From e81ee49b969f7c1608464267096c680f4e8b22dc Mon Sep 17 00:00:00 2001
From: jarpat
Date: Thu, 21 Sep 2023 14:25:09 -0400
Subject: [PATCH] migrate changes from IAC-918 branch
---
 examples/sample-input-singlestore.tfvars | 3 +++
 files/policies/devops-iac-eks-policy.json | 1 +
 main.tf | 9 +++++----
 variables.tf | 6 ++++++
 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/examples/sample-input-singlestore.tfvars b/examples/sample-input-singlestore.tfvars
index e98e4c8c..01aec9ff 100644
--- a/examples/sample-input-singlestore.tfvars
+++ b/examples/sample-input-singlestore.tfvars
@@ -32,6 +32,9 @@ default_nodepool_node_count = 2
 default_nodepool_vm_type = "m5.2xlarge"
 default_nodepool_custom_data = ""
+# This forces all worker nodes to run in a single zone and is required when deploying a 'singlestore' node pool.
+enable_multi_zone = false
+
 ## General
 efs_performance_mode = "maxIO"
 storage_type = "standard"
diff --git a/files/policies/devops-iac-eks-policy.json b/files/policies/devops-iac-eks-policy.json
index 473488eb..54047169 100644
--- a/files/policies/devops-iac-eks-policy.json
+++ b/files/policies/devops-iac-eks-policy.json
@@ -145,6 +145,7 @@
 "iam:TagPolicy",
 "iam:TagInstanceProfile",
 "iam:TagOpenIDConnectProvider",
+ "iam:UpdateOpenIDConnectProviderThumbprint",
 "iam:UntagPolicy",
 "iam:UpdateAssumeRolePolicy",
 "iam:UpdateAccessKey",
diff --git a/main.tf b/main.tf
index 7b9d7ca3..9012c594 100755
--- a/main.tf
+++ b/main.tf
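Review bot: The new `iam:UpdateOpenIDConnectProviderThumbprint` action lets the IaC principal replace the trusted certificate thumbprints of an IAM OIDC provider, and the `Resource` of the statement it is added to lies outside this hunk. If that statement uses `"Resource": "*"`, the permission covers every OIDC provider in the account, including ones this project did not create. Consider moving the OIDC-provider actions into their own statement scoped with `"Resource": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/*"` (placeholder account id), or narrower if the provider URL is known. The action is also inserted between the `Tag*` and `Untag*` entries; placing it with the other `Update*` actions would keep the list easier to audit.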
@@ -97,10 +97,11 @@ module "eks" {
 cluster_endpoint_public_access = var.cluster_api_mode == "public" ? true : false
 cluster_endpoint_public_access_cidrs = local.cluster_endpoint_public_access_cidrs
- subnet_ids = module.vpc.private_subnets
- vpc_id = module.vpc.vpc_id
- tags = local.tags
- enable_irsa = var.autoscaling_enabled
+ control_plane_subnet_ids = module.vpc.private_subnets # AWS requires two or more subnets in different Availability Zones for your cluster's control plane.
+ subnet_ids = var.enable_multi_zone ? module.vpc.private_subnets : [module.vpc.private_subnets[0]] # Specifies the list of subnets in which the worker nodes of the EKS cluster will be launched.
+ vpc_id = module.vpc.vpc_id
+ tags = local.tags
+ enable_irsa = var.autoscaling_enabled
 ################################################################################
 # Cluster Security Group
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 574d7465..ecc7a82e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -232,6 +232,12 @@ variable "default_nodepool_metadata_http_put_response_hop_limit" {
 default = 1
 }
+variable "enable_multi_zone" {
+ description = "Should be true to deploy EKS in multiple availability zones."
+ type = bool
+ default = false
+}
+
 ## Dynamic node pool config
 variable "node_pools" {
 description = "Node Pool Definitions."
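Review bot: When `enable_multi_zone` is false, the new `subnet_ids` expression pins every worker node to `module.vpc.private_subnets[0]`, so the Availability Zone is chosen by list order and a single zone outage removes all nodes; the trailing comment on that line does not say this. The index presumably also fails at plan time if the VPC module returns no private subnets, which this hunk cannot confirm. I would replace the inline comment with `# Single-zone mode: all worker nodes use the first private subnet; workloads have no zone redundancy.` and move both long trailing comments onto their own lines above the arguments. The `module "eks"` block begins and ends outside the hunk.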
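Review bot: `default = false` makes single-zone placement the behaviour for every deployment that does not set `enable_multi_zone`, whereas the line removed in main.tf passed all of `module.vpc.private_subnets` as `subnet_ids`. Existing users would likely see their worker subnets narrowed to one on the next apply without having opted in. The singlestore sample already sets `enable_multi_zone = false` explicitly, so `default = true` would preserve the previous behaviour. The description should also state what false does, for example `description = "Deploy worker nodes across all private subnets (true) or only the first one (false, required for 'singlestore' node pools)."`.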