Amazon EKS Blueprints Addon Terraform module

Terraform module which provisions an addon (Helm release) and an IAM role for service accounts (IRSA).

Usage

Create Addon (Helm Release) w/ IAM Role for Service Account (IRSA)

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  chart            = "karpenter"
  chart_version    = "0.16.2"
  repository       = "https://charts.karpenter.sh/"
  description      = "Kubernetes Node Autoscaling: built for flexibility, performance, and simplicity"
  namespace        = "karpenter"
  create_namespace = true

  set = [
    {
      name  = "clusterName"
      value = "eks-blueprints-addon-example"
    },
    {
      name  = "clusterEndpoint"
      value = "https://EXAMPLED539D4633E53DE1B71EXAMPLE.gr7.us-west-2.eks.amazonaws.com"
    },
    {
      name  = "aws.defaultInstanceProfile"
      value = "arn:aws:iam::111111111111:instance-profile/KarpenterNodeInstanceProfile-complete"
    }
  ]

  set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
  # Equivalent to the following, but the role ARN is only known internally to the module
  # set = [{
  #   name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
  #   value = aws_iam_role.this[0].arn
  # }]

  # IAM role for service account (IRSA)
  create_role = true
  role_name   = "karpenter-controller"
  role_policies = {
    karpenter = "arn:aws:iam::111111111111:policy/Karpenter_Controller_Policy-20221008165117447500000007"
  }

  oidc_providers = {
    this = {
      provider_arn = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      # namespace is inherited from the chart
      service_account = "karpenter"
    }
  }

  tags = {
    Environment = "dev"
  }
}
```

Create Addon (Helm Release) Only

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  chart         = "metrics-server"
  chart_version = "3.8.2"
  repository    = "https://kubernetes-sigs.github.io/metrics-server/"
  description   = "Metric server helm Chart deployment configuration"
  namespace     = "kube-system"

  values = [
    <<-EOT
      podDisruptionBudget:
        maxUnavailable: 1
      metrics:
        enabled: true
    EOT
  ]

  set = [
    {
      name  = "replicas"
      value = 3
    }
  ]
}
```

Create IAM Role for Service Account (IRSA) Only

```hcl
module "eks_blueprints_addon" {
  source  = "aws-ia/eks-blueprints-addon/aws"
  version = "~> 1.0" # ensure to update this to the latest/desired version

  # Disable helm release
  create_release = false

  # IAM role for service account (IRSA)
  create_role   = true
  create_policy = false
  role_name     = "aws-vpc-cni-ipv4"
  role_policies = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

  oidc_providers = {
    this = {
      provider_arn    = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      namespace       = "kube-system"
      service_account = "aws-node"
    }
  }

  tags = {
    Environment = "dev"
  }
}
```
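The value of an IRSA role comes from its trust policy: only the pod identity whose `sub` claim names the configured namespace and service account (and whose `aud` is STS) may assume it. The example below is added here and is not the module's own code; it builds a trust policy of the shape AWS documents for IRSA from the `oidc_providers` fields used in the examples above (the exact document the module renders is not shown on this page) and checks that a given trust policy is not scoped wider than a single service account.

```python
STS_AUDIENCE = "sts.amazonaws.com"


def issuer_host(provider_arn):
    """OIDC issuer host that prefixes the IRSA condition keys; accepts a full
    provider ARN (...:oidc-provider/oidc.eks...) or the bare host the README uses."""
    return provider_arn.rsplit("oidc-provider/", 1)[-1]


def irsa_trust_policy(provider_arn, namespace, service_account,
                      condition_test="StringEquals"):
    """Trust policy letting exactly one Kubernetes service account assume the
    role; condition_test mirrors the module's assume_role_condition_test input."""
    host = issuer_host(provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {condition_test: {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": STS_AUDIENCE,
            }},
        }],
    }


def trust_policy_findings(policy):
    """Reasons a web-identity trust statement is broader than one
    namespace/service account; an empty list means it is tightly scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        subs, auds = [], []
        for keys in stmt.get("Condition", {}).values():
            for key, value in keys.items():
                values = value if isinstance(value, list) else [value]
                if key.endswith(":sub"):
                    subs += values
                elif key.endswith(":aud"):
                    auds += values
        if not subs:
            findings.append("no :sub condition: any identity from this issuer qualifies")
        findings += [f"wildcard in :sub {s!r}" for s in subs if "*" in s]
        if not auds or any(a != STS_AUDIENCE for a in auds):
            findings.append("aud not pinned to sts.amazonaws.com")
    return findings
```

Run `trust_policy_findings` over the trust policy of an existing role (for example the JSON from `aws iam get-role`) to catch `StringLike` wildcards that let every service account in a namespace, or every namespace, assume the role.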

Support & Feedback

Important

EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service, and support is provided on a best-effort basis by the EKS Blueprints community. To provide feedback, please use the issue templates provided. If you are interested in contributing to EKS Blueprints, see the Contribution guide.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.47 |
| helm | >= 2.9 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.47 |
| helm | >= 2.9 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.additional | resource |
| aws_iam_role_policy_attachment.this | resource |
| helm_release.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allow_self_assume_role | Determines whether to allow the role to assume itself | bool | false | no |
| assume_role_condition_test | Name of the IAM condition operator to evaluate when assuming the role | string | "StringEquals" | no |
| atomic | If set, the installation process purges the chart on failure. The wait flag will be set automatically if atomic is used. Defaults to false | bool | null | no |
| chart | Chart name to be installed. The chart name can be a local path, a URL to a chart, or the name of the chart if repository is specified | string | "" | no |
| chart_version | Specify the exact chart version to install. If this is not specified, the latest version is installed | string | null | no |
| cleanup_on_fail | Allow deletion of new resources created in this upgrade when the upgrade fails. Defaults to false | bool | null | no |
| create | Controls if resources should be created (affects all resources) | bool | true | no |
| create_namespace | Create the namespace if it does not yet exist. Defaults to false | bool | null | no |
| create_policy | Whether to create an IAM policy that is attached to the IAM role created | bool | true | no |
| create_release | Determines whether the Helm release is created | bool | true | no |
| create_role | Determines whether to create an IAM role | bool | false | no |
| dependency_update | Runs helm dependency update before installing the chart. Defaults to false | bool | null | no |
| description | Set release description attribute (visible in the history) | string | null | no |
| devel | Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | bool | null | no |
| disable_openapi_validation | If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to false | bool | null | no |
| disable_webhooks | Prevent hooks from running. Defaults to false | bool | null | no |
| force_update | Force resource update through delete/recreate if needed. Defaults to false | bool | null | no |
| keyring | Location of public keys used for verification. Used only if verify is true. Defaults to /.gnupg/pubring.gpg in the location set by home | string | null | no |
| lint | Run the helm chart linter during the plan. Defaults to false | bool | null | no |
| max_history | Maximum number of release versions stored per release. Defaults to 0 (no limit) | number | null | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | null | no |
| name | Name of the Helm release | string | "" | no |
| namespace | The namespace to install the release into. Defaults to default | string | null | no |
| oidc_providers | Map of OIDC providers where each provider map should contain the provider_arn, and service_accounts | any | {} | no |
| override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid | list(string) | [] | no |
| policy_description | IAM policy description | string | null | no |
| policy_name | Name of IAM policy | string | null | no |
| policy_name_use_prefix | Determines whether the IAM policy name (policy_name) is used as a prefix | bool | true | no |
| policy_path | Path of IAM policy | string | null | no |
| policy_statements | List of IAM policy statements | any | [] | no |
| postrender | Configure a command to run after helm renders the manifest, which can alter the manifest contents | any | {} | no |
| recreate_pods | Perform pod restarts during upgrade/rollback. Defaults to false | bool | null | no |
| render_subchart_notes | If set, render subchart notes along with the parent. Defaults to true | bool | null | no |
| replace | Re-use the given name, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to false | bool | null | no |
| repository | Repository URL where to locate the requested chart | string | null | no |
| repository_ca_file | The repository's CA file | string | null | no |
| repository_cert_file | The repository's cert file | string | null | no |
| repository_key_file | The repository's cert key file | string | null | no |
| repository_password | Password for HTTP basic authentication against the repository | string | null | no |
| repository_username | Username for HTTP basic authentication against the repository | string | null | no |
| reset_values | When upgrading, reset the values to the ones built into the chart. Defaults to false | bool | null | no |
| reuse_values | When upgrading, reuse the last release's values and merge in any overrides. If reset_values is specified, this is ignored. Defaults to false | bool | null | no |
| role_description | IAM role description | string | null | no |
| role_name | Name of IAM role | string | null | no |
| role_name_use_prefix | Determines whether the IAM role name (role_name) is used as a prefix | bool | true | no |
| role_path | Path of IAM role | string | "/" | no |
| role_permissions_boundary_arn | Permissions boundary ARN to use for the IAM role | string | null | no |
| role_policies | Policies to attach to the IAM role in {'static_name' = 'policy_arn'} format | map(string) | {} | no |
| set | Value block with custom values to be merged with the values yaml | any | [] | no |
| set_irsa_names | Value (annotation) names to which the IRSA role ARN created by the module will be assigned | list(string) | [] | no |
| set_sensitive | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | any | [] | no |
| skip_crds | If set, no CRDs will be installed. By default, CRDs are installed if not already present. Defaults to false | bool | null | no |
| source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids | list(string) | [] | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| timeout | Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to 300 seconds | number | null | no |
| values | List of values in raw yaml to pass to helm. Values will be merged, in order, as Helm does with multiple -f options | list(string) | null | no |
| verify | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. For more information see the Helm Documentation. Defaults to false | bool | null | no |
| wait | Will wait until all resources are in a ready state before marking the release as successful. If set to true, it will wait for as long as timeout. If set to null, falls back to a 300s timeout. Defaults to false | bool | false | no |
| wait_for_jobs | If wait is enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to false | bool | null | no |

Outputs

| Name | Description |
|------|-------------|
| app_version | The version number of the application being deployed |
| chart | The name of the chart |
| iam_policy | The policy document |
| iam_policy_arn | The ARN assigned by AWS to this policy |
| iam_role_arn | ARN of IAM role |
| iam_role_name | Name of IAM role |
| iam_role_path | Path of IAM role |
| iam_role_unique_id | Unique ID of IAM role |
| name | Name of the release |
| namespace | Name of the Kubernetes namespace |
| revision | Revision of the release (an int32 that represents the release version) |
| values | The compounded values from the values and set* attributes |
| version | A SemVer 2 conformant version string of the chart |

Community

License

Apache-2.0 Licensed. See LICENSE.