
EKS Capability Module

Configuration in this directory creates the AWS resources required by an EKS capability: the `aws_eks_capability` itself plus the IAM role and policy the capability runs with.

Usage

ACK

```hcl
module "ack_eks_capability" {
  source = "terraform-aws-modules/eks/aws//modules/capability"

  name         = "example-ack"
  cluster_name = "example"
  type         = "ACK"

  # IAM Role/Policy
  iam_role_policies = {
    AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```
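The ACK example above attaches `AdministratorAccess` to the capability's IAM role, which gives every ACK controller on the cluster full account access. The following is an added illustration, not part of the module's own documentation, of the same module call with a narrowly scoped inline policy supplied through `iam_policy_statements`, a permissions boundary and the shortest permitted session duration. It assumes the ACK installation only manages S3 buckets; the bucket name prefix, Region, account ID and boundary policy ARN are placeholders to replace with your own values.

```hcl
module "ack_eks_capability_scoped" {
  source = "terraform-aws-modules/eks/aws//modules/capability"

  name         = "example-ack"
  cluster_name = "example"
  type         = "ACK"

  # Assumption for this example: the ACK controllers on this cluster only
  # manage S3 buckets, so the role gets S3 bucket-management rights and
  # nothing else. Each key becomes one statement in the generated policy.
  iam_policy_statements = {
    S3BucketManagement = {
      sid    = "S3BucketManagement"
      effect = "Allow"
      actions = [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:PutEncryptionConfiguration",
      ]
      # Placeholder bucket prefix: scope to the buckets ACK is expected to
      # own instead of "*"
      resources = ["arn:aws:s3:::example-ack-*"]
      # Pin the controller to one Region (placeholder Region)
      condition = [{
        test     = "StringEquals"
        variable = "aws:RequestedRegion"
        values   = ["us-east-1"]
      }]
    }
    # Listing buckets is an account-level action and needs "*"
    S3ListAll = {
      sid       = "S3ListAll"
      effect    = "Allow"
      actions   = ["s3:ListAllMyBuckets"]
      resources = ["*"]
    }
  }

  # Placeholder boundary ARN: caps what this role can ever be granted, even
  # if iam_policy_statements or iam_role_policies is widened later
  iam_role_permissions_boundary_arn = "arn:aws:iam::111122223333:policy/example-permissions-boundary"

  # Lowest value the module accepts (3600-43200 seconds)
  iam_role_max_session_duration = 3600

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Because `iam_role_policies` defaults to `{}`, no managed policy is attached in this variant; the role's effective permissions are the intersection of the inline statements above and the permissions boundary, which is the behaviour a least-privilege review of the ACK role would look for.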

ArgoCD

```hcl
module "argocd_eks_capability" {
  source = "terraform-aws-modules/eks/aws//modules/capability"

  name         = "example-argocd"
  cluster_name = "example"
  type         = "ARGOCD"

  configuration = {
    argo_cd = {
      aws_idc = {
        idc_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef0"
      }
      namespace = "argocd"
      rbac_role_mapping = [{
        role = "ADMIN"
        identity = [{
          id   = "686103e0-f051-7068-b225-e6392b959d9e"
          type = "SSO_GROUP"
        }]
      }]
    }
  }

  # IAM Role/Policy
  iam_policy_statements = {
    ECRRead = {
      actions = [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
      ]
      resources = ["*"]
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```
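The ArgoCD example above exposes the server with the defaults and leaves the optional parts of the `configuration` object unset. As an added example that is not from the module's own documentation, the call below fills in the remaining fields the input schema offers: `idc_region` for the Identity Center instance, `network_access.vpce_ids` (assumed here to restrict reachability of the Argo CD server to the listed VPC endpoints), explicit `timeouts`, and an output that surfaces the `argocd_server_url` module output. The Identity Center instance ARN, group ID, VPC endpoint ID and Region are placeholders.

```hcl
module "argocd_eks_capability_private" {
  source = "terraform-aws-modules/eks/aws//modules/capability"

  name         = "example-argocd-private"
  cluster_name = "example"
  type         = "ARGOCD"

  configuration = {
    argo_cd = {
      aws_idc = {
        # Placeholder IAM Identity Center instance; idc_region is assumed to
        # be the Region that instance lives in
        idc_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef0"
        idc_region       = "us-east-1"
      }
      namespace = "argocd"
      # Assumption: only traffic arriving through these VPC endpoints can
      # reach the Argo CD server (placeholder endpoint ID)
      network_access = {
        vpce_ids = ["vpce-0123456789abcdef0"]
      }
      # Map one Identity Center group (placeholder ID) to the ADMIN role;
      # keep this list short and group-based so access reviews stay simple
      rbac_role_mapping = [{
        role = "ADMIN"
        identity = [{
          id   = "686103e0-f051-7068-b225-e6392b959d9e"
          type = "SSO_GROUP"
        }]
      }]
    }
  }

  # Read-only image pull rights for Argo CD, as in the example above
  iam_policy_statements = {
    ECRRead = {
      actions = [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
      ]
      resources = ["*"]
    }
  }

  # Capability creation can take a while; make the limits explicit rather
  # than relying on the provider defaults
  timeouts = {
    create = "30m"
    update = "30m"
    delete = "30m"
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

# Surface the server URL so it can be handed to the team that owns the
# VPC endpoints; the value is only reachable through those endpoints
output "argocd_server_url" {
  description = "Argo CD server URL of the private capability"
  value       = module.argocd_eks_capability_private.argocd_server_url
}
```

After `terraform apply`, `terraform output argocd_server_url` prints the address; confirming that it does not resolve from outside the VPC endpoints is the check that `network_access` took effect.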

KRO

```hcl
module "kro_eks_capability" {
  source = "terraform-aws-modules/eks/aws//modules/capability"

  name         = "example-kro"
  cluster_name = "example"
  type         = "KRO"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| aws | >= 6.33 |
| time | >= 0.9 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.33 |
| time | >= 0.9 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_eks_capability.this | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.additional | resource |
| aws_iam_role_policy_attachment.this | resource |
| time_sleep.this | resource |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.this | data source |
| aws_service_principal.capabilities_eks | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cluster_name | The name of the EKS cluster | `string` | `""` | no |
| configuration | Configuration for the capability | <pre>object({<br>  argo_cd = optional(object({<br>    aws_idc = object({<br>      idc_instance_arn = string<br>      idc_region       = optional(string)<br>    })<br>    namespace = optional(string)<br>    network_access = optional(object({<br>      vpce_ids = optional(list(string))<br>    }))<br>    rbac_role_mapping = optional(list(object({<br>      identity = list(object({<br>        id   = string<br>        type = string<br>      }))<br>      role = string<br>    })))<br>  }))<br>})</pre> | `null` | no |
| create | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
| create_iam_role | Determines whether an IAM role is created | `bool` | `true` | no |
| delete_propagation_policy | The propagation policy to use when deleting the capability. Valid values: `RETAIN` | `string` | `"RETAIN"` | no |
| iam_policy_description | IAM policy description | `string` | `null` | no |
| iam_policy_name | Name of the IAM policy | `string` | `null` | no |
| iam_policy_path | Path of the IAM policy | `string` | `null` | no |
| iam_policy_statements | A map of IAM policy statements - used for adding specific IAM permissions as needed | <pre>map(object({<br>  sid           = optional(string)<br>  actions       = optional(list(string))<br>  not_actions   = optional(list(string))<br>  effect        = optional(string)<br>  resources     = optional(list(string))<br>  not_resources = optional(list(string))<br>  principals = optional(list(object({<br>    type        = string<br>    identifiers = list(string)<br>  })))<br>  not_principals = optional(list(object({<br>    type        = string<br>    identifiers = list(string)<br>  })))<br>  condition = optional(list(object({<br>    test     = string<br>    values   = list(string)<br>    variable = string<br>  })))<br>}))</pre> | `null` | no |
| iam_policy_use_name_prefix | Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix | `bool` | `true` | no |
| iam_role_arn | The ARN of the IAM role that provides permissions for the capability | `string` | `null` | no |
| iam_role_description | IAM role description | `string` | `null` | no |
| iam_role_max_session_duration | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| iam_role_name | Name of the IAM role | `string` | `null` | no |
| iam_role_override_assume_policy_documents | A list of IAM policy documents to override the default assume role policy document for the capability IAM role | `list(string)` | `[]` | no |
| iam_role_path | Path of the IAM role | `string` | `null` | no |
| iam_role_permissions_boundary_arn | Permissions boundary ARN to use for the IAM role | `string` | `null` | no |
| iam_role_policies | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
| iam_role_source_assume_policy_documents | A list of IAM policy documents to use as a source for the assume role policy document for the capability IAM role | `list(string)` | `[]` | no |
| iam_role_tags | A map of additional tags to add to the IAM role | `map(string)` | `{}` | no |
| iam_role_use_name_prefix | Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
| name | The name of the capability to add to the cluster | `string` | `""` | no |
| region | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| timeouts | Create, update, and delete timeout configurations for the capability | <pre>object({<br>  create = optional(string)<br>  update = optional(string)<br>  delete = optional(string)<br>})</pre> | `null` | no |
| type | Type of the capability. Valid values: `ACK`, `KRO`, `ARGOCD` | `string` | `""` | no |
| wait_duration | Duration to wait between creating the IAM role/policy and creating the capability | `string` | `"20s"` | no |

Outputs

| Name | Description |
|------|-------------|
| argocd_server_url | URL of the Argo CD server |
| arn | The ARN of the EKS Capability |
| iam_role_arn | The Amazon Resource Name (ARN) specifying the IAM role |
| iam_role_name | The name of the IAM role |
| iam_role_unique_id | Stable and unique string identifying the IAM role |
| version | The version of the EKS Capability |

License

Apache 2 Licensed. See LICENSE for full details.