11 changes: 6 additions & 5 deletions README.md
@@ -1,13 +1,12 @@
# terraform-aws-eks-basic

> **⚠️ Note**: This module supports **EC2 managed node groups** and **EKS Auto Mode**. Fargate is not available in this version.

A Terraform module for creating and managing Amazon EKS (Elastic Kubernetes Service) clusters with EC2 managed node groups and optional EKS Auto Mode.
A Terraform module for creating and managing Amazon EKS (Elastic Kubernetes Service) clusters with EC2 managed node groups, optional EKS Auto Mode, and optional Fargate profiles.

## Features

- **EC2 Managed Node Groups**: Full support with customizable launch templates and auto-scaling
- **EKS Auto Mode**: Optional; compute is auto-provisioned by AWS (no managed node groups; built-in node pools). Mutually exclusive with `eks_managed_node_groups`.
- **Fargate profiles**: Optional via `fargate_profiles`; shared pod execution role (create or bring-your-own ARN), profiles, and optional API access entry (`create_fargate_access_entry`, `fargate_access_entry_type`). IAM options: `fargate_pod_execution_role_name`, `path`, `permissions_boundary`. See `examples/eks-fargate`.
- **Dual-Stack Support**: IPv4 and IPv6 cluster support (IPv6 service CIDR auto-assigned by AWS)
- **Modern EKS Access Entries**: Native EKS authentication via access entries (no aws-auth ConfigMap)
- **IRSA and Pod Identity**: OIDC provider for IAM Roles for Service Accounts (IRSA); optional EKS Pod Identity per component (ALB controller, External DNS, addons, Secrets Manager). Choose per component via `*_identity_type` variables (`"irsa"` or `"pod_identity"`). When using Pod Identity, enable the **eks-pod-identity-agent** addon.
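Review bot: the callout on the line starting `> **⚠️ Note**` still says "Fargate is not available in this version", which now contradicts the rewritten description one paragraph below ("optional Fargate profiles") and the new **Fargate profiles** feature bullet. Update the callout to say the module supports EC2 managed node groups, EKS Auto Mode and Fargate profiles, or drop it, so the top of the README does not deny the feature this PR adds. Smaller point in the Fargate bullet: the IAM options are listed as `fargate_pod_execution_role_name`, `path`, `permissions_boundary`; `path` and `permissions_boundary` read as generic names, so state whether they are Fargate-specific inputs (prefixed like the first one) or the module-wide IAM inputs.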
Expand Down Expand Up @@ -177,6 +176,7 @@ EKS automatically creates an access entry for each capability role with default
- **[examples/eks-capabilities](examples/eks-capabilities/)** - Platform engineering example with EKS capabilities (ACK, KRO, Argo CD)
- **[examples/eks-capabilities-private](examples/eks-capabilities-private/)** - Private-only EKS and Argo CD (VPC endpoints; access from within VPC)
- **[examples/eks-auto-mode](examples/eks-auto-mode/)** - EKS cluster with Auto Mode (compute auto-provisioned; no managed node groups)
- **[examples/eks-fargate](examples/eks-fargate/)** - EKS with Fargate only (no EC2 nodes); CoreDNS on Fargate; IRSA for workload AWS credentials
- **[examples/eks-auto-mode-keda-workload](examples/eks-auto-mode-keda-workload/)** - Auto Mode + workload IAM wiring example (SQS; suitable for KEDA-managed workers)
- **[examples/private-endpoint](examples/private-endpoint/)** - EKS with private API endpoint

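Review bot: the new `examples/eks-fargate` entry is inserted between the two Auto Mode examples (`eks-auto-mode` and `eks-auto-mode-keda-workload`), splitting a pair that reads as a group; move it after `eks-auto-mode-keda-workload` (before `private-endpoint`) so the Auto Mode entries stay adjacent.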
Expand Down Expand Up @@ -449,8 +449,8 @@ terraform test

```plaintext
terraform-aws-eks-basic/
├── main.tf # Core EKS cluster, node groups, addons, OIDC provider
├── access-entries.tf # EKS access entries for authentication
├── main.tf # Core EKS cluster, node groups, addons, access entries, OIDC provider
├── fargate.tf # Optional Fargate execution role (create/BYO), profiles, access entry
├── capabilities.tf # EKS Capabilities (ACK, KRO, ArgoCD)
├── capabilities-iam.tf # IAM roles for EKS Capabilities
├── capabilities-access-entries.tf # Optional access entry policy associations (e.g. ACK Secret Reader)
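Review bot: folding `access-entries.tf` into `main.tf` (the 101-line file is deleted and the `main.tf` comment gains "access entries") is a code move unrelated to Fargate support and is bundled with it in this PR; the moved resources will show up in the `main.tf` diff as new code rather than as a move, so consider splitting the move into its own commit or PR, or state in the PR description that the access-entry resources moved unchanged. Also, the `fargate.tf` comment says "Fargate execution role" while the Features bullet and docs/README say "pod execution role"; use one term (the AWS name is the Fargate pod execution role).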
Expand All @@ -468,6 +468,7 @@ terraform-aws-eks-basic/
├── eks-capabilities/ # Platform engineering with capabilities
├── eks-capabilities-private/ # Private-only EKS and Argo CD
├── eks-auto-mode/ # EKS Auto Mode (no managed node groups)
├── eks-fargate/ # Fargate (kube-system + app) + small MNG for Pod Identity agent
├── pod-identity/ # Pod Identity for ALB, External DNS, EBS CSI, Secrets Manager
└── private-endpoint/ # EKS with private API endpoint
```
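Review bot: the new tree entry describes `eks-fargate/` as "Fargate (kube-system + app) + small MNG for Pod Identity agent", but the examples list earlier in this README says "EKS with Fargate only (no EC2 nodes) ... IRSA for workload AWS credentials", and `examples/eks-fargate/README.md` states there are no `eks_managed_node_groups` and that EKS Pod Identity is not supported on Fargate. One of these is stale; if the example is Fargate-only with IRSA, change this line to match (for example `eks-fargate/ # Fargate only (kube-system + app namespace); IRSA for workloads`), otherwise update the other two descriptions and the example README.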
101 changes: 0 additions & 101 deletions access-entries.tf

This file was deleted.

4 changes: 2 additions & 2 deletions docs/README.md
Expand Up @@ -29,8 +29,8 @@ This directory contains detailed documentation for the module's design decisions

The module is organized into focused files:

- `main.tf` - Core cluster, node groups, addons, and OIDC provider
- `access-entries.tf` - EKS access entries for authentication
- `main.tf` - Core cluster, node groups, addons, access entries, and OIDC provider
- `fargate.tf` - Optional Fargate pod execution role (create or BYO ARN), profiles, access entry; related variables in `variables.tf`
- `capabilities.tf` - EKS Capabilities (ACK, KRO, ArgoCD)
- `capabilities-iam.tf` - IAM roles for capabilities
- `addons-iam.tf` - IAM roles for addons (IRSA)
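Review bot: the new `fargate.tf` line ends with "related variables in `variables.tf`", which is true of every file in this list and adds nothing; either drop it or name the Fargate inputs the root README documents (`fargate_profiles`, `create_fargate_access_entry`, `fargate_access_entry_type`, `fargate_pod_execution_role_name`) so this file map and the root README describe the same surface.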
34 changes: 17 additions & 17 deletions examples/eks-auto-mode/.terraform.lock.hcl

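Review bot: `examples/eks-auto-mode/.terraform.lock.hcl` changes 17 lines in a PR whose subject is Fargate support and whose other hunks do not touch the Auto Mode example; a lock-file change alters which provider builds that example pins, so either revert it or call it out in the PR description (for example, a provider bump that the new Fargate example also needs).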

85 changes: 85 additions & 0 deletions examples/eks-fargate/.terraform.lock.hcl


50 changes: 50 additions & 0 deletions examples/eks-fargate/README.md
@@ -0,0 +1,50 @@
# EKS Fargate Example

This example creates an EKS cluster with **Fargate profiles only** (no EC2 managed node groups). Pods in `kube-system` and in the configured application namespace run on AWS Fargate.

## Requirements

- Terraform >= 1.6.0
- AWS provider >= 6.0

## Usage

1. Configure AWS credentials.
2. Edit `terraform.tfvars` and set `access_entries` (required for kubectl access).
3. Run:

```bash
terraform init
terraform plan
terraform apply
```

## What's created

- A VPC (via `cloudbuildlab/vpc/aws`) with public and private subnets and a NAT gateway
- An EKS cluster using the root module with:
- **CoreDNS** and **vpc-cni** addons (CoreDNS uses `computeType = "fargate"`)
- **Fargate profiles** for `kube-system` and the namespace from `fargate_namespace` (default `app`)
- No `eks_managed_node_groups` and no `enable_automode`

## Variables

- `cluster_name`: EKS cluster name (default: `eks-fargate`)
- `aws_region`: Region (default: `ap-southeast-2`)
- `cluster_version`: Kubernetes version (default: `1.35`)
- `fargate_namespace`: Namespace whose pods are scheduled on Fargate via the `default` profile (default: `app`)
- `access_entries`: Map of IAM principals for cluster access
- `tags`: Tags for resources

## Connecting to the cluster

```bash
aws eks update-kubeconfig --name $(terraform output -raw cluster_name) --region $(terraform output -raw aws_region)
kubectl get pods -A
```

## Notes

- Fargate workloads need **private subnets with outbound internet** (NAT). This example uses private subnets for Fargate profile `subnet_ids`.
- For AWS API access from application pods, use **IRSA** (IAM Roles for Service Accounts). EKS Pod Identity is not supported on Fargate; see [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
- You can combine Fargate profiles with managed node groups or Auto Mode in the module for hybrid clusters; this example stays Fargate-only.
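Review bot: the "Connecting to the cluster" commands read `cluster_name` and `aws_region` with `terraform output -raw`, but this README documents both only as input variables and has no Outputs section; confirm the example declares both as outputs and add an Outputs heading listing them so the commands are reproducible. Two smaller points in Notes and Usage: "Fargate workloads need private subnets with outbound internet (NAT)" overstates the requirement, since the hard constraint is private subnets and NAT is only needed when pods must reach the internet (for example to pull images from a public registry), so phrase it as what this example's VPC provides rather than as a Fargate rule; and the Usage step says `access_entries` is "required for kubectl access" without saying whether the cluster creator is granted admin automatically (bootstrap cluster-creator permissions) or only the listed principals get access, which a reader needs to know to avoid locking themselves out of a cluster that has no aws-auth ConfigMap.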