mirror of https://github.com/terraform-aws-modules/terraform-aws-eks.git synced 2025-09-09 19:32:58 +08:00
terraform-aws-eks/modules/hybrid-node-role
Bryant Biggs 416515a0da feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively (#3412)
* feat!: Upgrade min AWS provider and Terraform versions to `6.0` and `1.5.7` respectively

* fix: Remove deprecated arguments in AWS v6.0 provider, upgrade Helm provider to v3.0, bump VPC module to v6.0

* fix: Remove `aws-auth` sub-module

* fix: Remove `platform` and `cluster_service_ipv4_cidr` variables from `user-data` sub-module

* fix: Resolve all marked `todos` that have been accumulated

* fix: Set default `http_put_response_hop_limit` to `1`

* fix: Remove IRSA support from Karpenter sub-module

* fix: Avoid making GET requests from data sources unless absolutely necessary

* feat: Add variable optional attribute definitions

* feat: Bump KMS key module version to latest, add remaining variable attribute definitions

* fix: Remove `cluster_` prefix from variable names to better match the underlying API

* fix: Move all EFA logic to the nodegroup itself

* fix: Remove arguments that do not make sense in EKS

* fix: Updates from plan validation

* fix: Remove more self-managed node group attributes that are commonly not used in EKS clusters

* fix: Remove data plane compute `*_defaults` variables that do not work with variable optional attributes

* fix: Ignore changes to `bootstrap_self_managed_addons` to aid in upgrade

* feat: Add support for `region` argument on relevant resources

* feat: Initial pass on upgrade guide

* fix: Updates from testing and validating EKS managed node group

* fix: Updates from testing and validating self-managed node group

* docs: Ensure addon usage documented is aligned

* feat: Switch to dualstack OIDC issuer URL

* feat: Allow sourcing over overriding the Karpenter assume role policy

* fix: Use `Bool` instead of `StringEquals` for DenyHTTP queue policy

* fix: Correct use of `nullable` and default value propagation
2025-07-23 15:11:01 -05:00

EKS Hybrid Node Role Module

Terraform module which creates IAM role and policy resources for Amazon EKS Hybrid Node(s).

Usage

EKS Hybrid nodes use the AWS IAM Authenticator and temporary IAM credentials provisioned by AWS SSM or AWS IAM Roles Anywhere to authenticate with the EKS cluster. This module supports both SSM and IAM Roles Anywhere based IAM permissions.

SSM

```hcl
module "eks" {
  source = "terraform-aws-modules/eks/aws"

  ...
  access_entries = {
    hybrid-node-role = {
      principal_arn = module.eks_hybrid_node_role.arn
      type          = "HYBRID_LINUX"
    }
  }
}

module "eks_hybrid_node_role" {
  source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"

  name = "hybrid"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

IAM Roles Anywhere

```hcl
module "eks" {
  source = "terraform-aws-modules/eks/aws"

  ...
  access_entries = {
    hybrid-node-role = {
      principal_arn = module.eks_hybrid_node_role.arn
      type          = "HYBRID_LINUX"
    }
  }
}

module "eks_hybrid_node_role" {
  source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"

  name = "hybrid-ira"

  enable_ira = true

  ira_trust_anchor_source_type           = "CERTIFICATE_BUNDLE"
  ira_trust_anchor_x509_certificate_data = <<-EOT
    MIIFMzCCAxugAwIBAgIRAMnVXU7ncv/+Cl16eJbZ9hswDQYJKoZIhvcNAQELBQAw
    ...
    MGx/BMRkrNUVcg3xA0lhECo/olodCkmZo5/mjybbjFQwJzDSKFoW
  EOT

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| aws | >= 6.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.intermediate | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.intermediate | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.intermediate | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_rolesanywhere_profile.this | resource |
| aws_rolesanywhere_trust_anchor.this | resource |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.intermediate | data source |
| aws_iam_policy_document.intermediate_assume_role | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cluster_arns | List of EKS cluster ARNs to allow the node to describe | `list(string)` | `["*"]` | no |
| create | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
| description | IAM role description | `string` | `"EKS Hybrid Node IAM role"` | no |
| enable_ira | Enables IAM Roles Anywhere based IAM permissions on the node | `bool` | `false` | no |
| enable_pod_identity | Enables EKS Pod Identity based IAM permissions on the node | `bool` | `true` | no |
| intermediate_policy_name | Name of the IAM policy | `string` | `null` | no |
| intermediate_policy_statements | A list of IAM policy statements - used for adding specific IAM permissions as needed | `list(object({ sid = optional(string), actions = optional(list(string)), not_actions = optional(list(string)), effect = optional(string), resources = optional(list(string)), not_resources = optional(list(string)), principals = optional(list(object({ type = string, identifiers = list(string) }))), not_principals = optional(list(object({ type = string, identifiers = list(string) }))), condition = optional(list(object({ test = string, values = list(string), variable = string }))) }))` | `null` | no |
| intermediate_policy_use_name_prefix | Determines whether the name of the IAM policy (intermediate_policy_name) is used as a prefix | `bool` | `true` | no |
| intermediate_role_description | IAM role description | `string` | `"EKS Hybrid Node IAM Roles Anywhere intermediate IAM role"` | no |
| intermediate_role_name | Name of the IAM role | `string` | `null` | no |
| intermediate_role_path | Path of the IAM role | `string` | `"/"` | no |
| intermediate_role_policies | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
| intermediate_role_use_name_prefix | Determines whether the name of the IAM role (intermediate_role_name) is used as a prefix | `bool` | `true` | no |
| ira_profile_duration_seconds | The number of seconds the vended session credentials are valid for. Defaults to 3600 | `number` | `null` | no |
| ira_profile_managed_policy_arns | A list of managed policy ARNs that apply to the vended session credentials | `list(string)` | `[]` | no |
| ira_profile_name | Name of the Roles Anywhere profile | `string` | `null` | no |
| ira_profile_require_instance_properties | Specifies whether instance properties are required in CreateSession requests with this profile | `bool` | `null` | no |
| ira_profile_session_policy | A session policy that applies to the trust boundary of the vended session credentials | `string` | `null` | no |
| ira_trust_anchor_acm_pca_arn | The ARN of the ACM PCA that issued the trust anchor certificate | `string` | `null` | no |
| ira_trust_anchor_name | Name of the Roles Anywhere trust anchor | `string` | `null` | no |
| ira_trust_anchor_notification_settings | Notification settings for the trust anchor | `list(object({ channel = optional(string), enabled = optional(bool), event = optional(string), threshold = optional(number) }))` | `null` | no |
| ira_trust_anchor_source_type | The source type of the trust anchor | `string` | `null` | no |
| ira_trust_anchor_x509_certificate_data | The X.509 certificate data of the trust anchor | `string` | `null` | no |
| max_session_duration | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| name | Name of the IAM role | `string` | `"EKSHybridNode"` | no |
| path | Path of the IAM role | `string` | `"/"` | no |
| permissions_boundary_arn | Permissions boundary ARN to use for the IAM role | `string` | `null` | no |
| policies | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
| policy_description | IAM policy description | `string` | `"EKS Hybrid Node IAM role policy"` | no |
| policy_name | Name of the IAM policy | `string` | `"EKSHybridNode"` | no |
| policy_path | Path of the IAM policy | `string` | `"/"` | no |
| policy_statements | A list of IAM policy statements - used for adding specific IAM permissions as needed | `list(object({ sid = optional(string), actions = optional(list(string)), not_actions = optional(list(string)), effect = optional(string), resources = optional(list(string)), not_resources = optional(list(string)), principals = optional(list(object({ type = string, identifiers = list(string) }))), not_principals = optional(list(object({ type = string, identifiers = list(string) }))), condition = optional(list(object({ test = string, values = list(string), variable = string }))) }))` | `null` | no |
| policy_use_name_prefix | Determines whether the name of the IAM policy (policy_name) is used as a prefix | `bool` | `true` | no |
| tags | A map of additional tags to add to the IAM role | `map(string)` | `{}` | no |
| trust_anchor_arns | List of IAM Roles Anywhere trust anchor ARNs. Required if enable_ira is set to true | `list(string)` | `[]` | no |
| use_name_prefix | Determines whether the name of the IAM role (name) is used as a prefix | `bool` | `true` | no |
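The inputs above default to a permissive configuration (`cluster_arns` is `["*"]`, no permissions boundary, the Roles Anywhere profile at its default session length). The following is an added example, not code from the module's README, of tightening those defaults for a production hybrid node role that authenticates through IAM Roles Anywhere with a private CA. It assumes an `eks` module instance that exposes a `cluster_arn` output; the account id, private CA ARN, boundary policy ARN and log group ARN are placeholders; the `AWS_ACM_PCA` source type and the `CA_CERTIFICATE_EXPIRY` notification event are values from the Roles Anywhere API, not from this page. As in the README's own IAM Roles Anywhere example, `trust_anchor_arns` is left at its default because the trust anchor is created by the module call itself.

```hcl
# Added example: a hybrid node role with the module's defaults scoped down.
# Assumed: module.eks exposes `cluster_arn`; every ARN below is a placeholder.

locals {
  account_id   = "111122223333"                                                                        # placeholder
  log_group    = "arn:aws:logs:us-east-1:${local.account_id}:log-group:/hybrid/nodes:*"                 # placeholder
  boundary     = "arn:aws:iam::${local.account_id}:policy/HybridNodeBoundary"                           # placeholder
  private_ca   = "arn:aws:acm-pca:us-east-1:${local.account_id}:certificate-authority/00000000-0000-0000-0000-000000000000" # placeholder
}

module "eks_hybrid_node_role" {
  source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"

  name            = "hybrid-ira-prod"
  use_name_prefix = false

  # Only this cluster may be described with the node credentials (the default is ["*"]).
  cluster_arns = [module.eks.cluster_arn]

  # Keep the role inside an organisation-wide boundary and cap STS session length
  # at the minimum the API accepts.
  permissions_boundary_arn = local.boundary
  max_session_duration     = 3600

  # Nodes present certificates issued by a private CA, so the trust anchor is the
  # PCA rather than an inline certificate bundle (assumed Roles Anywhere value).
  enable_ira                   = true
  ira_trust_anchor_source_type = "AWS_ACM_PCA"
  ira_trust_anchor_acm_pca_arn = local.private_ca

  # Short-lived vended credentials (900 s is the Roles Anywhere minimum) and
  # instance properties required in every CreateSession call.
  ira_profile_duration_seconds            = 900
  ira_profile_require_instance_properties = true

  # Get notified 30 days before the anchor's CA certificate expires
  # (event/channel values assumed from the Roles Anywhere API).
  ira_trust_anchor_notification_settings = [{
    channel   = "ALL"
    enabled   = true
    event     = "CA_CERTIFICATE_EXPIRY"
    threshold = 30
  }]

  # Extra permissions as inline statements, using the object shape from the
  # Inputs table; scoped to one log group and one region.
  policy_statements = [
    {
      sid       = "NodeLogs"
      effect    = "Allow"
      actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      resources = [local.log_group]
      condition = [{
        test     = "StringEquals"
        variable = "aws:RequestedRegion"
        values   = ["us-east-1"]
      }]
    }
  ]

  tags = {
    Environment = "prod"
    Terraform   = "true"
  }
}

# The ARN to register in the EKS access entry of type HYBRID_LINUX.
output "hybrid_node_role_arn" {
  value = module.eks_hybrid_node_role.arn
}
```

After `terraform apply`, the role's trust policy and attached inline policy can be reviewed with `aws iam get-role` and `aws iam get-policy-version` to confirm that `eks:DescribeCluster` is limited to the single cluster ARN and that the boundary is attached before the role is referenced from the cluster's `access_entries`.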

Outputs

| Name | Description |
|------|-------------|
| arn | The Amazon Resource Name (ARN) specifying the node IAM role |
| intermediate_role_arn | The Amazon Resource Name (ARN) specifying the IAM Roles Anywhere intermediate IAM role |
| intermediate_role_name | The name of the IAM Roles Anywhere intermediate IAM role |
| intermediate_role_unique_id | Stable and unique string identifying the IAM Roles Anywhere intermediate IAM role |
| name | The name of the node IAM role |
| unique_id | Stable and unique string identifying the node IAM role |