AWS EKS Pod Identity Terraform module

Terraform module which creates Amazon EKS Pod Identity roles.

Usage

See examples directory for working examples to reference:

Custom IAM Role

You can attach custom permissions/policies in a number of different ways:

module "custom_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "custom"

  trust_policy_conditions = [
    {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-1234567890"]
    }
  ]

  trust_policy_statements = [
    {
      sid       = "Test"
      actions   = ["sts:AssumeRole"]
      resources = ["arn:aws:iam::1234567890:role/Test*"]
    }
  ]

  attach_custom_policy      = true
  source_policy_documents   = [data.aws_iam_policy_document.source.json]
  override_policy_documents = [data.aws_iam_policy_document.override.json]

  policy_statements = [
    {
      sid       = "S3"
      actions   = ["s3:List*"]
      resources = ["*"]
    }
  ]

  additional_policy_arns = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
    additional           = aws_iam_policy.additional.arn
  }

  tags = {
    Environment = "dev"
  }
}

AWS Gateway Controller

module "aws_gateway_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-gateway-controller"

  attach_aws_gateway_controller_policy = true

  tags = {
    Environment = "dev"
  }
}

Cert Manager

module "cert_manager_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "cert-manager"

  attach_cert_manager_policy    = true
  cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

  tags = {
    Environment = "dev"
  }
}

AWS CloudWatch Observability

module "aws_cloudwatch_observability_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-cloudwatch-observability"

  attach_aws_cloudwatch_observability_policy = true

  tags = {
    Environment = "dev"
  }
}

Cluster Autoscaler

module "cluster_autoscaler_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "cluster-autoscaler"

  attach_cluster_autoscaler_policy = true
  cluster_autoscaler_cluster_names = ["foo"]

  tags = {
    Environment = "dev"
  }
}

AWS EBS CSI Driver

module "aws_ebs_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-ebs-csi"

  attach_aws_ebs_csi_policy = true
  aws_ebs_csi_kms_arns      = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]

  tags = {
    Environment = "dev"
  }
}

AWS EFS CSI Driver

module "aws_efs_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-efs-csi"

  attach_aws_efs_csi_policy = true

  tags = {
    Environment = "dev"
  }
}

External DNS

module "external_dns_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "external-dns"

  attach_external_dns_policy    = true
  external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/IClearlyMadeThisUp"]

  tags = {
    Environment = "dev"
  }
}

External Secrets

module "external_secrets_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "external-secrets"

  attach_external_secrets_policy        = true
  external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:*:*:parameter/foo"]
  external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:*:*:secret:bar"]
  external_secrets_kms_key_arns         = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
  external_secrets_create_permission    = true

  tags = {
    Environment = "dev"
  }
}

AWS FSx for Lustre CSI Driver

module "aws_fsx_lustre_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-fsx-lustre-csi"

  attach_aws_fsx_lustre_csi_policy     = true
  aws_fsx_lustre_csi_service_role_arns = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]

  tags = {
    Environment = "dev"
  }
}

AWS Load Balancer Controller

module "aws_lb_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-lbc"

  attach_aws_lb_controller_policy = true

  tags = {
    Environment = "dev"
  }
}

AWS Load Balancer Controller - Target Group Binding Only

module "aws_lb_controller_targetgroup_binding_only_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-lbc-targetgroup-binding-only"

  attach_aws_lb_controller_targetgroup_binding_only_policy = true
  aws_lb_controller_targetgroup_arns                       = ["arn:aws:elasticloadbalancing:*:*:targetgroup/foo/bar"]

  tags = {
    Environment = "dev"
  }
}

AwS AppMesh Controller

module "aws_appmesh_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-appmesh-controller"

  attach_aws_appmesh_controller_policy = true

  tags = {
    Environment = "dev"
  }
}

AwS AppMesh Envoy Proxy

module "aws_appmesh_envoy_proxy_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-appmesh-envoy-proxy"

  attach_aws_appmesh_envoy_proxy_policy = true

  tags = {
    Environment = "dev"
  }
}

Amazon Managed Service for Prometheus

module "amazon_managed_service_prometheus_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "amazon-managed-service-prometheus"

  attach_amazon_managed_service_prometheus_policy  = true
  amazon_managed_service_prometheus_workspace_arns = ["arn:aws:prometheus:*:*:workspace/foo"]

  tags = {
    Environment = "dev"
  }
}

Mountpoint S3 CSI Driver

module "mountpoint_s3_csi_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "mountpoint-s3-csi"

