7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,12 @@
# Changelog

## [4.3.0](https://github.com/nullplatform/tofu-modules/compare/v4.2.0...v4.3.0) (2026-06-11)


### Features

* **agent:** IAM assume-role support + multi-instance parametrization ([#386](https://github.com/nullplatform/tofu-modules/issues/386)) ([b82df52](https://github.com/nullplatform/tofu-modules/commit/b82df529244fbf85aab52a23d748ea59c31fb11e))

## [4.2.0](https://github.com/nullplatform/tofu-modules/compare/v4.1.0...v4.2.0) (2026-06-10)


2 changes: 1 addition & 1 deletion infrastructure/aws/acm/README.md
Expand Up @@ -18,7 +18,7 @@ The module creates an aws_acm_certificate resource with DNS validation, which is

```hcl
module "acm" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v4.3.0"

domain_name = "your-domain-name"
zone_id = "your-zone-id"
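Review bot: the example pins the module by git tag (`?ref=v4.3.0`), and the same one-line bump appears in every module README in this PR, jumping from v4.1.0 straight to v4.3.0 even though the changelog lists a v4.2.0 release; that gap suggests these pins are updated by hand, so consider having the release workflow rewrite them so README examples never lag the tag. Since a tag can be moved or re-pushed, it would also help consumers to mention once (top-level README is enough) that `?ref=` accepts a commit SHA for stronger pinning.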
2 changes: 1 addition & 1 deletion infrastructure/aws/aws_load_balancer_controller/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates a helm_release resource to deploy the AWS Load Balancer Cont

```hcl
module "aws_load_balancer_controller" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.3.0"

cluster_name = "your-cluster-name"
vpc_id = "your-vpc-id"
2 changes: 1 addition & 1 deletion infrastructure/aws/backend/README.md
Expand Up @@ -20,7 +20,7 @@ This module creates an S3 bucket with versioning and server-side encryption enab

```hcl
module "backend" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v4.3.0"
}
```

2 changes: 1 addition & 1 deletion infrastructure/aws/dns/README.md
Expand Up @@ -20,7 +20,7 @@ The module conditionally creates an aws_route53_zone resource for a public hoste

```hcl
module "dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.3.0"

domain_name = "your-domain-name"
vpc_id = "your-vpc-id"
2 changes: 1 addition & 1 deletion infrastructure/aws/eks/README.md
Expand Up @@ -22,7 +22,7 @@ The module wraps terraform-aws-modules/eks to create the EKS cluster (aws_eks_cl

```hcl
module "eks" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.3.0"

aws_subnets_private_ids = "your-aws-subnets-private-ids"
aws_vpc_vpc_id = "your-aws-vpc-vpc-id"
61 changes: 46 additions & 15 deletions infrastructure/aws/iam/agent/README.md
Expand Up @@ -2,24 +2,27 @@

## Description

Creates and configures IAM roles and policies for a Kubernetes cluster
Creates an IRSA-enabled IAM role with scoped policies for the nullplatform agent Kubernetes service account on EKS

## Architecture

This module creates an IAM role for a Kubernetes service account using the terraform-aws-modules/iam/aws module, and attaches policies for managing Route 53 DNS records, Elastic Load Balancing resources, EKS cluster resources, and AVP resources. The policies are created using the aws_iam_policy resource and are attached to the IAM role using the policies attribute of the iam-role-for-service-accounts module. The module also outputs the ARN of the created IAM role.
The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts submodule to create an aws_iam_role with an OIDC trust policy bound to a specific Kubernetes namespace and service account. Four aws_iam_policy resources are created for Route53, ELB, EKS, and Amazon Verified Permissions, and conditionally a fifth for sts:AssumeRole when assume_role_arns is non-empty. All policies are attached to the IAM role via the submodule's policies map, and the resulting role ARN is exposed as an output.

## Features

- Creates IAM role with OIDC provider trust for Kubernetes service account
- Configures policies for managing Route 53 DNS records and Elastic Load Balancing resources
- Supports EKS cluster resource management and AVP resource management
- Attaches additional policies to the IAM role using the additional_policies variable
- Creates an IRSA IAM role scoped to a specific Kubernetes namespace and service account via OIDC provider trust
- Attaches a Route53 policy granting DNS record management permissions for hosted zones
- Attaches an ELB policy granting describe permissions for load balancers and target groups
- Attaches an EKS policy granting read access to clusters, node groups, and addons
- Attaches an Amazon Verified Permissions (AVP) policy granting full verifiedpermissions access
- Conditionally creates and attaches an sts:AssumeRole policy when assume_role_arns is provided
- Supports attaching additional custom IAM policies via the additional_policies map

## Basic Usage

```hcl
module "agent" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.3.0"

agent_namespace = "your-agent-namespace"
aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
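Review bot: the new description calls the policies "scoped", but the feature list in the same hunk says the AVP policy grants "full verifiedpermissions access"; either scope that statement to the relevant policy store ARN(s) or drop "scoped" from the description so readers reviewing least privilege are not misled. The architecture paragraph would also be clearer if it said which of the five policies are mutating (Route53 record management, `sts:AssumeRole`) versus read-only (ELB describe, EKS read), since that distinction is what an operator approving this role will look for first.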
Expand All @@ -43,7 +46,7 @@ resource "example_resource" "this" {

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.47.0 |

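Review bot: the providers table now shows an exact pin of `6.47.0` here, while infrastructure/aws/security/README.md in this same PR changes from `~> 6.0` to `6.46.0`. These values come from each module's `required_providers` constraint, so the two modules appear to be pinned to different exact versions; align them (or use one `~>` constraint repo-wide) so a root module composing both does not hit a provider version conflict.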
## Modules

Expand All @@ -55,6 +58,7 @@ resource "example_resource" "this" {

| Name | Type |
|------|------|
| [aws_iam_policy.nullplatform_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.nullplatform_avp_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.nullplatform_eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.nullplatform_elb_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
Expand All @@ -66,8 +70,12 @@ resource "example_resource" "this" {
|------|-------------|------|---------|:--------:|
| <a name="input_additional_policies"></a> [additional\_policies](#input\_additional\_policies) | Additional policy ARNs to attach to the agent role | `map(string)` | `{}` | no |
| <a name="input_agent_namespace"></a> [agent\_namespace](#input\_agent\_namespace) | Namespace where the agent runs | `string` | n/a | yes |
| <a name="input_assume_role_arns"></a> [assume\_role\_arns](#input\_assume\_role\_arns) | List of IAM role ARNs the agent is allowed to assume via sts:AssumeRole | `list(string)` | `[]` | no |
| <a name="input_aws_iam_openid_connect_provider_arn"></a> [aws\_iam\_openid\_connect\_provider\_arn](#input\_aws\_iam\_openid\_connect\_provider\_arn) | ARN of the AWS IAM OIDC provider for EKS service account authentication | `string` | n/a | yes |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster where the policy runs | `string` | n/a | yes |
| <a name="input_policies_name_prefix"></a> [policies\_name\_prefix](#input\_policies\_name\_prefix) | Override for IAM policy name prefix. Defaults to nullplatform\_{cluster\_name} | `string` | `""` | no |
| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Override for the IAM role name. Defaults to nullplatform-{cluster\_name}-agent-role | `string` | `""` | no |
| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | Kubernetes service account name trusted by the IRSA role | `string` | `"nullplatform-agent"` | no |

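Review bot: `assume_role_arns` is accepted as a bare `list(string)` with no validation shown; add a `validation` block that rejects `*` and any value not of the form `arn:aws:iam::<account>:role/...`, because an `sts:AssumeRole` statement with a wildcard resource would let the agent assume any role whose trust policy names it. The description should also say that each target role's trust policy must allow this role (the `nullplatform_agent_role_arn` output) as a principal, otherwise the identity-side policy alone grants nothing. Separately, the `role_name` and `policies_name_prefix` defaults embed `cluster_name`, so with the multi-instance usage this PR targets, two instances in one cluster that leave the overrides empty will collide on IAM names; one sentence in the descriptions would save operators that apply-time error.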
## Outputs

Expand All @@ -79,13 +87,16 @@ resource "example_resource" "this" {
<!-- BEGIN_AI_METADATA
{
"name": "agent",
"description": "Creates and configures IAM roles and policies for a Kubernetes cluster",
"architecture": "This module creates an IAM role for a Kubernetes service account using the terraform-aws-modules/iam/aws module, and attaches policies for managing Route 53 DNS records, Elastic Load Balancing resources, EKS cluster resources, and AVP resources. The policies are created using the aws_iam_policy resource and are attached to the IAM role using the policies attribute of the iam-role-for-service-accounts module. The module also outputs the ARN of the created IAM role.",
"description": "Creates an IRSA-enabled IAM role with scoped policies for the nullplatform agent Kubernetes service account on EKS",
"architecture": "The module uses the terraform-aws-modules/iam//modules/iam-role-for-service-accounts submodule to create an aws_iam_role with an OIDC trust policy bound to a specific Kubernetes namespace and service account. Four aws_iam_policy resources are created for Route53, ELB, EKS, and Amazon Verified Permissions, and conditionally a fifth for sts:AssumeRole when assume_role_arns is non-empty. All policies are attached to the IAM role via the submodule's policies map, and the resulting role ARN is exposed as an output.",
"features": [
"Creates IAM role with OIDC provider trust for Kubernetes service account",
"Configures policies for managing Route 53 DNS records and Elastic Load Balancing resources",
"Supports EKS cluster resource management and AVP resource management",
"Attaches additional policies to the IAM role using the additional_policies variable"
"Creates an IRSA IAM role scoped to a specific Kubernetes namespace and service account via OIDC provider trust",
"Attaches a Route53 policy granting DNS record management permissions for hosted zones",
"Attaches an ELB policy granting describe permissions for load balancers and target groups",
"Attaches an EKS policy granting read access to clusters, node groups, and addons",
"Attaches an Amazon Verified Permissions (AVP) policy granting full verifiedpermissions access",
"Conditionally creates and attaches an sts:AssumeRole policy when assume_role_arns is provided",
"Supports attaching additional custom IAM policies via the additional_policies map"
],
"inputs": [
{
Expand All @@ -103,15 +114,35 @@ resource "example_resource" "this" {
"description": "Name of the cluster where the policy runs",
"required": true
},
{
"name": "assume_role_arns",
"description": "List of IAM role ARNs the agent is allowed to assume via sts:AssumeRole",
"required": false
},
{
"name": "additional_policies",
"description": "Additional policy ARNs to attach to the agent role",
"required": false
},
{
"name": "service_account_name",
"description": "Kubernetes service account name trusted by the IRSA role",
"required": false
},
{
"name": "role_name",
"description": "Override for the IAM role name. Defaults to nullplatform-{cluster_name}-agent-role",
"required": false
},
{
"name": "policies_name_prefix",
"description": "Override for IAM policy name prefix. Defaults to nullplatform_{cluster_name}",
"required": false
}
],
"outputs": [
"nullplatform_agent_role_arn"
],
"hash": "7e0c149a7a37463a4040cfb993cbb71f"
"hash": "5142461751e55436dbc95fa82a376955"
}
END_AI_METADATA -->
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ This module creates an IAM role for the AWS Load Balancer Controller using the t

```hcl
module "aws_load_balancer_controller_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.3.0"

aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
cluster_name = "your-cluster-name"
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/cert_manager/README.md
Expand Up @@ -21,7 +21,7 @@ An aws_iam_policy is created granting Route53 permissions (GetChange, ChangeReso

```hcl
module "cert_manager" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.3.0"

aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
cluster_name = "your-cluster-name"
6 changes: 1 addition & 5 deletions infrastructure/aws/iam/ecr/README.md
Expand Up @@ -21,7 +21,7 @@ The module creates two aws_iam_role resources (an application role with a config

```hcl
module "ecr" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.3.0"

cluster_name = "your-cluster-name"
}
Expand Down Expand Up @@ -53,11 +53,8 @@ resource "example_resource" "this" {
| [aws_iam_access_key.nullplatform_build_workflow_user_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_group.nullplatform_ecr_managers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
| [aws_iam_group_policy_attachment.ecr_manager_policy_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_policy.ecr_cross_account_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.nullplatform_ecr_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.ecr_cross_account_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.nullplatform_application_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ecr_cross_account_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ecr_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_user.nullplatform_build_workflow_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_group_membership.build_workflow_ecr_managers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership) | resource |
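Review bot: this hunk drops `aws_iam_policy.ecr_cross_account_pull`, `aws_iam_role.ecr_cross_account_pull` and `aws_iam_role_policy_attachment.ecr_cross_account_pull` from the generated resource list, which has nothing to do with the agent assume-role feature in the changelog entry; confirm whether the ECR module's cross-account pull role was really removed in this PR or whether a terraform-docs run against a stale checkout overwrote another change.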
Expand All @@ -79,7 +76,6 @@ resource "example_resource" "this" {
| <a name="output_application_role_arn"></a> [application\_role\_arn](#output\_application\_role\_arn) | ARN of the IAM role used by applications to pull ECR images |
| <a name="output_build_workflow_access_key_id"></a> [build\_workflow\_access\_key\_id](#output\_build\_workflow\_access\_key\_id) | Access key ID for the CI/CD build workflow IAM user |
| <a name="output_build_workflow_access_key_secret"></a> [build\_workflow\_access\_key\_secret](#output\_build\_workflow\_access\_key\_secret) | Secret access key for the CI/CD build workflow IAM user |
| <a name="output_cross_account_pull_role_arn"></a> [cross\_account\_pull\_role\_arn](#output\_cross\_account\_pull\_role\_arn) | ARN of the IAM role that cross-account principals can assume to pull ECR images. Empty string when enable\_cross\_account\_pull is false. |
| <a name="output_ecr_repository_policy"></a> [ecr\_repository\_policy](#output\_ecr\_repository\_policy) | ECR repository policy JSON granting pull access to the configured cross-account IDs. Empty string when enable\_cross\_account\_pull is false. |
<!-- END_TF_DOCS -->
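Review bot: removing the `cross_account_pull_role_arn` output is a breaking change for any root module that references it, yet the surviving `ecr_repository_policy` output still says "Empty string when enable_cross_account_pull is false", so the variable and feature appear to remain; if the role was intentionally removed, list it as a breaking change in CHANGELOG.md (under semver that is a major bump, not 4.3.0) and update the `ecr_repository_policy` description, and if it was not, regenerate this README.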

2 changes: 1 addition & 1 deletion infrastructure/aws/iam/external_dns/README.md
Expand Up @@ -21,7 +21,7 @@ The module creates an aws_iam_policy granting Route53 permissions scoped to the

```hcl
module "external_dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.3.0"

aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
cluster_name = "your-cluster-name"
2 changes: 1 addition & 1 deletion infrastructure/aws/iam/s3/README.md
Expand Up @@ -19,7 +19,7 @@ The module creates an aws_s3_bucket_policy resource attached to an existing S3 b

```hcl
module "s3" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v4.3.0"

bucket_arn = "your-bucket-arn"
bucket_id = "your-bucket-id"
2 changes: 1 addition & 1 deletion infrastructure/aws/ingress/README.md
Expand Up @@ -22,7 +22,7 @@ The module creates up to two kubernetes_ingress_v1 resources — one for an inte

```hcl
module "ingress" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v4.3.0"

certificate_arn = "your-certificate-arn"
}
4 changes: 2 additions & 2 deletions infrastructure/aws/security/README.md
Expand Up @@ -22,7 +22,7 @@ The module uses data sources (aws_eks_cluster, aws_vpc) to derive VPC ID and CID

```hcl
module "security" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.3.0"

cluster_name = "your-cluster-name"
}
Expand All @@ -48,7 +48,7 @@ resource "example_resource" "this" {

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 6.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.46.0 |

## Resources

2 changes: 1 addition & 1 deletion infrastructure/aws/vpc/README.md
Expand Up @@ -22,7 +22,7 @@ This module creates a terraform-aws-modules/vpc/aws module resource with DNS hos

```hcl
module "vpc" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.3.0"

account = "your-account"
organization = "your-organization"
2 changes: 1 addition & 1 deletion infrastructure/azure/acr/README.md
Expand Up @@ -18,7 +18,7 @@ The module uses the azurerm_container_registry resource to create the container

```hcl
module "acr" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v4.3.0"

containerregistry_name = "your-containerregistry-name"
location = "your-location"
2 changes: 1 addition & 1 deletion infrastructure/azure/aks/README.md
Expand Up @@ -22,7 +22,7 @@ The module wraps the Azure/aks/azurerm community module (version 11.0.0) and use

```hcl
module "aks" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v4.3.0"

cluster_name = "your-cluster-name"
location = "your-location"
2 changes: 1 addition & 1 deletion infrastructure/azure/aks_route_table/README.md
Expand Up @@ -19,7 +19,7 @@ The module uses an azurerm_resources data source to discover the route table cre

```hcl
module "aks_route_table" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v4.3.0"

node_resource_group = "your-node-resource-group"
subnet_id = "your-subnet-id"
2 changes: 1 addition & 1 deletion infrastructure/azure/dns/README.md
Expand Up @@ -18,7 +18,7 @@ This module creates an azurerm_dns_zone resource and configures it with the prov

```hcl
module "dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v4.3.0"

domain_name = "your-domain-name"
resource_group_name = "your-resource-group-name"
2 changes: 1 addition & 1 deletion infrastructure/azure/iam/README.md
Expand Up @@ -21,7 +21,7 @@ The module creates an azurerm_user_assigned_identity resource in the specified r

```hcl
module "iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v4.1.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v4.3.0"

location = "your-location"
name = "your-name"