Creates an AWS IAM role which trusts the deployment account.
This role should be added to the cluster's aws-auth ConfigMap to allow deployment. CodeBuild projects in the deployment account can assume this role to deploy to the cluster.
Setting up:
- Create an instance of this module for each EKS cluster, in the same account as the cluster.
- Add the role's ARN to the aws-auth ConfigMap.
- Make sure the EKS cluster is included in the cluster names for your deploy project. This will ensure the CodeBuild IAM role has permission to assume the deploy role.
- Provide the role's ARN in the corresponding deployment in your pipeline.
Once configured correctly, this will allow the deploy CodeBuild projects to apply the generated manifests to the appropriate cluster. AWS tags are used to ensure that each CodeBuild role can only connect to the appropriate cluster.
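The first two setup steps, plus the ARN needed for the last one, as an added Terraform example that is not part of this module's own code. The module source path, cluster name, account IDs, node role entry, username and RBAC group are assumptions; `kubernetes_config_map_v1_data` comes from the hashicorp/kubernetes provider, which this module does not itself require.

```hcl
# Added example. Every literal value below is constructed for illustration.
module "deploy_role" {
  source = "../modules/eks-deploy-role" # hypothetical path to this module

  cluster_name           = "example-production" # constructed cluster name
  deployment_account_ids = ["111122223333"]     # constructed account ID

  tags = {
    Environment = "production"
  }
}

locals {
  # mapRoles is a single YAML string that is replaced as a whole, so the
  # mappings already in aws-auth (node roles, etc.) must be carried over.
  existing_map_roles = [
    {
      rolearn  = "arn:aws:iam::444455556666:role/example-node-role" # constructed
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    },
  ]

  # Hypothetical username and group. Bind the group to a Role or ClusterRole
  # scoped to what the deploy applies, rather than using system:masters.
  deploy_map_role = {
    rolearn  = module.deploy_role.arn
    username = "deploy"
    groups   = ["deployers"]
  }
}

resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    mapRoles = yamlencode(concat(local.existing_map_roles, [local.deploy_map_role]))
  }

  force = true # take over the mapRoles key from its previous field manager
}

# Value to provide to the corresponding deployment in the pipeline.
output "deploy_role_arn" {
  value = module.deploy_role.arn
}
```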

Requirements:

Name | Version |
---|---|
terraform | >= 0.14.0 |
aws | ~> 5.0 |

Providers:

Name | Version |
---|---|
aws | ~> 5.0 |

Modules:

No modules.

Resources:

Name | Type |
---|---|
aws_iam_role.this | resource |
aws_iam_role_policy.eks | resource |
aws_eks_cluster.this | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.eks | data source |

Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
cluster_name | Name of the EKS cluster | string | n/a | yes |
deployment_account_ids | IDs of AWS accounts running continuous deployment | list(string) | n/a | yes |
tags | Tags to be applied to created AWS resources | map(string) | {} | no |

Outputs:

Name | Description |
---|---|
arn | ARN of the created IAM role |