Skip to content

terraform-aws-modules/terraform-aws-eks-pod-identity

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

50 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

AWS EKS Pod Identity Terraform module

Terraform module which creates Amazon EKS Pod Identity roles.

SWUbanner

Usage

See examples directory for working examples to reference:

Custom IAM Role

You can attach custom permissions/policies in a number of different ways:

module "custom_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "custom"

  trust_policy_conditions = [
    {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-1234567890"]
    }
  ]

  trust_policy_statements = [
    {
      sid       = "Test"
      actions   = ["sts:AssumeRole"]
      resources = ["arn:aws:iam::1234567890:role/Test*"]
    }
  ]

  attach_custom_policy      = true
  source_policy_documents   = [data.aws_iam_policy_document.source.json]
  override_policy_documents = [data.aws_iam_policy_document.override.json]

  policy_statements = [
    {
      sid       = "S3"
      actions   = ["s3:List*"]
      resources = ["*"]
    }
  ]

  additional_policy_arns = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
    additional           = aws_iam_policy.additional.arn
  }

  tags = {
    Environment = "dev"
  }
}
module "aws_gateway_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-gateway-controller"

  attach_aws_gateway_controller_policy = true

  tags = {
    Environment = "dev"
  }
}
module "cert_manager_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "cert-manager"

  attach_cert_manager_policy    = true
  cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

  tags = {
    Environment = "dev"
  }
}
module "aws_cloudwatch_observability_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-cloudwatch-observability"

  attach_aws_cloudwatch_observability_policy = true

  tags = {
    Environment = "dev"
  }
}
module "cluster_autoscaler_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "cluster-autoscaler"

  attach_cluster_autoscaler_policy = true
  cluster_autoscaler_cluster_names = ["foo"]

  tags = {
    Environment = "dev"
  }
}
module "aws_ebs_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-ebs-csi"

  attach_aws_ebs_csi_policy = true
  aws_ebs_csi_kms_arns      = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]

  tags = {
    Environment = "dev"
  }
}
module "aws_efs_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-efs-csi"

  attach_aws_efs_csi_policy = true

  tags = {
    Environment = "dev"
  }
}
module "external_dns_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "external-dns"

  attach_external_dns_policy    = true
  external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

  tags = {
    Environment = "dev"
  }
}
module "external_secrets_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "external-secrets"

  attach_external_secrets_policy        = true
  external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:*:*:parameter/foo"]
  external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
  external_secrets_kms_key_arns         = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
  external_secrets_create_permission    = true

  tags = {
    Environment = "dev"
  }
}
module "aws_fsx_lustre_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-fsx-lustre-csi"

  attach_aws_fsx_lustre_csi_policy     = true
  aws_fsx_lustre_csi_service_role_arns = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]

  tags = {
    Environment = "dev"
  }
}
module "aws_lb_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-lbc"

  attach_aws_lb_controller_policy = true

  tags = {
    Environment = "dev"
  }
}
module "aws_lb_controller_targetgroup_binding_only_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-lbc-targetgroup-binding-only"

  attach_aws_lb_controller_targetgroup_binding_only_policy = true
  aws_lb_controller_targetgroup_arns                       = ["arn:aws:elasticloadbalancing:*:*:targetgroup/foo/bar"]

  tags = {
    Environment = "dev"
  }
}
module "aws_appmesh_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-appmesh-controller"

  attach_aws_appmesh_controller_policy = true

  tags = {
    Environment = "dev"
  }
}
module "aws_appmesh_envoy_proxy_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-appmesh-envoy-proxy"

  attach_aws_appmesh_envoy_proxy_policy = true

  tags = {
    Environment = "dev"
  }
}
module "amazon_managed_service_prometheus_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "amazon-managed-service-prometheus"

  attach_amazon_managed_service_prometheus_policy  = true
  amazon_managed_service_prometheus_workspace_arns = ["arn:aws:prometheus:*:*:workspace/foo"]

  tags = {
    Environment = "dev"
  }
}
module "mountpoint_s3_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "mountpoint-s3-csi"

