K8S External DNS IAM Policy Module
This Terraform module creates an IAM policy granting the minimal set of permissions the external-dns application needs. Attach the policy to the IAM role of your EC2 instances (or to any other IAM role the app assumes) so that the deployed app has enough permissions to manage Route 53 Hosted Zones, and nothing more.
See the eks-k8s-external-dns module for a module that deploys the external-dns application on to your EKS cluster.
Attaching IAM policy to workers
To manage Route 53 Hosted Zones, the external-dns app needs IAM permissions to call the Route 53 API. Currently, the way this module grants Pods those privileges is through the worker IAM instance profile provisioned by the eks-cluster-workers module. Keep in mind that a policy attached to the worker role is available to every Pod scheduled on those nodes, not only to external-dns, which is why the policy is kept to the minimum external-dns needs.
The Terraform templates in this module create an IAM policy with the required permissions. You then use an aws_iam_role_policy_attachment resource to attach that policy to the IAM role of your EC2 Instances:
module "eks_workers" {
  # (arguments omitted)
}

module "k8s_external_dns_iam_policy" {
  # (arguments omitted)
}

# Attach the external-dns policy to the worker IAM role. Both values come from
# the outputs of the two modules above.
resource "aws_iam_role_policy_attachment" "attach_k8s_external_dns_iam_policy" {
  role       = module.eks_workers.eks_worker_iam_role_name
  policy_arn = module.k8s_external_dns_iam_policy.k8s_external_dns_policy_arn
}
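As an added check, not part of this module or of the external-dns project: the script below audits an IAM policy document for the least-privilege shape external-dns needs, flagging wildcard or non-Route 53 actions, actions outside the expected set, NotAction/NotResource inversions, and route53:ChangeResourceRecordSets granted on "*" rather than on hosted zones. Because the policy ends up on the worker role, anything extra in it is available to every Pod on the node. The two embedded policy documents are constructed samples; the expected action set is taken from the permissions the external-dns project documents for Route 53, and it is an assumption that this module's policy matches it exactly. To audit the real policy, feed in the document returned by `aws iam get-policy-version` for the ARN the module outputs.

```python
"""Audit an IAM policy document for the external-dns least-privilege shape.

Added example, not code from the Gruntwork module or the external-dns project.
The policies below are constructed samples; EXPECTED_ACTIONS is modeled on the
Route 53 permissions external-dns documents and is an assumption about what
this module's policy contains.
"""
import json

# Route 53 actions external-dns needs (assumed baseline for the audit).
EXPECTED_ACTIONS = {
    "route53:ChangeResourceRecordSets",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
}

# Constructed sample: the shape a minimal external-dns policy should have.
# ChangeResourceRecordSets is scoped to hosted zones; the List* calls cannot
# be resource-scoped in IAM, so "*" is the tightest resource available there.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": ["arn:aws:route53:::hostedzone/*"]},
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
         "Resource": ["*"]},
    ],
})

# Constructed sample: an over-broad policy that "just works" but also lets any
# Pod on the node create or delete zones and read unrelated services.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, expected_actions=EXPECTED_ACTIONS):
    """Return a list of findings; an empty list means the policy is minimal.

    Every Allow statement is checked for:
      * wildcard actions ("route53:*", "ec2:Describe*")
      * actions outside the route53 namespace
      * route53 actions external-dns does not need
      * NotAction / NotResource, which invert meaning and widen the grant
      * ChangeResourceRecordSets on "*" instead of a hostedzone/ ARN
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource widens the grant")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif not action.startswith("route53:"):
                findings.append(f"statement {idx}: non-route53 action {action!r}")
            elif action not in expected_actions:
                findings.append(f"statement {idx}: unexpected action {action!r}")
            if action == "route53:ChangeResourceRecordSets" and "*" in resources:
                findings.append(
                    f"statement {idx}: ChangeResourceRecordSets on '*' "
                    "(scope it to arn:...:route53:::hostedzone/...)"
                )
    return findings


if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        findings = audit_policy(doc)
        print(f"{name}: {'OK' if not findings else findings}")
```

Run it directly to see the minimal sample pass and the broad sample produce findings; in a CI pipeline a non-empty finding list should fail the build before the policy is attached to any role.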
Sample Usage
Terraform
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-EXTERNAL-DNS-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------
module "eks_k_8_s_external_dns_iam_policy" {
source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-external-dns-iam-policy?ref=v0.72.3"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# A name that uniquely identifies the context in which this module is being
# invoked. This also helps to avoid creating two resources with the same name
# from different terraform applies.
name_prefix = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS partition used for default AWS Resources.
aws_partition = "aws"
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# Tags to apply to all AWS resources managed by this module.
default_tags = {}
# A map of custom tags to apply to the External DNS IAM Policies if enabled.
# The key is the tag name and the value is the tag value.
external_dns_iam_policy_tags = {}
}
Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-EXTERNAL-DNS-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-external-dns-iam-policy?ref=v0.72.3"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# A name that uniquely identifies the context in which this module is being
# invoked. This also helps to avoid creating two resources with the same name
# from different terraform applies.
name_prefix = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS partition used for default AWS Resources.
aws_partition = "aws"
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# Tags to apply to all AWS resources managed by this module.
default_tags = {}
# A map of custom tags to apply to the External DNS IAM Policies if enabled.
# The key is the tag name and the value is the tag value.
external_dns_iam_policy_tags = {}
}
Reference
Inputs
Required
name_prefix
string
A name that uniquely identifies the context in which this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.
Optional
aws_partition
string
The AWS partition used for default AWS Resources.
Default: "aws"
create_resources
bool
If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.
Default: true
default_tags
map(string)
Tags to apply to all AWS resources managed by this module.
Default: {}
external_dns_iam_policy_tags
map(string)
A map of custom tags to apply to the External DNS IAM Policies if enabled. The key is the tag name and the value is the tag value.
Default: {}
Outputs
The ARN of the IAM policy created with the permissions for the external-dns Kubernetes app (exposed as k8s_external_dns_policy_arn, as used in the attachment example above).
The AWS ID of the IAM policy created with the permissions for the external-dns Kubernetes app.
The name of the IAM policy created with the permissions for the external-dns Kubernetes app.