
Resource: awsEksAddon

Manages an EKS add-on.

~> Note: Amazon EKS add-ons can only be used with Amazon EKS clusters running Kubernetes version 1.18 with platform version eks.3 or later, because add-ons rely on the Server-side Apply Kubernetes feature, which is only available in Kubernetes 1.18 and later.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.eksAddon.EksAddon(this, "example", {
  addonName: "vpc-cni",
  clusterName: "${aws_eks_cluster.example.name}",
});

Example Update add-on usage with resolveConflicts and PRESERVE

resolveConflicts set to PRESERVE retains configuration changes that were applied to the add-on with kubectl while upgrading to a newer version of the add-on.

~> Note: resolveConflicts with PRESERVE can only be used when upgrading an add-on, not when creating one.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.eksAddon.EksAddon(this, "example", {
  addonName: "coredns",
  addonVersion: "v1.8.7-eksbuild.3",
  clusterName: "${aws_eks_cluster.example.name}",
  resolveConflicts: "PRESERVE",
});

Example add-on usage with custom configurationValues

Custom add-on configuration can be passed using configurationValues as a single JSON string when creating or updating the add-on.

~> Note: configurationValues is a single JSON string that must match the JSON schema for the specific add-on version.

The JSON schema for an add-on version can be retrieved with the describe-addon-configuration call. The example below extracts the configurationValues schema for coredns.

aws eks describe-addon-configuration \
  --addon-name coredns \
  --addon-version v1.8.7-eksbuild.2

Example to create a coredns managed addon with custom configurationValues.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.eksAddon.EksAddon(this, "example", {
  addonName: "coredns",
  addonVersion: "v1.8.7-eksbuild.3",
  clusterName: "mycluster",
  configurationValues:
    '{"replicaCount":4,"resources":{"limits":{"cpu":"100m","memory":"150Mi"},"requests":{"cpu":"100m","memory":"150Mi"}}}',
  resolveConflicts: "OVERWRITE",
});
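EKS rejects a configurationValues string that does not fit the add-on's schema only at apply time. The following added example (not part of the provider docs or the cdktf convert output) checks the values against the configurationSchema field returned by describe-addon-configuration before the string is handed to EksAddon. The schema below is a constructed, trimmed sample for coredns; the real one is larger and should be taken from the CLI output.

```typescript
// Constructed, trimmed sample of the configurationSchema JSON for coredns.
const corednsSchemaSample = JSON.stringify({
  type: "object",
  additionalProperties: false,
  properties: {
    replicaCount: { type: "integer" },
    resources: {
      type: "object",
      additionalProperties: false,
      properties: { limits: { type: "object" }, requests: { type: "object" } },
    },
  },
});

type Schema = { type?: string; additionalProperties?: boolean; properties?: Record<string, Schema> };

// Minimal structural check (integer/object types and unknown keys), recursing into
// nested objects. Returns every problem found; an empty list means the values fit.
function schemaProblems(schema: Schema, value: unknown, path = "$"): string[] {
  const problems: string[] = [];
  const isObj = typeof value === "object" && value !== null && !Array.isArray(value);
  if (schema.type === "integer" && !Number.isInteger(value)) {
    problems.push(`${path}: expected integer`);
  } else if (schema.type === "object" && !isObj) {
    problems.push(`${path}: expected object`);
  }
  if (isObj && schema.properties) {
    for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
      const childSchema = schema.properties[key];
      if (!childSchema) {
        if (schema.additionalProperties === false) problems.push(`${path}.${key}: unknown key`);
        continue;
      }
      problems.push(...schemaProblems(childSchema, child, `${path}.${key}`));
    }
  }
  return problems;
}

// Builds the single-line JSON string EksAddon expects, or throws listing every mismatch
// so the error surfaces at synth time instead of at apply time.
function buildConfigurationValues(schemaJson: string, values: object): string {
  const problems = schemaProblems(JSON.parse(schemaJson) as Schema, values);
  if (problems.length > 0) throw new Error(`configurationValues rejected: ${problems.join("; ")}`);
  return JSON.stringify(values);
}
```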

Example IAM Role for EKS Addon "vpc-cni" with AWS managed policy

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
import * as tls from "./.gen/providers/tls";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: tls.
For a more precise conversion please use the --provider flag in convert.*/
const awsEksClusterExample = new aws.eksCluster.EksCluster(this, "example", {});
const dataTlsCertificateExample = new tls.dataTlsCertificate.DataTlsCertificate(
  this,
  "example_1",
  {
    url: `\${${awsEksClusterExample.identity.fqn}[0].oidc[0].issuer}`,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataTlsCertificateExample.overrideLogicalId("example");
const awsIamOpenidConnectProviderExample =
  new aws.iamOpenidConnectProvider.IamOpenidConnectProvider(this, "example_2", {
    clientIdList: ["sts.amazonaws.com"],
    thumbprintList: [
      `\${${dataTlsCertificateExample.certificates.fqn}[0].sha1_fingerprint}`,
    ],
    url: `\${${awsEksClusterExample.identity.fqn}[0].oidc[0].issuer}`,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamOpenidConnectProviderExample.overrideLogicalId("example");
const dataAwsIamPolicyDocumentExampleAssumeRolePolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "example_assume_role_policy",
    {
      statement: [
        {
          actions: ["sts:AssumeRoleWithWebIdentity"],
          condition: [
            {
              test: "StringEquals",
              values: ["system:serviceaccount:kube-system:aws-node"],
              variable: `\${replace(${awsIamOpenidConnectProviderExample.url}, "https://", "")}:sub`,
            },
          ],
          effect: "Allow",
          principals: [
            {
              identifiers: [awsIamOpenidConnectProviderExample.arn],
              type: "Federated",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_4", {
  assumeRolePolicy: dataAwsIamPolicyDocumentExampleAssumeRolePolicy.json,
  name: "example-vpc-cni-role",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyAttachmentExample =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "example_5", {
    policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    role: awsIamRoleExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAttachmentExample.overrideLogicalId("example");
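The trust policy that the IAM role above receives from DataAwsIamPolicyDocument pins the token's subject (`:sub`) to the aws-node service account. The following added example (not from the provider docs or the cdktf convert output) builds the same IRSA trust policy as plain JSON, adding the audience (`:aud`) condition as well, and audits an existing trust policy for the common mistake of a wildcard subject that would let every service account in the cluster assume the role. Account id, issuer URL and service account are constructed sample values.

```typescript
type Condition = Record<string, Record<string, string | string[]>>;
type Statement = { Effect: string; Principal: { Federated: string }; Action: string; Condition?: Condition };
type TrustPolicy = { Version: string; Statement: Statement[] };

// Builds an IRSA trust policy for one service account. The OIDC provider ARN and the
// condition keys use the issuer without its https:// prefix, as the replace() in the
// policy document above does.
function irsaTrustPolicy(accountId: string, issuerUrl: string, namespace: string, sa: string): TrustPolicy {
  const issuer = issuerUrl.replace(/^https:\/\//, "");
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${issuer}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: {
          [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${sa}`, // exactly one service account
          [`${issuer}:aud`]: "sts.amazonaws.com", // token must be minted for STS
        },
      },
    }],
  };
}

// Returns a finding for every AssumeRoleWithWebIdentity statement that is not pinned
// to one exact service account: missing :sub, wildcard :sub, or missing :aud.
function auditTrustPolicy(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow" || s.Action !== "sts:AssumeRoleWithWebIdentity") return;
    const eq = s.Condition?.StringEquals ?? {};
    const like = s.Condition?.StringLike ?? {};
    const subKey = (keys: string[]) => keys.find((k) => k.endsWith(":sub"));
    const exactSub = subKey(Object.keys(eq));
    const likeSub = subKey(Object.keys(like));
    if (!exactSub && !likeSub) findings.push(`statement ${i}: no :sub condition, any identity from the provider may assume the role`);
    if (likeSub && String(like[likeSub]).includes("*")) findings.push(`statement ${i}: wildcard :sub (${like[likeSub]})`);
    if (!Object.keys(eq).some((k) => k.endsWith(":aud"))) findings.push(`statement ${i}: no :aud condition`);
  });
  return findings;
}
```

The audit is useful on roles that already exist, since serviceAccountRoleArn accepts any role ARN and the provider does not inspect the trust policy.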

Argument Reference

The following arguments are required:

  • addonName - (Required) Name of the EKS add-on. The name must match one of the names returned by describe-addon-versions.
  • clusterName - (Required) Name of the EKS cluster. Must be between 1 and 100 characters in length, must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).

The following arguments are optional:

  • addonVersion - (Optional) The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.
  • configurationValues - (Optional) Custom configuration values for the add-on, as a single JSON string. The string must match the JSON schema returned by describe-addon-configuration.
  • resolveConflicts - (Optional) Defines how to resolve parameter value conflicts when migrating an existing add-on to an Amazon EKS add-on or when applying version updates to the add-on. Valid values are NONE, OVERWRITE and PRESERVE. For more details check the UpdateAddon API docs.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • preserve - (Optional) Indicates if you want to preserve the created resources when deleting the EKS add-on.
  • serviceAccountRoleArn - (Optional) The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

    ~> Note: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the EKS add-on.
  • id - EKS Cluster name and EKS Addon name separated by a colon (:).
  • status - Status of the EKS add-on.
  • createdAt - Date and time in RFC3339 format that the EKS add-on was created.
  • modifiedAt - Date and time in RFC3339 format that the EKS add-on was updated.
  • tagsAll - Key-value map of resource tags, including those inherited from the provider defaultTags configuration block.

Timeouts

Configuration options:

  • create - (Default 20M)
  • update - (Default 20M)
  • delete - (Default 40M)

Import

EKS add-on can be imported using the clusterName and addonName separated by a colon (:), e.g.,

$ terraform import aws_eks_addon.my_eks_addon my_cluster_name:my_addon_name