feat: enable pod identity for eks addons by default

aws_auth.tf

@@ -53,7 +53,7 @@ locals {
 
 module "eks_aws_auth" {
   source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   create_aws_auth_configmap = var.create_aws_auth_configmap
   manage_aws_auth_configmap = var.migrate_aws_auth_to_access_entry ? true : var.manage_aws_auth_configmap

iam.tf

@@ -126,40 +126,29 @@ module "aws_vpc_cni_pod_identity" {
   count = var.enable_pod_identity_for_eks_addons ? 1 : 0
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "~> 1.5.0"
+  version = "~> 1.7.0"
 
   name = "aws-vpc-cni-${var.cluster_ip_family}"
 
   attach_aws_vpc_cni_policy = true
   aws_vpc_cni_enable_ipv4   = var.cluster_ip_family == "ipv4" ? "true" : "false"
   aws_vpc_cni_enable_ipv6   = var.cluster_ip_family == "ipv6" ? "true" : "false"
 
-  # Pod Identity Associations
-  association_defaults = {
-    namespace       = "kube-system"
-    service_account = "aws-node"
-  }
-
   tags = var.tags
 }
 
 module "aws_ebs_csi_pod_identity" {
   count = var.enable_pod_identity_for_eks_addons ? 1 : 0
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "~> 1.5.0"
+  version = "~> 1.7.0"
 
   name = "aws-ebs-csi"
 
   attach_aws_ebs_csi_policy = true
   aws_ebs_csi_kms_arns = [
     module.kms_ebs.key_arn,
   ]
-  # Pod Identity Associations
-  association_defaults = {
-    namespace       = "kube-system"
-    service_account = "ebs-csi-controller-sa"
-  }
 
