feat: Add EKS Fargate support (#1067)

Co-authored-by: Simon Gurcke <simon@gurcke.de> Co-authored-by: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com>
2026-01-18 09:38:33 +01:00 · 2020-11-07 23:03:12 +01:00
parent 571da60aea
commit 0d77e30075
14 changed files with 460 additions and 2 deletions
--- a/modules/fargate/README.md
+++ b/modules/fargate/README.md
@@ -0,0 +1,54 @@
+# eks `fargate` submodule
+
+Helper submodule to create and manage resources related to `aws_eks_fargate_profile`.
+
+## Assumptions
+* Designed for use by the parent module and not directly by end users
+
+## `fargate_profile` keys
+`fargate_profile` is a map of maps. Key of first level will be used as unique value for `for_each` resources and in the `aws_eks_fargate_profile` name. Inner map can take the below values.
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| name | Fargate profile name | `string` | Auto generated in the following format `[cluster_name]-fargate-[fargate_profile_map_key]`| no |
+| namespace | Kubernetes namespace for selection | `string` | n/a | yes |
+| labels | Key-value map of Kubernetes labels for selection | `map(string)` | `{}` | no |
+| tags | Key-value map of resource tags. Will be merged with root module tags. | `map(string)` | `var.tags` | no |
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cluster\_name | Name of the EKS cluster. | `string` | n/a | yes |
+| create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
+| create\_fargate\_pod\_execution\_role | Controls if the the IAM Role that provides permissions for the EKS Fargate Profile should be created. | `bool` | `true` | no |
+| eks\_depends\_on | List of references to other resources this submodule depends on. | `any` | `null` | no |
+| fargate\_pod\_execution\_role\_name | The IAM Role that provides permissions for the EKS Fargate Profile. | `string` | `null` | no |
+| fargate\_profiles | Fargate profiles to create. See `fargate_profile` keys section in README.md for more details | `any` | `{}` | no |
+| iam\_path | IAM roles will be created on this path. | `string` | `"/"` | no |
+| iam\_policy\_arn\_prefix | IAM policy prefix with the correct AWS partition. | `string` | n/a | yes |
+| subnets | A list of subnets for the EKS Fargate profiles. | `list(string)` | `[]` | no |
+| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aws\_auth\_roles | Roles for use in aws-auth ConfigMap |
+| fargate\_profile\_arns | Amazon Resource Name (ARN) of the EKS Fargate Profiles. |
+| fargate\_profile\_ids | EKS Cluster name and EKS Fargate Profile names separated by a colon (:). |
+| iam\_role\_arn | IAM role ARN for EKS Fargate pods |
+| iam\_role\_name | IAM role name for EKS Fargate pods |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/modules/fargate/data.tf
+++ b/modules/fargate/data.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "eks_fargate_pod_assume_role" {
+  count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks-fargate-pods.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_role" "custom_fargate_iam_role" {
+  count = local.create_eks && ! var.create_fargate_pod_execution_role ? 1 : 0
+  name  = var.fargate_pod_execution_role_name
+}
--- a/modules/fargate/fargate.tf
+++ b/modules/fargate/fargate.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_role" "eks_fargate_pod" {
+  count              = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
+  name_prefix        = format("%s-fargate", var.cluster_name)
+  assume_role_policy = data.aws_iam_policy_document.eks_fargate_pod_assume_role[0].json
+  tags               = var.tags
+  path               = var.iam_path
+}
+
+resource "aws_iam_role_policy_attachment" "eks_fargate_pod" {
+  count      = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
+  policy_arn = "${var.iam_policy_arn_prefix}/AmazonEKSFargatePodExecutionRolePolicy"
+  role       = aws_iam_role.eks_fargate_pod[0].name
+}
+
+resource "aws_eks_fargate_profile" "this" {
