Component: `eks-iam`

This component is responsible for provisioning specific IAM roles for Kubernetes Service Accounts. IAM roles are created for the following Kubernetes projects:

Usage

Stack Level: Regional

Here's an example snippet for how to use this component.

components:
  terraform:
    eks-iam:
      vars:
        standard_service_accounts:
          - "alb-controller",
          - "external-dns"
          - "cert-manager"

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 3.0
local	>= 1.3
template	>= 2.2

Providers

Name	Version
aws	>= 3.0
terraform	n/a

Modules

Name	Source	Version
alb-controller	./modules/service-account	n/a
autoscaler	./modules/service-account	n/a
cert-manager	./modules/service-account	n/a
external-dns	./modules/service-account	n/a
iam_roles	../account-map/modules/iam-roles	n/a
this	git::https://github.com/cloudposse/terraform-null-label.git	tags/0.21.0

Resources

Name	Type
aws_iam_policy_document.autoscaler	data source
aws_iam_policy_document.cert_manager	data source
aws_iam_policy_document.external_dns	data source
aws_kms_alias.ssm	data source
terraform_remote_state.account_map	data source
terraform_remote_state.dns_delegated	data source
terraform_remote_state.dns_gbl_delegated	data source
terraform_remote_state.eks	data source

Inputs

Name	Description	Type	Default	Required
account_map_environment_name	The name of the environment where `account_map` is provisioned	`string`	`"gbl"`	no
account_map_stage_name	The name of the stage where `account_map` is provisioned	`string`	`"root"`	no
additional_tag_map	Additional tags for appending to tags_as_list_of_maps. Not added to `tags`.	`map(string)`	`{}`	no
attributes	Additional attributes (e.g. `1`)	`list(string)`	`[]`	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as `null` to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	`object({ enabled = bool namespace = string environment = string stage = string name = string delimiter = string attributes = list(string) tags = map(string) additional_tag_map = map(string) regex_replace_chars = string label_order = list(string) id_length_limit = number })`	`{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "enabled": true, "environment": null, "id_length_limit": null, "label_order": [], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {} }`	no
delimiter	Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`. Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
dns_gbl_delegated_environment_name	The name of the environment where global `dns_delegated` is provisioned	`string`	`"gbl"`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
environment	Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
id_length_limit	Limit `id` to this many characters. Set to `0` for unlimited length. Set to `null` for default, which is `0`. Does not affect `id_full`.	`number`	`null`	no
import_role_arn	IAM Role ARN to use when importing a resource	`string`	`null`	no
kms_alias_name	AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM	`string`	`"alias/aws/ssm"`	no
label_order	The naming order of the id output and Name tag. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 5 elements, but at least one must be present.	`list(string)`	`null`	no
name	Solution name, e.g. 'app' or 'jenkins'	`string`	`null`	no
namespace	Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp'	`string`	`null`	no
optional_service_accounts	List of optional service accounts to enable	`list(string)`	`[]`	no
regex_replace_chars	Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
region	AWS Region	`string`	n/a	yes
stage	Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
standard_service_accounts	List of standard service accounts expected to be enabled everywhere	`list(string)`	n/a	yes
tags	Additional tags (e.g. `map('BusinessUnit','XYZ')`	`map(string)`	`{}`	no
tfstate_account_id	The ID of the account where the Terraform remote state backend is provisioned	`string`	`""`	no
tfstate_assume_role	Set to false to use the caller's role to access the Terraform remote state	`bool`	`true`	no
tfstate_bucket_environment_name	The name of the environment for Terraform state bucket	`string`	`""`	no
tfstate_bucket_stage_name	The name of the stage for Terraform state bucket	`string`	`"root"`	no
tfstate_existing_role_arn	The ARN of the existing IAM Role to access the Terraform remote state. If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template`	`string`	`""`	no
tfstate_role_arn_template	IAM Role ARN template for accessing the Terraform remote state	`string`	`"arn:aws:iam::%s:role/%s-%s-%s-%s"`	no
tfstate_role_environment_name	The name of the environment for Terraform state IAM role	`string`	`"gbl"`	no
tfstate_role_name	IAM Role name for accessing the Terraform remote state	`string`	`"terraform"`	no
tfstate_role_stage_name	The name of the stage for Terraform state IAM role	`string`	`"root"`	no

Outputs

Name	Description
service_accounts	n/a

References

cloudposse/terraform-aws-components - Cloud Posse's upstream component

Component: eks-iam

Usage​

Requirements​

Providers​

Modules​

Resources​

Inputs​

Outputs​

References​