Skip to content

Latest commit

 

History

History
198 lines (183 loc) · 33.4 KB

README.md

File metadata and controls

198 lines (183 loc) · 33.4 KB
Raw

AWS EKS Module

This repository contains Terraform configuration files that create an Amazon Elastic Kubernetes Service (EKS) cluster. This module sets various paremeters for this cluster including the cluster name, version, VPC information, security group rules, and user and role mappings. Additionally, it sets up self-managed node groups for the EKS cluster.

Examples

To view examples for how you can leverage this EKS Module, please see the examples directory.

Requirements

Name Version
terraform >= 1.3
aws >= 5.34
helm >= 2.7
kubernetes >= 2.20
random >= 3.1.0

Providers

Name Version
aws >= 5.34
kubernetes >= 2.20
random >= 3.1.0

Modules

Name Source Version
aws_eks git::https://github.com/terraform-aws-modules/terraform-aws-eks.git v20.31.4
ebs_csi_driver_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.20
efs terraform-aws-modules/efs/aws ~> 1.0
efs_csi_driver_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.20
eks_blueprints_kubernetes_addons git::https://github.com/aws-ia/terraform-aws-eks-blueprints-addons.git v1.19.0

Resources

Name Type
aws_ssm_parameter.file_system_id_for_efs_storage_class resource
aws_ssm_parameter.helm_input_values resource
kubernetes_annotations.gp2 resource
kubernetes_storage_class_v1.efs resource
kubernetes_storage_class_v1.gp3 resource
random_id.efs_name resource
aws_caller_identity.current data source
aws_iam_session_context.current data source
aws_partition.current data source

Inputs

Name Description Type Default Required
access_entries Map of access entries to add to the cluster any {} no
attach_cluster_encryption_policy Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided bool true no
authentication_mode The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP string "API_AND_CONFIG_MAP" no
aws_admin_usernames A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user or role running the terraform as an admin list(string) [] no
aws_cloudwatch_metrics AWS Cloudwatch Metrics config for aws-ia/eks-blueprints-addon/aws any {} no
aws_fsx_csi_driver FSX CSI Driver config for aws-ia/eks-blueprints-addon/aws any {} no
aws_load_balancer_controller AWS Loadbalancer Controller config for aws-ia/eks-blueprints-addon/aws any {} no
aws_node_termination_handler AWS Node Termination Handler config for aws-ia/eks-blueprints-addon/aws any {} no
aws_privateca_issuer AWS Private CA Issuer config for aws-ia/eks-blueprints-addon/aws any {} no
aws_region used to create vpc-cni eni config objects when configuring the vpc-cni marketplace addon string "" no
azs List of names of availability zones to use for subnet configs list(string) [] no
blueprints_addons_prefixes Prefixes for the eks blueprints addons, used to parse addon gitops_metadata output and create objects with list(string) 
[
  "cert_manager",
  "cluster_autoscaler",
  "aws_cloudwatch_metrics",
  "aws_efs_csi_driver",
  "aws_fsx_csi_driver",
  "aws_privateca_issuer",
  "external_dns_route53",
  "external_secrets",
  "aws_load_balancer_controller",
  "aws_for_fluentbit",
  "aws_node_termination_handler",
  "karpenter",
  "velero",
  "aws_gateway_api_controller",
  "fargate_fluentbit_log"
]
 no
bottlerocket_shadow Bottlerocket Shadow config for aws-ia/eks-blueprints-addon/aws any {} no
bottlerocket_update_operator Bottlerocket Update Operator config for aws-ia/eks-blueprints-addon/aws any {} no
cert_manager Cert Manager config for aws-ia/eks-blueprints-addon/aws any {} no
cert_manager_route53_hosted_zone_arns List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records list(string) [] no
cloudwatch_log_group_class Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS string null no
cloudwatch_log_group_kms_key_id If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) string null no
cloudwatch_log_group_retention_in_days Number of days to retain log events. Default retention - 90 days number 90 no
cloudwatch_log_group_tags A map of additional tags to add to the cloudwatch log group created map(string) {} no
cluster_additional_security_group_ids List of additional, externally created security group IDs to attach to the cluster control plane list(string) [] no
cluster_addons Nested of eks native add-ons and their associated parameters.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values.
See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/complete/main.tf#L44-L60 for upstream example.

