feat!: Replace the use of aws-auth configmap with EKS cluster access entry (#2858)

* feat: Replace `resolve_conflicts` with `resolve_conflicts_on_create`/`delete`; raise MSV of AWS provider to `v5.0` to support

* fix: Replace dynamic DNS suffix for `sts:AssumeRole` API calls for static suffix

* feat: Add module tag

* feat: Align Karpenter permissions with Karpenter v1beta1/v0.32 permissions from upstream

* refactor: Move `aws-auth` ConfigMap functionality to its own sub-module

* chore: Update examples

* feat: Add state `moved` block for Karpenter Pod Identity role re-name

* fix: Correct variable `create` description

* feat: Add support for cluster access entries

* chore: Bump MSV of Terraform to `1.3`

* fix: Replace defunct kubectl provider with an updated forked equivalent

* chore: Update and validate examples for access entry; clean up provider usage

* docs: Correct double redundant variable descriptions

* feat: Add support for Cloudwatch log group class argument

* fix: Update usage tag placement, fix Karpenter event spelling, add upcoming changes section to upgrade guide

* feat: Update Karpenter module to generalize naming used and align policy with the upstream Karpenter policy

* feat: Add native support for Windows based managed nodegroups similar to AL2 and Bottlerocket

* feat: Update self-managed nodegroup module to use latest features of ASG

* docs: Update and simplify docs

* fix: Correct variable description for AMI types

* fix: Update upgrade guide with changes; rename Karpenter controller resource names to support migrating for users

* docs: Complete upgrade guide docs for migration and changes applied

* Update examples/karpenter/README.md

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

* Update examples/outposts/README.md

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

* Update modules/karpenter/README.md

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

---------

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

modules/karpenter/variables.tf

@@ -1,5 +1,5 @@
 variable "create" {
-  description = "Determines whether to create EKS managed node group or not"
+  description = "Controls if resources should be created (affects nearly all resources)"
   type        = bool
   default     = true
 }
@@ -17,92 +17,101 @@ variable "cluster_name" {
 }
 
 ################################################################################
-# IAM Role for Service Account (IRSA)
+# Karpenter controller IAM Role
 ################################################################################
 
-variable "create_irsa" {
-  description = "Determines whether an IAM role for service accounts is created"
+variable "create_iam_role" {
+  description = "Determines whether an IAM role is created"
   type        = bool
   default     = true
 }
 
-variable "irsa_name" {
-  description = "Name of IAM role for service accounts"
+variable "iam_role_name" {
+  description = "Name of the IAM role"
   type        = string
-  default     = null
+  default     = "KarpenterController"
 }
 
-variable "irsa_policy_name" {
-  description = "Name of IAM policy for service accounts"
-  type        = string
-  default     = null
-}
-
-variable "irsa_use_name_prefix" {
-  description = "Determines whether the IAM role for service accounts name (`irsa_name`) is used as a prefix"
+variable "iam_role_use_name_prefix" {
+  description = "Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix"
   type        = bool
   default     = true
 }
 
-variable "irsa_path" {
-  description = "Path of IAM role for service accounts"
+variable "iam_role_path" {
+  description = "Path of the IAM role"
   type        = string
   default     = "/"
 }
 
-variable "irsa_description" {
-  description = "IAM role for service accounts description"
+variable "iam_role_description" {
+  description = "IAM role description"
   type        = string
-  default     = "Karpenter IAM role for service account"
+  default     = "Karpenter controller IAM role"
 }
 
-variable "irsa_max_session_duration" {
+variable "iam_role_max_session_duration" {
   description = "Maximum API session duration in seconds between 3600 and 43200"
   type        = number
   default     = null
 }
 
-variable "irsa_permissions_boundary_arn" {
-  description = "Permissions boundary ARN to use for IAM role for service accounts"
+variable "iam_role_permissions_boundary_arn" {
+  description = "Permissions boundary ARN to use for the IAM role"
   type        = string
   default     = null
 }
 
-variable "irsa_tags" {
-  description = "A map of additional tags to add the the IAM role for service accounts"
+variable "iam_role_tags" {
+  description = "A map of additional tags to add the the IAM role"
   type        = map(any)
   default     = {}
 }
 
-variable "policies" {
+variable "iam_policy_name" {
+  description = "Name of the IAM policy"
+  type        = string
+  default     = "KarpenterController"
+}
+
+variable "iam_policy_use_name_prefix" {
+  description = "Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "iam_policy_path" {
+  description = "Path of the IAM policy"
+  type        = string
+  default     = "/"
+}
+
+variable "iam_policy_description" {
+  description = "IAM policy description"
+  type        = string
+  default     = "Karpenter controller IAM policy"
+}
+
+variable "iam_role_policies" {
   description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
   type        = map(string)
   default     = {}
 }
 
