Resource: aws_eks_addon

Manages an EKS add-on.

Example Usage

resource "aws_eks_addon" "example" {
  cluster_name = aws_eks_cluster.example.name
  addon_name   = "vpc-cni"
}

Example update of an add-on using resolve_conflicts_on_update with PRESERVE

Setting resolve_conflicts_on_update to PRESERVE retains configuration changes that were applied to the add-on out of band with kubectl while upgrading to a newer version of the add-on. With OVERWRITE, EKS resets such changed fields to the add-on defaults during the update, and with NONE the update fails if a conflicting change exists.

resource "aws_eks_addon" "example" {
  cluster_name                = aws_eks_cluster.example.name
  addon_name                  = "coredns"
  addon_version               = "v1.10.1-eksbuild.1" # e.g., upgrading from v1.9.3-eksbuild.3 to v1.10.1-eksbuild.1
  resolve_conflicts_on_update = "PRESERVE"
}

Example add-on usage with custom configuration_values

Custom add-on configuration can be passed using configuration_values as a single JSON string while creating or updating the add-on.

The JSON schema that each add-on version accepts can be retrieved with the describe-addon-configuration CLI call. The example below retrieves the configuration_values schema for coredns.

aws eks describe-addon-configuration \
 --addon-name coredns \
 --addon-version v1.10.1-eksbuild.1
 
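The CLI prints the schema as a JSON string in the configurationSchema field. The following script, an added example that is not part of the provider docs or of the provider, loads that schema and checks a candidate configuration_values document against it locally, so unknown keys and wrong value types are caught before terraform apply instead of surfacing as a failed add-on create or update. The embedded CLI output and schema are a constructed, trimmed sample shaped like the coredns schema, not a real response; the helper names (load_schema, validate_configuration_values) are this example's own.

```python
"""Validate aws_eks_addon configuration_values against an add-on schema.

Added example, not part of the Terraform AWS provider or its docs. The
schema below is a constructed sample modeled on the coredns one; use the
output of `aws eks describe-addon-configuration` for the real thing.
"""
import json

# Constructed sample of the describe-addon-configuration output (trimmed).
_QUANTITIES = {"type": "object", "additionalProperties": False,
               "properties": {"cpu": {"type": "string"}, "memory": {"type": "string"}}}
DESCRIBE_ADDON_CONFIGURATION_OUTPUT = json.dumps({
    "addonName": "coredns",
    "addonVersion": "v1.10.1-eksbuild.1",
    "configurationSchema": json.dumps({
        "$schema": "http://json-schema.org/draft-06/schema#",
        "type": "object",
        "additionalProperties": False,
        "properties": {
            "replicaCount": {"type": "integer"},
            "computeType": {"type": "string"},
            "resources": {"type": "object", "additionalProperties": False,
                          "properties": {"limits": _QUANTITIES, "requests": _QUANTITIES}},
        },
    }),
})

_JSON_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
               "number": (int, float), "boolean": bool, "null": type(None)}


def _matches_type(value, json_type):
    if json_type in ("integer", "number") and isinstance(value, bool):
        return False  # bool subclasses int in Python, but JSON true is not a number
    return isinstance(value, _JSON_TYPES[json_type])


def _check(value, schema, path, errors):
    """Check value against the JSON Schema subset the add-on schemas use:
    type, properties, additionalProperties, items and enum."""
    label = path or "$"
    allowed = schema.get("type")
    if allowed:
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if not any(_matches_type(value, t) for t in allowed):
            errors.append(f"{label}: expected {'/'.join(allowed)}, got {type(value).__name__}")
            return
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{label}: {value!r} not one of {schema['enum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if key in props:
                _check(child, props[key], child_path, errors)
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{child_path}: unknown key, not in schema")
    elif isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            _check(item, schema["items"], f"{path}[{i}]", errors)


def load_schema(describe_output: str) -> dict:
    """Pull the JSON schema out of describe-addon-configuration output."""
    return json.loads(json.loads(describe_output)["configurationSchema"])


def validate_configuration_values(config_values: str, schema: dict) -> list:
    """Return the problems found; an empty list means the document fits the schema."""
    try:
        doc = json.loads(config_values)
    except json.JSONDecodeError as exc:
        return [f"$: configuration_values is not valid JSON: {exc}"]
    errors = []
    _check(doc, schema, "", errors)
    return errors


# The page's example, as the JSON string jsonencode() produces.
GOOD_VALUES = json.dumps({"replicaCount": 4, "resources": {
    "limits": {"cpu": "100m", "memory": "150Mi"},
    "requests": {"cpu": "100m", "memory": "150Mi"}}})
# Two typical mistakes: a key the add-on does not accept, and a bare number
# where Kubernetes expects a quantity string such as "100m".
BAD_VALUES = json.dumps({"replicas": 4, "resources": {"limits": {"cpu": 100}}})

if __name__ == "__main__":
    schema = load_schema(DESCRIBE_ADDON_CONFIGURATION_OUTPUT)
    for name, values in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(name, validate_configuration_values(values, schema) or "OK")
```

To use it against a real cluster, save the CLI output to a file, pass its contents to load_schema, and feed it the same string you give configuration_values; only keys present in the returned schema are accepted by EKS.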

Example to create a coredns managed addon with custom configuration_values.

resource "aws_eks_addon" "example" {
  cluster_name                = "mycluster"
  addon_name                  = "coredns"
  addon_version               = "v1.10.1-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"

  configuration_values = jsonencode({
    replicaCount = 4
    resources = {
      limits = {
        cpu    = "100m"
        memory = "150Mi"
      }
      requests = {
        cpu    = "100m"
        memory = "150Mi"
      }
    }
  })
}

Example IAM Role for EKS Addon "vpc-cni" with AWS managed policy

resource "aws_eks_cluster" "example" {
  # ... other configuration ...
}

data "tls_certificate" "example" {
  url = aws_eks_cluster.example.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "example" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.example.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.example.identity[0].oidc[0].issuer
}

data "aws_iam_policy_document" "example_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.example.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }

    principals {
      identifiers = [aws_iam_openid_connect_provider.example.arn]
      type        = "Federated"
    }
  }
}

resource "aws_iam_role" "example" {
  assume_role_policy = data.aws_iam_policy_document.example_assume_role_policy.json
  name               = "example-vpc-cni-role"
}

resource "aws_iam_role_policy_attachment" "example" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  role       = aws_iam_role.example.name
}

Argument Reference

The following arguments are required:

The following arguments are optional:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Timeouts

Configuration options:

Import

In Terraform v1.5.0 and later, use an import block to import an EKS add-on using the cluster_name and addon_name separated by a colon (:). For example:

import {
  to = aws_eks_addon.my_eks_addon
  id = "my_cluster_name:my_addon_name"
}

Using terraform import, import an EKS add-on using the cluster_name and addon_name separated by a colon (:). For example:

% terraform import aws_eks_addon.my_eks_addon my_cluster_name:my_addon_name