diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
index 25fcda06..b8dd0f0e 100644
--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -20,13 +20,13 @@ Run `terraform destroy` when you don't need these resources.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.29 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 4.0 |
+| [aws](#provider\_aws) | >= 5.29 |
## Modules
@@ -46,6 +46,7 @@ Run `terraform destroy` when you don't need these resources.
| [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
+| [iam\_pod\_identity\_role](#module\_iam\_pod\_identity\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
| [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
@@ -61,6 +62,7 @@ Run `terraform destroy` when you don't need these resources.
| Name | Type |
|------|------|
+| [aws_eks_pod_identity_association.my_app_staging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
| [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index 5c4a0e8b..7640496e 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -399,6 +399,26 @@ module "iam_eks_role" {
}
}
+################################################################################
+# Pod Identity Roles
+################################################################################
+module "iam_pod_identity_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ role_name = "my-pod-identity"
+
+ role_policy_arns = {
+ policy = module.iam_policy.arn
+ }
+}
+
+# This resource requires installed eks-pod-identity-agent to work
+resource "aws_eks_pod_identity_association" "my_app_staging" {
+ cluster_name = module.eks.cluster_name
+ role_arn = module.iam_pod_identity_role.iam_role_arn
+ namespace = "default"
+ service_account = "my-app-staging"
+}
+
################################################################################
# Supporting Resources
################################################################################
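Review bot: The new `iam_pod_identity_role` module is sourced from the published registry path (`terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks`) rather than the local `../../modules/iam-role-for-service-accounts-eks` path the sibling examples use, so the role it creates carries only whatever trust policy the released module version has and will not exercise the `pods.eks.amazonaws.com` statement this commit adds until a release ships it; until then the association would produce a role the pod cannot assume. Changing that line to `source = "../../modules/iam-role-for-service-accounts-eks"` keeps the example exercising this repository. The comment on the association also reads awkwardly; `# Requires the eks-pod-identity-agent add-on to be installed on the cluster` states the dependency more plainly.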
@@ -438,6 +458,13 @@ module "eks" {
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
+ cluster_addons = {
+ # Required for Pod Identity roles
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
+ }
+
eks_managed_node_groups = {
default = {}
}
diff --git a/examples/iam-role-for-service-accounts-eks/versions.tf b/examples/iam-role-for-service-accounts-eks/versions.tf
index d8dd1a44..ef42ed42 100644
--- a/examples/iam-role-for-service-accounts-eks/versions.tf
+++ b/examples/iam-role-for-service-accounts-eks/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">= 5.29"
}
}
}
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 72031c6e..875fffe5 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -105,13 +105,13 @@ module "eks" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.29 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 4.0 |
+| [aws](#provider\_aws) | >= 5.29 |
## Modules
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
index 6095f390..d9569023 100644
--- a/modules/iam-role-for-service-accounts-eks/main.tf
+++ b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -62,6 +62,16 @@ data "aws_iam_policy_document" "this" {
}
}
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole", "sts:TagSession"]
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
+ }
+ }
}
resource "aws_iam_role" "this" {
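Review bot: The added statement grants `pods.eks.amazonaws.com` `sts:AssumeRole` and `sts:TagSession` on every role this module produces, unconditionally and with no opt-out, so roles that were created purely for IRSA now also accept the Pod Identity service principal as a second trust path; the existing OIDC statement presumably scopes assumption to a specific service account, which this statement does not. Gating it behind an opt-in boolean (a `dynamic "statement"` keyed on a new variable) keeps current consumers' trust policies byte-identical and makes the new trust path a deliberate choice visible in the plan. It is also worth confirming against the EKS Pod Identity trust-policy guidance whether a condition on `aws:SourceAccount` and/or `aws:SourceArn` should accompany the service principal to limit which account and cluster can use the role. The enclosing `data "aws_iam_policy_document" "this"` starts outside the hunk.
```hcl
  # … unchanged: OIDC (IRSA) trust statement …

  # Pod Identity trust path is opt-in; var.enable_pod_identity is a proposed
  # (constructed) variable name to be declared in variables.tf.
  dynamic "statement" {
    for_each = var.enable_pod_identity ? [1] : []

    content {
      effect  = "Allow"
      actions = ["sts:AssumeRole", "sts:TagSession"]

      principals {
        type        = "Service"
        identifiers = ["pods.eks.amazonaws.com"]
      }
    }
  }
```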
diff --git a/modules/iam-role-for-service-accounts-eks/versions.tf b/modules/iam-role-for-service-accounts-eks/versions.tf
index d8dd1a44..ef42ed42 100644
--- a/modules/iam-role-for-service-accounts-eks/versions.tf
+++ b/modules/iam-role-for-service-accounts-eks/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">= 5.29"
}
}
}