-variable "irsa_tag_key" {
-  description = "Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner"
-  type        = string
-  default     = "karpenter.sh/discovery"
-}
-
-variable "irsa_tag_values" {
-  description = "Tag values (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner. Defaults to cluster name when not set."
+variable "ami_id_ssm_parameter_arns" {
+  description = "List of SSM Parameter ARNs that Karpenter controller is allowed read access (for retrieving AMI IDs)"
   type        = list(string)
   default     = []
 }
 
-variable "irsa_ssm_parameter_arns" {
-  description = "List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter"
-  type        = list(string)
-  # https://github.com/aws/karpenter/blob/ed9473a9863ca949b61b9846c8b9f33f35b86dbd/pkg/cloudprovider/aws/ami.go#L105-L123
-  default = ["arn:aws:ssm:*:*:parameter/aws/service/*"]
-}
+################################################################################
+# IAM Role for Service Account (IRSA)
+################################################################################
 
-variable "irsa_subnet_account_id" {
-  description = "Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account"
-  type        = string
-  default     = ""
+variable "enable_irsa" {
+  description = "Determines whether to enable support IAM role for service account"
+  type        = bool
+  default     = false
 }
 
 variable "irsa_oidc_provider_arn" {
@@ -123,12 +132,6 @@ variable "irsa_assume_role_condition_test" {
   default     = "StringEquals"
 }
 
-variable "enable_karpenter_instance_profile_creation" {
-  description = "Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1)"
-  type        = bool
-  default     = false
-}
-
 ################################################################################
 # Node Termination Queue
 ################################################################################
@@ -164,81 +167,97 @@ variable "queue_kms_data_key_reuse_period_seconds" {
 }
 
 ################################################################################
-# Node IAM Role & Instance Profile
+# Node IAM Role
 ################################################################################
 
-variable "create_iam_role" {
+variable "create_node_iam_role" {
   description = "Determines whether an IAM role is created or to use an existing IAM role"
   type        = bool
   default     = true
 }
 
 variable "cluster_ip_family" {
-  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
+  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true`"
   type        = string
   default     = null
 }
 
-variable "iam_role_arn" {
+variable "node_iam_role_arn" {
   description = "Existing IAM role ARN for the IAM instance profile. Required if `create_iam_role` is set to `false`"
   type        = string
   default     = null
 }
 
-variable "iam_role_name" {
+variable "node_iam_role_name" {
   description = "Name to use on IAM role created"
   type        = string
   default     = null
 }
 
-variable "iam_role_use_name_prefix" {
+variable "node_iam_role_use_name_prefix" {
   description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
   type        = bool
   default     = true
 }
 
-variable "iam_role_path" {
+variable "node_iam_role_path" {
   description = "IAM role path"
   type        = string
   default     = "/"
 }
 
-variable "iam_role_description" {
+variable "node_iam_role_description" {
   description = "Description of the role"
   type        = string
   default     = null
 }
 
-variable "iam_role_max_session_duration" {
+variable "node_iam_role_max_session_duration" {
   description = "Maximum API session duration in seconds between 3600 and 43200"
   type        = number
   default     = null
 }
 
-variable "iam_role_permissions_boundary" {
+variable "node_iam_role_permissions_boundary" {
   description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
   type        = string
   default     = null
 }
 
-variable "iam_role_attach_cni_policy" {
+variable "node_iam_role_attach_cni_policy" {
   description = "Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
   type        = bool
   default     = true
 }
 
-variable "iam_role_additional_policies" {
+variable "node_iam_role_additional_policies" {
   description = "Additional policies to be added to the IAM role"
   type        = map(string)
   default     = {}
 }
 
-variable "iam_role_tags" {
+variable "node_iam_role_tags" {
   description = "A map of additional tags to add to the IAM role created"
   type        = map(string)
   default     = {}
 }
 
+################################################################################
+# Access Entry
+################################################################################
+
+variable "create_access_entry" {
+  description = "Determines whether an access entry is created for the IAM role used by the node IAM role"
+  type        = bool
+  default     = true
+}
+
+variable "access_entry_type" {
+  description = "Type of the access entry. `EC2_LINUX`, `FARGATE_LINUX`, or `EC2_WINDOWS`; defaults to `EC2_LINUX`"
+  type        = string
+  default     = "EC2_LINUX"
+}
+
 ################################################################################
 # Node IAM Instance Profile
 ################################################################################
@@ -246,7 +265,7 @@ variable "iam_role_tags" {
 variable "create_instance_profile" {
   description = "Whether to create an IAM instance profile"
   type        = bool
-  default     = true
+  default     = false
 }
 
 ################################################################################