feat(eks-addon): support aws v6

posquit0 · posquit0 · commit 4d1a071083dd · 2025-11-17T02:35:57.000+09:00
diff --git a/modules/eks-addon/README.md b/modules/eks-addon/README.md
@@ -9,20 +9,20 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.12 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.50.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.21.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
 
 ## Resources
 
@@ -44,10 +44,10 @@ This module creates following resources.
 | <a name="input_conflict_resolution_strategy_on_create"></a> [conflict\_resolution\_strategy\_on\_create](#input\_conflict\_resolution\_strategy\_on\_create) | (Optional) How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. Valid values are `NONE` and `OVERWRITE`. Defaults to `OVERWRITE`.<br/>    `NONE` - If the self-managed version of the add-on is installed on the cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.<br/>    `OVERWRITE` - If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. | `string` | `"OVERWRITE"` | no |
 | <a name="input_conflict_resolution_strategy_on_update"></a> [conflict\_resolution\_strategy\_on\_update](#input\_conflict\_resolution\_strategy\_on\_update) | (Optional) How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. Valid values are `NONE`, `OVERWRITE` and `PRESERVE`. Defaults to `OVERWRITE`.<br/>    `NONE` - Amazon EKS doesn't change the value. The update might fail.<br/>    `OVERWRITE` - Amazon EKS overwrites the changed value back to the Amazon EKS default value.<br/>    `PRESERVE` - Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on the production cluster. | `string` | `"OVERWRITE"` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_pod_identity_associations"></a> [pod\_identity\_associations](#input\_pod\_identity\_associations) | (Optional) A list of configurations for EKS Pod Identity associations for the add-on. Each block of `pod_identity_association` as defined below.<br/>    (Required) `service_account` - The name of the Kubernetes service account to associate with the IAM role.<br/>    (Required) `iam_role` - The ARN (Amazon Resource Name) of the IAM role to associate with the Kubernetes service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account. | <pre>list(object({<br/>    service_account = string<br/>    iam_role        = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_preserve_on_delete"></a> [preserve\_on\_delete](#input\_preserve\_on\_delete) | (Optional) Whether to preserve the created Kubernetes resources on the cluster when deleting the EKS add-on. Defaults to `false`. | `bool` | `false` | no |
-| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
 | <a name="input_service_account_role"></a> [service\_account\_role](#input\_service\_account\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the EKS Fargate Profile to be created/updated/deleted. | <pre>object({<br/>    create = optional(string, "20m")<br/>    update = optional(string, "20m")<br/>    delete = optional(string, "40m")<br/>  })</pre> | `{}` | no |
@@ -58,6 +58,7 @@ This module creates following resources.
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the EKS add-on. |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster. |
+| <a name="output_configuration"></a> [configuration](#output\_configuration) | The set of configuration values for the add-on. |
 | <a name="output_conflict_resolution_strategy_on_create"></a> [conflict\_resolution\_strategy\_on\_create](#output\_conflict\_resolution\_strategy\_on\_create) | How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. |
 | <a name="output_conflict_resolution_strategy_on_update"></a> [conflict\_resolution\_strategy\_on\_update](#output\_conflict\_resolution\_strategy\_on\_update) | How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. |
 | <a name="output_created_at"></a> [created\_at](#output\_created\_at) | Date and time in RFC3339 format that the EKS add-on was created. |
@@ -66,6 +67,9 @@ This module creates following resources.
 | <a name="output_is_latest"></a> [is\_latest](#output\_is\_latest) | Whether the EKS add-on version is the latest available. |
 | <a name="output_latest_version"></a> [latest\_version](#output\_latest\_version) | The latest version of the EKS add-on compatible with the EKS cluster version. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the EKS add-on. |
+| <a name="output_pod_identity_associations"></a> [pod\_identity\_associations](#output\_pod\_identity\_associations) | The list of pod identity associations for the EKS add-on. |
+| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
+| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
 | <a name="output_service_account_role"></a> [service\_account\_role](#output\_service\_account\_role) | The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account |
 | <a name="output_updated_at"></a> [updated\_at](#output\_updated\_at) | Date and time in RFC3339 format that the EKS add-on was updated. |
 | <a name="output_version"></a> [version](#output\_version) | The version of the EKS add-on. |
diff --git a/modules/eks-addon/main.tf b/modules/eks-addon/main.tf
@@ -20,19 +20,32 @@ locals {
 ###################################################
 
 resource "aws_eks_addon" "this" {
+  region = var.region
+
   cluster_name = var.cluster_name
 
   addon_name    = var.name
   addon_version = var.addon_version
 
-  configuration_values = var.configuration
-
-  service_account_role_arn = var.service_account_role
-
+  configuration_values        = var.configuration
   resolve_conflicts_on_create = var.conflict_resolution_strategy_on_create
   resolve_conflicts_on_update = var.conflict_resolution_strategy_on_update
   preserve                    = var.preserve_on_delete
 
