// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: MIT-0 variable "subnet_ids" { type = list(string) } variable "name" { type = string } ##################### EKS CLUSTER ####################### resource "aws_eks_cluster" "eks_cluster" { name = var.name role_arn = aws_iam_role.cluster.arn vpc_config { subnet_ids = var.subnet_ids endpoint_private_access = true } tags = { "k8s.io/cluster-autoscaler/${module.eks_cluster.cluster_id}" = "owned" "k8s.io/cluster-autoscaler/enabled" = "TRUE" } # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. depends_on = [ "aws_iam_role_policy_attachment.eks_cluster-AmazonEKSClusterPolicy", "aws_iam_role_policy_attachment.eks_cluster-AmazonEKSServicePolicy", ] } ############################### IAM SERVICE ACCOUNT ####################### resource "aws_iam_openid_connect_provider" "eks_cluster" { client_id_list = ["sts.amazonaws.com"] thumbprint_list = [] url = aws_eks_cluster.eks_cluster.identity.0.oidc.0.issuer } data "aws_caller_identity" "current" {} data "aws_iam_policy_document" "eks_assume_role_policy" { statement { actions = ["sts:AssumeRoleWithWebIdentity"] effect = "Allow" condition { test = "StringEquals" variable = "${replace(aws_iam_openid_connect_provider.eks_cluster.url, "https://", "")}:sub" values = ["system:serviceaccount:kube-system:aws-node"] } principals { identifiers = ["${aws_iam_openid_connect_provider.eks_cluster.arn}"] type = "Federated" } } } ############################### IAM CLUSTER ####################### resource "aws_iam_role" "cluster" { name = "eks-cluster" assume_role_policy = <