to see available eks marketplace addons available for your cluster's version run:
aws eks describe-addon-versions --kubernetes-version $k8s_cluster_version --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner Publisher: publisher, Type: type}' --output table		 any {} no
cluster_autoscaler Cluster Autoscaler config for aws-ia/eks-blueprints-addon/aws any 
{
  "set": [
    {
      "name": "extraArgs.expander",
      "value": "priority"
    },
    {
      "name": "expanderPriorities",
      "value": "100:\n  - .-spot-2vcpu-8mem.\n90:\n  - .-spot-4vcpu-16mem.\n10:\n  - .*\n"
    }
  ]
}
 no
cluster_enabled_log_types A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) list(string) 
[
  "audit",
  "api",
  "authenticator"
]
 no
cluster_endpoint_private_access Indicates whether or not the Amazon EKS private API server endpoint is enabled bool true no
cluster_endpoint_public_access Enable public access to the cluster endpoint bool false no
cluster_endpoint_public_access_cidrs List of CIDR blocks which can access the Amazon EKS public API server endpoint list(string) 
[
  "0.0.0.0/0"
]
 no
cluster_ip_family The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created string "ipv4" no
cluster_name Name of cluster string "" no
cluster_security_group_additional_rules List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source any {} no
cluster_security_group_description Description of the cluster security group created string "EKS cluster security group" no
cluster_security_group_id Existing security group ID to be attached to the cluster string "" no
cluster_security_group_name Name to use on cluster security group created string null no
cluster_security_group_tags A map of additional tags to add to the cluster security group created map(string) {} no
cluster_security_group_use_name_prefix Determines whether cluster security group name (cluster_security_group_name) is used as a prefix bool true no
cluster_service_ipv4_cidr The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks string null no
cluster_tags A map of additional tags to add to the cluster map(string) {} no
cluster_timeouts Create, update, and delete timeout configurations for the cluster map(string) {} no
cluster_version Kubernetes version to use for EKS cluster string "1.30" no
control_plane_subnet_ids Subnet IDs for control plane list(string) [] no
create_cloudwatch_log_group Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled bool true no
create_cluster_primary_security_group_tags Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation bool true no
create_cluster_security_group Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default bool true no
create_eni_configs Merge ENI configs for VPC CNI into cluster_addons configuration bool true no
create_kms_key Controls if a KMS key for cluster encryption should be created bool true no
create_kubernetes_resources Create Kubernetes resource with Helm or Kubernetes provider bool true no
create_ssm_parameters Create SSM parameters for values from eks blueprints addons outputs bool true no
dataplane_wait_duration Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed nodegroup(s), self-managed nodegroup(s), Fargate profile(s)) string "4m" no
ebs_storageclass_reclaim_policy Reclaim policy for gp3 storage class, valid options are Delete and Retain string "Delete" no
efs_storageclass_reclaim_policy Reclaim policy for EFS storage class, valid options are Delete and Retain string "Delete" no
efs_vpc_cidr_blocks CIDR blocks to allow access to EFS list(string) [] no
eks_managed_node_group_defaults Map of EKS-managed node group default configurations any {} no
eks_managed_node_groups Managed node groups configuration any {} no
enable_amazon_eks_aws_ebs_csi_driver Enable EKS Managed AWS EBS CSI Driver add-on bool false no
enable_amazon_eks_aws_efs_csi_driver Enable EFS CSI Driver add-on bool false no
enable_aws_cloudwatch_metrics Enable AWS Cloudwatch Metrics add-on bool false no
enable_aws_fsx_csi_driver Enable FSX CSI Driver add-on bool false no
enable_aws_load_balancer_controller Enable AWS Loadbalancer Controller add-on bool false no
enable_aws_node_termination_handler Enable AWS Node Termination Handler add-on bool false no
enable_aws_privateca_issuer Enable AWS Private CA Issuer add-on bool false no
enable_bottlerocket_update_operator Enable Bottlerocket and Bottlerocket Update Operator add-on bool false no
enable_cert_manager Enable Cert Manager add-on bool false no
enable_cluster_autoscaler Enable Cluster autoscaler add-on bool false no
enable_cluster_creator_admin_permissions Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry bool true no
enable_external_dns Enable External DNS add-on bool false no
enable_external_secrets Enable External Secrets add-on bool false no
enable_gp3_default_storage_class Enable gp3 as default storage class bool false no
enable_karpenter Enable Karpenter add-on bool false no
enable_kms_key_rotation Specifies whether key rotation is enabled bool true no
enable_metrics_server Enable metrics server add-on bool false no
enable_secrets_store_csi_driver Enable k8s Secret Store CSI Driver add-on bool false no
external_dns External DNS config for aws-ia/eks-blueprints-addon/aws any {} no
external_secrets External Secrets config for aws-ia/eks-blueprints-addon/aws any {} no
external_secrets_kms_key_arns List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets list(string) [] no
external_secrets_secrets_manager_arns List of Secrets Manager ARNs that contain secrets to mount using External Secrets list(string) [] no
external_secrets_ssm_parameter_arns List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets list(string) [] no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
karpenter Karpenter config for aws-ia/eks-blueprints-addon/aws any {} no
kms_key_administrators A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available list(string) [] no
kms_key_aliases A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values list(string) [] no
kms_key_deletion_window_in_days The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 number null no
kms_key_description The description of the key as viewed in AWS console string null no
kms_key_enable_default_policy Specifies whether to enable the default key policy bool true no
kms_key_override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid list(string) [] no
kms_key_owners A list of IAM ARNs for those who will have full key permissions (kms:*) list(string) [] no
kms_key_service_users A list of IAM ARNs for key service users list(string) [] no
kms_key_source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements must have unique sids list(string) [] no
kms_key_users A list of IAM ARNs for key users list(string) [] no
metrics_server Metrics Server config for aws-ia/eks-blueprints-addon/aws any {} no
name tflint-ignore: terraform_unused_declarations string "" no
node_security_group_additional_rules List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source any {} no
private_subnet_ids Private subnet IDs list(string) [] no
secrets_store_csi_driver k8s Secret Store CSI Driver config for aws-ia/eks-blueprints-addon/aws any {} no
self_managed_node_group_defaults Map of self-managed node group default configurations any {} no
self_managed_node_groups Self-managed node groups configuration any {} no
ssm_parameter_kms_key_arn KMS key arn for use with SSM parameter encryption/decryption string "" no
tags A map of tags to apply to all resources map(string) {} no
vpc_cni_custom_subnet Subnet to put pod ENIs in list(string) [] no
vpc_id ID of the VPC where the cluster security group will be provisioned string null no

