### IRSA Integration
An [IAM role for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) module has been created to work in conjunction with this module. The [`iam-role-for-service-accounts`](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks) module has a set of pre-defined IAM policies for common addons. Check [`policies.tf`](https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-role-for-service-accounts-eks/policies.tf) for a list of the policies currently supported. One example of this integration is shown below; more can be found in the [`iam-role-for-service-accounts`](https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/examples/iam-role-for-service-accounts-eks/main.tf) example directory:
```hcl
module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name    = "example"
  cluster_version = "1.24"

  cluster_addons = {
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
      # Give the aws-node service account its own IRSA role (module "vpc_cni_irsa"
      # below) rather than relying on the permissions of the node IAM role.
      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
    }
  }

  # Placeholder network identifiers - substitute your own VPC and subnet IDs.
  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  eks_managed_node_group_defaults = {
    # We are using the IRSA created below for permissions
    # However, we have to provision a new cluster with the policy attached FIRST
    # before we can disable. Without this initial policy,
    # the VPC CNI fails to assign IPs and nodes cannot join the new cluster
    # Once the IRSA role is in place, set this to false so the node IAM role does
    # not keep CNI permissions that the addon no longer needs from it.
    iam_role_attach_cni_policy = true
  }

  eks_managed_node_groups = {
    default = {}
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
module "vpc_cni_irsa" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "vpc_cni"
  # Attach the module's pre-defined VPC CNI policy, scoped to IPv4 addressing.
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn = module.eks.oidc_provider_arn
      # Restricts the role's trust policy to this namespace/service-account
      # pair; keep the list as narrow as the workload allows.
      namespace_service_accounts = ["kube-system:aws-node"]
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
module "karpenter_irsa" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name                          = "karpenter_controller"
  attach_karpenter_controller_policy = true

  karpenter_controller_cluster_id = module.eks.cluster_id
  # Node IAM roles the controller policy is scoped to (presumably the roles it
  # is allowed to pass to the instances it launches); list only the node groups
  # Karpenter is meant to manage.
  karpenter_controller_node_iam_role_arns = [
    module.eks.eks_managed_node_groups["default"].iam_role_arn
  ]

  oidc_providers = {
    main = {
      provider_arn = module.eks.oidc_provider_arn
      # Restricts the role's trust policy to the Karpenter controller's own
      # service account; keep the list as narrow as the workload allows.
      namespace_service_accounts = ["karpenter:karpenter"]
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```