EKS-MULTI-ADDONS (#459)

bcarranza · web-flow · commit 5939067c80d2 · 2024-01-31T09:44:56.000-08:00
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
@@ -11,6 +11,21 @@ terraform {
   }
 }
 
+locals {
+  cluster_addons_iam = { 
+    for k, v in var.cluster_addons : k => {
+      name                          = v.name
+      addon_version                 = v.addon_version
+      resolve_conflicts_on_create   = v.resolve_conflicts_on_create
+      resolve_conflicts_on_update   = v.resolve_conflicts_on_update
+      preserve                      = v.preserve
+      timeouts                      = v.timeouts
+      service_account_role_arn      = (k == "aws-ebs-csi-driver" ? data.aws_iam_role.eks_csi_driver.arn : k == "vpc-cni" ? data.aws_iam_role.eks_cni_driver.arn : null)
+    }
+  }
+}
+
+
 data "aws_eks_cluster" "cluster" {
   name = module.eks.cluster_id
 }
@@ -19,6 +34,14 @@ data "aws_eks_cluster_auth" "cluster" {
   name = module.eks.cluster_id
 }
 
+data "aws_iam_role" "eks_csi_driver" {
+  name = aws_iam_role.eks_ebs_csi_driver.name
+}
+
+data "aws_iam_role" "eks_cni_driver" {
+  name = aws_iam_role.eks_cni_driver.name
+}
+
 provider "kubernetes" {
   host                   = data.aws_eks_cluster.cluster.endpoint
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
@@ -46,13 +69,7 @@ that it's using this module.
 https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/
 */
 
-resource "aws_eks_addon" "csi_driver" {
-  cluster_name             = module.eks.cluster_id
-  addon_name               = "aws-ebs-csi-driver"
-  addon_version            = "v1.11.4-eksbuild.1"
-  service_account_role_arn = aws_iam_role.eks_ebs_csi_driver.arn
-}
-
+# IAM CSI Role
 data "aws_iam_policy_document" "csi" {
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -81,6 +98,37 @@ resource "aws_iam_role_policy_attachment" "amazon_ebs_csi_driver" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
 
+# IAM CNI
+data "aws_iam_policy_document" "cni" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(module.eks.oidc_provider, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:aws-node"]
+    }
+
+    principals {
+      identifiers = [module.eks.oidc_provider_arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_cni_driver" {
+  assume_role_policy = data.aws_iam_policy_document.cni.json
+  name               = "eks-cni-driver"
+}
+
+resource "aws_iam_role_policy_attachment" "amazon_cni_driver" {
+  role       = aws_iam_role.eks_cni_driver.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}
+
+
+
 
 module "eks" {
   source           = "terraform-aws-modules/eks/aws"
@@ -124,4 +172,6 @@ module "eks" {
   aws_auth_users = var.aws_auth_users
 
   aws_auth_accounts = var.aws_auth_accounts
+
+  cluster_addons = local.cluster_addons_iam 
 }
diff --git a/terraform-modules/aws/eks/variables.tf b/terraform-modules/aws/eks/variables.tf
@@ -243,4 +243,13 @@ variable "cluster_kms_enable_rotation" {
   type        = bool
   default     = true
   description = "(Optional) Specifies whether key rotation is enabled. Defaults to true."
+}
+
+################################################################################
+# EKS Addons
+################################################################################
+variable "cluster_addons" {
+  description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
+  type        = any
+  default     = {}
 }