  attach_mountpoint_s3_csi_policy    = true
  mountpoint_s3_csi_bucket_arns      = ["arn:aws:s3:::mountpoint-s3"]
  mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]

  tags = {
    Environment = "dev"
  }
}
module "aws_node_termination_handler_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-node-termination-handler"

  attach_aws_node_termination_handler_policy  = true
  aws_node_termination_handler_sqs_queue_arns = ["arn:aws:sqs:*:*:eks-node-termination-handler"]

  tags = {
    Environment = "dev"
  }
}
module "aws_privateca_issuer_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-privateca-issuer"

  attach_aws_privateca_issuer_policy = true
  aws_privateca_issuer_acmca_arns    = ["arn:aws:acm-pca:*:*:certificate-authority/foo"]

  tags = {
    Environment = "dev"
  }
}
module "velero_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "velero"

  attach_velero_policy       = true
  velero_s3_bucket_arns      = ["arn:aws:s3:::velero-backups"]
  velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]

  tags = {
    Environment = "dev"
  }
}
module "aws_vpc_cni_ipv4_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-vpc-cni-ipv4"

  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv4   = true

  tags = {
    Environment = "dev"
  }
}
module "aws_vpc_cni_ipv6_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-vpc-cni-ipv6"

  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv6   = true

  tags = {
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 1.3.2
aws >= 5.30

Providers

Name Version
aws >= 5.30

Modules

No modules.

Resources

Name Type
aws_eks_pod_identity_association.this resource
aws_iam_policy.amazon_managed_service_prometheus resource
aws_iam_policy.appmesh_controller resource
aws_iam_policy.appmesh_envoy_proxy resource
aws_iam_policy.aws_gateway_controller resource
aws_iam_policy.aws_privateca_issuer resource
aws_iam_policy.cert_manager resource
aws_iam_policy.cluster_autoscaler resource
aws_iam_policy.custom resource
aws_iam_policy.ebs_csi resource
aws_iam_policy.efs_csi resource
aws_iam_policy.external_dns resource
aws_iam_policy.external_secrets resource
aws_iam_policy.fsx_lustre_csi resource
aws_iam_policy.lb_controller resource
aws_iam_policy.lb_controller_targetgroup_only resource
aws_iam_policy.mountpoint_s3_csi resource
aws_iam_policy.node_termination_handler resource
aws_iam_policy.velero resource
aws_iam_policy.vpc_cni resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.amazon_managed_service_prometheus resource
aws_iam_role_policy_attachment.appmesh_controller resource
aws_iam_role_policy_attachment.appmesh_envoy_proxy resource
aws_iam_role_policy_attachment.aws_cloudwatch_observability resource
aws_iam_role_policy_attachment.aws_gateway_controller resource
aws_iam_role_policy_attachment.aws_privateca_issuer resource
aws_iam_role_policy_attachment.cert_manager resource
aws_iam_role_policy_attachment.cluster_autoscaler resource
aws_iam_role_policy_attachment.custom resource
aws_iam_role_policy_attachment.ebs_csi resource
aws_iam_role_policy_attachment.efs_csi resource
aws_iam_role_policy_attachment.external_dns resource
aws_iam_role_policy_attachment.external_secrets resource
aws_iam_role_policy_attachment.fsx_lustre_csi resource
aws_iam_role_policy_attachment.lb_controller resource
aws_iam_role_policy_attachment.lb_controller_targetgroup_only resource
aws_iam_role_policy_attachment.mountpoint_s3_csi resource
aws_iam_role_policy_attachment.node_termination_handler resource
aws_iam_role_policy_attachment.this resource
aws_iam_role_policy_attachment.velero resource
aws_iam_role_policy_attachment.vpc_cni resource
aws_iam_policy_document.amazon_managed_service_prometheus data source
aws_iam_policy_document.appmesh_controller data source
aws_iam_policy_document.appmesh_envoy_proxy data source
aws_iam_policy_document.assume data source
aws_iam_policy_document.aws_gateway_controller data source
aws_iam_policy_document.aws_privateca_issuer data source
aws_iam_policy_document.base data source
aws_iam_policy_document.cert_manager data source
aws_iam_policy_document.cluster_autoscaler data source
aws_iam_policy_document.ebs_csi data source
aws_iam_policy_document.efs_csi data source
aws_iam_policy_document.external_dns data source
aws_iam_policy_document.external_secrets data source
aws_iam_policy_document.fsx_lustre_csi data source
aws_iam_policy_document.lb_controller data source
aws_iam_policy_document.lb_controller_targetgroup_only data source
aws_iam_policy_document.mountpoint_s3_csi data source
aws_iam_policy_document.node_termination_handler data source
aws_iam_policy_document.velero data source
aws_iam_policy_document.vpc_cni data source
aws_partition.current data source