  attach_mountpoint_s3_csi_policy    = true
  mountpoint_s3_csi_bucket_arns      = ["arn:aws:s3:::mountpoint-s3"]
  mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]

  tags = {
    Environment = "dev"
  }
}

AWS Node Termination Handler

module "aws_node_termination_handler_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-node-termination-handler"

  attach_aws_node_termination_handler_policy  = true
  aws_node_termination_handler_sqs_queue_arns = ["arn:aws:sqs:*:*:eks-node-termination-handler"]

  tags = {
    Environment = "dev"
  }
}

AWS Private CA Issuer

module "aws_privateca_issuer_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-privateca-issuer"

  attach_aws_privateca_issuer_policy = true
  aws_privateca_issuer_acmca_arns    = ["arn:aws:acm-pca:*:*:certificate-authority/foo"]

  tags = {
    Environment = "dev"
  }
}

Velero

module "velero_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "velero"

  attach_velero_policy       = true
  velero_s3_bucket_arns      = ["arn:aws:s3:::velero-backups"]
  velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]

  tags = {
    Environment = "dev"
  }
}

AWS VPC CNI - IPv4

module "aws_vpc_cni_ipv4_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-vpc-cni-ipv4"

  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv4   = true

  tags = {
    Environment = "dev"
  }
}

AWS VPC CNI - IPv6

module "aws_vpc_cni_ipv6_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"

  name = "aws-vpc-cni-ipv6"

  attach_aws_vpc_cni_policy = true
  aws_vpc_cni_enable_ipv6   = true

  tags = {
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

• Complete

Requirements

Name	Version
terraform	>= 1.3.2
aws	>= 5.30

Providers

Name	Version
aws	>= 5.30

Modules

No modules.

