From a8d2c542c3c736086b27d64d632877d0c45416b3 Mon Sep 17 00:00:00 2001
From: Drew Paettie
Date: Wed, 20 Aug 2025 20:22:59 -0700
Subject: [PATCH 1/3] feat: optional pod_identity_association for eks_addons

---
 main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/main.tf b/main.tf
index d324bd30..32067c18 100644
--- a/main.tf
+++ b/main.tf
@@ -2236,6 +2236,15 @@ resource "aws_eks_addon" "this" {
 resolve_conflicts_on_update = try(each.value.resolve_conflicts, "OVERWRITE")
 service_account_role_arn = try(each.value.service_account_role_arn, null)
 
+ dynamic "pod_identity_association" {
+ for_each = try(each.value.pod_identity_association, [])
+
+ content {
+ role_arn = pod_identity_association.value.role_arn
+ service_account = pod_identity_association.value.service_account
+ }
+ }
+
 timeouts {
 create = try(each.value.timeouts.create, var.eks_addons_timeouts.create, null)
 update = try(each.value.timeouts.update, var.eks_addons_timeouts.update, null)

From ca8cf5f0b9435d482f2379531d00c2be5700a066 Mon Sep 17 00:00:00 2001
From: Drew Paettie
Date: Wed, 20 Aug 2025 20:38:27 -0700
Subject: [PATCH 2/3] docs: pod_identity_association for eks_addons

---
 docs/amazon-eks-addons.md | 43 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/docs/amazon-eks-addons.md b/docs/amazon-eks-addons.md
index e0ae00c1..a0e23804 100644
--- a/docs/amazon-eks-addons.md
+++ b/docs/amazon-eks-addons.md
@@ -39,6 +39,11 @@ module "eks_blueprints_addons" {
 resolve_conflicts_on_create = string # defaults to `OVERWRITE`
 resolve_conflicts_on_update = string # defaults to `OVERWRITE`
 
+ pod_identity_association = list(object({ # Optional, defaults to []
+ role_arn = string
+ service_account = string
+ }))
+
 timeouts = {
 create = string # optional
 update = string # optional
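Review bot: The new `dynamic "pod_identity_association"` block grants an IAM role to a Kubernetes service account but carries no comment, and `for_each = try(each.value.pod_identity_association, [])` means a mistyped key silently produces no association instead of an error — consistent with the sibling `try()` lookups above, but worth stating for a privilege-granting setting. Suggest a comment on the block: `# Each entry binds role_arn to service_account via EKS Pod Identity; the eks-pod-identity-agent add-on must be installed for pods to receive credentials, and an unrecognised key name is silently ignored by try().` Since `service_account_role_arn` (IRSA) on the line above can be set on the same add-on, an entry here may name a different role for the same service account, and which one a pod ends up using would then depend on the SDK credential chain, so the variable description should tell callers not to mix the two for one add-on. The `eks_addons` variable's type and description live outside this patch and should document the new key and the agent prerequisite; the enclosing `resource "aws_eks_addon" "this"` block starts and ends outside the hunk.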
@@ -366,3 +371,41 @@ module "eks_blueprints_addons" {
 })
 }
 ```
+
+### EKS Pod Identity
+
+Several addons can use the [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) feature to provide IAM roles to pods.
+For example, the [CloudWatch Observability add-on](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html#install-CloudWatch-Observability-EKS-pod-identity)
+ can optionally use Pod Identities instead of an IRSA, as shown below:
+
+
```hcl
+module "eks_blueprints_addons" {
+ source = "aws-ia/eks-blueprints-addons/aws"
+
+ # ... truncated for brevity
+
+ eks_addons = {
+ # required for the pod identity feature
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
+
+ amazon-cloudwatch-observability = {
+ most_recent = true
+ pod_identity_association = [
+ {
+ role_arn = module.aws_cloudwatch_observability_pod_identity.iam_role_arn
+ service_account = "cloudwatch-agent"
+ }
+ ]
+ }
+ }
+}
+
+module "aws_cloudwatch_observability_pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ name = "aws-cloudwatch-observability"
+ attach_aws_cloudwatch_observability_policy = true
+}
```

From 5bd180e3614bf1b89c3d3848ed626104b9a1fae3 Mon Sep 17 00:00:00 2001
From: Drew Paettie
Date: Wed, 20 Aug 2025 22:53:24 -0700
Subject: [PATCH 3/3] chore: vpc-cni pod-identity test

---
 tests/complete/README.md | 1 +
 tests/complete/main.tf | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/tests/complete/README.md b/tests/complete/README.md
index fa8fe65c..d3a6720b 100644
--- a/tests/complete/README.md
+++ b/tests/complete/README.md
@@ -48,6 +48,7 @@ terraform destroy
 
 | Name | Source | Version |
 |------|--------|---------|
+| [aws\_vpc\_cni\_ipv4\_pod\_identity](#module\_aws\_vpc\_cni\_ipv4\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.12.1 |
 | [ebs\_csi\_driver\_irsa](#module\_ebs\_csi\_driver\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
 | [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 20.26 |
 | [eks\_blueprints\_addons](#module\_eks\_blueprints\_addons) | ../../ | n/a |
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 8da0ce05..5bac40b4 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -86,8 +86,18 @@ module "eks_blueprints_addons" {
 }
 vpc-cni = {
 most_recent = true
+ pod_identity_association = [
+ {
+ role_arn = module.aws_vpc_cni_ipv4_pod_identity.iam_role_arn
+ service_account = "aws-node"
+ }
+ ]
 }
 kube-proxy = {}
+ # required for the pod identity feature
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
 }
 
 enable_aws_efs_csi_driver = true
@@ -361,3 +371,15 @@ module "ebs_csi_driver_irsa" {
 
 tags = local.tags
 }
+
+module "aws_vpc_cni_ipv4_pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ # Note 2.0 requires AWS provider 6, locking to last version before 2.0 until test migrated to AWS provider 6
+ version = "~> 1.12.1"
+
+ name = "aws-vpc-cni-ipv4"
+
+ attach_aws_vpc_cni_policy = true
+ aws_vpc_cni_enable_ipv4 = true
+
+}
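Review bot: The vpc-cni entry binds `aws-node` to `module.aws_vpc_cni_ipv4_pod_identity.iam_role_arn`, but nothing in the hunk shows that the node instance role no longer carries the CNI permissions, so if the `eks` module (outside this hunk, presumably via its node-group `iam_role_attach_cni_policy` default) still attaches the CNI policy to the node role, `aws-node` works with or without the association and the test does not actually prove that pod identity is in effect. Either drop the CNI policy from the node role in this test or make the scope explicit with a comment such as `# aws-node also holds CNI permissions via the node role here; this only exercises that the association is created`. `eks-pod-identity-agent` is also listed after `vpc-cni` with no dependency between them; if the association is created before the agent DaemonSet is running, `aws-node` may start without pod-identity credentials on first rollout, so a comment is warranted if that ordering has been verified. The enclosing `module "eks_blueprints_addons"` block starts and ends outside the hunk.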
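Review bot: The comment on the new `module "aws_vpc_cni_ipv4_pod_identity"` says the intent is to lock to the last version before 2.0, but `version = "~> 1.12.1"` only admits 1.12.x patch releases, so any later 1.x release would be excluded; either widen it to `version = "~> 1.12"` (>= 1.12, < 2.0) or reword the comment to `# Pinned to the 1.12.x line: 2.0 requires AWS provider 6; move once this test is on provider 6`. The row added in the tests/complete/README.md hunk above must agree with whichever constraint is chosen. A one-line purpose comment on the module call, e.g. `# IAM role assumed by the vpc-cni add-on's aws-node service account via Pod Identity`, would also tie it to the association it backs.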