diff --git a/README.md b/README.md
index 6db85afa..628a3c46 100644
--- a/README.md
+++ b/README.md
@@ -444,6 +444,7 @@ Available targets:
 | [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| [eks\_cluster\_service\_role\_arn](#input\_eks\_cluster\_service\_role\_arn) | The ARN of an externally created EKS service role to use, or leave blank to create one | `string` | `null` | no |
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no |
 | [endpoint\_private\_access](#input\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 39f318bf..e2ac1e73 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -67,6 +67,7 @@
 | [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| [eks\_cluster\_service\_role\_arn](#input\_eks\_cluster\_service\_role\_arn) | The ARN of an externally created EKS service role to use, or leave blank to create one | `string` | `null` | no |
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no |
 | [endpoint\_private\_access](#input\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false | `bool` | `false` | no |
diff --git a/iam.tf b/iam.tf
index 1fa18f33..75a5f7c1 100644
--- a/iam.tf
+++ b/iam.tf
@@ -12,8 +12,14 @@ data "aws_iam_policy_document" "assume_role" {
 }
 }
+locals {
+ eks_service_role = var.eks_cluster_service_role_arn != null ? var.eks_cluster_service_role_arn : join("", aws_iam_role.default.*.arn)
+
+ create_eks_service_role = local.enabled && var.eks_cluster_service_role_arn == null
+}
+
 resource "aws_iam_role" "default" {
- count = local.enabled ? 1 : 0
+ count = local.create_eks_service_role ? 1 : 0
 name = module.label.id
 assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
 tags = module.label.tags
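Review bot: Supplying `eks_cluster_service_role_arn` makes `create_eks_service_role` false, which switches off not only `aws_iam_role.default` but also both managed-policy attachments (the `@@ -21,13` hunk) and the `cluster_elb_service_role` document and inline policy (the `@@ -37,7` and `@@ -53,7` hunks), so an external role that lacks `AmazonEKSClusterPolicy`, `AmazonEKSServicePolicy` or the ELB permissions that workaround exists for will only surface as a failed cluster apply or a load balancer that never provisions. Nothing in the hunk inspects the caller-supplied role, so that contract should be stated on the new `locals` block, e.g. `# A caller-supplied role is used as-is: the policy attachments and the cluster_elb_service_role policy below are created only for the module-managed role, so an external role must already carry them.` It is also worth a one-line note that `eks_service_role` falls back to `join("", aws_iam_role.default.*.arn)`, which is the empty string whenever `local.enabled` is false, because `outputs.tf` now exposes this local directly. `local.enabled` is defined outside this hunk.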
@@ -21,13 +27,13 @@ resource "aws_iam_role" "default" {
 }
 resource "aws_iam_role_policy_attachment" "amazon_eks_cluster_policy" {
- count = local.enabled ? 1 : 0
+ count = local.create_eks_service_role ? 1 : 0
 policy_arn = format("arn:%s:iam::aws:policy/AmazonEKSClusterPolicy", join("", data.aws_partition.current.*.partition))
 role = join("", aws_iam_role.default.*.name)
 }
 resource "aws_iam_role_policy_attachment" "amazon_eks_service_policy" {
- count = local.enabled ? 1 : 0
+ count = local.create_eks_service_role ? 1 : 0
 policy_arn = format("arn:%s:iam::aws:policy/AmazonEKSServicePolicy", join("", data.aws_partition.current.*.partition))
 role = join("", aws_iam_role.default.*.name)
 }
@@ -37,7 +43,7 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_service_policy" {
 # Because of that, on a new AWS account (where load balancers have not been provisioned yet, `nginx-ingress` fails to provision a load balancer
 data "aws_iam_policy_document" "cluster_elb_service_role" {
- count = local.enabled ? 1 : 0
+ count = local.create_eks_service_role ? 1 : 0
 statement {
 effect = "Allow"
@@ -53,7 +59,7 @@ data "aws_iam_policy_document" "cluster_elb_service_role" {
 }
 resource "aws_iam_role_policy" "cluster_elb_service_role" {
- count = local.enabled ? 1 : 0
+ count = local.create_eks_service_role ? 1 : 0
 name = module.label.id
 role = join("", aws_iam_role.default.*.name)
 policy = join("", data.aws_iam_policy_document.cluster_elb_service_role.*.json)
diff --git a/main.tf b/main.tf
index d636e473..8ff5991f 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@ locals {
 provider_key_arn = local.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? join("", aws_kms_key.cluster.*.arn) : var.cluster_encryption_config_kms_key_id
 }
- security_group_enabled = module.this.enabled && var.security_group_enabled
+ security_group_enabled = local.enabled && var.security_group_enabled
 }
 module "label" {
@@ -48,7 +48,7 @@ resource "aws_eks_cluster" "default" {
 count = local.enabled ? 1 : 0
 name = module.label.id
 tags = module.label.tags
- role_arn = join("", aws_iam_role.default.*.arn)
+ role_arn = local.eks_service_role
 version = var.kubernetes_version
 enabled_cluster_log_types = var.enabled_cluster_log_types
diff --git a/outputs.tf b/outputs.tf
index d135ac0a..df2a2a87 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -55,7 +55,7 @@ output "eks_cluster_managed_security_group_id" {
 output "eks_cluster_role_arn" {
 description = "ARN of the EKS cluster IAM role"
- value = join("", aws_iam_role.default.*.arn)
+ value = local.eks_service_role
 }
 output "kubernetes_config_map_id" {
diff --git a/variables.tf b/variables.tf
index 0764be3c..3926e963 100644
--- a/variables.tf
+++ b/variables.tf
@@ -56,6 +56,12 @@ variable "security_groups" {
 description = "A list of Security Group IDs to associate with EKS cluster."
 }
+variable "eks_cluster_service_role_arn" {
+ type = string
+ description = "The ARN of an externally created EKS service role to use, or leave blank to create one"
+ default = null
+}
+
 variable "workers_role_arns" {
 type = list(string)
 description = "List of Role ARNs of the worker nodes"
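Review bot: The new variable's description says `leave blank to create one`, but `iam.tf` only compares the value with `null` (`var.eks_cluster_service_role_arn != null`), so a caller who passes `""` gets `create_eks_service_role = false` and `role_arn = ""` on `aws_eks_cluster.default` — no module role is created and the apply fails on an invalid ARN. Either reword the description to `or leave as null to create one`, or treat the empty string like null in both locals, e.g. `create_eks_service_role = local.enabled && (var.eks_cluster_service_role_arn == null || var.eks_cluster_service_role_arn == "")` with the matching condition in `eks_service_role`. If the module's minimum Terraform version supports variable `validation` blocks (I cannot see `versions.tf` from here), a check that the value is null or matches the IAM role ARN shape `^arn:[^:]+:iam::[0-9]{12}:role/` would reject typos at plan time rather than at apply time, which matters since this ARN is handed straight to the control plane as its service role.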