feat: Add EKS Fargate support

README.md

@@ -173,6 +173,8 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.16"` | no |
 | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no |
 | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
+| create\_eks\_fargate | Controls if EKS Fargate resources should be created | `bool` | `false` | no |
+| eks\_fargate\_profiles | EKS Fargate profiles | <pre>list(object({<br>    namespace = string<br>    labels    = map(string)<br>  }))</pre> | `[]` | no |
 | eks\_oidc\_root\_ca\_thumbprint | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no |
 | enable\_irsa | Whether to create OpenID Connect Provider for EKS to enable IRSA | `bool` | `false` | no |
 | iam\_path | If provided, all IAM roles will be created on this path. | `string` | `"/"` | no |
@@ -227,6 +229,8 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster\_security\_group\_id | Security group ID attached to the EKS cluster. On 1.14 or later, this is the 'Additional security groups' in the EKS console. |
 | cluster\_version | The Kubernetes server version for the EKS cluster. |
 | config\_map\_aws\_auth | A kubernetes configuration to authenticate to this EKS cluster. |
+| fargate\_iam\_role\_arn | IAM role ARN for EKS Fargate pods |
+| fargate\_iam\_role\_name | IAM role name for EKS Fargate pods |
 | kubeconfig | kubectl config file contents for this EKS cluster. |
 | kubeconfig\_filename | The filename of the generated kubectl config. |
 | node\_groups | Outputs from EKS node groups. Map of maps, keyed by var.node\_groups keys |

aws_auth.tf

@@ -38,22 +38,31 @@ locals {
     }
   ]
 
+  auth_fargate_roles = [
+    for index in range(0, var.create_eks && var.create_eks_fargate ? 1 : 0) : {
+      worker_role_arn = module.fargate.iam_role_arn
+      platform        = "fargate"
+    }
+  ]
+
   # Convert to format needed by aws-auth ConfigMap
   configmap_roles = [
     for role in concat(
       local.auth_launch_template_worker_roles,
       local.auth_worker_roles,
+      local.auth_fargate_roles,
       module.node_groups.aws_auth_roles,
     ) :
     {
       rolearn  = role["worker_role_arn"]
-      username = "system:node:{{EC2PrivateDNSName}}"
+      username = role["platform"] == "fargate" ? "system:node:{{SessionName}}" : "system:node:{{EC2PrivateDNSName}}"
       groups = tolist(concat(
         [
           "system:bootstrappers",
           "system:nodes",
         ],
-        role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : []
+        role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : [],
+        role["platform"] == "fargate" ? ["system:node-proxier"] : [],
       ))
     }
   ]

fargate.tf

@@ -0,0 +1,10 @@
+module "fargate" {
+  source                            = "./modules/fargate"
+  create                            = var.create_eks && var.create_eks_fargate
+  cluster_name                      = aws_eks_cluster.this[0].name
+  profiles                          = var.eks_fargate_profiles
+  subnets                           = var.subnets
+  tags                              = var.tags
+  cluster_primary_security_group_id = element(concat(aws_eks_cluster.this[*].vpc_config[0].cluster_security_group_id, list("")), 0)
+  worker_security_group_id          = local.worker_security_group_id
+}

