Skip to content

Instantly share code, notes, and snippets.

@todd-dsm

todd-dsm/eks-addons.tf

Created July 15, 2025 15:51
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save todd-dsm/55fe0228ee987f32f0a2eec37607fca2 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save todd-dsm/55fe0228ee987f32f0a2eec37607fca2 to your computer and use it in GitHub Desktop.
Download ZIP
This is a robust example but - it WILL fail. Likely better to add this on as a second layer over the infrastructure. Experiments pending...
Raw
eks-addons.tf
########################################################################################################################
# EKS Addons
# VER: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/releases
# TFR: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons#usage
# GHR: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/99520ae0125df7b24163e14cf4eba2c96fcf14bd/docs/amazon-eks-addons.md#configuration-values
########################################################################################################################
module "eks_blueprints_addons" {
source = "aws-ia/eks-blueprints-addons/aws"
version = "~> 1.21.0"
# Any addon from this page can be added to the below block
# https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html#workloads-add-ons-available-eks
eks_addons = {
aws-ebs-csi-driver = {
most_recent = true
service_account_role_arn = module.ebs_csi_driver_irsa.iam_role_arn
resolve_conflicts_on_create = "OVERWRITE"
}
coredns = {
most_recent = true
resolve_conflicts_on_create = "OVERWRITE"
}
kube-proxy = {
most_recent = true
resolve_conflicts_on_create = "OVERWRITE"
}
vpc-cni = {
most_recent = true
service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
before_compute = true
configuration_values = jsonencode({
env = {
ENABLE_PREFIX_DELEGATION = "true"
WARM_PREFIX_TARGET = "1"
}
})
}
snapshot-controller = {
most_recent = true
resolve_conflicts_on_create = "OVERWRITE"
}
}
eks_addons_timeouts = {
create = "7m"
update = "1m"
delete = "1m"
}
######################################################################################################################
# Auto-Scaling
# Versions: https://github.com/aws/karpenter-provider-aws/releases
# karpenter: https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/
# AWS Samples: https://github.com/aws-samples/karpenter-blueprints/blob/main/cluster/terraform/karpenter.tf
# --------------------------------------------------------------------------------------------------------------------
enable_karpenter = true
karpenter_enable_spot_termination = true
karpenter_enable_instance_profile_creation = true
karpenter = {
#chart_version = "1.0.1" # TF fails if this is set
irsa_tag_key = "aws:ResourceTag/kubernetes.io/cluster/${local.name}"
irsa_tag_value = ["*"]
values = [
file("${path.module}/addons/karpenter/helm-values.yaml")
]
}
karpenter_node = {
iam_role_use_name_prefix = false
}
# # KEDA ---------------------------------------------------------------------------------------------------------------
# # Charts: https://github.com/kedacore/charts/releases
# # Config: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/issues/245#issuecomment-1729329835
# helm_releases = {
# keda = {
# chart = "keda"
# chart_version = "2.13.0"
# repository = "https://kedacore.github.io/charts"
# description = "Keda Helm chart deployment"
# namespace = "keda"
# create_namespace = true
# }
# }
#enable_cluster_proportional_autoscaler = false # horizontal "pod" autoscaler; KEDA REPLACES HPA
######################################################################################################################
# Rollouts
# Connect: kubectl -n argocd port-forward svc/argo-cd-argocd-server 8080:80
# --------------------------------------------------------------------------------------------------------------------
enable_argocd = true
# Pinned to the latest Helm chart version
# https://github.com/argoproj/argo-helm/releases
argocd = {
chart_version = "7.5.1"
repository = "https://argoproj.github.io/argo-helm"
namespace = "argocd"
#values = [templatefile("${path.module}/addons/argocd/values.yaml", {})]
}
# enable_argo_rollouts = true
# enable_argo_events = true
# enable_argo_workflows = true
######################################################################################################################
# Cluster Security Policies
# --------------------------------------------------------------------------------------------------------------------
# enable_kyverno = true
# CertManager
# enable_cert_manager = true
# # https://github.com/cert-manager/aws-privateca-issuer
# enable_aws_privateca_issuer = true
######################################################################################################################
# System Support
# --------------------------------------------------------------------------------------------------------------------
enable_metrics_server = true
# AWS
# enable_kube_prometheus_stack = true
# kube_prometheus_stack = {
# name = "kube-prometheus-stack"
# chart_version = "51.2.0"
# repository = "https://prometheus-community.github.io/helm-charts"
# namespace = "kube-prometheus-stack"
# values = [templatefile("${path.module}/values.yaml", {})]
# }
######################################################################################################################
