|
1 | 1 | locals {
|
2 |
| - addon_vpc_cni_pod_identity = { |
3 |
| - most_recent = true |
4 |
| - resolve_conflicts_on_update = "OVERWRITE" |
| 2 | + addon_vpc_cni = { |
| 3 | + fargate_pod_identity = { |
| 4 | + most_recent = true |
| 5 | + resolve_conflicts_on_update = "OVERWRITE" |
| 6 | + configuration_values = jsonencode({ |
| 7 | + env = { |
| 8 | + # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment |
| 9 | + ENABLE_POD_ENI = "true" |
| 10 | + POD_SECURITY_GROUP_ENFORCING_MODE = "standard" |
| 11 | + } |
| 12 | + init = { |
| 13 | + env = { |
| 14 | + DISABLE_TCP_EARLY_DEMUX = "true" |
| 15 | + } |
| 16 | + } |
| 17 | + }) |
| 18 | + pod_identity_association = [{ |
| 19 | + role_arn = module.aws_vpc_cni_pod_identity[0].iam_role_arn |
| 20 | + service_account = "aws-node" |
| 21 | + }] |
| 22 | + } |
| 23 | + fargate_irsa = { |
| 24 | + most_recent = true |
| 25 | + resolve_conflicts_on_update = "OVERWRITE" |
| 26 | + configuration_values = jsonencode({ |
| 27 | + env = { |
| 28 | + # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment |
| 29 | + ENABLE_POD_ENI = "true" |
| 30 | + POD_SECURITY_GROUP_ENFORCING_MODE = "standard" |
| 31 | + } |
| 32 | + init = { |
| 33 | + env = { |
| 34 | + DISABLE_TCP_EARLY_DEMUX = "true" |
| 35 | + } |
| 36 | + } |
| 37 | + }) |
| 38 | + service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn |
| 39 | + } |
| 40 | + nodegroup_irsa = { |
| 41 | + most_recent = true |
| 42 | + resolve_conflicts_on_update = "OVERWRITE" |
| 43 | + service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn |
| 44 | + } |
| 45 | + nodegroup_pod_identity = { |
| 46 | + most_recent = true |
| 47 | + resolve_conflicts_on_update = "OVERWRITE" |
| 48 | + pod_identity_association = [{ |
| 49 | + role_arn = module.aws_vpc_cni_pod_identity[0].iam_role_arn |
| 50 | + service_account = "aws-node" |
| 51 | + }] |
| 52 | + } |
5 | 53 | }
|
| 54 | + |
| 55 | + addon_vpc_cni_lookup = var.fargate_cluster && var.enable_pod_identity_for_eks_addons ? "fargate_pod_identity" : ( |
| 56 | + var.fargate_cluster ? "fargate_irsa" : ( |
| 57 | + var.enable_pod_identity_for_eks_addons ? "nodegroup_pod_identity" : "nodegroup_irsa" |
| 58 | + )) |
| 59 | + |
| 60 | + addon_aws_ebs_csi_driver = { |
| 61 | + pod_identity = { |
| 62 | + most_recent = true |
| 63 | + resolve_conflicts_on_update = "OVERWRITE" |
| 64 | + pod_identity_association = [{ |
| 65 | + role_arn = module.aws_ebs_csi_pod_identity[0].iam_role_arn |
| 66 | + service_account = "ebs-csi-controller-sa" |
| 67 | + }] |
| 68 | + } |
| 69 | + irsa = { |
| 70 | + most_recent = true |
| 71 | + resolve_conflicts_on_update = "OVERWRITE" |
| 72 | + service_account_role_arn = module.ebs_csi_irsa_role[0].iam_role_arn |
| 73 | + } |
| 74 | + } |
| 75 | + addon_aws_ebs_csi_driver_lookup = var.enable_pod_identity_for_eks_addons ? "pod_identity" : "irsa" |
6 | 76 | }
|
7 | 77 | #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
|
8 | 78 | #tfsec:ignore:aws-eks-no-public-cluster-access
|
@@ -72,44 +142,8 @@ module "eks" {
|
72 | 142 | most_recent = true
|
73 | 143 | resolve_conflicts_on_update = "OVERWRITE"
|
74 | 144 | }
|
75 |
| - vpc-cni = var.fargate_cluster && var.enable_pod_identity_for_eks_addons ? merge(local.addon_vpc_cni_pod_identity, { |
76 |
| - configuration_values = jsonencode({ |
77 |
| - env = { |
78 |
| - # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment |
79 |
| - ENABLE_POD_ENI = "true" |
80 |
| - POD_SECURITY_GROUP_ENFORCING_MODE = "standard" |
81 |
| - } |
82 |
| - init = { |
83 |
| - env = { |
84 |
| - DISABLE_TCP_EARLY_DEMUX = "true" |
85 |
| - } |
86 |
| - } |
87 |
| - }) |
88 |
| - }) : (var.fargate_cluster ? merge(local.addon_vpc_cni_pod_identity, { |
89 |
| - service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn |
90 |
| - configuration_values = jsonencode({ |
91 |
| - env = { |
92 |
| - # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment |
93 |
| - ENABLE_POD_ENI = "true" |
94 |
| - POD_SECURITY_GROUP_ENFORCING_MODE = "standard" |
95 |
| - } |
96 |
| - init = { |
97 |
| - env = { |
98 |
| - DISABLE_TCP_EARLY_DEMUX = "true" |
99 |
| - } |
100 |
| - } |
101 |
| - }) |
102 |
| - }) : (var.enable_pod_identity_for_eks_addons ? local.addon_vpc_cni_pod_identity : merge(local.addon_vpc_cni_pod_identity, { |
103 |
| - service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn |
104 |
| - }))) |
105 |
| - aws-ebs-csi-driver = var.enable_pod_identity_for_eks_addons ? { |
106 |
| - most_recent = true |
107 |
| - resolve_conflicts_on_update = "OVERWRITE" |
108 |
| - } : { |
109 |
| - most_recent = true |
110 |
| - resolve_conflicts_on_update = "OVERWRITE" |
111 |
| - service_account_role_arn = module.ebs_csi_irsa_role[0].iam_role_arn |
112 |
| - } |
| 145 | + vpc-cni = lookup(local.addon_vpc_cni, local.addon_vpc_cni_lookup, {}) |
| 146 | + aws-ebs-csi-driver = lookup(local.addon_aws_ebs_csi_driver, local.addon_aws_ebs_csi_driver_lookup, {}) |
113 | 147 | coredns = var.fargate_cluster ? {
|
114 | 148 | most_recent = true
|
115 | 149 | resolve_conflicts_on_update = "OVERWRITE"
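Review bot: The `{}` default in `lookup(local.addon_vpc_cni, local.addon_vpc_cni_lookup, {})` (new line 145) and its `aws-ebs-csi-driver` twin on line 146 fail open: if the lookup key ever stops matching one of the map's keys, the addon is still installed, but with no `pod_identity_association`/`service_account_role_arn` and, for vpc-cni, no `configuration_values`, so `ENABLE_POD_ENI` and `POD_SECURITY_GROUP_ENFORCING_MODE` are silently dropped and `aws-node` falls back to whatever the node instance role allows. Today every value `addon_vpc_cni_lookup` can take is a key of the map, so the default is unreachable, which is the reason it should not exist: indexing directly, `vpc-cni = local.addon_vpc_cni[local.addon_vpc_cni_lookup]` and `aws-ebs-csi-driver = local.addon_aws_ebs_csi_driver[local.addon_aws_ebs_csi_driver_lookup]`, turns a future key mismatch into a plan-time error instead of a silent least-privilege regression. Separately, the new map literals evaluate every `module.*[0].iam_role_arn` reference on every plan, whereas the old `?:` chains only surfaced errors from the selected branch; if `module.vpc_cni_irsa_role`, `module.aws_vpc_cni_pod_identity` and the EBS CSI modules are count-gated on `enable_pod_identity_for_eks_addons` or `fargate_cluster`, confirm that the unselected `[0]` index does not break the plan (wrapping with `one()` or `try()` would be the fix). The `module "eks"` block containing these lines starts before this hunk.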
|
|