feat(sync): sync universal-addon changes

.github/workflows/cache-warmup.yaml

@@ -0,0 +1,45 @@
+name: Cache Warmup
+
+on:
+  push:
+    branches:
+      - main # caches from the main branch are shared with all other branches and pull requests
+
+permissions: {}
+
+env:
+  # renovate: datasource=github-releases depName=asdf-vm/asdf
+  ASDF_VERSION: 0.18.0
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup ASDF
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
+        with:
+          asdf_version: ${{ env.ASDF_VERSION }}
+
+      - name: Cache ASDF
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        id: asdf-cache
+        with:
+          # https://github.com/asdf-vm/asdf/blob/master/.gitignore
+          path: |
+            ~/.asdf/installs
+            ~/.asdf/plugins
+            ~/.asdf/shims
+            ~/.cache/pip
+          key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-warmup
+          restore-keys: ${{ runner.os }}-asdf-
+
+      - name: Install ASDF
+        uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
+        if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }}
+        with:
+          asdf_version: ${{ env.ASDF_VERSION }}

.github/workflows/pre-commit.yaml

@@ -16,7 +16,7 @@ concurrency:
 
 env:
   # renovate: datasource=github-releases depName=asdf-vm/asdf
-  ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret
+  ASDF_VERSION: 0.18.0
 
 jobs:
   pre-commit:
@@ -28,7 +28,9 @@ jobs:
           persist-credentials: false
 
       - name: Setup ASDF
-        uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
+        with:
+          asdf_version: ${{ env.ASDF_VERSION }}
 
       - name: Cache ASDF
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
@@ -39,27 +41,20 @@ jobs:
             ~/.asdf/installs
             ~/.asdf/plugins
             ~/.asdf/shims
+            ~/.cache/pip
           key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}
-          restore-keys: ${{ runner.os }}-asdf-
+          restore-keys: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-
 
       - name: Install ASDF
-        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+        uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0
         if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }}
         with:
-          asdf_branch: ${{ env.ASDF_VERSION }}
+          asdf_version: ${{ env.ASDF_VERSION }}
 
       - name: Reshim installed ASDF tools
         shell: bash
         run: asdf reshim
 
-      - name: Cache pip
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: ~/.cache/pip/
-          key: ${{ runner.os }}-pip-${{ hashFiles('.pre-commit-config.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
       - name: Run pre-commit
         run: pre-commit run --show-diff-on-failure --color=always --all-files
         env:

.github/workflows/validate.yaml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Extract Terraform min/max versions
         id: terraform-min-max
-        uses: clowdhaus/terraform-min-max@f489335873df04c3ce04b5e73f385a726d910039 # v1.3.2
+        uses: clowdhaus/terraform-min-max@503e88c41953f537fc2b283a310c85e0a2cd585c # v1.4.0
         with:
           directory: .
     outputs:

.pre-commit-config.yaml

@@ -40,7 +40,7 @@ repos:
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform
-    rev: 55d0143972eec4905fdaea2f444f1e88218f9dce # v1.96.3 # pragma: allowlist secret
+    rev: 2f8bda194a420ad77a050a9de627d77a74841fdc # v1.99.4 # pragma: allowlist secret
     hooks:
       - id: terraform_docs # should be run after luactl sync
         args:
@@ -56,6 +56,6 @@ repos:
 
   - repo: https://github.com/woodruffw/zizmor-pre-commit
     # renovate: datasource=github-releases depName=woodruffw/zizmor-pre-commit
-    rev: 07a06156e31897fbb5ba0e22a961e8e3c2a0677b # v1.16.0 # pragma: allowlist secret
+    rev: 69fa534d69454f44ddd4451b5e2da7a1c48e525b # v1.11.0 # pragma: allowlist secret
     hooks:
       - id: zizmor

.tool-versions

@@ -1,7 +1,6 @@
 terraform 1.5.7
 terraform-docs 0.20.0
 tflint 0.50.3
-checkov 3.2.352
-awscli 2.27.42
+checkov 3.2.447
+awscli 2.27.49
 pre-commit 4.2.0
-python 3.13.5

addon-irsa.tf

@@ -2,7 +2,7 @@
 module "addon-irsa" {
   for_each = local.addon_irsa
 
-  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.22"
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.23"
 
   enabled = var.enabled
 
@@ -19,6 +19,8 @@ module "addon-irsa" {
   irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : lookup(each.value, "irsa_role_name_prefix", "${local.addon.name}-irsa")
   irsa_role_name        = var.irsa_role_name != null ? var.irsa_role_name : lookup(each.value, "irsa_role_name", local.addon_name)
 
