From a224334fc8000dc8728971dff8adad46ceb7a8a1 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Fri, 8 Nov 2024 21:56:56 +0000
Subject: [PATCH] feat: Add support for pod identity association on EKS addons (#3203)
---
 README.md | 5 ++--
 examples/eks-managed-node-group/versions.tf | 2 +-
 examples/karpenter/README.md | 6 ++---
 examples/karpenter/versions.tf | 2 +-
 examples/self-managed-node-group/versions.tf | 2 +-
 main.tf | 28 +++++++++++++++++---
 modules/eks-managed-node-group/README.md | 4 +--
 modules/eks-managed-node-group/versions.tf | 2 +-
 modules/fargate-profile/README.md | 4 +--
 modules/fargate-profile/versions.tf | 2 +-
 modules/karpenter/README.md | 4 +--
 modules/karpenter/versions.tf | 2 +-
 modules/self-managed-node-group/README.md | 4 +--
 modules/self-managed-node-group/versions.tf | 2 +-
 tests/eks-managed-node-group/README.md | 5 ++--
 tests/eks-managed-node-group/main.tf | 26 +++++++++++++++---
 tests/eks-managed-node-group/versions.tf | 2 +-
 tests/fargate-profile/README.md | 4 +--
 tests/fargate-profile/versions.tf | 2 +-
 tests/self-managed-node-group/README.md | 5 ++--
 tests/self-managed-node-group/main.tf | 19 +++++++++++++
 tests/self-managed-node-group/versions.tf | 2 +-
 versions.tf | 2 +-
 23 files changed, 97 insertions(+), 39 deletions(-)
diff --git a/README.md b/README.md
index b272a6475d..5a074b966d 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,6 @@ module "eks" {
 access_entries = {
 # One access entry with a policy associated
 example = {
- kubernetes_groups = []
 principal_arn = "arn:aws:iam::123456789012:role/something"
 policy_associations = {
@@ -175,7 +174,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 | [time](#requirement\_time) | >= 0.9 |
 | [tls](#requirement\_tls) | >= 3.0 |
@@ -183,7 +182,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 | [time](#provider\_time) | >= 0.9 |
 | [tls](#provider\_tls) | >= 3.0 |
diff --git a/examples/eks-managed-node-group/versions.tf b/examples/eks-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/examples/eks-managed-node-group/versions.tf
+++ b/examples/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/examples/karpenter/README.md b/examples/karpenter/README.md
index b621a36591..15d51bcdb9 100644
--- a/examples/karpenter/README.md
+++ b/examples/karpenter/README.md
@@ -89,7 +89,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 | [helm](#requirement\_helm) | >= 2.7 |
 | [kubectl](#requirement\_kubectl) | >= 2.0 |
@@ -97,8 +97,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
-| [aws.virginia](#provider\_aws.virginia) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
+| [aws.virginia](#provider\_aws.virginia) | >= 5.75 |
 | [helm](#provider\_helm) | >= 2.7 |
 | [kubectl](#provider\_kubectl) | >= 2.0 |
diff --git a/examples/karpenter/versions.tf b/examples/karpenter/versions.tf
index 0c0cc6c763..5caab8394a 100644
--- a/examples/karpenter/versions.tf
+++ b/examples/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 helm = {
 source = "hashicorp/helm"
diff --git a/examples/self-managed-node-group/versions.tf b/examples/self-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/examples/self-managed-node-group/versions.tf
+++ b/examples/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/main.tf b/main.tf
index 0b62869c24..037de7b5d8 100644
--- a/main.tf
+++ b/main.tf
@@ -496,8 +496,18 @@ resource "aws_eks_addon" "this" {
 cluster_name = aws_eks_cluster.this[0].name
 addon_name = try(each.value.name, each.key)
- addon_version = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
- configuration_values = try(each.value.configuration_values, null)
+ addon_version = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
+ configuration_values = try(each.value.configuration_values, null)
+
+ dynamic "pod_identity_association" {
+ for_each = try(each.value.pod_identity_association, [])
+
+ content {
+ role_arn = pod_identity_association.value.role_arn
+ service_account = pod_identity_association.value.service_account
+ }
+ }
+
 preserve = try(each.value.preserve, true)
 resolve_conflicts_on_create = try(each.value.resolve_conflicts_on_create, "OVERWRITE")
 resolve_conflicts_on_update = try(each.value.resolve_conflicts_on_update, "OVERWRITE")
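Review bot: `for_each = try(each.value.pod_identity_association, [])` only substitutes `[]` when the attribute is absent; an addon entry that sets it to `null` explicitly makes `try` return null, and a dynamic block cannot iterate a null collection, so the plan would fail rather than skip the block (inferred from Terraform's for_each rules; worth confirming with a test entry). `for_each = try(each.value.pod_identity_association == null ? [] : each.value.pod_identity_association, [])` handles both the missing and the null case, and the identical block added to `aws_eks_addon.before_compute` in the next hunk needs the same change. The block also deserves a comment on what it grants, e.g. `# Binds role_arn to the named service account in the addon's namespace; the tests pair this with the eks-pod-identity-agent addon`. The enclosing `aws_eks_addon.this` resource starts before this hunk and continues past it.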
@@ -525,8 +535,18 @@ resource "aws_eks_addon" "before_compute" {
 cluster_name = aws_eks_cluster.this[0].name
 addon_name = try(each.value.name, each.key)
- addon_version = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
- configuration_values = try(each.value.configuration_values, null)
+ addon_version = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
+ configuration_values = try(each.value.configuration_values, null)
+
+ dynamic "pod_identity_association" {
+ for_each = try(each.value.pod_identity_association, [])
+
+ content {
+ role_arn = pod_identity_association.value.role_arn
+ service_account = pod_identity_association.value.service_account
+ }
+ }
+
 preserve = try(each.value.preserve, true)
 resolve_conflicts_on_create = try(each.value.resolve_conflicts_on_create, "OVERWRITE")
 resolve_conflicts_on_update = try(each.value.resolve_conflicts_on_update, "OVERWRITE")
diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
index ace9106c3d..23df973444 100644
--- a/modules/eks-managed-node-group/README.md
+++ b/modules/eks-managed-node-group/README.md
@@ -64,13 +64,13 @@ module "eks_managed_node_group" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
diff --git a/modules/eks-managed-node-group/versions.tf b/modules/eks-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/modules/eks-managed-node-group/versions.tf
+++ b/modules/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md
index 732cd7b455..a7b12553ff 100644
--- a/modules/fargate-profile/README.md
+++ b/modules/fargate-profile/README.md
@@ -29,13 +29,13 @@ module "fargate_profile" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
diff --git a/modules/fargate-profile/versions.tf b/modules/fargate-profile/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/modules/fargate-profile/versions.tf
+++ b/modules/fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index 2ca911d156..ef2be2099c 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -86,13 +86,13 @@ module "karpenter" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
diff --git a/modules/karpenter/versions.tf b/modules/karpenter/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/modules/karpenter/versions.tf
+++ b/modules/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
index d2c53be59a..7c76477049 100644
--- a/modules/self-managed-node-group/README.md
+++ b/modules/self-managed-node-group/README.md
@@ -43,13 +43,13 @@ module "self_managed_node_group" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
diff --git a/modules/self-managed-node-group/versions.tf b/modules/self-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/modules/self-managed-node-group/versions.tf
+++ b/modules/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/tests/eks-managed-node-group/README.md b/tests/eks-managed-node-group/README.md
index 39af8f08ed..b1f4ab1398 100644
--- a/tests/eks-managed-node-group/README.md
+++ b/tests/eks-managed-node-group/README.md
@@ -18,18 +18,19 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
+| [aws\_vpc\_cni\_ipv6\_pod\_identity](#module\_aws\_vpc\_cni\_ipv6\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.6 |
 | [disabled\_eks](#module\_disabled\_eks) | ../.. | n/a |
 | [disabled\_eks\_managed\_node\_group](#module\_disabled\_eks\_managed\_node\_group) | ../../modules/eks-managed-node-group | n/a |
 | [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 2.1 |
diff --git a/tests/eks-managed-node-group/main.tf b/tests/eks-managed-node-group/main.tf
index 7292e765dc..8a4d48c7f0 100644
--- a/tests/eks-managed-node-group/main.tf
+++ b/tests/eks-managed-node-group/main.tf
@@ -45,6 +45,10 @@ module "eks" {
 coredns = {
 most_recent = true
 }
+ eks-pod-identity-agent = {
+ before_compute = true
+ most_recent = true
+ }
 kube-proxy = {
 most_recent = true
 }
@@ -58,6 +62,10 @@ module "eks" {
 WARM_PREFIX_TARGET = "1"
 }
 })
+ pod_identity_association = [{
+ role_arn = module.aws_vpc_cni_ipv6_pod_identity.iam_role_arn
+ service_account = "aws-node"
+ }]
 }
 }
@@ -366,8 +374,7 @@ module "eks" {
 access_entries = {
 # One access entry with a policy associated
 ex-single = {
- kubernetes_groups = []
- principal_arn = aws_iam_role.this["single"].arn
+ principal_arn = aws_iam_role.this["single"].arn
 policy_associations = {
 single = {
@@ -382,8 +389,7 @@ module "eks" {
 # Example of adding multiple policies to a single access entry
 ex-multiple = {
- kubernetes_groups = []
- principal_arn = aws_iam_role.this["multiple"].arn
+ principal_arn = aws_iam_role.this["multiple"].arn
 policy_associations = {
 ex-one = {
@@ -489,6 +495,18 @@ module "vpc" {
 tags = local.tags
 }
+module "aws_vpc_cni_ipv6_pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "~> 1.6"
+
+ name = "aws-vpc-cni-ipv6"
+
+ attach_aws_vpc_cni_policy = true
+ aws_vpc_cni_enable_ipv6 = true
+
+ tags = local.tags
+}
+
 module "ebs_kms_key" {
 source = "terraform-aws-modules/kms/aws"
 version = "~> 2.1"
diff --git a/tests/eks-managed-node-group/versions.tf b/tests/eks-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/tests/eks-managed-node-group/versions.tf
+++ b/tests/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/tests/fargate-profile/README.md b/tests/fargate-profile/README.md
index a7af7cd080..a50029c722 100644
--- a/tests/fargate-profile/README.md
+++ b/tests/fargate-profile/README.md
@@ -18,13 +18,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
diff --git a/tests/fargate-profile/versions.tf b/tests/fargate-profile/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/tests/fargate-profile/versions.tf
+++ b/tests/fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/tests/self-managed-node-group/README.md b/tests/self-managed-node-group/README.md
index 0691b7aa0b..1587f7c177 100644
--- a/tests/self-managed-node-group/README.md
+++ b/tests/self-managed-node-group/README.md
@@ -18,18 +18,19 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.2 |
-| [aws](#requirement\_aws) | >= 5.74 |
+| [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.74 |
+| [aws](#provider\_aws) | >= 5.75 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
+| [aws\_vpc\_cni\_ipv4\_pod\_identity](#module\_aws\_vpc\_cni\_ipv4\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.6 |
 | [disabled\_self\_managed\_node\_group](#module\_disabled\_self\_managed\_node\_group) | ../../modules/self-managed-node-group | n/a |
 | [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 2.0 |
 | [eks](#module\_eks) | ../.. | n/a |
diff --git a/tests/self-managed-node-group/main.tf b/tests/self-managed-node-group/main.tf
index dee3274dc4..afe7aac9a1 100644
--- a/tests/self-managed-node-group/main.tf
+++ b/tests/self-managed-node-group/main.tf
@@ -41,11 +41,18 @@ module "eks" {
 coredns = {
 most_recent = true
 }
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
 kube-proxy = {
 most_recent = true
 }
 vpc-cni = {
 most_recent = true
+ pod_identity_association = [{
+ role_arn = module.aws_vpc_cni_ipv4_pod_identity.iam_role_arn
+ service_account = "aws-node"
+ }]
 }
 }
@@ -388,6 +395,18 @@ module "vpc" {
 tags = local.tags
 }
+module "aws_vpc_cni_ipv4_pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "~> 1.6"
+
+ name = "aws-vpc-cni-ipv4"
+
+ attach_aws_vpc_cni_policy = true
+ aws_vpc_cni_enable_ipv4 = true
+
+ tags = local.tags
+}
+
 data "aws_ami" "eks_default" {
 most_recent = true
 owners = ["amazon"]
diff --git a/tests/self-managed-node-group/versions.tf b/tests/self-managed-node-group/versions.tf
index 3cc97fa038..0099e6baaf 100644
--- a/tests/self-managed-node-group/versions.tf
+++ b/tests/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 }
 }
diff --git a/versions.tf b/versions.tf
index 090ca7b00b..fc9dadd253 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.74"
+ version = ">= 5.75"
 }
 tls = {
 source = "hashicorp/tls"
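Review bot: The `eks-pod-identity-agent` entry added in the first hunk of tests/self-managed-node-group/main.tf omits the `before_compute = true` that the eks-managed-node-group test sets on the same addon, even though `vpc-cni` in the same map now carries a `pod_identity_association` and presumably needs the agent running before its pods can obtain the role's credentials. If the difference is intentional (exercising the post-compute path), a comment such as `# installed after compute on purpose, unlike tests/eks-managed-node-group` would document it; otherwise add `before_compute = true`. The `module "eks"` block starts before this hunk and continues past it.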