The capability sub-module creates the AWS resources required to install an EKS Capability onto an existing cluster. EKS Capabilities are AWS-managed add-ons that integrate popular open-source tools directly into EKS.

Supported capability types

| Type | Description |
| --- | --- |
| ACK | AWS Controllers for Kubernetes — manage AWS services via Kubernetes custom resources |
| ARGOCD | Argo CD — GitOps continuous delivery with AWS Identity Center (SSO) integration |
| KRO | Kubernetes Resource Orchestrator — compose and deploy complex Kubernetes resource groups |

Usage

module "ack_eks_capability" {
  source  = "terraform-aws-modules/eks/aws//modules/capability"
  version = "~> 21.0"

  type         = "ACK"
  cluster_name = module.eks.cluster_name

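  # IAM Role/Policy
  # Note: AdministratorAccess gives the capability role full access to the account.
  # Prefer a policy scoped to the services the capability manages.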
  iam_role_policies = {
    AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

Key inputs

type (string, required): The capability type. Valid values: ACK, ARGOCD, KRO.
cluster_name (string, required): The name of the EKS cluster to install the capability on.
create (bool, default: true): Controls whether resources are created. Set to false to disable the module without removing it from configuration.
configuration (object, default: null): Capability-specific configuration. Currently only used for ARGOCD type.
name (string, default: ""): Name for the capability. Defaults to an empty string (uses module key).
region (string, default: null): AWS region. Defaults to the provider region.

IAM role inputs

iam_role_policies (map(string), default: {}): Map of IAM managed policy ARNs to attach to the capability IAM role. Key is a static label; value is the policy ARN.
iam_policy_statements (map(object)): Map of inline IAM policy statements to create and attach to the capability IAM role.
iam_role_name (string, default: null): Override name for the IAM role. Defaults to a name derived from the capability type and cluster name.
iam_role_use_name_prefix (bool, default: true): Whether to use iam_role_name as a name prefix.
iam_role_permissions_boundary_arn (string, default: null): ARN of a permissions boundary policy to attach to the IAM role.
tags (map(string), default: {}): Map of tags to apply to all resources created.
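
The Usage example attaches AdministratorAccess to the capability role. The following is an added example, not taken from the module's own documentation, showing the same ACK capability with a customer-managed policy passed through iam_role_policies and a permissions boundary set through iam_role_permissions_boundary_arn. It assumes ACK is used only to manage S3 buckets named dev-ack-*; the action list, the policy and bucket names, and the boundary ARN are illustrative placeholders.

```hcl
# Added example (not the module's own code).
# Assumption: ACK on this cluster only manages S3 buckets named dev-ack-*.
# The action list is illustrative; derive the real one from the controllers in use.
data "aws_iam_policy_document" "ack_s3" {
  statement {
    sid    = "ManageAckBuckets"
    effect = "Allow"
    actions = [
      "s3:CreateBucket",
      "s3:DeleteBucket",
      "s3:ListBucket",
      "s3:GetBucket*",
      "s3:PutBucket*",
    ]
    resources = ["arn:aws:s3:::dev-ack-*"]
  }
}

resource "aws_iam_policy" "ack_s3" {
  name_prefix = "ack-s3-scoped-"
  policy      = data.aws_iam_policy_document.ack_s3.json
}

module "ack_eks_capability" {
  source  = "terraform-aws-modules/eks/aws//modules/capability"
  version = "~> 21.0"

  type         = "ACK"
  cluster_name = module.eks.cluster_name

  # Static label as key, policy ARN as value: replaces AdministratorAccess.
  iam_role_policies = {
    AckS3Scoped = aws_iam_policy.ack_s3.arn
  }

  # Caps what any policy attached to the role can grant.
  # Placeholder ARN: substitute the boundary policy used in your account.
  iam_role_permissions_boundary_arn = "arn:aws:iam::111122223333:policy/ExamplePermissionsBoundary"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Running terraform plan against this configuration should show a single policy attachment on the capability role plus the permissions boundary, which is a quick way to confirm no broader policy is still attached.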

Outputs

arn (string): The ARN of the EKS Capability.
version (string): The version of the installed EKS Capability.
argocd_server_url (string): URL of the Argo CD server. Only populated when type = "ARGOCD".
iam_role_name (string): The name of the IAM role created for the capability.
iam_role_arn (string): The ARN of the IAM role created for the capability.
iam_role_unique_id (string): Stable and unique string identifying the IAM role.

Notes

The capability sub-module requires the EKS cluster to be active before installing capabilities. Ensure the root module.eks is created before referencing module.eks.cluster_name in the capability module.
For ARGOCD type, your AWS account must have AWS Identity Center (IAM Identity Center / SSO) enabled. The idc_instance_arn must match the region where your Identity Center is configured (typically us-east-1).