   tags = var.tags
 }

main.tf

@@ -1,16 +1,86 @@
 locals {
-  addon_vpc_cni_pod_identity = {
-    most_recent                 = true
-    resolve_conflicts_on_update = "OVERWRITE"
+  addon_vpc_cni = {
+    fargate_pod_identity = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      configuration_values = jsonencode({
+        env = {
+          # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment
+          ENABLE_POD_ENI                    = "true"
+          POD_SECURITY_GROUP_ENFORCING_MODE = "standard"
+        }
+        init = {
+          env = {
+            DISABLE_TCP_EARLY_DEMUX = "true"
+          }
+        }
+      })
+      pod_identity_association = [{
+        role_arn        = module.aws_vpc_cni_pod_identity[0].iam_role_arn
+        service_account = "aws-node"
+      }]
+    }
+    fargate_irsa = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      configuration_values = jsonencode({
+        env = {
+          # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment
+          ENABLE_POD_ENI                    = "true"
+          POD_SECURITY_GROUP_ENFORCING_MODE = "standard"
+        }
+        init = {
+          env = {
+            DISABLE_TCP_EARLY_DEMUX = "true"
+          }
+        }
+      })
+      service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn
+    }
+    nodegroup_irsa = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      service_account_role_arn    = module.vpc_cni_irsa_role[0].iam_role_arn
+    }
+    nodegroup_pod_identity = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      pod_identity_association = [{
+        role_arn        = module.aws_vpc_cni_pod_identity[0].iam_role_arn
+        service_account = "aws-node"
+      }]
+    }
   }
+
+  addon_vpc_cni_lookup = var.fargate_cluster && var.enable_pod_identity_for_eks_addons ? "fargate_pod_identity" : (
+    var.fargate_cluster ? "fargate_irsa" : (
+      var.enable_pod_identity_for_eks_addons ? "nodegroup_pod_identity" : "nodegroup_irsa"
+  ))
+
+  addon_aws_ebs_csi_driver = {
+    pod_identity = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      pod_identity_association = [{
+        role_arn        = module.aws_ebs_csi_pod_identity[0].iam_role_arn
+        service_account = "ebs-csi-controller-sa"
+      }]
+    }
+    irsa = {
+      most_recent                 = true
+      resolve_conflicts_on_update = "OVERWRITE"
+      service_account_role_arn    = module.ebs_csi_irsa_role[0].iam_role_arn
+    }
+  }
+  addon_aws_ebs_csi_driver_lookup = var.enable_pod_identity_for_eks_addons ? "pod_identity" : "irsa"
 }
 #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 #tfsec:ignore:aws-eks-no-public-cluster-access
 #tfsec:ignore:aws-ec2-no-public-egress-sgr
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   cluster_name              = var.cluster_name
   cluster_version           = var.cluster_version
@@ -72,44 +142,8 @@ module "eks" {
       most_recent                 = true
       resolve_conflicts_on_update = "OVERWRITE"
     }
-    vpc-cni = var.fargate_cluster && var.enable_pod_identity_for_eks_addons ? merge(local.addon_vpc_cni_pod_identity, {
-      configuration_values = jsonencode({
-        env = {
-          # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment
-          ENABLE_POD_ENI                    = "true"
-          POD_SECURITY_GROUP_ENFORCING_MODE = "standard"
-        }
-        init = {
-          env = {
-            DISABLE_TCP_EARLY_DEMUX = "true"
-          }
-        }
-      })
-      }) : (var.fargate_cluster ? merge(local.addon_vpc_cni_pod_identity, {
-        service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn
-        configuration_values = jsonencode({
-          env = {
-            # Reference doc: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#security-groups-pods-deployment
-            ENABLE_POD_ENI                    = "true"
-            POD_SECURITY_GROUP_ENFORCING_MODE = "standard"
-          }
-          init = {
-            env = {
-              DISABLE_TCP_EARLY_DEMUX = "true"
-            }
-          }
-        })
-        }) : (var.enable_pod_identity_for_eks_addons ? local.addon_vpc_cni_pod_identity : merge(local.addon_vpc_cni_pod_identity, {
-          service_account_role_arn = module.vpc_cni_irsa_role[0].iam_role_arn
-    })))
-    aws-ebs-csi-driver = var.enable_pod_identity_for_eks_addons ? {
-      most_recent                 = true
-      resolve_conflicts_on_update = "OVERWRITE"
-      } : {
-      most_recent                 = true
-      resolve_conflicts_on_update = "OVERWRITE"
-      service_account_role_arn    = module.ebs_csi_irsa_role[0].iam_role_arn
-    }
+    vpc-cni            = lookup(local.addon_vpc_cni, local.addon_vpc_cni_lookup, {})
+    aws-ebs-csi-driver = lookup(local.addon_aws_ebs_csi_driver, local.addon_aws_ebs_csi_driver_lookup, {})
     coredns = var.fargate_cluster ? {
       most_recent                 = true
       resolve_conflicts_on_update = "OVERWRITE"

modules/eks_managed_nodes/main.tf

@@ -54,7 +54,7 @@ locals {
 ################################################################################
 module "eks_managed_node_group" {
   source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   for_each = local.eks_managed_node_groups
 

modules/fargate_profile/main.tf

@@ -1,6 +1,6 @@
 module "fargate_profile" {
   source  = "terraform-aws-modules/eks/aws//modules/fargate-profile"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   for_each          = var.fargate_profiles
   cluster_ip_family = var.cluster_ip_family

modules/karpenter/karpenter.tf

@@ -1,6 +1,6 @@
 module "karpenter" {
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   cluster_name = var.cluster_name
 

modules/self_managed_nodes/main.tf

@@ -58,7 +58,7 @@ locals {
 
 module "self_managed_group" {
   source  = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
-  version = "~> 20.26.0"
+  version = "~> 20.29.0"
 
   for_each = local.self_managed_node_groups
 

variables.tf

@@ -628,7 +628,7 @@ variable "enable_pod_identity_for_karpenter" {
 variable "enable_pod_identity_for_eks_addons" {
   description = "Enable pod identity for eks addons, Note - Default is `false` because AWS Terraform Provider still DOESN'T Support Pod Identity Association for EKS Addons"
   type        = bool
-  default     = false
+  default     = true
 }
 
 ################################################################################