feat: Add support for EKS Capabilities (#3624)

SCT-Engineering · Jan 13, 2026 · 990050b · 990050b
1 parent d57cdac
commit 990050b
Show file tree

Hide file tree

Showing 17 changed files with 1,043 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -376,6 +376,7 @@ module "eks" {
 ## Examples
 
 - [EKS Auto Mode](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks-auto-mode): EKS Cluster with EKS Auto Mode
+- [EKS Capabilities](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks-capabilities): EKS Cluster with EKS Capabilities
 - [EKS Hybrid Nodes](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks-hybrid-nodes): EKS Cluster with EKS Hybrid nodes
 - [EKS Managed Node Group](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks-managed-node-group): EKS Cluster with EKS managed node group(s)
 - [Karpenter](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/karpenter): EKS Cluster with [Karpenter](https://karpenter.sh/) provisioned for intelligent data plane management

diff --git a/examples/eks-auto-mode/README.md b/examples/eks-auto-mode/README.md
@@ -1,4 +1,4 @@
-# EKS Auto Mode
+# EKS Auto Mode Example
 
 ## Usage
 

diff --git a/examples/eks-capabilities/README.md b/examples/eks-capabilities/README.md
@@ -0,0 +1,74 @@
+# EKS Capabilities Example
+
+## Usage
+
+To provision the provided configurations you need to execute:
+
+```bash
+terraform init
+terraform plan
+terraform apply --auto-approve
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_ack_eks_capability"></a> [ack\_eks\_capability](#module\_ack\_eks\_capability) | ../../modules/capability | n/a |
+| <a name="module_argocd_eks_capability"></a> [argocd\_eks\_capability](#module\_argocd\_eks\_capability) | ../../modules/capability | n/a |
+| <a name="module_disabled_eks_capability"></a> [disabled\_eks\_capability](#module\_disabled\_eks\_capability) | ../../modules/capability | n/a |
+| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
+| <a name="module_kro_eks_capability"></a> [kro\_eks\_capability](#module\_kro\_eks\_capability) | ../../modules/capability | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_identitystore_group.aws_administrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_ack_argocd_server_url"></a> [ack\_argocd\_server\_url](#output\_ack\_argocd\_server\_url) | URL of the Argo CD server |
+| <a name="output_ack_arn"></a> [ack\_arn](#output\_ack\_arn) | The ARN of the EKS Capability |
+| <a name="output_ack_iam_role_arn"></a> [ack\_iam\_role\_arn](#output\_ack\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_ack_iam_role_name"></a> [ack\_iam\_role\_name](#output\_ack\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_ack_iam_role_unique_id"></a> [ack\_iam\_role\_unique\_id](#output\_ack\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_ack_version"></a> [ack\_version](#output\_ack\_version) | The version of the EKS Capability |
+| <a name="output_argocd_arn"></a> [argocd\_arn](#output\_argocd\_arn) | The ARN of the EKS Capability |
+| <a name="output_argocd_iam_role_arn"></a> [argocd\_iam\_role\_arn](#output\_argocd\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_argocd_iam_role_name"></a> [argocd\_iam\_role\_name](#output\_argocd\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_argocd_iam_role_unique_id"></a> [argocd\_iam\_role\_unique\_id](#output\_argocd\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_argocd_server_url"></a> [argocd\_server\_url](#output\_argocd\_server\_url) | URL of the Argo CD server |
+| <a name="output_argocd_version"></a> [argocd\_version](#output\_argocd\_version) | The version of the EKS Capability |
+| <a name="output_kro_argocd_server_url"></a> [kro\_argocd\_server\_url](#output\_kro\_argocd\_server\_url) | URL of the Argo CD server |
+| <a name="output_kro_arn"></a> [kro\_arn](#output\_kro\_arn) | The ARN of the EKS Capability |
+| <a name="output_kro_iam_role_arn"></a> [kro\_iam\_role\_arn](#output\_kro\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_kro_iam_role_name"></a> [kro\_iam\_role\_name](#output\_kro\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_kro_iam_role_unique_id"></a> [kro\_iam\_role\_unique\_id](#output\_kro\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_kro_version"></a> [kro\_version](#output\_kro\_version) | The version of the EKS Capability |
+<!-- END_TF_DOCS -->
diff --git a/examples/eks-capabilities/main.tf b/examples/eks-capabilities/main.tf
@@ -0,0 +1,163 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {
+  # Exclude local zones
+  filter {
+    name   = "opt-in-status"
+    values = ["opt-in-not-required"]
+  }
+}
+
+data "aws_ssoadmin_instances" "this" {}
+
+data "aws_identitystore_group" "aws_administrator" {
+  identity_store_id = one(data.aws_ssoadmin_instances.this.identity_store_ids)
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = "AWSAdministrator"
+    }
+  }
+}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "us-east-1" # will need to match where your AWS Identity Center is configured
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Test       = local.name
+    GithubRepo = "terraform-aws-eks"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# EKS Capability Module
