
Commit ebf6e32

feat(eks-cluster): support pod identity associations
1 parent 61b6d15 commit ebf6e32

File tree

4 files changed: +72, -0 lines


modules/eks-cluster/README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ This module creates following resources.
44

55
- `aws_eks_cluster`
66
- `aws_eks_identity_provider_config` (optional)
7+
- `aws_eks_pod_identity_association` (optional)
78
- `aws_ec2_tag` (optional)
89
- `aws_iam_role`
910
- `aws_iam_role_policy`
@@ -47,6 +48,7 @@ This module creates following resources.
4748
| [aws_ec2_tag.cluster_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
4849
| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
4950
| [aws_eks_identity_provider_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_identity_provider_config) | resource |
51+
| [aws_eks_pod_identity_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
5052
| [aws_vpc_security_group_ingress_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
5153
| [aws_vpc_security_group_ingress_rule.pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
5254
| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |
@@ -77,6 +79,7 @@ This module creates following resources.
7779
| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
7880
| <a name="input_oidc_identity_providers"></a> [oidc\_identity\_providers](#input\_oidc\_identity\_providers) | (Optional) A list of OIDC Identity Providers to associate as an additional method for user authentication to your Kubernetes cluster. Each item of `oidc_identity_providers` block as defined below.<br/> (Required) `name` - A unique name for the Identity Provider Configuration.<br/> (Required) `issuer_url` - The OIDC Identity Provider issuer URL.<br/> (Required) `client_id` - The OIDC Identity Provider client ID.<br/> (Optional) `required_claims` - The key value pairs that describe required claims in the identity token.<br/> (Optional) `username_claim` - The JWT claim that the provider will use as the username.<br/> (Optional) `username_prefix` - A prefix that is prepended to username claims.<br/> (Optional) `groups_claim` - The JWT claim that the provider will use to return groups.<br/> (Optional) `groups_prefix` - A prefix that is prepended to group claims e.g., `oidc:`. | <pre>list(object({<br/> name = string<br/> issuer_url = string<br/> client_id = string<br/><br/> required_claims = optional(map(string), {})<br/> username_claim = optional(string)<br/> username_prefix = optional(string)<br/> groups_claim = optional(string)<br/> groups_prefix = optional(string)<br/> }))</pre> | `[]` | no |
7981
| <a name="input_outpost_config"></a> [outpost\_config](#input\_outpost\_config) | (Optional) A configuration of the outpost for the EKS cluster. `outpost_config` as defined below.<br/> (Required) `outposts` - A set of the Outpost ARNs that you want to use for your local Amazon EKS cluster on Outposts.<br/> (Required) `control_plane` - A configuration of the local EKS control plane node on Outposts. `control_plane` as defined below.<br/> (Required) `instance_type` - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have.<br/> - 1–20 nodes, then we recommend specifying a large instance type.<br/> - 21–100 nodes, then we recommend specifying an xlarge instance type.<br/> - 101–250 nodes, then we recommend specifying a 2xlarge instance type.<br/> (Optional) `placement_group` - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation. | <pre>object({<br/> outposts = set(string)<br/> control_plane = object({<br/> instance_type = string<br/> placement_group = optional(string)<br/> })<br/> })</pre> | `null` | no |
82+
| <a name="input_pod_identity_associations"></a> [pod\_identity\_associations](#input\_pod\_identity\_associations) | (Optional) A list of Pod Identity Associations to create for the EKS cluster. Each item of `pod_identity_associations` block as defined below.<br/> (Required) `namespace` - The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.<br/> (Required) `service_account` - The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.<br/> (Required) `role` - The ARN (Amazon Resource Name) of the IAM Role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.<br/> (Optional) `target_role` - The ARN (Amazon Resource Name) of the IAM Role to be chained to the the IAM role specified as `role`.<br/> (Optional) `session_tagging_enabled` - Whether to enable the automatic sessions tags that are appended by EKS Pod Identity. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. Defaults to `true`.<br/> (Optional) `tags` - A map of tags to add to the Pod Identity Association. | <pre>list(object({<br/> namespace = string<br/> service_account = string<br/> role = string<br/> target_role = optional(string)<br/> session_tagging_enabled = optional(bool, true)<br/> tags = optional(map(string), {})<br/> }))</pre> | `[]` | no |
8083
| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
8184
| <a name="input_remote_network_config"></a> [remote\_network\_config](#input\_remote\_network\_config) | (Optional) A configuration of remote network for the EKS Hybrid nodes. `remote_network_config` as defined below.<br/> (Optional) `node_ipv4_cidrs` - A set of IPv4 CIDR blocks for the EKS Hybrid nodes.<br/> (Optional) `pod_ipv4_cidrs` - A set of IPv4 CIDR blocks for the pods running on the EKS Hybrid nodes. | <pre>object({<br/> node_ipv4_cidrs = optional(set(string), [])<br/> pod_ipv4_cidrs = optional(set(string), [])<br/> })</pre> | `{}` | no |
8285
| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/> (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/> (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/> (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/> enabled = optional(bool, true)<br/> name = optional(string, "")<br/> description = optional(string, "Managed by Terraform.")<br/> })</pre> | `{}` | no |
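Review bot: the `target_role` text in the new `pod_identity_associations` row reads "chained to the the IAM role" and the `session_tagging_enabled` text reads "automatic sessions tags"; this table is rendered by terraform-docs from the variable description, so fix both in `variables.tf` and regenerate rather than patching the README by hand. The row should also state the IAM prerequisites the module does not create: the role given in `role` needs a trust policy that lets `pods.eks.amazonaws.com` call `sts:AssumeRole` (plus `sts:TagSession` while session tagging is enabled), and a `target_role` must in turn trust `role`, otherwise the chained assume fails at runtime rather than at plan time.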
@@ -110,6 +113,7 @@ This module creates following resources.
110113
| <a name="output_oidc_identity_providers"></a> [oidc\_identity\_providers](#output\_oidc\_identity\_providers) | A map of all associated OIDC Identity Providers to the cluster. |
111114
| <a name="output_outpost_config"></a> [outpost\_config](#output\_outpost\_config) | The configurations of the outpost for the EKS cluster.<br/> `outposts` - The list of the Outposts ARNs.<br/> `control_plane` - The configurations of the local EKS control plane node on Outposts.<br/> `instance_type` - The EC2 instance type of the local EKS control plane node on Outposts.<br/> `placement_group` - The name of the placement group for the EKS control plane node on Outposts. |
112115
| <a name="output_platform_version"></a> [platform\_version](#output\_platform\_version) | The platform version for the cluster. |
116+
| <a name="output_pod_identity_associations"></a> [pod\_identity\_associations](#output\_pod\_identity\_associations) | A map of all created Pod Identity Associations. |
113117
| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
114118
| <a name="output_remote_network_config"></a> [remote\_network\_config](#output\_remote\_network\_config) | The configurations of remote network for the EKS Hybrid nodes.<br/> `node_ipv4_cidrs` - A set of IPv4 CIDR blocks for remote nodes.<br/> `pod_ipv4_cidrs` - A set of IPv4 CIDR blocks for remote pods. |
115119
| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |

modules/eks-cluster/outputs.tf

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -212,6 +212,22 @@ output "irsa_oidc_provider" {
212212
}
213213
}
214214

215+
output "pod_identity_associations" {
216+
description = "A map of all created Pod Identity Associations."
217+
value = {
218+
for key, assoc in aws_eks_pod_identity_association.this :
219+
key => {
220+
id = assoc.association_id
221+
arn = assoc.association_arn
222+
namespace = assoc.namespace
223+
service_account = assoc.service_account
224+
role = assoc.role_arn
225+
target_role = assoc.target_role_arn
226+
session_tagging_enabled = !assoc.disable_session_tags
227+
}
228+
}
229+
}
230+
215231
output "logging" {
216232
description = "The configurations of the control plane logging."
217233
value = {
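Review bot: the `description` of the new `pod_identity_associations` output stops at "A map of all created Pod Identity Associations." and leaves the map's fields undocumented, while the module's other structured outputs (for example `outpost_config` in the README) list every field with a one-line meaning; document `id`, `arn`, `namespace`, `service_account`, `role`, `target_role` and `session_tagging_enabled` in the description so the generated README row tells callers that `session_tagging_enabled` is the inverse of the provider's `disable_session_tags` and that `target_role` is null when no chaining is configured, without reading the source.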
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
###################################################
2+
# Pod Identity Associations
3+
###################################################
4+
5+
resource "aws_eks_pod_identity_association" "this" {
6+
for_each = {
7+
for assoc in var.pod_identity_associations :
8+
"${assoc.namespace}/${assoc.service_account}" => assoc
9+
}
10+
11+
region = var.region
12+
13+
cluster_name = aws_eks_cluster.this.name
14+
15+
namespace = each.value.namespace
16+
service_account = each.value.service_account
17+
18+
role_arn = each.value.role
19+
target_role_arn = each.value.target_role
20+
21+
disable_session_tags = !each.value.session_tagging_enabled
22+
tags = merge(
23+
{
24+
"Name" = each.key
25+
},
26+
local.module_tags,
27+
var.tags,
28+
each.value.tags,
29+
)
30+
}
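Review bot: the `for_each` key `"${assoc.namespace}/${assoc.service_account}"` correctly mirrors the EKS rule of one association per service account per cluster, but two list entries with the same pair fail at plan time with a generic duplicate-key error from the `for` expression; add a `validation` block on `var.pod_identity_associations` with a condition such as `length(distinct([for a in var.pod_identity_associations : "${a.namespace}/${a.service_account}"])) == length(var.pod_identity_associations)` and an error message naming the offending fields. Note also that this resource only registers the mapping: it does not verify that `role_arn` trusts `pods.eks.amazonaws.com`, that `target_role_arn` trusts `role_arn`, or that the Pod Identity agent referred to in the variable description is installed on the cluster, and pods will receive no credentials until all three are in place, so the README should list them as prerequisites.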

modules/eks-cluster/variables.tf

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -335,6 +335,28 @@ variable "irsa_oidc_provider" {
335335
nullable = false
336336
}
337337

338+
variable "pod_identity_associations" {
339+
description = <<EOF
340+
(Optional) A list of Pod Identity Associations to create for the EKS cluster. Each item of `pod_identity_associations` block as defined below.
341+
(Required) `namespace` - The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.
342+
(Required) `service_account` - The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
343+
(Required) `role` - The ARN (Amazon Resource Name) of the IAM Role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
344+
(Optional) `target_role` - The ARN (Amazon Resource Name) of the IAM Role to be chained to the the IAM role specified as `role`.
345+
(Optional) `session_tagging_enabled` - Whether to enable the automatic sessions tags that are appended by EKS Pod Identity. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. Defaults to `true`.
346+
(Optional) `tags` - A map of tags to add to the Pod Identity Association.
347+
EOF
348+
type = list(object({
349+
namespace = string
350+
service_account = string
351+
role = string
352+
target_role = optional(string)
353+
session_tagging_enabled = optional(bool, true)
354+
tags = optional(map(string), {})
355+
}))
356+
default = []
357+
nullable = false
358+
}
359+
338360
variable "oidc_identity_providers" {
339361
description = <<EOF
340362
(Optional) A list of OIDC Identity Providers to associate as an additional method for user authentication to your Kubernetes cluster. Each item of `oidc_identity_providers` block as defined below.
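Review bot: the `target_role` description reads "chained to the the IAM role" and the `session_tagging_enabled` description reads "automatic sessions tags"; fix the duplicated word and the stray plural here, then regenerate the README. The `session_tagging_enabled` text should also say what turning it off costs: the session tags it describes (cluster name, namespace, service account name) are what make `aws:PrincipalTag/...` conditions in the role's policies and in resource policies match, so with `session_tagging_enabled = false` a role shared across several associations can no longer be scoped per namespace or service account by tag and every associated workload gets the same access. A `validation` block checking that `role`, and `target_role` when set, begin with `arn:` would turn a mistyped ARN into a clear plan-time error instead of a provider API error on apply.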
