diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
index c4163325e..3bf41fd7a 100644
--- a/docs/resources/eks_addon.md
+++ b/docs/resources/eks_addon.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_addon Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,181 @@ description: |-
 Resource Schema for AWS::EKS::Addon
+## Example Usage
+
+### Basic usage to create coredns and kube_proxy addons
+```terraform
+resource "awscc_eks_addon" "coredns" {
+ cluster_name = var.cluster_name
+ addon_name = "coredns"
+ # Optional: addon_version = "v1.8.4-eksbuild.1"
+ # Optional: resolve_conflicts = "OVERWRITE"
+}
+
+resource "awscc_eks_addon" "kube_proxy" {
+ cluster_name = var.cluster_name
+ addon_name = "kube-proxy"
+}
+
+variable "cluster_name" {
+ type = string
+}
+```
+
+### Create EBS CSI addon
+To use awscc_eks_addon for creating Amazon EKS Cluster with control plane logging enabled
+```terraform
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. This creates a local variable for it:
+# locals {
+# oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+# }
+
+# Create custom policy for KMS support. It's optional, but recommended.
+resource "awscc_iam_managed_policy" "ebs_csi_kms_policy" {
+ managed_policy_name = "AmazonEKS_EBS_CSI_KMS_Policy"
+ policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ Resource = [var.kms_key_arn]
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = "true"
+ }
+ }
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ Resource = [var.kms_key_arn]
+ }
+ ]
+ })
+}
+
+# Create IAM role for EBS CSI Driver
+resource "awscc_iam_role" "ebs_csi_role" {
+ role_name = "AmazonEKS_EBS_CSI_DriverRole"
+ assume_role_policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Federated = awscc_iam_oidc_provider.eks.arn
+ # Example: "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+ }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+ "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
+ }
+ }
+ }]
+ })
+ managed_policy_arns = [
+ "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+ awscc_iam_managed_policy.ebs_csi_kms_policy.policy_arn
+ ]
+}
+
+# Now that the IAM role is ready, create EBS CSI addon
+resource "awscc_eks_addon" "ebs_csi" {
+ cluster_name = var.cluster_name
+ addon_name = "aws-ebs-csi-driver"
+ service_account_role_arn = awscc_iam_role.ebs_csi_role.arn
+ resolve_conflicts = "OVERWRITE"
+}
+
+variable "cluster_name" {
+ type = string
+}
+```
+### Create VPC CNI addon:
+To use awscc_eks_addon for creating Amazon EKS Cluster with secrets encryption enabled using AWS KMS
+```terraform
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block.
+# This creates a local variable for it:
+locals {
+ oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+}
+
+# Create an IAM policy for EKS VPC CNI IPv6 support
+# https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html
+resource "awscc_iam_managed_policy" "eks_vpc_cni_ipv6_policy" {
+ managed_policy_name = "AmazonEKS_CNI_IPv6_Policy"
+ policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:AssignIpv6Addresses",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeInstanceTypes"
+ ]
+ Resource = "*"
+ },
+ {
+ Effect = "Allow"
+ Action = ["ec2:CreateTags"]
+ Resource = "arn:aws:ec2:*:*:network-interface/*"
+ }
+ ]
+ })
+}
+
+resource "awscc_iam_role" "eks_vpc_cni_role" {
+ role_name = "AmazonEKSVPCCNIRole"
+ assume_role_policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = { Federated = awscc_iam_oidc_provider.eks.arn }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+ "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:aws-node"
+ }
+ }
+ }
+ ]
+ })
+ managed_policy_arns = [
+ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+ awscc_iam_managed_policy.eks_vpc_cni_ipv6_policy.policy_arn
+ ]
+}
+
+# Now that the IAM role is ready, create the VPC CNI plugin:
+resource "awscc_eks_addon" "vpc_cni" {
+ cluster_name = var.cluster_name
+ addon_name = "vpc-cni"
+ service_account_role_arn = awscc_iam_role.eks_vpc_cni_role.arn
+ resolve_conflicts = "OVERWRITE"
+}
+
+variable "cluster_name" {
+ type = string
+}
+```
 ## Schema
diff --git a/docs/resources/eks_identity_provider_config.md b/docs/resources/eks_identity_provider_config.md
index 1bf5ba2dc..923df8327 100644
--- a/docs/resources/eks_identity_provider_config.md
+++ b/docs/resources/eks_identity_provider_config.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_identity_provider_config Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,28 @@ description: |-
 An object representing an Amazon EKS IdentityProviderConfig.