Inputs

Name Description Type Default Required
additional_policy_arns ARNs of additional policies to attach to the IAM role map(string) {} no
amazon_managed_service_prometheus_policy_name Custom name of the Amazon Managed Service for Prometheus IAM policy string null no
amazon_managed_service_prometheus_workspace_arns List of AMP Workspace ARNs to read and write metrics list(string) [] no
appmesh_controller_policy_name Custom name of the AppMesh Controller IAM policy string null no
appmesh_envoy_proxy_policy_name Custom name of the AppMesh Envoy Proxy IAM policy string null no
association_defaults Default values used across all Pod Identity associations created unless a more specific value is provided any {} no
associations Map of Pod Identity associations to be created (map of maps) any {} no
attach_amazon_managed_service_prometheus_policy Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role bool false no
attach_aws_appmesh_controller_policy Determines whether to attach the AppMesh Controller policy to the role bool false no
attach_aws_appmesh_envoy_proxy_policy Determines whether to attach the AppMesh Envoy Proxy policy to the role bool false no
attach_aws_cloudwatch_observability_policy Determines whether to attach the AWS Cloudwatch Observability IAM policy to the role bool false no
attach_aws_ebs_csi_policy Determines whether to attach the EBS CSI IAM policy to the role bool false no
attach_aws_efs_csi_policy Determines whether to attach the EFS CSI IAM policy to the role bool false no
attach_aws_fsx_lustre_csi_policy Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role bool false no
attach_aws_gateway_controller_policy Determines whether to attach the AWS Gateway Controller IAM policy to the role bool false no
attach_aws_lb_controller_policy Determines whether to attach the AWS Load Balancer Controller policy to the role bool false no
attach_aws_lb_controller_targetgroup_binding_only_policy Determines whether to attach the AWS Load Balancer Controller policy for the TargetGroupBinding only bool false no
attach_aws_node_termination_handler_policy Determines whether to attach the Node Termination Handler policy to the role bool false no
attach_aws_privateca_issuer_policy Determines whether to attach the AWS Private CA Issuer IAM policy to the role bool false no
attach_aws_vpc_cni_policy Determines whether to attach the VPC CNI IAM policy to the role bool false no
attach_cert_manager_policy Determines whether to attach the Cert Manager IAM policy to the role bool false no
attach_cluster_autoscaler_policy Determines whether to attach the Cluster Autoscaler IAM policy to the role bool false no
attach_custom_policy Determines whether to attach the custom IAM policy to the role bool false no
attach_external_dns_policy Determines whether to attach the External DNS IAM policy to the role bool false no
attach_external_secrets_policy Determines whether to attach the External Secrets policy to the role bool false no
attach_mountpoint_s3_csi_policy Determines whether to attach the Mountpoint S3 CSI IAM policy to the role bool false no
attach_velero_policy Determines whether to attach the Velero IAM policy to the role bool false no
aws_ebs_csi_kms_arns KMS key ARNs to allow EBS CSI to manage encrypted volumes list(string) [] no
aws_ebs_csi_policy_name Custom name of the EBS CSI IAM policy string null no
aws_efs_csi_policy_name Custom name of the EFS CSI IAM policy string null no
aws_fsx_lustre_csi_policy_name Custom name of the FSx for Lustre CSI Driver IAM policy string null no
aws_fsx_lustre_csi_service_role_arns Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles list(string) [] no
aws_gateway_controller_policy_name Custom name of the AWS Gateway Controller IAM policy string null no
aws_lb_controller_policy_name Custom name of the AWS Load Balancer Controller IAM policy string null no
aws_lb_controller_targetgroup_arns List of Target groups ARNs using Load Balancer Controller list(string) [] no
aws_lb_controller_targetgroup_only_policy_name Custom name of the AWS Load Balancer Controller IAM policy for the TargetGroupBinding only string null no
aws_node_termination_handler_policy_name Custom name of the Node Termination Handler IAM policy string null no