# AWS Drivers
# --------------------------------------------------------------------------------------------------------------------
enable_aws_load_balancer_controller = true
######################################################################################################################
# Storage: Secrets and Volumes
# --------------------------------------------------------------------------------------------------------------------
# Adding support for Lustre Volumes
# enable_aws_fsx_csi_driver = true
# Adding support for Kubernetes Secrets Management
# enable_secrets_store_csi_driver = true
# enable_secrets_store_csi_driver_provider_aws = true # see docs/storage for more configuration support
# enable_external_secrets = false
# Further configuration support is here:
# https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/99520ae0125df7b24163e14cf4eba2c96fcf14bd/docs/addons/secrets-store-csi-driver-provider-aws.md
######################################################################################################################
# cert-manager
# tf state show data.aws_route53_zone.selected (for details)
# --------------------------------------------------------------------------------------------------------------------
#enable_cert_manager = true
#enable_aws_privateca_issuer = true
#cert_manager_route53_hosted_zone_arns = [data.aws_route53_zone.selected.arn]
#helm_releases = {
# cert-manager-csi-driver = {
# description = "Cert Manager CSI Driver Add-on"
# chart = "cert-manager-csi-driver"
# namespace = "cert-manager"
# create_namespace = true
# chart_version = "v0.5.0"
# repository = "https://charts.jetstack.io"
# }
#}
#enable_aws_privateca_issuer = true
#aws_privateca_issuer = {
# acmca_arn = aws_acmpca_certificate_authority.this.arn
# namespace = "aws-privateca-issuer"
# create_namespace = true
#}
######################################################################################################################
# Vendor Addons
# Any add-ons from "independent software vendors" on the [Amazon EKS add-ons] page can be added like ExternalDNS.
# https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html#workloads-add-ons-available-vendors
# However, any program supported by a Helm Chart should be deployable via helm_releases block, like:
# https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/issues/245#issuecomment-1729329835
# Versions: https://kubernetes-sigs.github.io/external-dns/latest/charts/external-dns/#installing-the-chart
######################################################################################################################
# ExternalDNS
# tf state show data.aws_route53_zone.selected (for details)
# --------------------------------------------------------------------------------------------------------------------
enable_external_dns = true
external_dns_route53_zone_arns = [data.aws_route53_zone.selected.arn]
external_dns = {
chart = "external-dns"
repository = "https://kubernetes-sigs.github.io/external-dns/"
role_name = var.xdns-sa-name
create_namespace = false
namespace = "kube-system"
reuse_values = true
values = [
"provider: aws",
"txtOwnerId: ${data.aws_route53_zone.selected.zone_id}",
"domainFilters: [${data.aws_route53_zone.selected.name}]",
"policy: sync",
"sources: [service, ingress]"
]
#values = [templatefile("${path.module}/addons/eks/xdns/values.yaml", {})]
}
# Cluster COMMs
cluster_name = module.eks.cluster_name
cluster_endpoint = module.eks.cluster_endpoint
cluster_version = module.eks.cluster_version
oidc_provider_arn = module.eks.oidc_provider_arn
}
########################################################################################################################
# IRSAs to Support EKS Addons
# VER: https://github.com/terraform-aws-modules/terraform-aws-iam/releases
# TFR: https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-role-for-service-accounts-eks
# Supported: https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts-eks
# DOC: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
# EXs: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/7825816ce6cb6a2838c0978b629868d24358f5aa/README.md
# ######################################################################################################################
# Networking
# The Amazon EBS CSI driver
# https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/tests/complete/main.tf#L323-L339
# ----------------------------------------------------------------------------------------------------------------------
module "vpc_cni_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.58.0"
role_name_prefix = "${local.name}-vpc-cni-"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-node"]
}
}
tags = {
Name = "vpc-cni-irsa"
}
}
# ######################################################################################################################
# STORAGE
# The Amazon EBS CSI driver
# https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/0e9d6c9b7115ecf0404c377c9c2529bffa56d10d/tests/complete/main.tf#L323-L339
# ----------------------------------------------------------------------------------------------------------------------
module "ebs_csi_driver_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.58.0"
role_name_prefix = "${local.name}-ebs-csi-driver-"
attach_ebs_csi_policy = true
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
}
}
tags = {
Name = "ebs-csi-controller-sa"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment