Skip to main content
Amazon EKS 0.72.3Last updated in version 0.72.1

K8S External DNS IAM Policy Module

View Source Release Notes

This Terraform Module defines an IAM policy that defines the minimal set of permissions necessary for the external-dns application. This policy can then be attached to EC2 instances or IAM roles so that the app deployed has enough permissions to manage Route 53 Hosted Zones.

See the eks-k8s-external-dns module for a module that deploys the external-dns application on to your EKS cluster.

Attaching IAM policy to workers

To allow the external-dns app to manage Route 53 Hosted Zones, it needs IAM permissions to use the AWS API to manage the zones. Currently, the way to grant Pods IAM privileges is to use the worker IAM profiles provisioned by the eks-cluster-workers module.

The Terraform templates in this module create an IAM policy that has the required permissions. You then need to use an aws_iam_policy_attachment to attach that policy to the IAM roles of your EC2 Instances.

module "eks_workers" {
# (arguments omitted)
}

module "k8s_external_dns_iam_policy" {
# (arguments omitted)
}

resource "aws_iam_role_policy_attachment" "attach_k8s_external_dns_iam_policy" {
role = "${module.eks_workers.eks_worker_iam_role_name}"
policy_arn = "${module.k8s_external_dns_iam_policy.k8s_external_dns_policy_arn}"
}

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-EXTERNAL-DNS-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_k_8_s_external_dns_iam_policy" {

source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-external-dns-iam-policy?ref=v0.72.3"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# A name that uniquely identified in which context this module is being
# invoked. This also helps to avoid creating two resources with the same name
# from different terraform applies.
name_prefix = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# The AWS partition used for default AWS Resources.
aws_partition = "aws"

# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true

# Tags to apply to all AWS resources managed by this module.
default_tags = {}

# A map of custom tags to apply to the External DNS IAM Policies if enabled.
# The key is the tag name and the value is the tag value.
external_dns_iam_policy_tags = {}

}


Reference

Required

name_prefixstringrequired

A name that uniquely identified in which context this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.

Optional

aws_partitionstringoptional

The AWS partition used for default AWS Resources.

"aws"
create_resourcesbooloptional

If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

true
default_tagsmap(string)optional

Tags to apply to all AWS resources managed by this module.

{}
external_dns_iam_policy_tagsmap(string)optional

A map of custom tags to apply to the External DNS IAM Policies if enabled. The key is the tag name and the value is the tag value.

{}