feat(iam): add Pod Identity support to cert-manager and external-dns modules #409
Merged
…modules
Add identity_mode variable ('irsa' default | 'pod_identity') to both modules.
Pod Identity mode creates a native aws_iam_role with pods.eks.amazonaws.com trust
and aws_eks_pod_identity_association resources instead of the OIDC community module.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use one(resource[*].attr) instead of resource[0].attr in for_each bodies and outputs to avoid plan errors when count = 0
- Make aws_iam_openid_connect_provider_arn optional (default null) with cross-variable validation requiring it only for irsa mode
- Add destructive mode-switch warning to identity_mode description
- Add mode-exclusivity test assertions (irsa/pod_identity resources must not coexist) and output ARN assertions in both modules
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…refactor
Consumers upgrading from a version where the IRSA submodule had no count would see destroy+recreate of the IAM role without these moved blocks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… aws_identity_mode=pod_identity
Add aws_identity_mode variable (irsa|pod_identity, default irsa). In pod_identity mode the eks.amazonaws.com/role-arn annotation is omitted from the cert-manager service account — EKS Pod Identity injects credentials via the agent instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… aws_identity_mode=pod_identity
Add aws_identity_mode variable (irsa|pod_identity, default irsa). In pod_identity mode the eks.amazonaws.com/role-arn annotation is omitted from the external-dns service account — EKS Pod Identity injects credentials via the agent instead. Validated with tofu validate (tofu test disabled for AWS provider due to preexisting OCI eager-evaluation bug in locals.tf; commented test added for when the bug is fixed).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add policy attachment count + role assertions to creates_pod_identity_role
- Add ARN output value assertion (vs mock ARN, not just != null)
- Add pod_identity_does_not_require_oidc_arn run for both modules
- Clarify moved block comment: IRSA path only, pod_identity has no prior state
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…d external-dns
- Regenerate BEGIN_TF_DOCS sections via terraform-docs (identity_mode/aws_identity_mode now appear in inputs table, aws_iam_openid_connect_provider_arn marked optional, new resources listed)
- Update narrative sections to describe both IRSA and Pod Identity modes
- Add Pod Identity usage examples with correct ref=v4.6.0
- Update AI_METADATA descriptions and feature lists
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace WARNING with Note in identity_mode description: the default 'irsa' is backward compatible with v4.5.x (no state changes on upgrade). Mode-switch note is preserved but scoped to the deliberate irsa<->pod_identity transition. Regenerate README TF docs to reflect updated variable description.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaced fabricated hex values with original hashes from before the PR. These will be stale until the indexing tool reruns — but they are real values, not invented ones.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sebastiancorrea81 approved these changes on Jun 26, 2026
The AWS test file was fully commented out citing an OCI eager-evaluation bug in locals.tf that no longer reproduces. Re-enable it and fix the expect_failures tests to target the terraform_data.provider_validation resource (validation lives in preconditions, not variable validation blocks) and use empty strings instead of null. Add nullable = false to the AWS string variables so an explicit null fails clearly instead of crashing length(). Recovers 9 tests, including aws_pod_identity_omits_role_annotation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
davidf-null approved these changes on Jun 26, 2026
…ernal-dns-pod-identity
# Conflicts:
#	infrastructure/aws/iam/cert_manager/README.md
#	infrastructure/aws/iam/external_dns/README.md
Summary
Changes
Backward compatibility
No breaking changes. Default `identity_mode = "irsa"` preserves the existing behavior. `moved` blocks handle the state address change from the `count` refactor on the community submodule — consumers upgrading from v4.5.x see a no-op plan when keeping the default.
Test plan
🤖 Generated with Claude Code
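The commit messages above describe the shape of the change (an `identity_mode` switch, a native role trusted by `pods.eks.amazonaws.com` plus an `aws_eks_pod_identity_association`, `one()` instead of `[0]` on count-gated resources, and a `moved` block covering the `count` refactor). The following is an added illustration of that pattern written for this page, not code from the PR or from the repository's modules. The IRSA path is reduced to a hypothetical local wrapper (`./modules/irsa`) with assumed inputs, and `policy_arn` is assumed to be a permissions policy created elsewhere; the cross-variable check is expressed as a `terraform_data` precondition, which is one way to do it, not necessarily the PR's.

```hcl
# identity_mode selects how the controller's service account obtains AWS credentials.
variable "identity_mode" {
  type        = string
  default     = "irsa"
  description = "\"irsa\" (OIDC-federated role, default) or \"pod_identity\" (EKS Pod Identity). Note: switching modes replaces the IAM role."
  validation {
    condition     = contains(["irsa", "pod_identity"], var.identity_mode)
    error_message = "identity_mode must be \"irsa\" or \"pod_identity\"."
  }
}

# Only the IRSA path needs the OIDC provider; optional so pod_identity callers need not supply it.
variable "aws_iam_openid_connect_provider_arn" {
  type    = string
  default = null
}

variable "cluster_name" { type = string }
variable "role_name" { type = string }
variable "policy_arn" { type = string } # assumed: permissions policy created outside this module
variable "namespace" {
  type    = string
  default = "cert-manager"
}
variable "service_account" {
  type    = string
  default = "cert-manager"
}

locals {
  use_pod_identity = var.identity_mode == "pod_identity"
}

# Cross-variable check: the OIDC provider ARN is mandatory only in irsa mode.
# A precondition on terraform_data fails the plan; a check block would only warn.
resource "terraform_data" "identity_mode_validation" {
  lifecycle {
    precondition {
      condition     = local.use_pod_identity || var.aws_iam_openid_connect_provider_arn != null
      error_message = "aws_iam_openid_connect_provider_arn is required when identity_mode = \"irsa\"."
    }
  }
}

# IRSA path: the pre-existing OIDC submodule, now gated by count.
# Source and inputs are assumed stand-ins for the real submodule.
module "irsa_role" {
  count             = local.use_pod_identity ? 0 : 1
  source            = "./modules/irsa"
  role_name         = var.role_name
  oidc_provider_arn = var.aws_iam_openid_connect_provider_arn
  namespace         = var.namespace
  service_account   = var.service_account
  policy_arn        = var.policy_arn
}

# Consumers upgrading from a release where the submodule had no count keep
# their role in place: the state address moves from module.irsa_role to
# module.irsa_role[0] instead of destroy+recreate.
moved {
  from = module.irsa_role
  to   = module.irsa_role[0]
}

# Pod Identity path: a native role whose trust policy admits only the EKS
# Pod Identity service principal. No OIDC "sub" condition is needed; scoping
# to a namespace/service account is done by the association below.
data "aws_iam_policy_document" "pod_identity_trust" {
  count = local.use_pod_identity ? 1 : 0
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole", "sts:TagSession"]
    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "pod_identity" {
  count              = local.use_pod_identity ? 1 : 0
  name               = var.role_name
  assume_role_policy = one(data.aws_iam_policy_document.pod_identity_trust[*].json)
}

resource "aws_iam_role_policy_attachment" "pod_identity" {
  count      = local.use_pod_identity ? 1 : 0
  role       = one(aws_iam_role.pod_identity[*].name)
  policy_arn = var.policy_arn
}

# The association binds the role to exactly one namespace + service account;
# the eks.amazonaws.com/role-arn annotation is not used in this mode.
resource "aws_eks_pod_identity_association" "this" {
  count           = local.use_pod_identity ? 1 : 0
  cluster_name    = var.cluster_name
  namespace       = var.namespace
  service_account = var.service_account
  role_arn        = one(aws_iam_role.pod_identity[*].arn)
}

# one() yields null for an empty list, so this evaluates in both modes;
# indexing with [0] would fail at plan time whenever count = 0.
output "role_arn" {
  value = local.use_pod_identity ? one(aws_iam_role.pod_identity[*].arn) : one(module.irsa_role[*].role_arn)
}
```

Two points worth checking when reviewing this kind of change: the trust policy grants `sts:AssumeRole` only to the `pods.eks.amazonaws.com` service principal, so the role is usable solely through an association on the cluster, and every association should name a specific namespace and service account rather than a shared one. The `moved` block protects only the default IRSA path; a deliberate `irsa` to `pod_identity` switch still destroys the OIDC-federated role and creates the native one, which is the mode-switch note the commits refer to.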