diff --git a/README.md b/README.md
index 502483a..e9c9eff 100644
--- a/README.md
+++ b/README.md
@@ -148,6 +148,7 @@ No modules.
| Name | Type |
|------|------|
+| [aws_eks_pod_identity_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -168,8 +169,10 @@ No modules.
| [chart](#input\_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified | `string` | `""` | no |
| [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed | `string` | `null` | no |
| [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. Defaults to `false` | `bool` | `null` | no |
+| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | `""` | no |
| [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
| [create\_namespace](#input\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `false` | `bool` | `null` | no |
+| [create\_pod\_identity\_association](#input\_create\_pod\_identity\_association) | Determines whether to create Pod Identity association | `bool` | `false` | no |
| [create\_policy](#input\_create\_policy) | Whether to create an IAM policy that is attached to the IAM role created | `bool` | `true` | no |
| [create\_release](#input\_create\_release) | Determines whether the Helm release is created | `bool` | `true` | no |
| [create\_role](#input\_create\_role) | Determines whether to create an IAM role | `bool` | `false` | no |
@@ -178,6 +181,7 @@ No modules.
| [devel](#input\_devel) | Use chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored | `bool` | `null` | no |
| [disable\_openapi\_validation](#input\_disable\_openapi\_validation) | If set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema. Defaults to `false` | `bool` | `null` | no |
| [disable\_webhooks](#input\_disable\_webhooks) | Prevent hooks from running. Defaults to `false` | `bool` | `null` | no |
+| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Determines whether to enable support for EKS Pod Identity | `bool` | `false` | no |
| [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false` | `bool` | `null` | no |
| [keyring](#input\_keyring) | Location of public keys used for verification. Used only if verify is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home` | `string` | `null` | no |
| [lint](#input\_lint) | Run the helm chart linter during the plan. Defaults to `false` | `bool` | `null` | no |
@@ -210,6 +214,7 @@ No modules.
| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| [role\_policies](#input\_role\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| [service\_account](#input\_service\_account) | Service account to associate with the Pod Identity | `string` | `""` | no |
| [set](#input\_set) | Value block with custom values to be merged with the values yaml | `any` | `[]` | no |
| [set\_irsa\_names](#input\_set\_irsa\_names) | Value annotations name where IRSA role ARN created by module will be assigned to the `value` | `list(string)` | `[]` | no |
| [set\_sensitive](#input\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | `any` | `[]` | no |
@@ -228,6 +233,7 @@ No modules.
|------|-------------|
| [app\_version](#output\_app\_version) | The version number of the application being deployed |
| [chart](#output\_chart) | The name of the chart |
+| [create\_pod\_identity\_association](#output\_create\_pod\_identity\_association) | Pod Identity configuration |
| [iam\_policy](#output\_iam\_policy) | The policy document |
| [iam\_policy\_arn](#output\_iam\_policy\_arn) | The ARN assigned by AWS to this policy |
| [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of IAM role |
@@ -237,6 +243,7 @@ No modules.
| [name](#output\_name) | Name is the name of the release |
| [namespace](#output\_namespace) | Name of Kubernetes namespace |
| [revision](#output\_revision) | Version is an int32 which represents the version of the release |
+| [service\_account](#output\_service\_account) | Service Account associated with the Pod Identity |
| [values](#output\_values) | The compounded values from `values` and `set*` attributes |
| [version](#output\_version) | A SemVer 2 conformant version string of the chart |
diff --git a/main.tf b/main.tf
index 63d4da5..09f71cc 100644
--- a/main.tf
+++ b/main.tf
@@ -64,7 +64,7 @@ resource "helm_release" "this" {
}
dynamic "set" {
- for_each = { for k, v in toset(var.set_irsa_names) : k => v if var.create && var.create_role }
+ for_each = { for k, v in toset(var.set_irsa_names) : k => v if var.create && var.create_role && var.enable_pod_identity == false && var.create_pod_identity_association == false }
iterator = each
content {
name = each.value
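Review bot: The new guard on the `set` block suppresses the IRSA annotation when either Pod Identity flag is true, but the assume-role policy hunk further down (line 95) only drops the OIDC trust statements when both flags are true, so with `enable_pod_identity = true` and `create_pod_identity_association = false` the role still trusts every OIDC provider while the service account is no longer annotated with the role ARN. If that intermediate state is a deliberate migration step, a comment on the `for_each` saying so would prevent the two predicates from drifting apart; otherwise both places should share one condition, e.g. a local like `pod_identity_only = var.enable_pod_identity && var.create_pod_identity_association`. Stylistically, `var.enable_pod_identity == false && var.create_pod_identity_association == false` reads better as `!var.enable_pod_identity && !var.create_pod_identity_association`. The `dynamic "set"` block and the enclosing `helm_release` resource continue past the end of the hunk.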
@@ -84,7 +84,7 @@ resource "helm_release" "this" {
}
################################################################################
-# IAM Role for Service Account(s) (IRSA)
+# Pod Identity and IAM Role for Service Account(s) (IRSA)
################################################################################
data "aws_partition" "current" {
@@ -129,8 +129,25 @@ data "aws_iam_policy_document" "assume" {
}
}
+ # Pod Identity
dynamic "statement" {
- for_each = var.oidc_providers
+ for_each = var.enable_pod_identity ? [1] : []
+
+ content {
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.enable_pod_identity && var.create_pod_identity_association ? {} : var.oidc_providers
content {
effect = "Allow"
@@ -257,3 +274,18 @@ resource "aws_iam_role_policy_attachment" "this" {
role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.this[0].arn
}
+
+################################################################################
+# Pod Identity Association
+################################################################################
+
+resource "aws_eks_pod_identity_association" "this" {
+ count = local.create_role && var.enable_pod_identity && var.create_pod_identity_association ? 1 : 0
+
+ cluster_name = var.cluster_name
+ namespace = var.namespace
+ service_account = var.service_account
+ role_arn = aws_iam_role.this[0].arn
+
+ tags = var.tags
+}
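Review bot: The association is created with `cluster_name` and `service_account` taken straight from variables that default to `""`, so a caller who flips both Pod Identity flags but forgets one of them only finds out at apply time from the API error rather than at plan time. A `lifecycle.precondition` on the resource (or `validation` blocks on the two variables) would surface the mistake during plan. The `count` expression references `local.create_role`, which is not visible in this diff; presumably it wraps `var.create && var.create_role`, but that should be confirmed so the association cannot exist without the role whose ARN it references.
```terraform
resource "aws_eks_pod_identity_association" "this" {
  count = local.create_role && var.enable_pod_identity && var.create_pod_identity_association ? 1 : 0

  # … unchanged: cluster_name, namespace, service_account, role_arn, tags …

  lifecycle {
    precondition {
      condition     = var.cluster_name != "" && var.service_account != ""
      error_message = "cluster_name and service_account must be set when create_pod_identity_association is true."
    }
  }
}
```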
diff --git a/outputs.tf b/outputs.tf
index 2251c79..5dcde5e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -38,7 +38,7 @@ output "values" {
}
################################################################################
-# IAM Role for Service Account(s) (IRSA)
+# Pod Identity and IAM Role for Service Account(s) (IRSA)
################################################################################
output "iam_role_arn" {
@@ -61,6 +61,16 @@ output "iam_role_unique_id" {
value = try(aws_iam_role.this[0].unique_id, null)
}
+output "service_account" {
+ description = "Service Account associated with the Pod Identity"
+ value = var.service_account
+}
+
+output "create_pod_identity_association" {
+ description = "Pod Identity configuration"
+ value = aws_eks_pod_identity_association.this
+}
+
################################################################################
# IAM Policy
################################################################################
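Review bot: `output "create_pod_identity_association"` exposes the raw `aws_eks_pod_identity_association.this` reference, which because the resource uses `count` is a list that is empty when the association is not created, and the output's name reads like a boolean rather than a resource object. The neighbouring outputs in this file wrap counted resources with `try(...)` (see `iam_role_unique_id` just above), so `value = try(aws_eks_pod_identity_association.this[0], null)` would be consistent and give consumers a single object or `null`; a name such as `pod_identity_association` would also describe the value better. `output "service_account"` echoes `var.service_account` even when no association exists, which the description "Service Account associated with the Pod Identity" does not convey; consider `value = try(aws_eks_pod_identity_association.this[0].service_account, null)` or adjusting the description.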
diff --git a/variables.tf b/variables.tf
index ab09aaf..9a2793e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,6 +10,12 @@ variable "tags" {
default = {}
}
+variable "cluster_name" {
+ description = "The name of the EKS cluster"
+ type = string
+ default = ""
+}
+
################################################################################
# Helm Release
################################################################################
@@ -243,7 +249,7 @@ variable "set_irsa_names" {
}
################################################################################
-# IAM Role for Service Account(s) (IRSA)
+# Pod Identity and IAM Role for Service Account(s) (IRSA)
################################################################################
variable "create_role" {
@@ -312,6 +318,24 @@ variable "allow_self_assume_role" {
default = false
}
+variable "enable_pod_identity" {
+ description = "Determines whether to enable support for EKS Pod Identity"
+ type = bool
+ default = false
+}
+
+variable "create_pod_identity_association" {
+ description = "Determines whether to create Pod Identity association"
+ type = bool
+ default = false
+}
+
+variable "service_account" {
+ description = "Service account to associate with the Pod Identity"
+ type = string
+ default = ""
+}
+
################################################################################
# IAM Policy
################################################################################
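Review bot: The descriptions of the three new variables do not state how they depend on each other, although main.tf wires them together: `create_pod_identity_association` has no effect unless `enable_pod_identity` and `create_role` are also true, and `service_account` (and `cluster_name`, added earlier in this file) are only consumed by the association resource. Suggested descriptions: `enable_pod_identity` → "Determines whether to enable support for EKS Pod Identity by adding the pods.eks.amazonaws.com trust statement to the IAM role"; `create_pod_identity_association` → "Determines whether to create the Pod Identity association; requires `enable_pod_identity = true` and `create_role = true`"; `service_account` → "Kubernetes service account to associate with the Pod Identity; required when `create_pod_identity_association = true`". Describing the coupling here saves readers from reverse-engineering the `count` expression in main.tf.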