Resources

Name	Type
aws_eks_pod_identity_association.this	resource
aws_iam_policy.amazon_managed_service_prometheus	resource
aws_iam_policy.appmesh_controller	resource
aws_iam_policy.appmesh_envoy_proxy	resource
aws_iam_policy.aws_gateway_controller	resource
aws_iam_policy.aws_privateca_issuer	resource
aws_iam_policy.cert_manager	resource
aws_iam_policy.cluster_autoscaler	resource
aws_iam_policy.custom	resource
aws_iam_policy.ebs_csi	resource
aws_iam_policy.efs_csi	resource
aws_iam_policy.external_dns	resource
aws_iam_policy.external_secrets	resource
aws_iam_policy.fsx_lustre_csi	resource
aws_iam_policy.lb_controller	resource
aws_iam_policy.lb_controller_targetgroup_only	resource
aws_iam_policy.mountpoint_s3_csi	resource
aws_iam_policy.node_termination_handler	resource
aws_iam_policy.velero	resource
aws_iam_policy.vpc_cni	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.amazon_managed_service_prometheus	resource
aws_iam_role_policy_attachment.appmesh_controller	resource
aws_iam_role_policy_attachment.appmesh_envoy_proxy	resource
aws_iam_role_policy_attachment.aws_cloudwatch_observability	resource
aws_iam_role_policy_attachment.aws_gateway_controller	resource
aws_iam_role_policy_attachment.aws_privateca_issuer	resource
aws_iam_role_policy_attachment.cert_manager	resource
aws_iam_role_policy_attachment.cluster_autoscaler	resource
aws_iam_role_policy_attachment.custom	resource
aws_iam_role_policy_attachment.ebs_csi	resource
aws_iam_role_policy_attachment.efs_csi	resource
aws_iam_role_policy_attachment.external_dns	resource
aws_iam_role_policy_attachment.external_secrets	resource
aws_iam_role_policy_attachment.fsx_lustre_csi	resource
aws_iam_role_policy_attachment.lb_controller	resource
aws_iam_role_policy_attachment.lb_controller_targetgroup_only	resource
aws_iam_role_policy_attachment.mountpoint_s3_csi	resource
aws_iam_role_policy_attachment.node_termination_handler	resource
aws_iam_role_policy_attachment.this	resource
aws_iam_role_policy_attachment.velero	resource
aws_iam_role_policy_attachment.vpc_cni	resource
aws_iam_policy_document.amazon_managed_service_prometheus	data source
aws_iam_policy_document.appmesh_controller	data source
aws_iam_policy_document.appmesh_envoy_proxy	data source
aws_iam_policy_document.assume	data source
aws_iam_policy_document.aws_gateway_controller	data source
aws_iam_policy_document.aws_privateca_issuer	data source
aws_iam_policy_document.base	data source
aws_iam_policy_document.cert_manager	data source
aws_iam_policy_document.cluster_autoscaler	data source
aws_iam_policy_document.ebs_csi	data source
aws_iam_policy_document.efs_csi	data source
aws_iam_policy_document.external_dns	data source
aws_iam_policy_document.external_secrets	data source
aws_iam_policy_document.fsx_lustre_csi	data source
aws_iam_policy_document.lb_controller	data source
aws_iam_policy_document.lb_controller_targetgroup_only	data source
aws_iam_policy_document.mountpoint_s3_csi	data source
aws_iam_policy_document.node_termination_handler	data source
aws_iam_policy_document.velero	data source
aws_iam_policy_document.vpc_cni	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
additional_policy_arns	ARNs of additional policies to attach to the IAM role	map(string)	{}	no
amazon_managed_service_prometheus_policy_name	Custom name of the Amazon Managed Service for Prometheus IAM policy	string	null	no
amazon_managed_service_prometheus_workspace_arns	List of AMP Workspace ARNs to read and write metrics	list(string)	[]	no
appmesh_controller_policy_name	Custom name of the AppMesh Controller IAM policy	string	null	no
appmesh_envoy_proxy_policy_name	Custom name of the AppMesh Envoy Proxy IAM policy	string	null	no
association_defaults	Default values used across all Pod Identity associations created unless a more specific value is provided	any	{}	no
associations	Map of Pod Identity associations to be created (map of maps)	any	{}	no
attach_amazon_managed_service_prometheus_policy	Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role	bool	false	no
attach_aws_appmesh_controller_policy	Determines whether to attach the AppMesh Controller policy to the role	bool	false	no
attach_aws_appmesh_envoy_proxy_policy	Determines whether to attach the AppMesh Envoy Proxy policy to the role	bool	false	no
attach_aws_cloudwatch_observability_policy	Determines whether to attach the AWS Cloudwatch Observability IAM policy to the role	bool	false	no
attach_aws_ebs_csi_policy	Determines whether to attach the EBS CSI IAM policy to the role	bool	false	no
attach_aws_efs_csi_policy	Determines whether to attach the EFS CSI IAM policy to the role	bool	false	no
attach_aws_fsx_lustre_csi_policy	Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role	bool	false	no
attach_aws_gateway_controller_policy	Determines whether to attach the AWS Gateway Controller IAM policy to the role	bool	false	no
attach_aws_lb_controller_policy	Determines whether to attach the AWS Load Balancer Controller policy to the role	bool	false	no
attach_aws_lb_controller_targetgroup_binding_only_policy	Determines whether to attach the AWS Load Balancer Controller policy for the TargetGroupBinding only	bool	false	no
attach_aws_node_termination_handler_policy	Determines whether to attach the Node Termination Handler policy to the role	bool	false	no
attach_aws_privateca_issuer_policy	Determines whether to attach the AWS Private CA Issuer IAM policy to the role	bool	false	no
attach_aws_vpc_cni_policy	Determines whether to attach the VPC CNI IAM policy to the role	bool	false	no
attach_cert_manager_policy	Determines whether to attach the Cert Manager IAM policy to the role	bool	false	no
attach_cluster_autoscaler_policy	Determines whether to attach the Cluster Autoscaler IAM policy to the role	bool	false	no
