Amazon EKS 0.67.1Last updated in version 0.66.1

K8S Cluster Autoscaler IAM Policy Module

This Terraform Module defines an IAM policy that defines the minimal set of permissions necessary for the Kubernetes Cluster Autoscaler. This policy can then be attached to the EC2 instance profile of the worker nodes in a Kubernetes cluster which will allow the autoscaler to manage scaling up and down EC2 instances in targeted Auto Scaling Groups in response to resource utilization.

See the eks-k8s-cluster-autoscaler module for a module that deploys the Cluster Autoscaler to your EKS cluster.

Attaching IAM policy to workers

To allow the Cluster Autoscaler to manage Auto Scaling Groups, it needs IAM permissions to monitor and adjust them. Currently, the way to grant Pods IAM privileges is to use the worker IAM profiles provisioned by the eks-cluster-workers module.

The Terraform templates in this module create an IAM policy that has the required permissions. You then need to use an aws_iam_policy_attachment to attach that policy to the IAM roles of your EC2 Instances.

module "eks_workers" {
  # (arguments omitted)
}

module "k8s_cluster_autoscaler_iam_policy" {
  # (arguments omitted)
  eks_worker_asg_arns = module.eks_workers.eks_worker_asg_arns
}

resource "aws_iam_role_policy_attachment" "attach_k8s_cluster_autoscaler_iam_policy" {
    role = module.eks_workers.eks_worker_iam_role_name
    policy_arn = module.k8s_cluster_autoscaler_iam_policy.k8s_cluster_autoscaler_policy_arn
}

Sample Usage

Terraform
Terragrunt

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-CLUSTER-AUTOSCALER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_k_8_s_cluster_autoscaler_iam_policy" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-cluster-autoscaler-iam-policy?ref=v0.67.1"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A name that uniquely identified in which context this module is being
  # invoked. This also helps to avoid creating two resources with the same name
  # from different terraform applies.
  name_prefix = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If you set this variable to false, this module will not create any
  # resources. This is used as a workaround because Terraform does not allow you
  # to use the 'count' parameter on modules. By using this parameter, you can
  # optionally create or not create the resources within this module.
  create_resources = true

  # ARNs of the EKS Managed Node Groups to grant access to. If this is not
  # specified the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_managed_node_group_arns = []

  # ARNs of the Auto Scaling Groups to grant access to. If this is not specified
  # the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_worker_asg_arns = []

}

terragrunt.hcl

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-CLUSTER-AUTOSCALER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-cluster-autoscaler-iam-policy?ref=v0.67.1"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A name that uniquely identified in which context this module is being
  # invoked. This also helps to avoid creating two resources with the same name
  # from different terraform applies.
  name_prefix = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If you set this variable to false, this module will not create any
  # resources. This is used as a workaround because Terraform does not allow you
  # to use the 'count' parameter on modules. By using this parameter, you can
  # optionally create or not create the resources within this module.
  create_resources = true

  # ARNs of the EKS Managed Node Groups to grant access to. If this is not
  # specified the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_managed_node_group_arns = []

  # ARNs of the Auto Scaling Groups to grant access to. If this is not specified
  # the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_worker_asg_arns = []

}

Reference

Inputs
Outputs

Required

name_prefixstringrequired

A name that uniquely identified in which context this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.

Optional

create_resourcesbooloptional

If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

Default:true

eks_managed_node_group_arnslist(string)optional

ARNs of the EKS Managed Node Groups to grant access to. If this is not specified the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').

Default:[]

eks_worker_asg_arnslist(string)optional

ARNs of the Auto Scaling Groups to grant access to. If this is not specified the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').

Default:[]

k8s_cluster_autoscaler_policy_arn

The ARN of the IAM policy created with the permissions for the Kubernetes cluster autoscaler.

k8s_cluster_autoscaler_policy_id

The AWS ID of the IAM policy created with the permissions for the Kubernetes cluster autoscaler.

k8s_cluster_autoscaler_policy_name

The name of the IAM policy created with the permissions for the Kubernetes cluster autoscaler.

K8S Cluster Autoscaler IAM Policy Module

Attaching IAM policy to workers​

Sample Usage​

Reference​

Required​

Optional​

Attaching IAM policy to workers

Sample Usage

Reference

Required

Optional