity_associations Map of Pod Identity associations created
revision Version is an int32 which represents the version of the release
values The compounded values from values and set* attributes
version A SemVer 2 conformant version string of the chart

License

Apache-2.0 Licensed. See LICENSE.
