Creates an IAM role which can be assumed by AWS EKS ServiceAccounts, with optional policies for commonly used controllers/custom resources within EKS. The optional policies supported include:
- Cert-Manager
- Cluster Autoscaler
- EBS CSI Driver
- EFS CSI Driver
- External DNS
- External Secrets
- FSx for Lustre CSI Driver
- Karpenter
- Load Balancer Controller
- App Mesh Controller
- Managed Service for Prometheus
- Mountpoint S3 CSI Driver
- Node Termination Handler
- Velero
- VPC CNI
This module is intended to be used with AWS EKS. For details of how a ServiceAccount in EKS can assume an IAM role, see the EKS documentation.
This module supports multiple ServiceAccounts across multiple clusters and/or namespaces. This allows a single IAM role to be used when an application spans multiple clusters (e.g. for DR) or multiple namespaces (e.g. for canary deployments). For example, to create an IAM role named `my-app` that can be assumed from the ServiceAccount named `my-app-staging` in the namespaces `default` and `canary` in a cluster in `us-east-1`, and also from the ServiceAccount named `my-app-staging` in the namespace `default` in a cluster in `ap-southeast-1`, the configuration would be:
```hcl
module "iam_eks_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "my-app"

  role_policy_arns = {
    policy = "arn:aws:iam::012345678901:policy/myapp"
  }

  oidc_providers = {
    one = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      namespace_service_accounts = ["default:my-app-staging", "canary:my-app-staging"]
    }
    two = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G"
      namespace_service_accounts = ["default:my-app-staging"]
    }
  }
}
```
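The security-relevant part of what the module produces for the configuration above is the role's trust policy: each OIDC provider becomes a `Federated` principal, and the `namespace_service_accounts` entries become `system:serviceaccount:<namespace>:<name>` values tested against the provider's `sub` claim, with the `aud` claim pinned to `sts.amazonaws.com`. The following is an added illustration of that trust policy written with plain provider resources; it is not the module's source, the exact document the module renders may differ in detail, and the provider IDs (`EXAMPLE1`, `EXAMPLE2`) are placeholders.

```hcl
# Added illustration (not the module's source) of the IRSA trust policy
# behind the "my-app" example. Provider ARNs use placeholder IDs.
locals {
  oidc_providers = {
    one = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1"
      namespace_service_accounts = ["default:my-app-staging", "canary:my-app-staging"]
    }
    two = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLE2"
      namespace_service_accounts = ["default:my-app-staging"]
    }
  }
}

data "aws_iam_policy_document" "irsa_trust" {
  # One statement per cluster/provider, so a token from cluster "one"
  # can only satisfy the conditions keyed on cluster "one"'s issuer.
  dynamic "statement" {
    for_each = local.oidc_providers

    content {
      effect  = "Allow"
      actions = ["sts:AssumeRoleWithWebIdentity"]

      principals {
        type        = "Federated"
        identifiers = [statement.value.provider_arn]
      }

      # The condition key is the issuer host (the part of the provider ARN
      # after "oidc-provider/") followed by ":sub" or ":aud".
      condition {
        test     = "StringEquals"
        variable = "${element(split("oidc-provider/", statement.value.provider_arn), 1)}:sub"
        values   = [for sa in statement.value.namespace_service_accounts : "system:serviceaccount:${sa}"]
      }

      # Pin the audience so a token minted for another consumer of the
      # same issuer cannot be replayed against STS.
      condition {
        test     = "StringEquals"
        variable = "${element(split("oidc-provider/", statement.value.provider_arn), 1)}:aud"
        values   = ["sts.amazonaws.com"]
      }
    }
  }
}

resource "aws_iam_role" "my_app" {
  name               = "my-app"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}
```

The `assume_role_condition_test` input changes the operator used for the `sub` condition (default `StringEquals`). Switching it to `StringLike` is what allows wildcards such as `default:my-app-*` in `namespace_service_accounts`, but every wildcard widens the set of ServiceAccounts that can assume the role, so review the resulting `sub` values with the same care as the policies the role carries.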
This module has been designed in conjunction with the terraform-aws-eks module to easily integrate with it:
```hcl
module "vpc_cni_irsa_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name             = "vpc-cni"
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }
}

module "karpenter_irsa_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name                          = "karpenter_controller"
  attach_karpenter_controller_policy = true

  karpenter_controller_cluster_name       = module.eks.cluster_name
  karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn]

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.4"

  cluster_name    = "my-cluster"
  cluster_version = "1.29"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_groups = {
    default = {}
  }
}
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.0 |

## Providers

| Name | Version |
|---|---|
| aws | >= 4.0 |

## Modules

No modules.
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_self_assume_role | Determines whether to allow the role to assume itself | `bool` | `false` | no |
| amazon_managed_service_prometheus_workspace_arns | List of AMP Workspace ARNs to read and write metrics | `list(string)` | `[]` | no |
| assume_role_condition_test | Name of the IAM condition operator to evaluate when assuming the role | `string` | `"StringEquals"` | no |
| attach_amazon_managed_service_prometheus_policy | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
| attach_appmesh_controller_policy | Determines whether to attach the App Mesh Controller policy to the role | `bool` | `false` | no |
| attach_appmesh_envoy_proxy_policy | Determines whether to attach the App Mesh Envoy proxy policy to the role | `bool` | `false` | no |
| attach_aws_gateway_controller_policy | Determines whether to attach the AWS Gateway Controller IAM policy to the role | `bool` | `false` | no |
| attach_cert_manager_policy | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no |
| attach_cloudwatch_observability_policy | Determines whether to attach the Amazon CloudWatch Observability IAM policies to the role | `bool` | `false` | no |
| attach_cluster_autoscaler_policy | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
| attach_ebs_csi_policy | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
| attach_efs_csi_policy | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
| attach_external_dns_policy | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
| attach_external_secrets_policy | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
| attach_fsx_lustre_csi_policy | Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role | `bool` | `false` | no |
| attach_karpenter_controller_policy | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
| attach_load_balancer_controller_policy | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| attach_load_balancer_controller_targetgroup_binding_only_policy | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
| attach_mountpoint_s3_csi_policy | Determines whether to attach the Mountpoint S3 CSI IAM policy to the role | `bool` | `false` | no |
| attach_node_termination_handler_policy | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
| attach_velero_policy | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
| attach_vpc_cni_policy | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
| cert_manager_hosted_zone_arns | Route53 hosted zone ARNs to allow Cert Manager to manage records | `list(string)` | `[]` | no |
| cluster_autoscaler_cluster_ids | [Deprecated - use `cluster_autoscaler_cluster_names`] List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
| cluster_autoscaler_cluster_names | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
| create_role | Whether to create a role | `bool` | `true` | no |
| ebs_csi_kms_cmk_ids | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
| enable_karpenter_instance_profile_creation | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1/v0.32+) | `bool` | `false` | no |
| external_dns_hosted_zone_arns | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | `[]` | no |
| external_secrets_kms_key_arns | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
| external_secrets_secrets_manager_arns | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
| external_secrets_secrets_manager_create_permission | Determines whether External Secrets may use `secretsmanager:CreateSecret` | `bool` | `false` | no |
| external_secrets_ssm_parameter_arns | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
| force_detach_policies | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
| fsx_lustre_csi_service_role_arns | Service role ARNs to allow FSx for Lustre CSI to create and manage FSx for Lustre service-linked roles | `list(string)` | `[]` | no |
| karpenter_controller_cluster_id | [Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| karpenter_controller_cluster_name | The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| karpenter_controller_node_iam_role_arns | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | `[]` | no |
| karpenter_controller_ssm_parameter_arns | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` | `[]` | no |
| karpenter_sqs_queue_arn | (Optional) ARN of the SQS queue used by Karpenter when native node termination handling is enabled | `string` | `null` | no |
| karpenter_subnet_account_id | Account ID in which the subnets Karpenter will use reside; used when subnets are shared from another account | `string` | `""` | no |
| karpenter_tag_key | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no |
| load_balancer_controller_targetgroup_arns | List of Target Group ARNs used by the Load Balancer Controller | `list(string)` | `[]` | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | `number` | `null` | no |
| mountpoint_s3_csi_bucket_arns | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no |
| mountpoint_s3_csi_kms_arns | KMS Key ARNs to allow the Mountpoint S3 CSI driver to download and upload objects of an S3 bucket using aws:kms SSE | `list(string)` | `[]` | no |
| mountpoint_s3_csi_path_arns | S3 path ARNs to allow the Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
| node_termination_handler_sqs_queue_arns | List of SQS ARNs that contain node termination events | `list(string)` | `[]` | no |
| oidc_providers | Map of OIDC providers where each provider map should contain the `provider_arn` and `namespace_service_accounts` | `any` | `{}` | no |
| policy_name_prefix | IAM policy name prefix | `string` | `"AmazonEKS_"` | no |
| role_description | IAM Role description | `string` | `null` | no |
| role_name | Name of IAM role | `string` | `null` | no |
| role_name_prefix | IAM role name prefix | `string` | `null` | no |
| role_path | Path of IAM role | `string` | `"/"` | no |
| role_permissions_boundary_arn | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| role_policy_arns | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| tags | A map of tags to add to the IAM role | `map(any)` | `{}` | no |
| velero_s3_bucket_arns | List of S3 Bucket ARNs that Velero needs access to in order to back up and restore cluster resources | `list(string)` | `[]` | no |
| vpc_cni_enable_cloudwatch_logs | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
| vpc_cni_enable_ipv4 | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
| vpc_cni_enable_ipv6 | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
## Outputs

| Name | Description |
|---|---|
| iam_role_arn | ARN of IAM role |
| iam_role_name | Name of IAM role |
| iam_role_path | Path of IAM role |
| iam_role_unique_id | Unique ID of IAM role |
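The `iam_role_arn` output is what ties the role back to the cluster: the Kubernetes ServiceAccount carries it in the `eks.amazonaws.com/role-arn` annotation, which the EKS pod identity webhook uses to project the web identity token into the pod. The following added example (not part of the module) shows that wiring for the `my-app` role from the first configuration above, using the `kubernetes` provider's `kubernetes_service_account` resource; it assumes a `module "iam_eks_role"` block as shown there and a configured `kubernetes` provider.

```hcl
# Added example (not part of the module): annotate the ServiceAccounts
# listed in namespace_service_accounts with the role ARN output.
# Assumes module "iam_eks_role" from the README example and a configured
# kubernetes provider pointing at the us-east-1 cluster.
locals {
  # Must match the "<namespace>:<name>" pairs given to the module for
  # this cluster's provider; the trust policy uses StringEquals by
  # default, so a mismatch here fails AssumeRoleWithWebIdentity with
  # AccessDenied rather than silently granting a different identity.
  my_app_namespaces = ["default", "canary"]
}

resource "kubernetes_service_account" "my_app_staging" {
  for_each = toset(local.my_app_namespaces)

  metadata {
    name      = "my-app-staging"
    namespace = each.value

    annotations = {
      "eks.amazonaws.com/role-arn" = module.iam_eks_role.iam_role_arn
    }
  }
}

# Surface the mapping so it can be reviewed alongside the role's policies.
output "my_app_service_account_bindings" {
  value = {
    for ns, sa in kubernetes_service_account.my_app_staging :
    "${ns}:${sa.metadata[0].name}" => sa.metadata[0].annotations["eks.amazonaws.com/role-arn"]
  }
}
```

Because the role is trusted by two clusters, the same ServiceAccount definition has to be applied in the `ap-southeast-1` cluster (for `default` only) with its own `kubernetes` provider; the trust policy, not the annotation, decides which cluster and namespace combinations succeed.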