docs genetated for EKS addons

hashicorp · Dec 23, 2024 · 6e16d79 · 6e16d79
1 parent 463d690
commit 6e16d79
Show file tree

Hide file tree

Showing 5 changed files with 247 additions and 55 deletions.
diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_addon Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,181 @@ description: |-
 
 Resource Schema for AWS::EKS::Addon
 
+## Example Usage
+
+### Basic usage to create coredns and kube_proxy addons
+```terraform
+resource "awscc_eks_addon" "coredns" {
+  cluster_name = var.cluster_name
+  addon_name   = "coredns"
+  # Optional: addon_version = "v1.8.4-eksbuild.1"
+  # Optional: resolve_conflicts = "OVERWRITE"
+}
+
+resource "awscc_eks_addon" "kube_proxy" {
+  cluster_name = var.cluster_name
+  addon_name   = "kube-proxy"
+}
+
+variable "cluster_name" {
+  type = string
+}
+```
+
+### Create EBS CSI addon
+To use awscc_eks_addon for creating Amazon EKS Cluster with control plane logging enabled
+```terraform
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. This creates a local variable for it:
+# locals {
+#   oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+# }
+
+# Create custom policy for KMS support. It's optional, but recommended.
+resource "awscc_iam_managed_policy" "ebs_csi_kms_policy" {
+  managed_policy_name = "AmazonEKS_EBS_CSI_KMS_Policy"
+  policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:CreateGrant",
+          "kms:ListGrants",
+          "kms:RevokeGrant"
+        ]
+        Resource = [var.kms_key_arn]
+        Condition = {
+          Bool = {
+            "kms:GrantIsForAWSResource" = "true"
+          }
+        }
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = [var.kms_key_arn]
+      }
+    ]
+  })
+}
+
+# Create IAM role for EBS CSI Driver
+resource "awscc_iam_role" "ebs_csi_role" {
+  role_name = "AmazonEKS_EBS_CSI_DriverRole"
+  assume_role_policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Federated = awscc_iam_oidc_provider.eks.arn
+        # Example: "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+      }
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Condition = {
+        StringEquals = {
+          "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+          "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
+        }
+      }
+    }]
+  })
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+    awscc_iam_managed_policy.ebs_csi_kms_policy.policy_arn
+  ]
+}
+
+# Now that the IAM role is ready, create EBS CSI addon
+resource "awscc_eks_addon" "ebs_csi" {
+  cluster_name             = var.cluster_name
+  addon_name               = "aws-ebs-csi-driver"
+  service_account_role_arn = awscc_iam_role.ebs_csi_role.arn
+  resolve_conflicts        = "OVERWRITE"
+}
+
+variable "cluster_name" {
+  type = string
+}
+```
 
+### Create VPC CNI addon:
+To use awscc_eks_addon for creating Amazon EKS Cluster with secrets encryption enabled using AWS KMS
+```terraform
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. 
+# This creates a local variable for it:
+locals {
+  oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+}
+
+# Create an IAM policy for EKS VPC CNI IPv6 support
+# https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html
+resource "awscc_iam_managed_policy" "eks_vpc_cni_ipv6_policy" {
+  managed_policy_name = "AmazonEKS_CNI_IPv6_Policy"
+  policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ec2:AssignIpv6Addresses",
+          "ec2:DescribeInstances",
+          "ec2:DescribeTags",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DescribeInstanceTypes"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["ec2:CreateTags"]
+        Resource = "arn:aws:ec2:*:*:network-interface/*"
+      }
+    ]
+  })
+}
+
+resource "awscc_iam_role" "eks_vpc_cni_role" {
+  role_name = "AmazonEKSVPCCNIRole"
+  assume_role_policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Federated = awscc_iam_oidc_provider.eks.arn }
+        Action    = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+            "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:aws-node"
+          }
+        }
+      }
+    ]
+  })
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+    awscc_iam_managed_policy.eks_vpc_cni_ipv6_policy.policy_arn
+  ]
+}
+
+# Now that the IAM role is ready, create the VPC CNI plugin:
+resource "awscc_eks_addon" "vpc_cni" {
+  cluster_name             = var.cluster_name
+  addon_name               = "vpc-cni"
+  service_account_role_arn = awscc_iam_role.eks_vpc_cni_role.arn
+  resolve_conflicts        = "OVERWRITE"
+}
+
+variable "cluster_name" {
+  type = string
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema

diff --git a/docs/resources/eks_identity_provider_config.md b/docs/resources/eks_identity_provider_config.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_identity_provider_config Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,28 @@ description: |-
 
 An object representing an Amazon EKS IdentityProviderConfig.
 
-
+## Example Usage
+
+```terraform
+# Configure Auth0 as an OIDC identity provider for EKS user authentication
+# This allows users to authenticate to the EKS cluster using Auth0 credentials
+resource "awscc_eks_identity_provider_config" "auth0_idp" {
+  cluster_name = var.cluster_name
+  type         = "oidc"
+
+  oidc = {
+    client_id      = var.oicd_client_id
+    issuer_url     = var.oicd_issuer_url # Like: "https://dev-xxxxxxxxx.au.auth0.com"
+    groups_claim   = "groups"
+    username_claim = "email"
+    groups_prefix  = var.oicd_groups_prefix # Like: "auth0:eks-cluster" 
+  }
+}
+
+variable "cluster_name" {
+  type = string
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema

diff --git a/docs/resources/eks_pod_identity_association.md b/docs/resources/eks_pod_identity_association.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_pod_identity_association Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,57 @@ description: |-
 
 An object representing an Amazon EKS PodIdentityAssociation.
 
-
+## Example Usage
+
+```terraform
+# Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
+# It associates an IAM role with a Service Account which is then associated with Pods. 
+# First create IAM role for EKS Pod Identity
+resource "awscc_iam_role" "pod_identity_role" {
+  role_name = "eks_pod_identity_role"
+  assume_role_policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Sid    = "AllowEksAuthToAssumeRoleForPodIdentity"
+      Effect = "Allow"
+      Principal = {
+        Service = "pods.eks.amazonaws.com" # One trust policy for all EKS clusters.
+      }
+      Action = [
+        "sts:AssumeRole",
+        "sts:TagSession"
+      ]
+    }]
+  })
+  managed_policy_arns = var.managed_policy_arns
+}
+
+# Associate the IAM role with a Service Account
+resource "awscc_eks_pod_identity_association" "pod_identity_association_s3_readonly" {
+  cluster_name    = var.cluster_name
+  namespace       = var.namespace
+  service_account = var.serviceaccount
+  role_arn        = awscc_iam_role.pod_identity_role.arn  # like: arn:aws:iam::xxxxxxxxxxxx:role/role1
+}
+
+variable "cluster_name" {
+  type = string
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "serviceaccount" {
+  type = string
+}
+
+variable "managed_policy_arns" {
+  description = "List of IAM policy ARNs to attach"
+  type        = list(string)
+  default     = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]  # Change this as needed.
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema

diff --git a/templates/resources/eks_addon_ebs_csi_driver.md.tmpl b/templates/resources/eks_addon_ebs_csi_driver.md.tmpl
diff --git a/templates/resources/eks_addon_vpc_cni.md.tmpl b/templates/resources/eks_addon_vpc_cni.md.tmpl