+  irsa_role_additional_trust_policies = var.irsa_role_additional_trust_policies != null ? var.irsa_role_additional_trust_policies : lookup(each.value, "irsa_role_additional_trust_policies", null)
+
   irsa_policy_enabled       = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : lookup(each.value, "irsa_policy_enabled", null)
   irsa_policy               = var.irsa_policy != null ? var.irsa_policy : lookup(each.value, "irsa_policy", null)
   irsa_assume_role_enabled  = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : lookup(each.value, "irsa_assume_role_enabled", null)
@@ -38,6 +40,8 @@ module "addon-irsa" {
   pod_identity_role_name_prefix = var.pod_identity_role_name_prefix != null ? var.pod_identity_role_name_prefix : lookup(each.value, "pod_identity_role_name_prefix", "${local.addon.name}-pi")
   pod_identity_role_name        = var.pod_identity_role_name != null ? var.pod_identity_role_name : lookup(each.value, "pod_identity_role_name", local.addon_name)
 
+  pod_identity_role_additional_trust_policies = var.pod_identity_role_additional_trust_policies != null ? var.pod_identity_role_additional_trust_policies : lookup(each.value, "pod_identity_role_additional_trust_policies", null)
+
   pod_identity_policy_enabled       = var.pod_identity_policy_enabled != null ? var.pod_identity_policy_enabled : lookup(each.value, "pod_identity_policy_enabled", null)
   pod_identity_policy               = var.pod_identity_policy != null ? var.pod_identity_policy : lookup(each.value, "pod_identity_policy", null)
   pod_identity_permissions_boundary = var.pod_identity_permissions_boundary != null ? var.pod_identity_permissions_boundary : lookup(each.value, "pod_identity_permissions_boundary", null)

addon.tf

@@ -11,7 +11,7 @@ locals {
 }
 
 module "addon" {
-  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.22"
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.23"
 
   enabled = var.enabled
 

examples/basic/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.5.0"
+  required_version = "~> 1.5.0"
 
   required_providers {
     aws = {

variables-addon-irsa.tf

@@ -54,6 +54,12 @@ variable "irsa_role_name" {
   description = "IRSA role name. The value is prefixed by `irsa_role_name_prefix`. Either `irsa_role_name` or `irsa_role_name_prefix` must be set. Defaults to `\"\"`."
 }
 
+variable "irsa_role_additional_trust_policies" {
+  type        = map(any)
+  default     = null
+  description = "Map of additional trust policy statements to attach to the IRSA role where map key is a statement SID and value is a statement object. Defaults to `{}`."
+}
+
 variable "irsa_policy_enabled" {
   type        = bool
   default     = null
@@ -111,13 +117,13 @@ variable "irsa_assume_role_policy_condition_values" {
 variable "cluster_name" {
   type        = string
   default     = null
-  description = "The name of the cluster (required for pod identity). Defaults to `\"\"`."
+  description = "The name of the cluster (required for Pod Identity). Defaults to `\"\"`."
 }
 
 variable "pod_identity_role_create" {
   type        = bool
   default     = null
-  description = "Whether to create pod identity role and annotate Service Account. Defaults to `false`."
+  description = "Whether to create Pod Identity role and annotate Service Account. Defaults to `false`."
 }
 
 variable "pod_identity_role_name_prefix" {
@@ -132,6 +138,12 @@ variable "pod_identity_role_name" {
   description = "Pod identity role name. The value is prefixed by `pod_identity_role_name_prefix`. Either `pod_identity_role_name` or `pod_identity_role_name_prefix` must be set. Defaults to `\"\"`."
 }
 
+variable "pod_identity_role_additional_trust_policies" {
+  type        = map(any)
+  default     = null
+  description = "Additional trust policy statements to attach to the Pod Identity role where map key is a statement SID and value is a statement object. Defaults to `{}`."
+}
+
 variable "pod_identity_policy_enabled" {
   type        = bool
   default     = null
@@ -141,19 +153,19 @@ variable "pod_identity_policy_enabled" {
 variable "pod_identity_policy" {
   type        = string
   default     = null
-  description = "AWS IAM policy JSON document to be attached to the pod identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`."
+  description = "AWS IAM policy JSON document to be attached to the Pod Identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`."
 }
 
 variable "pod_identity_permissions_boundary" {
   type        = string
   default     = null
-  description = "ARN of the policy that is used to set the permissions boundary for the pod identity role. Defaults to `null`."
+  description = "ARN of the policy that is used to set the permissions boundary for the Pod Identity role. Defaults to `null`."
 }
 
 variable "pod_identity_additional_policies" {
   type        = map(string)
   default     = null
-  description = "Map of the additional policies to be attached to pod identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+  description = "Map of the additional policies to be attached to Pod Identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
 }
 
 variable "pod_identity_tags" {

variables-addon.tf

@@ -105,7 +105,7 @@ variable "argo_helm_wait_backoff_limit" {
 variable "argo_helm_wait_kubectl_version" {
   type        = string
   default     = null
-  description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.0`."
+  description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`."
 }
 
 variable "argo_source_type" {

versions.tf

@@ -1,6 +1,6 @@
 # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
 terraform {
-  required_version = ">= 1.5.0"
+  required_version = "~> 1.5.0"
 
   required_providers {
     aws = {