aws_node_termination_handler_sqs_queue_arns List of SQS ARNs that contain node termination events list(string) [] no
aws_privateca_issuer_acmca_arns List of ACM Private CA ARNs to issue certificates from list(string) [] no
aws_privateca_issuer_policy_name Custom name of the AWS Private CA Issuer IAM policy string null no
aws_vpc_cni_enable_cloudwatch_logs Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events bool false no
aws_vpc_cni_enable_ipv4 Determines whether to enable IPv4 permissions for VPC CNI policy bool false no
aws_vpc_cni_enable_ipv6 Determines whether to enable IPv6 permissions for VPC CNI policy bool false no
aws_vpc_cni_policy_name Custom name of the VPC CNI IAM policy string null no
cert_manager_hosted_zone_arns Route53 hosted zone ARNs to allow Cert manager to manage records list(string) [] no
cert_manager_policy_name Custom name of the Cert Manager IAM policy string null no
cluster_autoscaler_cluster_names List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy list(string) [] no
cluster_autoscaler_policy_name Custom name of the Cluster Autoscaler IAM policy string null no
create Determines whether resources will be created (affects all resources) bool true no
custom_policy_description Description of the custom IAM policy string "Custom IAM Policy" no
description IAM Role description string null no
external_dns_hosted_zone_arns Route53 hosted zone ARNs to allow External DNS to manage records list(string) [] no
external_dns_policy_name Custom name of the External DNS IAM policy string null no
external_secrets_create_permission Determines whether External Secrets has permission to create/delete secrets bool false no
external_secrets_kms_key_arns List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets list(string) [] no
external_secrets_policy_name Custom name of the External Secrets IAM policy string null no
external_secrets_secrets_manager_arns List of Secrets Manager ARNs that contain secrets to mount using External Secrets list(string) [] no
external_secrets_ssm_parameter_arns List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets list(string) [] no
max_session_duration Maximum CLI/API session duration in seconds between 3600 and 43200 number null no
mountpoint_s3_csi_bucket_arns List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list list(string) [] no
mountpoint_s3_csi_bucket_path_arns S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if attach_mountpoint_s3_csi_policy = true list(string) [] no
mountpoint_s3_csi_policy_name Custom name of the Mountpoint S3 CSI IAM policy string null no
name Name of IAM role string "" no
override_policy_documents List of IAM policy documents that are merged together into the exported document list(string) [] no
path Path of IAM role string "/" no
permissions_boundary_arn Permissions boundary ARN to use for IAM role string null no
policy_name_prefix IAM policy name prefix string "AmazonEKS_" no
policy_statements A list of IAM policy statements for custom permission usage any [] no
source_policy_documents List of IAM policy documents that are merged together into the exported document list(string) [] no
tags A map of tags to add to all resources map(string) {} no
trust_policy_conditions A list of conditions to add to the role trust policy any [] no
trust_policy_statements A list of IAM policy statements for the role trust policy any [] no
use_name_prefix Determines whether the role name and policy name(s) are used as a prefix string true no
velero_policy_name Custom name of the Velero IAM policy string null no
velero_s3_bucket_arns List of S3 Bucket ARNs that Velero needs access to list list(string) [] no
velero_s3_bucket_path_arns S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if attach_mountpoint_s3_csi_policy = true list(string) [] no

Outputs

Name Description
associations Map of Pod Identity associations created
iam_policy_arn The ARN assigned by AWS to this policy
iam_policy_id The policy's ID
iam_policy_name Name of IAM policy
iam_role_arn ARN of IAM role
iam_role_name Name of IAM role
iam_role_path Path of IAM role
iam_role_unique_id Unique ID of IAM role

License

Apache-2.0 Licensed. See LICENSE.