modules/fargate/fargate.tf

@@ -0,0 +1,67 @@
+# Allow Fargate pods and EC2 workers to communicate
+
+resource "aws_security_group_rule" "eks_fargate1" {
+  count                    = var.create ? 1 : 0
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 65535
+  protocol                 = "all"
+  security_group_id        = var.worker_security_group_id
+  source_security_group_id = var.cluster_primary_security_group_id
+}
+
+resource "aws_security_group_rule" "eks_fargate2" {
+  count                    = var.create ? 1 : 0
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 65535
+  protocol                 = "all"
+  security_group_id        = var.cluster_primary_security_group_id
+  source_security_group_id = var.worker_security_group_id
+}
+
+
+# EKS Fargate Pod Execution Role
+
+data "aws_iam_policy_document" "eks_fargate_pod_assume_role" {
+  count = var.create ? 1 : 0
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks-fargate-pods.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_fargate_pod" {
+  count              = var.create ? 1 : 0
+  name               = format("%s-fargate", var.cluster_name)
+  assume_role_policy = join("", data.aws_iam_policy_document.eks_fargate_pod_assume_role.*.json)
+  tags               = merge(var.tags, { "kubernetes.io/cluster/${var.cluster_name}" = "owned" })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_fargate_pod" {
+  count      = var.create ? 1 : 0
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
+  role       = join("", aws_iam_role.eks_fargate_pod.*.name)
+}
+
+
+# EKS Fargate profiles
+
+resource "aws_eks_fargate_profile" "this" {
+  count                  = var.create ? local.profile_count : 0
+  cluster_name           = var.cluster_name
+  fargate_profile_name   = format("%s-fargate-%s", var.cluster_name, var.profiles[count.index].namespace)
+  pod_execution_role_arn = join("", aws_iam_role.eks_fargate_pod.*.arn)
+  subnet_ids             = var.subnets
+  tags                   = merge(var.tags, { "kubernetes.io/cluster/${var.cluster_name}" = "owned" })
+
+  selector {
+    namespace = var.profiles[count.index].namespace
+    labels    = var.profiles[count.index].labels
+  }
+}

modules/fargate/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  profile_count = length(var.profiles)
+}

modules/fargate/outputs.tf

@@ -0,0 +1,9 @@
+output "iam_role_name" {
+  description = "IAM role name for EKS Fargate pods"
+  value       = element(concat(aws_iam_role.eks_fargate_pod.*.name, list("")), 0)
+}
+
+output "iam_role_arn" {
+  description = "IAM role ARN for EKS Fargate pods"
+  value       = element(concat(aws_iam_role.eks_fargate_pod.*.arn, list("")), 0)
+}

modules/fargate/variables.tf

@@ -0,0 +1,39 @@
+variable "create" {
+  description = "Controls if EKS Fargate resources should be created."
+  type        = bool
+  default     = false
+}
+
+variable "cluster_name" {
+  description = "Name of parent cluster."
+  type        = string
+}
+
+variable "profiles" {
+  description = "List of EKS Fargate profiles to create."
+  type = list(object({
+    namespace = string
+    labels    = map(string)
+  }))
+  default = []
+}
+
+variable "subnets" {
+  description = "A list of subnets for the EKS Fargate profiles."
+  type        = list(string)
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources."
+  type        = map(string)
+}
+
+variable "cluster_primary_security_group_id" {
+  description = "Cluster primary security group ID created by the EKS cluster on 1.14 or later. Referred to as 'Cluster security group' in the EKS console."
+  type        = string
+}
+
+variable "worker_security_group_id" {
+  description = "Security group ID attached to the EKS workers."
+  type        = string
+}

outputs.tf

@@ -158,6 +158,16 @@ output "worker_iam_role_arn" {
   )[0]
 }
 
+output "fargate_iam_role_name" {
+  description = "IAM role name for EKS Fargate pods"
+  value       = module.fargate.iam_role_name
+}
+
+output "fargate_iam_role_arn" {
+  description = "IAM role ARN for EKS Fargate pods"
+  value       = module.fargate.iam_role_arn
+}
+
 output "node_groups" {
   description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys"
   value       = module.node_groups.node_groups

variables.tf

@@ -332,3 +332,18 @@ variable "cluster_encryption_config" {
   }))
   default = []
 }
+
+variable "create_eks_fargate" {
+  description = "Controls if EKS Fargate resources should be created"
+  type        = bool
+  default     = false
+}
+
+variable "eks_fargate_profiles" {
+  description = "EKS Fargate profiles"
+  type = list(object({
+    namespace = string
+    labels    = map(string)
+  }))
+  default = []
+}