+
+  ## Auth
+  service_account_role_arn = var.service_account_role
+
+  dynamic "pod_identity_association" {
+    for_each = var.pod_identity_associations
+    iterator = association
+
+    content {
+      service_account = association.value.service_account
+      role_arn        = association.value.iam_role
+    }
+  }
+
   timeouts {
     create = var.timeouts.create
     update = var.timeouts.update
@@ -54,15 +67,21 @@ resource "aws_eks_addon" "this" {
 ###################################################
 
 data "aws_eks_cluster" "this" {
+  region = var.region
+
   name = aws_eks_addon.this.cluster_name
 }
 
 data "aws_eks_addon_version" "default" {
+  region = var.region
+
   addon_name         = var.name
   kubernetes_version = data.aws_eks_cluster.this.version
 }
 
 data "aws_eks_addon_version" "latest" {
+  region = var.region
+
   addon_name         = var.name
   kubernetes_version = data.aws_eks_cluster.this.version
   most_recent        = true
diff --git a/modules/eks-addon/outputs.tf b/modules/eks-addon/outputs.tf
@@ -1,3 +1,8 @@
+output "region" {
+  description = "The AWS region this module resources resides in."
+  value       = aws_eks_addon.this.region
+}
+
 output "id" {
   description = "The ID of the EKS add-on."
   value       = aws_eks_addon.this.id
@@ -38,9 +43,9 @@ output "is_latest" {
   value       = aws_eks_addon.this.addon_version == data.aws_eks_addon_version.latest.version
 }
 
-output "service_account_role" {
-  description = "The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account"
-  value       = aws_eks_addon.this.service_account_role_arn
+output "configuration" {
+  description = "The set of configuration values for the add-on."
+  value       = aws_eks_addon.this.configuration_values
 }
 
 output "conflict_resolution_strategy_on_create" {
@@ -53,6 +58,22 @@ output "conflict_resolution_strategy_on_update" {
   value       = aws_eks_addon.this.resolve_conflicts_on_update
 }
 
+output "service_account_role" {
+  description = "The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account"
+  value       = aws_eks_addon.this.service_account_role_arn
+}
+
+output "pod_identity_associations" {
+  description = "The list of pod identity associations for the EKS add-on."
+  value = [
+    for association in aws_eks_addon.this.pod_identity_association :
+    {
+      service_account = association.service_account
+      role_arn        = association.role_arn
+    }
+  ]
+}
+
 output "created_at" {
   description = "Date and time in RFC3339 format that the EKS add-on was created."
   value       = aws_eks_addon.this.created_at
@@ -63,14 +84,6 @@ output "updated_at" {
   value       = aws_eks_addon.this.modified_at
 }
 
-# output "debug" {
-#   value = {
-#     for k, v in aws_eks_addon.this :
-#     k => v
-#     if !contains(["id", "arn", "cluster_name", "addon_name", "addon_version", "service_account_role_arn", "resolve_conflicts_on_create", "resolve_conflicts_on_update", "created_at", "modified_at", "tags", "tags_all"], k)
-#   }
-# }
-
 output "resource_group" {
   description = "The resource group created to manage resources in this module."
   value = merge(
@@ -86,3 +99,11 @@ output "resource_group" {
     )
   )
 }
+
+# output "debug" {
+#   value = {
+#     for k, v in aws_eks_addon.this :
+#     k => v
+#     if !contains(["id", "arn", "cluster_name", "addon_name", "addon_version", "service_account_role_arn", "resolve_conflicts_on_create", "resolve_conflicts_on_update", "created_at", "modified_at", "tags", "tags_all", "timeouts", "region", "preserve", "configuration_values", "pod_identity_association"], k)
+#   }
+# }
diff --git a/modules/eks-addon/resource-group.tf b/modules/eks-addon/resource-group.tf
@@ -16,6 +16,8 @@ module "resource_group" {
 
   count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
 
+  region = var.region
+
   name        = local.resource_group_name
   description = var.resource_group.description
 
diff --git a/modules/eks-addon/variables.tf b/modules/eks-addon/variables.tf
@@ -1,3 +1,10 @@
+variable "region" {
+  description = "(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
 variable "cluster_name" {
   description = "(Required) The name of the Amazon EKS cluster to add the EKS add-on to."
   type        = string
@@ -24,15 +31,6 @@ variable "configuration" {
   nullable    = true
 }
 
-variable "service_account_role" {
-  description = <<EOF
-  (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.
-  EOF
-  type        = string
-  default     = null
-  nullable    = true
-}
-
 variable "conflict_resolution_strategy_on_create" {
   description = <<EOF
   (Optional) How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. Valid values are `NONE` and `OVERWRITE`. Defaults to `OVERWRITE`.
@@ -76,6 +74,29 @@ variable "preserve_on_delete" {
   nullable    = false
 }
 
+variable "service_account_role" {
+  description = <<EOF
+  (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.
+  EOF
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "pod_identity_associations" {
+  description = <<EOF
+  (Optional) A list of configurations for EKS Pod Identity associations for the add-on. Each block of `pod_identity_association` as defined below.
+    (Required) `service_account` - The name of the Kubernetes service account to associate with the IAM role.
+    (Required) `iam_role` - The ARN (Amazon Resource Name) of the IAM role to associate with the Kubernetes service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+  EOF
+  type = list(object({
+    service_account = string
+    iam_role        = string
+  }))
+  default  = []
+  nullable = false
+}
+
 variable "timeouts" {
   description = "(Optional) How long to wait for the EKS Fargate Profile to be created/updated/deleted."
   type = object({
@@ -106,9 +127,6 @@ variable "module_tags_enabled" {
 # Resource Group
 ###################################################
 
-
-
-
 variable "resource_group" {
   description = <<EOF
   (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.
diff --git a/modules/eks-addon/versions.tf b/modules/eks-addon/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.6"
+  required_version = ">= 1.12"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 6.12"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.6"`
	`2`	`+ required_version = ">= 1.12"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.42"`
	`7`	`+ version = ">= 6.12"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`