feat: Add support for pod identity association on EKS addons (#3203)

2026-01-17 09:07:20 +01:00 · 2024-11-08 21:56:56 +00:00
parent d2e6262188
commit a224334fc8
23 changed files with 97 additions and 39 deletions
--- a/README.md
+++ b/README.md
@@ -70,7 +70,6 @@ module "eks" {
  access_entries = {
    # One access entry with a policy associated
    example = {
      kubernetes_groups = []
      principal_arn     = "arn:aws:iam::123456789012:role/something"
      policy_associations = {
@@ -175,7 +174,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.0 |
@@ -183,7 +182,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.9 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.0 |
--- a/examples/eks-managed-node-group/versions.tf
+++ b/examples/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/examples/karpenter/README.md
+++ b/examples/karpenter/README.md
@@ -89,7 +89,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.7 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 2.0 |
@@ -97,8 +97,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
-| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | >= 5.74 |
+| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | >= 5.75 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.7 |
 | <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 2.0 |
--- a/examples/karpenter/versions.tf
+++ b/examples/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
    helm = {
      source  = "hashicorp/helm"
--- a/examples/self-managed-node-group/versions.tf
+++ b/examples/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/main.tf
+++ b/main.tf
@@ -496,8 +496,18 @@ resource "aws_eks_addon" "this" {
  cluster_name = aws_eks_cluster.this[0].name
  addon_name   = try(each.value.name, each.key)
-  addon_version               = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
+  addon_version        = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
-  configuration_values        = try(each.value.configuration_values, null)
+  configuration_values = try(each.value.configuration_values, null)
  dynamic "pod_identity_association" {
    for_each = try(each.value.pod_identity_association, [])
    content {
      role_arn        = pod_identity_association.value.role_arn
      service_account = pod_identity_association.value.service_account
    }
  }
  preserve                    = try(each.value.preserve, true)
  resolve_conflicts_on_create = try(each.value.resolve_conflicts_on_create, "OVERWRITE")
  resolve_conflicts_on_update = try(each.value.resolve_conflicts_on_update, "OVERWRITE")
@@ -525,8 +535,18 @@ resource "aws_eks_addon" "before_compute" {
  cluster_name = aws_eks_cluster.this[0].name
  addon_name   = try(each.value.name, each.key)
-  addon_version               = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
+  addon_version        = coalesce(try(each.value.addon_version, null), data.aws_eks_addon_version.this[each.key].version)
-  configuration_values        = try(each.value.configuration_values, null)
+  configuration_values = try(each.value.configuration_values, null)
  dynamic "pod_identity_association" {
    for_each = try(each.value.pod_identity_association, [])
    content {
      role_arn        = pod_identity_association.value.role_arn
      service_account = pod_identity_association.value.service_account
    }
  }
  preserve                    = try(each.value.preserve, true)
  resolve_conflicts_on_create = try(each.value.resolve_conflicts_on_create, "OVERWRITE")
  resolve_conflicts_on_update = try(each.value.resolve_conflicts_on_update, "OVERWRITE")
--- a/modules/eks-managed-node-group/README.md
+++ b/modules/eks-managed-node-group/README.md
@@ -64,13 +64,13 @@ module "eks_managed_node_group" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
--- a/modules/eks-managed-node-group/versions.tf
+++ b/modules/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/modules/fargate-profile/README.md
+++ b/modules/fargate-profile/README.md
@@ -29,13 +29,13 @@ module "fargate_profile" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
--- a/modules/fargate-profile/versions.tf
+++ b/modules/fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -86,13 +86,13 @@ module "karpenter" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
--- a/modules/karpenter/versions.tf
+++ b/modules/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/modules/self-managed-node-group/README.md
+++ b/modules/self-managed-node-group/README.md
@@ -43,13 +43,13 @@ module "self_managed_node_group" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
--- a/modules/self-managed-node-group/versions.tf