attach_custom_policy	Determines whether to attach the custom IAM policy to the role	bool	false	no
attach_external_dns_policy	Determines whether to attach the External DNS IAM policy to the role	bool	false	no
attach_external_secrets_policy	Determines whether to attach the External Secrets policy to the role	bool	false	no
attach_mountpoint_s3_csi_policy	Determines whether to attach the Mountpoint S3 CSI IAM policy to the role	bool	false	no
attach_velero_policy	Determines whether to attach the Velero IAM policy to the role	bool	false	no
aws_ebs_csi_kms_arns	KMS key ARNs to allow EBS CSI to manage encrypted volumes	list(string)	[]	no
aws_ebs_csi_policy_name	Custom name of the EBS CSI IAM policy	string	null	no
aws_efs_csi_policy_name	Custom name of the EFS CSI IAM policy	string	null	no
aws_fsx_lustre_csi_policy_name	Custom name of the FSx for Lustre CSI Driver IAM policy	string	null	no
aws_fsx_lustre_csi_service_role_arns	Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles	list(string)	[]	no
aws_gateway_controller_policy_name	Custom name of the AWS Gateway Controller IAM policy	string	null	no
aws_lb_controller_policy_name	Custom name of the AWS Load Balancer Controller IAM policy	string	null	no
aws_lb_controller_targetgroup_arns	List of Target groups ARNs using Load Balancer Controller	list(string)	[]	no
aws_lb_controller_targetgroup_only_policy_name	Custom name of the AWS Load Balancer Controller IAM policy for the TargetGroupBinding only	string	null	no
aws_node_termination_handler_policy_name	Custom name of the Node Termination Handler IAM policy	string	null	no
aws_node_termination_handler_sqs_queue_arns	List of SQS ARNs that contain node termination events	list(string)	[]	no
aws_privateca_issuer_acmca_arns	List of ACM Private CA ARNs to issue certificates from	list(string)	[]	no
aws_privateca_issuer_policy_name	Custom name of the AWS Private CA Issuer IAM policy	string	null	no
aws_vpc_cni_enable_cloudwatch_logs	Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events	bool	false	no
aws_vpc_cni_enable_ipv4	Determines whether to enable IPv4 permissions for VPC CNI policy	bool	false	no
aws_vpc_cni_enable_ipv6	Determines whether to enable IPv6 permissions for VPC CNI policy	bool	false	no
aws_vpc_cni_policy_name	Custom name of the VPC CNI IAM policy	string	null	no
cert_manager_hosted_zone_arns	Route53 hosted zone ARNs to allow Cert manager to manage records	list(string)	[]	no
cert_manager_policy_name	Custom name of the Cert Manager IAM policy	string	null	no
cluster_autoscaler_cluster_names	List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy	list(string)	[]	no
cluster_autoscaler_policy_name	Custom name of the Cluster Autoscaler IAM policy	string	null	no
create	Determines whether resources will be created (affects all resources)	bool	true	no
custom_policy_description	Description of the custom IAM policy	string	"Custom IAM Policy"	no
description	IAM Role description	string	null	no
external_dns_hosted_zone_arns	Route53 hosted zone ARNs to allow External DNS to manage records	list(string)	[]	no
external_dns_policy_name	Custom name of the External DNS IAM policy	string	null	no
external_secrets_create_permission	Determines whether External Secrets has permission to create/delete secrets	bool	false	no
external_secrets_kms_key_arns	List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets	list(string)	[]	no
external_secrets_policy_name	Custom name of the External Secrets IAM policy	string	null	no
external_secrets_secrets_manager_arns	List of Secrets Manager ARNs that contain secrets to mount using External Secrets	list(string)	[]	no
external_secrets_ssm_parameter_arns	List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets	list(string)	[]	no
max_session_duration	Maximum CLI/API session duration in seconds between 3600 and 43200	number	null	no
mountpoint_s3_csi_bucket_arns	List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list	list(string)	[]	no
mountpoint_s3_csi_bucket_path_arns	S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if attach_mountpoint_s3_csi_policy = true	list(string)	[]	no
mountpoint_s3_csi_policy_name	Custom name of the Mountpoint S3 CSI IAM policy	string	null	no
name	Name of IAM role	string	""	no
override_policy_documents	List of IAM policy documents that are merged together into the exported document	list(string)	[]	no
path	Path of IAM role	string	"/"	no
permissions_boundary_arn	Permissions boundary ARN to use for IAM role	string	null	no
policy_name_prefix	IAM policy name prefix	string	"AmazonEKS_"	no
policy_statements	A list of IAM policy statements for custom permission usage	any	[]	no
source_policy_documents	List of IAM policy documents that are merged together into the exported document	list(string)	[]	no
tags	A map of tags to add to all resources	map(string)	{}	no
trust_policy_conditions	A list of conditions to add to the role trust policy	any	[]	no
trust_policy_statements	A list of IAM policy statements for the role trust policy	any	[]	no
use_name_prefix	Determines whether the role name and policy name(s) are used as a prefix	string	true	no
velero_policy_name	Custom name of the Velero IAM policy	string	null	no
velero_s3_bucket_arns	List of S3 Bucket ARNs that Velero needs access to list	list(string)	[]	no
velero_s3_bucket_path_arns	S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if attach_mountpoint_s3_csi_policy = true	list(string)	[]	no

Outputs

Name	Description
associations	Map of Pod Identity associations created
iam_policy_arn	The ARN assigned by AWS to this policy
iam_policy_id	The policy's ID
iam_policy_name	Name of IAM policy
iam_role_arn	ARN of IAM role
iam_role_name	Name of IAM role
iam_role_path	Path of IAM role
iam_role_unique_id	Unique ID of IAM role

License

Apache-2.0 Licensed. See LICENSE.