-
+## Example Usage
+
+```terraform
+# Configure Auth0 as an OIDC identity provider for EKS user authentication
+# This allows users to authenticate to the EKS cluster using Auth0 credentials
+resource "awscc_eks_identity_provider_config" "auth0_idp" {
+ cluster_name = var.cluster_name
+ type = "oidc"
+
+ oidc = {
+ client_id = var.oicd_client_id
+ issuer_url = var.oicd_issuer_url # Like: "https://dev-xxxxxxxxx.au.auth0.com"
+ groups_claim = "groups"
+ username_claim = "email"
+ groups_prefix = var.oicd_groups_prefix # Like: "auth0:eks-cluster"
+ }
+}
+
+variable "cluster_name" {
+ type = string
+}
+```
 ## Schema
diff --git a/docs/resources/eks_pod_identity_association.md b/docs/resources/eks_pod_identity_association.md
index f7ceac297..bdc94b718 100644
--- a/docs/resources/eks_pod_identity_association.md
+++ b/docs/resources/eks_pod_identity_association.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_eks_pod_identity_association Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,57 @@ description: |-
 An object representing an Amazon EKS PodIdentityAssociation.
-
+## Example Usage
+
+```terraform
+# Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
+# It associates an IAM role with a Service Account which is then associated with Pods.
+# First create IAM role for EKS Pod Identity
+resource "awscc_iam_role" "pod_identity_role" {
+ role_name = "eks_pod_identity_role"
+ assume_role_policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Sid = "AllowEksAuthToAssumeRoleForPodIdentity"
+ Effect = "Allow"
+ Principal = {
+ Service = "pods.eks.amazonaws.com" # One trust policy for all EKS clusters.
+ }
+ Action = [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ]
+ }]
+ })
+ managed_policy_arns = var.managed_policy_arns
+}
+
+# Associate the IAM role with a Service Account
+resource "awscc_eks_pod_identity_association" "pod_identity_association_s3_readonly" {
+ cluster_name = var.cluster_name
+ namespace = var.namespace
+ service_account = var.serviceaccount
+ role_arn = awscc_iam_role.pod_identity_role.arn # like: arn:aws:iam::xxxxxxxxxxxx:role/role1
+}
+
+variable "cluster_name" {
+ type = string
+}
+
+variable "namespace" {
+ type = string
+}
+
+variable "serviceaccount" {
+ type = string
+}
+
+variable "managed_policy_arns" {
+ description = "List of IAM policy ARNs to attach"
+ type = list(string)
+ default = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] # Change this as needed.
+}
+```
 ## Schema
diff --git a/templates/resources/eks_addon_ebs_csi_driver.md.tmpl b/templates/resources/eks_addon_ebs_csi_driver.md.tmpl
deleted file mode 100644
index 5e7dbe7f2..000000000
--- a/templates/resources/eks_addon_ebs_csi_driver.md.tmpl
+++ /dev/null
@@ -1,25 +0,0 @@
----
-page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
-subcategory: ""
-description: |-
-{{ .Description | plainmarkdown | trimspace | prefixlines " " }}
----
-
-# {{.Name}} ({{.Type}})
-
-{{ .Description | trimspace }}
-
-## Example Usage
-
-{{ tffile (printf "examples/resources/%s/eks_addon_ebs_csi_driver.tf" .Name)}}
-
-{{ .SchemaMarkdown | trimspace }}
-{{- if .HasImport }}
-
-## Import
-
-Import is supported using the following syntax:
-
-{{ codefile "shell" .ImportFile }}
-
-{{- end }}
diff --git a/templates/resources/eks_addon_vpc_cni.md.tmpl b/templates/resources/eks_addon_vpc_cni.md.tmpl
deleted file mode 100644
index 60d816516..000000000
--- a/templates/resources/eks_addon_vpc_cni.md.tmpl
+++ /dev/null
@@ -1,25 +0,0 @@
----
-page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
-subcategory: ""
-description: |-
-{{ .Description | plainmarkdown | trimspace | prefixlines " " }}
----
-
-# {{.Name}} ({{.Type}})
-
-{{ .Description | trimspace }}
-
-## Example Usage
-
-{{ tffile (printf "examples/resources/%s/eks_addon_vpc_cni.tf" .Name)}}
-
-{{ .SchemaMarkdown | trimspace }}
-{{- if .HasImport }}
-
-## Import
-
-Import is supported using the following syntax:
-
-{{ codefile "shell" .ImportFile }}
-
-{{- end }}