AWS EKS Addons
GitHub: clouddrove/terraform-aws-eks-addons →
A single Terraform module that manages 31 production-grade EKS add-ons. Each add-on is a boolean toggle — set it to true and the module installs the Helm chart, creates the IRSA role (where required), and wires everything together.
```hcl
module "eks_addons" {
  source = "git::https://github.com/clouddrove/terraform-aws-eks-addons.git?ref=0.0.7"

  eks_cluster_name    = module.eks.cluster_name
  data_plane_wait_arn = module.eks.data_plane_wait_arn

  metrics_server               = true
  cluster_autoscaler           = true
  aws_load_balancer_controller = true
  external_secrets             = true
  certification_manager        = true
}
```
Requirements

| Requirement | Version |
|---|---|
| Terraform | ≥ 1.0.0 |
| AWS provider | ≥ 3.72 |
| Helm provider | required |
Add-on Reference
Autoscaling
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| Metrics Server | metrics_server | — | Kubernetes resource metrics API — required for HPA and kubectl top |
| Cluster Autoscaler | cluster_autoscaler | ✓ | Scales node groups up/down based on pending pods |
| Karpenter | karpenter | ✓ | High-performance, flexible node provisioner — alternative to Cluster Autoscaler |
| KEDA | keda | — | Event-driven autoscaler — scale deployments based on Kafka, SQS, Redis, and 60+ other sources |
| Node Termination Handler | aws_node_termination_handler | — | Gracefully drains nodes before Spot interruptions and scheduled maintenance |
Networking & Ingress
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| AWS Load Balancer Controller | aws_load_balancer_controller | ✓ | Manages ALBs and NLBs for Kubernetes Ingress and Service resources |
| Ingress Nginx | ingress_nginx | — | NGINX-based ingress controller — alternative to ALB Ingress |
| External DNS | external_dns | ✓ | Automatically creates Route 53 DNS records for Kubernetes Services and Ingresses |
| cert-manager | certification_manager | — | Automatically provisions and renews TLS certificates via Let's Encrypt |
Service Mesh
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| Istio Ingress | istio_ingress | — | Istio service mesh ingress gateway — requires aws_load_balancer_controller |
| Kiali | kiali_server | — | Service mesh observability dashboard — requires istio_ingress |
| Calico / Tigera | calico_tigera | — | Network policy engine and eBPF dataplane |
Storage & Backup
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| EFS CSI Driver | aws_efs_csi_driver | ✓ | Mount Amazon EFS volumes as Kubernetes PersistentVolumes |
| EBS CSI Driver | aws_ebs_csi_driver | ✓ | Mount Amazon EBS volumes with full lifecycle management |
| Velero | velero | ✓ | Backup and restore Kubernetes resources and persistent volumes to S3 |
| Redis | redis | — | In-cluster Redis for caching and session storage |
Observability
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| Prometheus | prometheus | — | Metrics collection and alerting |
| Grafana | grafana | — | Metrics dashboards — requires aws_load_balancer_controller |
| Loki | loki | — | Log aggregation — pairs with Grafana |
| FluentBit | fluent_bit | ✓ | Log processor and forwarder to CloudWatch, Elasticsearch, or Loki |
| Filebeat | filebeat | — | Lightweight log shipper to Elasticsearch / Logstash |
| Kube State Metrics | kube_state_metrics | — | Kubernetes object metrics for Prometheus |
| Prometheus CloudWatch Exporter | prometheus_cloudwatch_exporter | ✓ | Exports AWS CloudWatch metrics into Prometheus |
| New Relic | new_relic | — | Full-stack observability via New Relic agent |
| Jaeger | jaeger | — | Distributed tracing |
| AWS X-Ray | aws_xray | ✓ | AWS-native distributed tracing |
| Pod Restart Info Collector | k8s_pod_restart_info_collector | — | Alerts on pod restarts with context (OOMKilled, CrashLoopBackOff, etc.) |
Security & Secrets
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| External Secrets | external_secrets | ✓ | Syncs secrets from AWS Secrets Manager and SSM Parameter Store into Kubernetes Secrets |
| KubeClarity | kubeclarity | — | Runtime vulnerability scanning for container images |
CI/CD & Utilities
| Add-on | Variable | IRSA | Description |
|---|---|---|---|
| Actions Runner Controller | actions_runner_controller | — | Self-hosted GitHub Actions runners on Kubernetes — requires certification_manager |
| Reloader | reloader | — | Automatically rolls Deployments when ConfigMaps or Secrets change |
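Several add-ons in the tables above only work when another toggle is also on: istio_ingress and grafana need aws_load_balancer_controller, kiali_server needs istio_ingress, and actions_runner_controller needs certification_manager. The snippet below is an added example for the calling root module, not code from the module or from clouddrove: it collects the toggles in one object variable (the name "addons" is an assumption) so that validation blocks reject an inconsistent combination at plan time instead of leaving a half-installed gateway or runner controller behind. Only the toggle names come from the tables; the module label and the module.eks references follow the usage block at the top of the page.

```hcl
# Added example (not part of the module's own code). One object variable holds the
# add-on toggles; validation blocks enforce the prerequisites stated in the
# add-on reference tables. Variable name "addons" is an assumption.
variable "addons" {
  type = object({
    aws_load_balancer_controller = bool
    certification_manager        = bool
    istio_ingress                = bool
    kiali_server                 = bool
    grafana                      = bool
    actions_runner_controller    = bool
  })

  # Constructed default: a consistent set that passes every check below.
  default = {
    aws_load_balancer_controller = true
    certification_manager        = true
    istio_ingress                = true
    kiali_server                 = true
    grafana                      = true
    actions_runner_controller    = false
  }

  # istio_ingress and grafana both require the AWS Load Balancer Controller.
  validation {
    condition     = !(var.addons.istio_ingress || var.addons.grafana) || var.addons.aws_load_balancer_controller
    error_message = "istio_ingress and grafana require aws_load_balancer_controller = true."
  }

  # Kiali dashboards are served through the Istio ingress gateway.
  validation {
    condition     = !var.addons.kiali_server || var.addons.istio_ingress
    error_message = "kiali_server requires istio_ingress = true."
  }

  # Actions Runner Controller needs cert-manager (module variable certification_manager).
  validation {
    condition     = !var.addons.actions_runner_controller || var.addons.certification_manager
    error_message = "actions_runner_controller requires certification_manager = true."
  }
}

module "eks_addons" {
  source = "git::https://github.com/clouddrove/terraform-aws-eks-addons.git?ref=0.0.7"

  eks_cluster_name    = module.eks.cluster_name
  data_plane_wait_arn = module.eks.data_plane_wait_arn

  aws_load_balancer_controller = var.addons.aws_load_balancer_controller
  certification_manager        = var.addons.certification_manager
  istio_ingress                = var.addons.istio_ingress
  kiali_server                 = var.addons.kiali_server
  grafana                      = var.addons.grafana
  actions_runner_controller    = var.addons.actions_runner_controller
}
```

Because the validation blocks reference only var.addons, they work on Terraform 1.0, matching the version floor in the requirements table; a misconfigured set (for example kiali_server = true with istio_ingress = false) fails at terraform plan with the matching error message.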
IRSA Add-ons
The following add-ons create an IAM Role for Service Accounts (IRSA) automatically. The table lists the permission scope each role is granted by default. You can replace that policy with your own JSON policy document by setting <addon>_iampolicy_json_content, where <addon> is the add-on's variable name from the tables above:
| Add-on | Default permission scope |
|---|---|
| Cluster Autoscaler | EC2 DescribeAutoScalingGroups, SetDesiredCapacity |
| AWS Load Balancer Controller | EC2, ELBv2, WAFv2, Shield |
| EFS CSI Driver | EFS — DescribeMountTargets, CreateAccessPoint |
| EBS CSI Driver | EC2 volumes — CreateVolume, AttachVolume, DeleteVolume |
| Karpenter | EC2 — RunInstances, TerminateInstances, full fleet management |
| External Secrets | SecretsManager GetSecretValue, SSM GetParameter |
| FluentBit | CloudWatch Logs — CreateLogGroup, PutLogEvents |
| Velero | S3 + EC2 snapshots |
| External DNS | Route 53 ChangeResourceRecordSets |
| AWS X-Ray | xray:PutTraceSegments, xray:PutTelemetryRecords |
| Prometheus CloudWatch Exporter | CloudWatch GetMetricData, ListMetrics |
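The default scopes above grant each role the listed actions across the account; the override variable is the place to narrow them to the resources the workload actually reads. The following is an added example for the calling root module, not code from the module or from clouddrove. It scopes the External Secrets role to one Secrets Manager name prefix and one Parameter Store path, keeping to the two actions the table lists for that add-on. The variable name external_secrets_iampolicy_json_content is an assumption derived from the <addon>_iampolicy_json_content pattern stated above; the "prod/" prefix and "/prod/" path are constructed placeholders.

```hcl
# Added example (not part of the module's own code). Narrows the External Secrets
# IRSA policy from the account-wide default to one secret prefix and one parameter
# path. external_secrets_iampolicy_json_content is assumed from the
# <addon>_iampolicy_json_content pattern; the prefix and path are placeholders.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Placeholders: only secrets and parameters under these names become readable.
  secret_prefix  = "prod/"
  parameter_path = "/prod/"

  secret_arn_scope = "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.secret_prefix}*"
  ssm_arn_scope    = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.parameter_path}*"
}

# Same two actions as the default scope in the table, but resource-restricted.
data "aws_iam_policy_document" "external_secrets" {
  statement {
    sid       = "ReadScopedSecrets"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [local.secret_arn_scope]
  }

  statement {
    sid       = "ReadScopedParameters"
    effect    = "Allow"
    actions   = ["ssm:GetParameter"]
    resources = [local.ssm_arn_scope]
  }
}

module "eks_addons" {
  source = "git::https://github.com/clouddrove/terraform-aws-eks-addons.git?ref=0.0.7"

  eks_cluster_name    = module.eks.cluster_name
  data_plane_wait_arn = module.eks.data_plane_wait_arn

  external_secrets                        = true
  external_secrets_iampolicy_json_content = data.aws_iam_policy_document.external_secrets.json
}
```

After apply, confirm the role attached to the external-secrets service account carries only the two scoped statements (for example by reading the role's inline policy in the IAM console or with the AWS CLI) before pointing ExternalSecret resources at it; any secret outside the prefix will then fail to sync, which is the intended signal that a workload is asking for more than it was granted.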