+  for_each               = local.create_eks ? local.fargate_profiles_expanded : {}
+  cluster_name           = var.cluster_name
+  fargate_profile_name   = lookup(each.value, "name", format("%s-fargate-%s", var.cluster_name, replace(each.key, "_", "-")))
+  pod_execution_role_arn = local.pod_execution_role_arn
+  subnet_ids             = var.subnets
+  tags                   = each.value.tags
+
+  selector {
+    namespace = each.value.namespace
+    labels    = lookup(each.value, "labels", null)
+  }
+
+  depends_on = [var.eks_depends_on]
+}
--- a/modules/fargate/locals.tf
+++ b/modules/fargate/locals.tf
@@ -0,0 +1,10 @@
+locals {
+  create_eks              = var.create_eks && length(var.fargate_profiles) > 0
+  pod_execution_role_arn  = var.create_fargate_pod_execution_role ? element(concat(aws_iam_role.eks_fargate_pod.*.arn, list("")), 0) : element(concat(data.aws_iam_role.custom_fargate_iam_role.*.arn, list("")), 0)
+  pod_execution_role_name = var.create_fargate_pod_execution_role ? element(concat(aws_iam_role.eks_fargate_pod.*.name, list("")), 0) : element(concat(data.aws_iam_role.custom_fargate_iam_role.*.name, list("")), 0)
+
+  fargate_profiles_expanded = { for k, v in var.fargate_profiles : k => merge(
+    { tags = var.tags },
+    v,
+  ) if var.create_eks }
+}
--- a/modules/fargate/outputs.tf
+++ b/modules/fargate/outputs.tf
@@ -0,0 +1,27 @@
+output "fargate_profile_ids" {
+  description = "EKS Cluster name and EKS Fargate Profile names separated by a colon (:)."
+  value       = [for f in aws_eks_fargate_profile.this : f.id]
+}
+
+output "fargate_profile_arns" {
+  description = "Amazon Resource Name (ARN) of the EKS Fargate Profiles."
+  value       = [for f in aws_eks_fargate_profile.this : f.arn]
+}
+
+output "iam_role_name" {
+  description = "IAM role name for EKS Fargate pods"
+  value       = local.pod_execution_role_name
+}
+
+output "iam_role_arn" {
+  description = "IAM role ARN for EKS Fargate pods"
+  value       = local.pod_execution_role_arn
+}
+
+output "aws_auth_roles" {
+  description = "Roles for use in aws-auth ConfigMap"
+  value = [{
+    worker_role_arn = local.pod_execution_role_arn
+    platform        = "fargate"
+  }]
+}
--- a/modules/fargate/variables.tf
+++ b/modules/fargate/variables.tf
@@ -0,0 +1,59 @@
+variable "cluster_name" {
+  description = "Name of the EKS cluster."
+  type        = string
+}
+
+variable "create_eks" {
+  description = "Controls if EKS resources should be created (it affects almost all resources)"
+  type        = bool
+  default     = true
+}
+
+variable "iam_path" {
+  description = "IAM roles will be created on this path."
+  type        = string
+  default     = "/"
+}
+
+variable "iam_policy_arn_prefix" {
+  description = "IAM policy prefix with the correct AWS partition."
+  type        = string
+}
+
+variable "create_fargate_pod_execution_role" {
+  description = "Controls if the the IAM Role that provides permissions for the EKS Fargate Profile should be created."
+  type        = bool
+  default     = true
+}
+
+variable "fargate_pod_execution_role_name" {
+  description = "The IAM Role that provides permissions for the EKS Fargate Profile."
+  type        = string
+  default     = null
+}
+
+variable "fargate_profiles" {
+  description = "Fargate profiles to create. See `fargate_profile` keys section in README.md for more details"
+  type        = any
+  default     = {}
+}
+
+variable "subnets" {
+  description = "A list of subnets for the EKS Fargate profiles."
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+}
+
+# Hack for a homemade `depends_on` https://discuss.hashicorp.com/t/tips-howto-implement-module-depends-on-emulation/2305/2
+# Will be removed in Terraform 0.13 with the support of module's `depends_on` https://github.com/hashicorp/terraform/issues/10462
+variable "eks_depends_on" {
+  description = "List of references to other resources this submodule depends on."
+  type        = any
+  default     = null
+}