WIP refactor: switch to universal addon

[matejhasul]

Description

Replace template addon with universal addon

Type of change

• A bug fix (PR prefix fix)
• A new feature (PR prefix feat)
• A code change that neither fixes a bug nor adds a feature (PR prefix refactor)
• Adding missing tests or correcting existing tests (PR prefix test)
• Changes that do not affect the meaning of the code like white-spaces, formatting, missing semi-colons, etc. (PR prefix style)
• Changes to our CI configuration files and scripts (PR prefix ci)
• Documentation only changes (PR prefix docs)

How Has This Been Tested?

TBD

Tasks:

• Impove examples
• Add irsa and pod identity to examples
• Doc updates
• README update
• Support pod identity
• Testing
• Separate crds installation? - not possible
• Modify variables.tf? - not needed
• Modify .templatesyncignore
• Modify main.tf
• add support for pod identity to universal addon - skipped in the end
• decide how to load iam policy (json file, aws_iam_document, ...)

[jaygridley]

IMHO this should be aws-load-balancer-controller according to

terraform-aws-eks-load-balancer-controller/variables.tf

Line 31 in 40a0fee

default = "aws-load-balancer-controller"

[matejhasul]

Fixed.

[jaygridley]

Regarding using plain JSON file for the policy, I will come to this later. Need to evaluate pros and cons.

[matejhasul]

As agreed, I'm using policy from aws_iam_policy_document datasource. Defined in default_policy.tf file. Is it ok to use it that way? Or should I put it somewhere else?

[jaygridley]

As we discussed we would like to retain EKS Pod Identity support.

[jaygridley]

I would name the file iam.tf as per our convention.

[matejhasul]

fixed.

[jaygridley]

Suggested change

	data "aws_iam_policy_document" "default_policy" {
	data "aws_iam_policy_document" "this" { # or `controller`

We tend to name TF resources that are used only once using this. If there are multiple instances then name it accordingly. In this case this should work.

[jaygridley]

Also, we should add a condition using count = var.enabled && var.irsa_policy == null to prevent unnecessary creation of this when it wont be used after all.

[matejhasul]

Using this with condition as suggested.

[sassdavid]

Hi,

sorry for jumping in here — I just noticed that you’ve recently started using asdf.

Have you heard about mise?
It’s more than just a tool manager; it’s a complete solution for managing your development environment smoothly.

While it primarily helps you manage different versions of various tools — like asdf — it also allows you to manage environment variables and run tasks, making it much more than just a tool installer.
Additionally, mise addresses some of the supply chain risks present in asdf. With asdf, you're often relying on third-party plugins that may execute untrusted code on your system. mise improves on this by using trusted "backends" like the aqua registry and ubi to install tools. When it does need to fall back to the traditional asdf plugin system, it uses forks of those plugins maintained by the mise team, aiming to ensure they are handled more strictly and securely.
It also supports using precompiled binaries for most tools — for example, if your system supports it, you can install a precompiled Python version, saving time and avoiding unnecessary builds.

Please take a look and consider using mise instead of asdf.
You can find more details here and here.

You can also find a more detailed comparison here.