Outputs

Name Description
access_entries Map of access entries created and their attributes
access_policy_associations Map of eks cluster access policy associations created and their attributes
cloudwatch_log_group_arn Arn of cloudwatch log group created
cloudwatch_log_group_name Name of cloudwatch log group created
cluster_addons Map of attribute maps for all EKS cluster addons enabled
cluster_arn The Amazon Resource Name (ARN) of the cluster
cluster_certificate_authority_data Base64 encoded certificate data required to communicate with the cluster
cluster_endpoint Endpoint for your Kubernetes API server
cluster_iam_role_arn IAM role ARN of the EKS cluster
cluster_iam_role_name IAM role name of the EKS cluster
cluster_iam_role_unique_id Stable and unique string identifying the IAM role
cluster_id The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts
cluster_identity_providers Map of attribute maps for all EKS identity providers enabled
cluster_ip_family The IP family used by the cluster (e.g. ipv4 or ipv6)
cluster_name The name of the EKS cluster
cluster_oidc_issuer_url The URL on the EKS cluster for the OpenID Connect identity provider
cluster_platform_version Platform version for the cluster
cluster_primary_security_group_id Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console
cluster_security_group_arn Amazon Resource Name (ARN) of the cluster security group
cluster_security_group_id ID of the cluster security group
cluster_service_cidr The CIDR block where Kubernetes pod and service IP addresses are assigned from
cluster_status Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED
cluster_tls_certificate_sha1_fingerprint The SHA1 fingerprint of the public key of the cluster's certificate
cluster_version The Kubernetes version for the cluster
efs_storageclass_name The name of the EFS storageclass that was created (if var.enable_amazon_eks_aws_efs_csi_driver was set to true)
eks_addons_gitops_metadata ############################################################################### EKS Addons metadata ############################################################################### see https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/outputs.tf#L167-L276
eks_managed_node_groups Map of attribute maps for all EKS managed node groups created
eks_managed_node_groups_autoscaling_group_names List of the autoscaling group names created by EKS managed node groups
kms_key_arn The Amazon Resource Name (ARN) of the key
kms_key_id The globally unique identifier for the key
kms_key_policy The IAM resource policy set on the key
node_security_group_arn Amazon Resource Name (ARN) of the node shared security group
node_security_group_id ID of the node shared security group
oidc_provider The OpenID Connect identity provider (issuer URL without leading https://)
oidc_provider_arn The ARN of the OIDC Provider if enable_irsa = true
region AWS region
self_managed_node_groups Map of attribute maps for all self managed node groups created
self_managed_node_groups_autoscaling_group_names List of the autoscaling group names created by self-managed node groups