Add flag to optionally not attach AmazonEKS_CNI_Policy to nodegroups (#76)

* Add flag to optionally not attach AmazonEKS_CNI_Policy to nodegroups

* Auto Format

Co-authored-by: cloudpossebot <[email protected]>

Author: cvittoriasona

README.md

@@ -315,6 +315,7 @@ Available targets:
 | <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | If provided, it will increase or decrease the timeout for updating the node group https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#timeouts"<br>  It would be necessary on node groups with a lot of nodes. Because the changing this node groups would take a lot of time | `string` | `"60m"` | no |
 | <a name="input_userdata_override_base64"></a> [userdata\_override\_base64](#input\_userdata\_override\_base64) | Many features of this module rely on the `bootstrap.sh` provided with Amazon Linux, and this module<br>may generate "user data" that expects to find that script. If you want to use an AMI that is not<br>compatible with the Amazon Linux `bootstrap.sh` initialization, then use `userdata_override_base64` to provide<br>your own (Base64 encoded) user data. Use "" to prevent any user data from being set.<br><br>Setting `userdata_override_base64` disables `kubernetes_taints`, `kubelet_additional_options`,<br>`before_cluster_joining_userdata`, `after_cluster_joining_userdata`, and `bootstrap_additional_options`. | `string` | `null` | no |
 | <a name="input_worker_role_autoscale_iam_enabled"></a> [worker\_role\_autoscale\_iam\_enabled](#input\_worker\_role\_autoscale\_iam\_enabled) | If true, the worker IAM role will be authorized to perform autoscaling operations. Not recommended.<br>Use [EKS IAM role for cluster autoscaler service account](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) instead. | `bool` | `false` | no |
+| <a name="input_worker_role_cni_iam_enabled"></a> [worker\_role\_cni\_iam\_enabled](#input\_worker\_role\_cni\_iam\_enabled) | If true, the worker IAM role will be authorized to perform CNI operations. Defaults to true for ease of use.<br>Recommended to use [EKS IAM role for aws-node service account](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) instead. | `bool` | `true` | no |
 
 ## Outputs
 

docs/terraform.md

@@ -110,6 +110,7 @@
 | <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | If provided, it will increase or decrease the timeout for updating the node group https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#timeouts"<br>  It would be necessary on node groups with a lot of nodes. Because the changing this node groups would take a lot of time | `string` | `"60m"` | no |
 | <a name="input_userdata_override_base64"></a> [userdata\_override\_base64](#input\_userdata\_override\_base64) | Many features of this module rely on the `bootstrap.sh` provided with Amazon Linux, and this module<br>may generate "user data" that expects to find that script. If you want to use an AMI that is not<br>compatible with the Amazon Linux `bootstrap.sh` initialization, then use `userdata_override_base64` to provide<br>your own (Base64 encoded) user data. Use "" to prevent any user data from being set.<br><br>Setting `userdata_override_base64` disables `kubernetes_taints`, `kubelet_additional_options`,<br>`before_cluster_joining_userdata`, `after_cluster_joining_userdata`, and `bootstrap_additional_options`. | `string` | `null` | no |
 | <a name="input_worker_role_autoscale_iam_enabled"></a> [worker\_role\_autoscale\_iam\_enabled](#input\_worker\_role\_autoscale\_iam\_enabled) | If true, the worker IAM role will be authorized to perform autoscaling operations. Not recommended.<br>Use [EKS IAM role for cluster autoscaler service account](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) instead. | `bool` | `false` | no |
+| <a name="input_worker_role_cni_iam_enabled"></a> [worker\_role\_cni\_iam\_enabled](#input\_worker\_role\_cni\_iam\_enabled) | If true, the worker IAM role will be authorized to perform CNI operations. Defaults to true for ease of use.<br>Recommended to use [EKS IAM role for aws-node service account](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) instead. | `bool` | `true` | no |
 
 ## Outputs
 

iam.tf

@@ -68,7 +68,7 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_autoscale_poli
 }
 
 resource "aws_iam_role_policy_attachment" "amazon_eks_cni_policy" {
-  count      = local.enabled ? 1 : 0
+  count      = (local.enabled && var.worker_role_cni_iam_enabled) ? 1 : 0
   policy_arn = format("%s/%s", local.aws_policy_prefix, "AmazonEKS_CNI_Policy")
   role       = join("", aws_iam_role.default.*.name)
 }

variables.tf

@@ -19,6 +19,15 @@ variable "worker_role_autoscale_iam_enabled" {
     EOT
 }
 
+variable "worker_role_cni_iam_enabled" {
+  type        = bool
+  default     = true
+  description = <<-EOT
+    If true, the worker IAM role will be authorized to perform CNI operations. Defaults to true for ease of use.
+    Recommended to use [EKS IAM role for aws-node service account](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html) instead.
+    EOT
+}
+
 variable "cluster_name" {
   type        = string
   description = "The name of the EKS cluster"