EKS Hybrid Node Role Module

Terraform module which creates IAM role and policy resources for Amazon EKS Hybrid Node(s).

Usage

EKS Hybrid nodes use the AWS IAM Authenticator and temporary IAM credentials provisioned by AWS SSM or AWS IAM Roles Anywhere to authenticate with the EKS cluster. This module supports both SSM and IAM Roles Anywhere based IAM permissions.

SSM

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  ...
  access_entries = {
    hybrid-node-role = {
      principal_arn = module.eks_hybrid_node_role.arn
      type          = "HYBRID_LINUX"
    }
  }
}

module "eks_hybrid_node_role" {
  source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"

  name = "hybrid"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

IAM Roles Anywhere

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  ...
  access_entries = {
    hybrid-node-role = {
      principal_arn = module.eks_hybrid_node_role.arn
      type          = "HYBRID_LINUX"
    }
  }
}

module "eks_hybrid_node_role" {
  source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"

  name = "hybrid-ira"

  enable_ira = true

  ira_trust_anchor_source_type           = "CERTIFICATE_BUNDLE"
  ira_trust_anchor_x509_certificate_data = <<-EOT
    MIIFMzCCAxugAwIBAgIRAMnVXU7ncv/+Cl16eJbZ9hswDQYJKoZIhvcNAQELBQAw
    ...
    MGx/BMRkrNUVcg3xA0lhECo/olodCkmZo5/mjybbjFQwJzDSKFoW
  EOT

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

Requirements

Name	Version
terraform	>= 1.3.2
aws	>= 5.95

Providers

Name	Version
aws	>= 5.95

Modules

No modules.

Resources

Name	Type
aws_iam_policy.intermediate	resource
aws_iam_policy.this	resource
aws_iam_role.intermediate	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.intermediate	resource
aws_iam_role_policy_attachment.this	resource
aws_rolesanywhere_profile.this	resource
aws_rolesanywhere_trust_anchor.this	resource
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.intermediate	data source
aws_iam_policy_document.intermediate_assume_role	data source
aws_iam_policy_document.this	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
cluster_arns	List of EKS cluster ARNs to allow the node to describe	list(string)	[ "*" ]	no
create	Controls if resources should be created (affects nearly all resources)	bool	true	no
description	IAM role description	string	"EKS Hybrid Node IAM role"	no
enable_ira	Enables IAM Roles Anywhere based IAM permissions on the node	bool	false	no
enable_pod_identity	Enables EKS Pod Identity based IAM permissions on the node	bool	true	no
intermediate_policy_name	Name of the IAM policy	string	null	no
intermediate_policy_statements	A list of IAM policy statements - used for adding specific IAM permissions as needed	any	[]	no
intermediate_policy_use_name_prefix	Determines whether the name of the IAM policy (intermediate_policy_name) is used as a prefix	bool	true	no
intermediate_role_description	IAM role description	string	"EKS Hybrid Node IAM Roles Anywhere intermediate IAM role"	no
intermediate_role_name	Name of the IAM role	string	null	no
intermediate_role_path	Path of the IAM role	string	"/"	no
intermediate_role_policies	Policies to attach to the IAM role in {'static_name' = 'policy_arn'} format	map(string)	{}	no
intermediate_role_use_name_prefix	Determines whether the name of the IAM role (intermediate_role_name) is used as a prefix	bool	true	no
ira_profile_duration_seconds	The number of seconds the vended session credentials are valid for. Defaults to 3600	number	null	no
ira_profile_managed_policy_arns	A list of managed policy ARNs that apply to the vended session credentials	list(string)	[]	no
ira_profile_name	Name of the Roles Anywhere profile	string	null	no
ira_profile_require_instance_properties	Specifies whether instance properties are required in CreateSession requests with this profile	bool	null	no
ira_profile_session_policy	A session policy that applies to the trust boundary of the vended session credentials	string	null	no
ira_trust_anchor_acm_pca_arn	The ARN of the ACM PCA that issued the trust anchor certificate	string	null	no
ira_trust_anchor_name	Name of the Roles Anywhere trust anchor	string	null	no
ira_trust_anchor_notification_settings	Notification settings for the trust anchor	any	[]	no
ira_trust_anchor_source_type	The source type of the trust anchor	string	null	no
ira_trust_anchor_x509_certificate_data	The X.509 certificate data of the trust anchor	string	null	no
max_session_duration	Maximum API session duration in seconds between 3600 and 43200	number	null	no
name	Name of the IAM role	string	"EKSHybridNode"	no
path	Path of the IAM role	string	"/"	no
permissions_boundary_arn	Permissions boundary ARN to use for the IAM role	string	null	no
policies	Policies to attach to the IAM role in {'static_name' = 'policy_arn'} format	map(string)	{}	no
policy_description	IAM policy description	string	"EKS Hybrid Node IAM role policy"	no
policy_name	Name of the IAM policy	string	"EKSHybridNode"	no
policy_path	Path of the IAM policy	string	"/"	no
policy_statements	A list of IAM policy statements - used for adding specific IAM permissions as needed	any	[]	no
policy_use_name_prefix	Determines whether the name of the IAM policy (policy_name) is used as a prefix	bool	true	no
tags	A map of additional tags to add the the IAM role	map(any)	{}	no
trust_anchor_arns	List of IAM Roles Anywhere trust anchor ARNs. Required if enable_ira is set to true	list(string)	[]	no
use_name_prefix	Determines whether the name of the IAM role (name) is used as a prefix	bool	true	no

Outputs

Name	Description
arn	The Amazon Resource Name (ARN) specifying the node IAM role
intermediate_role_arn	The Amazon Resource Name (ARN) specifying the node IAM role
intermediate_role_name	The name of the node IAM role
intermediate_role_unique_id	Stable and unique string identifying the node IAM role
name	The name of the node IAM role
unique_id	Stable and unique string identifying the node IAM role