+++ b/modules/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/tests/eks-managed-node-group/README.md
+++ b/tests/eks-managed-node-group/README.md
@@ -18,18 +18,19 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_aws_vpc_cni_ipv6_pod_identity"></a> [aws\_vpc\_cni\_ipv6\_pod\_identity](#module\_aws\_vpc\_cni\_ipv6\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.6 |
 | <a name="module_disabled_eks"></a> [disabled\_eks](#module\_disabled\_eks) | ../.. | n/a |
 | <a name="module_disabled_eks_managed_node_group"></a> [disabled\_eks\_managed\_node\_group](#module\_disabled\_eks\_managed\_node\_group) | ../../modules/eks-managed-node-group | n/a |
 | <a name="module_ebs_kms_key"></a> [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 2.1 |
--- a/tests/eks-managed-node-group/main.tf
+++ b/tests/eks-managed-node-group/main.tf
@@ -45,6 +45,10 @@ module "eks" {
    coredns = {
      most_recent = true
    }
    eks-pod-identity-agent = {
      before_compute = true
      most_recent    = true
    }
    kube-proxy = {
      most_recent = true
    }
@@ -58,6 +62,10 @@ module "eks" {
          WARM_PREFIX_TARGET       = "1"
        }
      })
      pod_identity_association = [{
        role_arn        = module.aws_vpc_cni_ipv6_pod_identity.iam_role_arn
        service_account = "aws-node"
      }]
    }
  }
@@ -366,8 +374,7 @@ module "eks" {
  access_entries = {
    # One access entry with a policy associated
    ex-single = {
-      kubernetes_groups = []
+      principal_arn = aws_iam_role.this["single"].arn
      principal_arn     = aws_iam_role.this["single"].arn
      policy_associations = {
        single = {
@@ -382,8 +389,7 @@ module "eks" {
    # Example of adding multiple policies to a single access entry
    ex-multiple = {
-      kubernetes_groups = []
+      principal_arn = aws_iam_role.this["multiple"].arn
      principal_arn     = aws_iam_role.this["multiple"].arn
      policy_associations = {
        ex-one = {
@@ -489,6 +495,18 @@ module "vpc" {
  tags = local.tags
 }
 module "aws_vpc_cni_ipv6_pod_identity" {
  source  = "terraform-aws-modules/eks-pod-identity/aws"
  version = "~> 1.6"
  name = "aws-vpc-cni-ipv6"
  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv6   = true
  tags = local.tags
 }
 module "ebs_kms_key" {
  source  = "terraform-aws-modules/kms/aws"
  version = "~> 2.1"
--- a/tests/eks-managed-node-group/versions.tf
+++ b/tests/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/tests/fargate-profile/README.md
+++ b/tests/fargate-profile/README.md
@@ -18,13 +18,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
--- a/tests/fargate-profile/versions.tf
+++ b/tests/fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/tests/self-managed-node-group/README.md
+++ b/tests/self-managed-node-group/README.md
@@ -18,18 +18,19 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.74 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.75 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.75 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_aws_vpc_cni_ipv4_pod_identity"></a> [aws\_vpc\_cni\_ipv4\_pod\_identity](#module\_aws\_vpc\_cni\_ipv4\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.6 |
 | <a name="module_disabled_self_managed_node_group"></a> [disabled\_self\_managed\_node\_group](#module\_disabled\_self\_managed\_node\_group) | ../../modules/self-managed-node-group | n/a |
 | <a name="module_ebs_kms_key"></a> [ebs\_kms\_key](#module\_ebs\_kms\_key) | terraform-aws-modules/kms/aws | ~> 2.0 |
 | <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
--- a/tests/self-managed-node-group/main.tf
+++ b/tests/self-managed-node-group/main.tf
@@ -41,11 +41,18 @@ module "eks" {
    coredns = {
      most_recent = true
    }
    eks-pod-identity-agent = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
      pod_identity_association = [{
        role_arn        = module.aws_vpc_cni_ipv4_pod_identity.iam_role_arn
        service_account = "aws-node"
      }]
    }
  }
@@ -388,6 +395,18 @@ module "vpc" {
  tags = local.tags
 }
 module "aws_vpc_cni_ipv4_pod_identity" {
  source  = "terraform-aws-modules/eks-pod-identity/aws"
  version = "~> 1.6"
  name = "aws-vpc-cni-ipv4"
  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv4   = true
  tags = local.tags
 }
 data "aws_ami" "eks_default" {
  most_recent = true
  owners      = ["amazon"]
--- a/tests/self-managed-node-group/versions.tf
+++ b/tests/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
  }
 }
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.74"
+      version = ">= 5.75"
    }
    tls = {
      source  = "hashicorp/tls"