Configure for AWS Elastic Kubernetes Service (EKS)
AWS Elastic Kubernetes Service (EKS) offers IAM Roles for Service Accounts (IRSA) as a mechanism by which to provide credentials to Kubernetes pods. This can be used to provide the required AWS credentials to Terraform runners for performing plans and applies.
You can use eksctl to associate an OIDC provider with your EKS cluster, for example:
eksctl utils associate-iam-oidc-provider --cluster CLUSTER_NAME --approve
Then follow the IRSA instructions to add a trust policy to the IAM role which grants the necessary permissions for Terraform. Please note that if you have installed the controller following the README, then the namespace:serviceaccount the trust policy must reference is flux-system:tf-runner. You'll obtain a Role ARN to use in the next step.
Finally, annotate the ServiceAccount for the tf-runner with the obtained Role ARN in your cluster:
kubectl annotate -n flux-system serviceaccount tf-runner eks.amazonaws.com/role-arn=ROLE_ARN
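As an added example (not part of the original page or of the tf-controller project), the following Python builds the IRSA trust policy that the flux-system:tf-runner step above requires and checks an existing trust policy for conditions that would let other pods in the cluster assume the role. The account id and OIDC provider id are constructed placeholders.

```python
import json

# Constructed placeholders: substitute your own account id and EKS OIDC provider.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"


def irsa_trust_policy(account_id, oidc_provider, namespace="flux-system", sa="tf-runner"):
    """Trust policy allowing only the named service account's projected token to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # sub pins the namespace:serviceaccount; aud pins the projected token's audience.
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_findings(policy, oidc_provider):
    """Flag Allow statements that let more than the intended service account assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", ""):
            continue
        cond = stmt.get("Condition", {})
        sub = (cond.get("StringEquals", {}).get(f"{oidc_provider}:sub")
               or cond.get("StringLike", {}).get(f"{oidc_provider}:sub"))
        if sub is None:
            findings.append("missing sub condition: any pod in the cluster could assume this role")
        elif "*" in sub:
            findings.append(f"wildcard sub condition {sub!r}: restrict it to one namespace:serviceaccount")
        if cond.get("StringEquals", {}).get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_PROVIDER)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, OIDC_PROVIDER))  # expect []
```

Run the checker against the trust policy returned by `aws iam get-role` to confirm the role is scoped to the single tf-runner service account before annotating it.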
If deploying the tf-controller via Helm, this can be accomplished as follows: