Terraform module which creates multi-tenancy resources on Amazon EKS.
See tests directory for working tests to reference:
module "admin_team" {
source = "aws-ia/eks-blueprints-teams/aws"
name = "admin-team"
# Enables elevated, admin privileges for this team
enable_admin = true
users = ["arn:aws:iam::111122223333:role/my-admin-role"]
cluster_arn = "arn:aws:eks:us-west-2:111122223333:cluster/my-cluster"
tags = {
Environment = "dev"
}
}module "development_team" {
source = "aws-ia/eks-blueprints-teams/aws"
name = "development-team"
users = ["arn:aws:iam::012345678901:role/my-developer"]
cluster_arn = "arn:aws:eks:us-west-2:012345678901:cluster/my-cluster"
oidc_provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
# Labels applied to all Kubernetes resources
# More specific labels can be applied to individual resources under `namespaces` below
labels = {
team = "development"
}
# Annotations applied to all Kubernetes resources
# More specific labels can be applied to individual resources under `namespaces` below
annotations = {
team = "development"
}
namespaces = {
default = {
# Provides access to an existing namespace
create = false
}
development = {
labels = {
projectName = "project-awesome",
}
resource_quota = {
hard = {
"requests.cpu" = "1000m",
"requests.memory" = "4Gi",
"limits.cpu" = "2000m",
"limits.memory" = "8Gi",
"pods" = "10",
"secrets" = "10",
"services" = "10"
}
}
limit_range = {
limit = [
{
type = "Pod"
max = {
cpu = "200m"
memory = "1Gi"
}
},
{
type = "PersistentVolumeClaim"
min = {
storage = "24M"
}
},
{
type = "Container"
default = {
cpu = "50m"
memory = "24Mi"
}
}
]
}
network_policy = {
pod_selector = {
match_expressions = [{
key = "name"
operator = "In"
values = ["webfront", "api"]
}]
}
ingress = [{
ports = [
{
port = "http"
protocol = "TCP"
},
{
port = "53"
protocol = "TCP"
},
{
port = "53"
protocol = "UDP"
}
]
from = [
{
namespace_selector = {
match_labels = {
name = "default"
}
}
},
{
ip_block = {
cidr = "10.0.0.0/8"
except = [
"10.0.0.0/24",
"10.0.1.0/24",
]
}
}
]
}]
egress = [] # single empty rule to allow all egress traffic
policy_types = ["Ingress", "Egress"]
}
}
}
tags = {
Environment = "dev"
}
}You can utilize a module level for_each to create multiple teams with the same configuration, and even allow some of those values to be defaults that can be overridden.
module "development_team" {
source = "aws-ia/eks-blueprints-teams/aws"
for_each = {
one = {
# Add any additional variables here and update definition below to use
users = ["arn:aws:iam::012345678901:role/developers-one"]
}
two = {
users = ["arn:aws:iam::012345678901:role/developers-two"]
}
three = {
users = ["arn:aws:iam::012345678901:role/developers-three"]
}
}
name = "${each.key}-team"
users = each.value.users
cluster_arn = "arn:aws:eks:us-west-2:012345678901:cluster/my-cluster"
oidc_provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
# Labels applied to all Kubernetes resources
# More specific labels can be applied to individual resources under `namespaces` below
labels = {
team = each.key
}
# Annotations applied to all Kubernetes resources
# More specific labels can be applied to individual resources under `namespaces` below
annotations = {
team = each.key
}
namespaces = {
(each.key) = {
labels = {
projectName = "project-awesome",
}
resource_quota = {
hard = {
"requests.cpu" = "1000m",
"requests.memory" = "4Gi",
"limits.cpu" = "2000m",
"limits.memory" = "8Gi",
"pods" = "10",
"secrets" = "10",
"services" = "10"
}
}
limit_range = {
limit = [
{
type = "Pod"
max = {
cpu = "200m"
memory = "1Gi"
}
},
{
type = "PersistentVolumeClaim"
min = {
storage = "24M"
}
},
{
type = "Container"
default = {
cpu = "50m"
memory = "24Mi"
}
}
]
}
}
}
tags = {
Environment = "dev"
}
}| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.47 |
| kubernetes | >= 2.17 |
| Name | Version |
|---|---|
| aws | >= 4.47 |
| kubernetes | >= 2.17 |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.admin | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.this | resource |
| kubernetes_cluster_role_binding_v1.this | resource |
| kubernetes_cluster_role_v1.this | resource |
| kubernetes_limit_range_v1.this | resource |
| kubernetes_namespace_v1.this | resource |
| kubernetes_network_policy_v1.this | resource |
| kubernetes_resource_quota_v1.this | resource |
| kubernetes_role_binding_v1.this | resource |
| kubernetes_secret_v1.service_account_token | resource |
| kubernetes_service_account_v1.this | resource |
| aws_iam_policy_document.admin | data source |
| aws_iam_policy_document.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_policy_name | Name to use on admin IAM policy created | string |
"" |
no |
| annotations | A map of Kubernetes annotations to add to all resources | map(string) |
{} |
no |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster | string |
"" |
no |
| cluster_role_name | Name to use on Kubernetes cluster role created | string |
"" |
no |
| create_cluster_role | Determines whether a Kubernetes cluster role is created | bool |
true |
no |
| create_iam_role | Determines whether an IAM role is created or to use an existing IAM role | bool |
true |
no |
| create_role | Determines whether a Kubernetes role is created. Note: the role created is a cluster role but its bound to only namespaced role bindings | bool |
true |
no |
| enable_admin | Determines whether an IAM role policy is created to grant admin access to the Kubernetes cluster | bool |
false |
no |
| iam_role_arn | Existing IAM role ARN for the node group. Required if create_iam_role is set to false |
string |
null |
no |
| iam_role_description | Description of the role | string |
null |
no |
| iam_role_max_session_duration | Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | number |
null |
no |
| iam_role_name | Name to use on IAM role created | string |
null |
no |
| iam_role_path | IAM role path | string |
null |
no |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string |
null |
no |
| iam_role_policies | IAM policies to be added to the IAM role created | map(string) |
{} |
no |
| iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix |
bool |
true |
no |
| labels | A map of Kubernetes labels to add to all resources | map(string) |
{} |
no |
| name | A common name used across resources created unless a more specific resource name is provdied | string |
"" |
no |
| namespaces | A map of Kubernetes namespace definitions to create | any |
{} |
no |
| oidc_provider_arn | ARN of the OIDC provider created by the EKS cluster | string |
"" |
no |
| principal_arns | A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. Reference | list(string) |
[] |
no |
| role_name | Name to use on Kubernetes role created | string |
"" |
no |
| tags | A map of tags to add to all AWS resources | map(string) |
{} |
no |
| users | A list of IAM user and/or role ARNs that can assume the IAM role created | list(string) |
[] |
no |
| Name | Description |
|---|---|
| aws_auth_configmap_role | Dictionary containing the necessary details for adding the role created to the aws-auth configmap |
| iam_role_arn | The Amazon Resource Name (ARN) specifying the IAM role |
| iam_role_name | The name of the IAM role |
| iam_role_unique_id | Stable and unique string identifying the IAM role |
| namespaces | Map of Kubernetes namespaces created and their attributes |
| rbac_group | The name of the Kubernetes RBAC group |
Apache-2.0 Licensed. See LICENSE