+################################################################################
+
+module "ack_eks_capability" {
+  source = "../../modules/capability"
+
+  type         = "ACK"
+  cluster_name = module.eks.cluster_name
+
+  # IAM Role/Policy
+  iam_role_policies = {
+    AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
+  }
+
+  tags = local.tags
+}
+
+module "argocd_eks_capability" {
+  source = "../../modules/capability"
+
+  type         = "ARGOCD"
+  cluster_name = module.eks.cluster_name
+
+  configuration = {
+    argo_cd = {
+      aws_idc = {
+        idc_instance_arn = one(data.aws_ssoadmin_instances.this.arns)
+      }
+      namespace = "argocd"
+      rbac_role_mapping = [{
+        role = "ADMIN"
+        identity = [{
+          id   = data.aws_identitystore_group.aws_administrator.group_id
+          type = "SSO_GROUP"
+        }]
+      }]
+    }
+  }
+
+  # IAM Role/Policy
+  iam_policy_statements = {
+    ECRRead = {
+      actions = [
+        "ecr:GetAuthorizationToken",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "kro_eks_capability" {
+  source = "../../modules/capability"
+
+  type         = "KRO"
+  cluster_name = module.eks.cluster_name
+
+  tags = local.tags
+}
+
+module "disabled_eks_capability" {
+  source = "../../modules/capability"
+
+  create = false
+}
+
+################################################################################
+# EKS Module
+################################################################################
+
+module "eks" {
+  source = "../.."
+
+  name                   = local.name
+  kubernetes_version     = "1.34"
+  endpoint_public_access = true
+
+  enable_cluster_creator_admin_permissions = true
+
+  compute_config = {
+    enabled    = true
+    node_pools = ["general-purpose"]
+  }
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+  intra_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 52)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}
diff --git a/examples/eks-capabilities/outputs.tf b/examples/eks-capabilities/outputs.tf
@@ -0,0 +1,104 @@
+################################################################################
+# Capability - ACK
+################################################################################
+
+output "ack_arn" {
+  description = "The ARN of the EKS Capability"
+  value       = module.ack_eks_capability.arn
+}
+
+output "ack_version" {
+  description = "The version of the EKS Capability"
+  value       = module.ack_eks_capability.version
+}
+
+output "ack_argocd_server_url" {
+  description = "URL of the Argo CD server"
+  value       = module.ack_eks_capability.argocd_server_url
+}
+
+# IAM Role
+output "ack_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.ack_eks_capability.iam_role_name
+}
+
+output "ack_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.ack_eks_capability.iam_role_arn
+}
+
+output "ack_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.ack_eks_capability.iam_role_unique_id
+}
+
+################################################################################
+# Capability - ArgoCD
+################################################################################
+
+output "argocd_arn" {
+  description = "The ARN of the EKS Capability"
+  value       = module.argocd_eks_capability.arn
+}
+
+output "argocd_version" {
+  description = "The version of the EKS Capability"
+  value       = module.argocd_eks_capability.version
+}
+
+output "argocd_server_url" {
+  description = "URL of the Argo CD server"
+  value       = module.argocd_eks_capability.argocd_server_url
+}
+
+# IAM Role
+output "argocd_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.argocd_eks_capability.iam_role_name
+}
+
+output "argocd_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.argocd_eks_capability.iam_role_arn
+}
+
+output "argocd_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.argocd_eks_capability.iam_role_unique_id
+}
+
+################################################################################
+# Capability - KRO
+################################################################################
+
+output "kro_arn" {
+  description = "The ARN of the EKS Capability"
+  value       = module.kro_eks_capability.arn
+}
+
+output "kro_version" {
+  description = "The version of the EKS Capability"
+  value       = module.kro_eks_capability.version
+}
+
+output "kro_argocd_server_url" {
+  description = "URL of the Argo CD server"
+  value       = module.kro_eks_capability.argocd_server_url
+}
+
+# IAM Role
+output "kro_iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.kro_eks_capability.iam_role_name
+}
+
+output "kro_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the IAM role"
+  value       = module.kro_eks_capability.iam_role_arn
+}
+
+output "kro_iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.kro_eks_capability.iam_role_unique_id
+}
diff --git a/examples/eks-capabilities/variables.tf b/examples/eks-capabilities/variables.tf
diff --git a/examples/eks-capabilities/versions.tf b/examples/eks-capabilities/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.28"
+    }
+  }
+}