This module creates a Kubernetes cluster on Amazon Web Services (AWS). It has a number of assumptions about, and dependencies on, https://gitlab.com/govtechsingapore/gdsace/terraform-modules/aws-vpc. It will probably not work with other infrastructure designs, particularly where the subnet slices differ. This module works with the VPC module because it follows the subnet types (public, private, intranet, database) defined there.
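module "eks" {
  eks_cluster_name = "shire"
  cluster_version  = "1.14"

  # Users and roles mapped into the aws-auth configmap.
  # References:
  # 1. [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
  # 2. [awscli configuration](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
  #
  # NOTE(review): "system:masters" is the built-in Kubernetes cluster-admin group and is
  # not constrained by RBAC; keep it to a minimal set of break-glass identities and map
  # day-to-day access through map_roles / map_users with a narrower group.
  map_users = [
    {
      user_arn = "arn:aws:iam::${get_aws_account_id()}:user/USERNAME"
      username = "USERNAME"
      group    = "system:masters"
    }
  ]

  # Worker groups placed in the private subnet.
  # ASG sizes are written as numbers here, consistent with the other worker groups below
  # (the original mixed quoted strings and numbers for the same keys).
  private_worker_variables = [
    {
      instance_type             = "r5.xlarge"
      asg_min_size              = 1
      asg_desired_capacity      = 2
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-private"
      # AMI IDs are region-specific; confirm this one matches aws_region and cluster_version.
      ami_id             = "ami-03a2cce9abe958c6c"
      name               = "services"
      kubelet_extra_args = ""
    },
    {
      # asg_min_size is not set for this group; the module default applies (not shown on this page).
      instance_type             = "c5n.xlarge"
      asg_desired_capacity      = 0
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-gitlab"
      ami_id                    = "ami-03a2cce9abe958c6c"
      name                      = "gitlab-runners"
      # NoSchedule taint keeps general workloads off runner nodes unless they tolerate gitlab-runner=true.
      kubelet_extra_args = "--register-with-taints=gitlab-runner=true:NoSchedule"
    }
  ]

  # Worker groups placed in the public subnet. These nodes are both tainted and labelled so
  # that only workloads that explicitly opt in (toleration + node selector) land on them.
  public_worker_variables = [
    {
      instance_type             = "m5.large"
      asg_desired_capacity      = 1
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-public"
      name                      = "public-1"
      ami_id                    = "ami-03a2cce9abe958c6c"
      kubelet_extra_args        = "--register-with-taints=public=true:NoSchedule --node-labels=public-node=true"
    }
  ]

  # API server endpoint: private endpoint on, public endpoint off, so the control plane is
  # only reachable from inside the VPC (or via the whitelisted CIDRs below).
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # Attached to every IAM role the module creates.
  permissions_boundary = "arn:aws:iam::${get_aws_account_id()}:policy/GCCIAccountBoundary"

  # write_kubeconfig = "true"
  config_output_path = "${get_terragrunt_dir()}/"

  # Extra CIDRs allowed in/out on port 443 to the cluster. "description" is a placeholder;
  # replace it with why this range needs 443 access. The two lists are presumably matched by
  # index, so keep them the same length — confirm against the module.
  additional_whitelist_cidr_block_443             = ["172.31.0.0/24"]
  additional_whitelist_cidr_block_443_description = ["description"]

  # Remote state variables.
  # NOTE(review): an empty vpc_state_key overrides the module default "vpc" — confirm this is intended.
  vpc_state_key       = ""
  artifacts_base_path = get_terragrunt_dir()
  environment         = "uat"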
}

- delete the aws-auth configmap, as it is now created using the k8s provider.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_subnets | Additional subnets aside from those in your main VPC (e.g. secondary CIDR blocks) | list(any) | [] | no |
| additional_whitelist_cidr_block_443 | Additional CIDRs to allow inbound and outbound traffic on port 443 to the EKS cluster | list(any) | [] | no |
| additional_whitelist_cidr_block_443_description | Descriptions for the additional CIDRs allowed inbound and outbound on port 443 to the EKS cluster | list(any) | [] | no |
| addon_coredns_version | Specify CoreDNS addon version | string | "" | no |
| addon_create_coredns | Use EKS built-in addon CoreDNS | bool | false | no |
| addon_create_kube_proxy | Use EKS built-in addon Kube Proxy | bool | false | no |
| addon_create_vpc_cni | Use EKS built-in addon VPC CNI | bool | false | no |
| addon_kube_proxy_version | Specify Kube Proxy addon version | string | "" | no |
| addon_vpc_cni_version | Specify VPC CNI addon version | string | "" | no |
| aws_account_id | AWS account ID | string | "*" | no |
| aws_region | Region in which to spin up EKS | string | "ap-southeast-1" | no |
| cluster_create_endpoint_private_access_sg_rule | Whether to create security group rules for access to the Amazon EKS private API server endpoint. | bool | false | no |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format | list(object({ | [] | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | bool | false | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | bool | true | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | list(string) | [ | no |
| cluster_iam_role_name | IAM role name for the cluster. Only applicable if manage_cluster_iam_resources is set to false. | string | "" | no |
| cluster_log_retention_in_days | Log retention in days | number | 90 | no |
| cluster_version | Kubernetes version to use for the EKS cluster. | string | "1.13" | no |
| config_output_path | Where to save the kubectl config file (if write_kubeconfig = true). Should end in a forward slash /. | string | "./" | no |
| create_eks | Controls if EKS resources should be created (it affects almost all resources) | bool | true | no |
| create_fargate_pod_execution_role | Controls if the EKS Fargate pod execution IAM role should be created. | bool | true | no |
| eks_cluster_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | string | n/a | yes |
| enable_alb | Enables ALB by creating the ALB ingress controller policy required for the ALB ingress controller | bool | false | no |
| enable_dynamic_pv | Enables dynamic persistent volume provisioning by allowing nodes to manage EC2 volumes and attaches the policy to worker groups | bool | false | no |
| enable_external_dns | (Legacy) Enables External DNS installation (policy) and attaches the policy to worker groups | bool | false | no |
| enable_kamus | (Legacy) Enables kamus by creating the role, policy and trust relationship required for kamus usage | bool | false | no |
| enable_kube2iam | (Legacy) Enables kube2iam by creating the role, policy and trust relationship required for kube2iam usage | bool | false | no |
| enable_ssm | Enables SSM and Inspector | bool | false | no |
| environment | Name for the environment of this EKS cluster | any | n/a | yes |
| fargate_pod_execution_role_name | The IAM role that provides permissions for the EKS Fargate profile. | string | null | no |
| fargate_profiles | Fargate profiles to create. See the fargate_profile keys section in the fargate submodule's README.md for more details | any | {} | no |
| intranet_worker_template_variables | Worker launch template group declaration of nodes to be placed in the intranet subnet | list(any) | [] | no |
| intranet_worker_variables | Worker group declaration of nodes to be placed in the intranet subnet | list(any) | [] | no |
| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator, such as the role to assume, e.g. ["-r", "MyEksRole"]. | list(string) | [] | no |
| kubeconfig_aws_authenticator_command | Command to use to fetch AWS EKS credentials. | string | "aws-iam-authenticator" | no |
| kubeconfig_aws_authenticator_command_args | Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name]. | list(string) | [] | no |
| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator, e.g. { AWS_PROFILE = "eks" }. | map(string) | {} | no |
| manage_aws_auth | Whether to apply the aws-auth configmap file. | bool | true | no |
| manage_cluster_iam_resources | Whether to let the module manage cluster IAM resources. If set to false, cluster_iam_role_name must be specified. | bool | true | no |
| manage_worker_iam_resources | Whether to let the module manage worker IAM resources. If set to false, iam_instance_profile_name must be specified for workers. | bool | true | no |
| map_accounts | Additional AWS account numbers to add to the aws-auth configmap. | list(string) | [] | no |
| map_roles | Additional IAM roles to add to the aws-auth configmap. | list(object({ | [] | no |
| map_users | Additional IAM users to add to the aws-auth configmap. | list(object({ | [] | no |
| master_subnets_ids | Subnets used by EKS master nodes | list(list(string)) | n/a | yes |
| module_source_version | Version of module to use | string | "5.0.0" | no |
| permissions_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | string | "" | no |
| private_worker_template_variables | Worker launch template group declaration of nodes to be placed in the private subnet | list(any) | [] | no |
| private_worker_variables | Worker group declaration of nodes to be placed in the private subnet | list(any) | [] | no |
| public_worker_template_variables | Worker launch template group declaration of nodes to be placed in the public subnet | list(any) | [] | no |
| public_worker_variables | Worker group declaration of nodes to be placed in the public subnet | list(any) | [] | no |
| tags | A map of tags to add to all resources. | map(string) | {} | no |
| tfstate_global_bucket | S3 bucket where the remote state is stored | any | n/a | yes |
| use_launch_template | Toggle use of launch template vs launch configuration | bool | false | no |
| vpc_id | VPC ID | any | n/a | yes |
| vpc_name | VPC name | any | n/a | yes |
| vpc_state_key | Key where the VPC remote state is stored | string | "vpc" | no |
| worker_additional_security_group_ids | A list of additional security group IDs to attach to worker instances. | list(any) | [] | no |
| worker_intra_subnets_ids | Intra subnets used by worker nodes | set(string) | n/a | yes |
| worker_private_subnets_ids | Private subnets used by worker nodes | set(string) | n/a | yes |
| worker_public_subnets_ids | Public subnets used by worker nodes | set(string) | n/a | yes |
| workers_additional_policies | Additional IAM policies to be added to workers | list(string) | [] | no |
| workers_custom_policy | Custom IAM policy to be added to workers (supports heredoc syntax, e.g. <<EOF ... EOF) | string | "" | no |
| write_aws_auth_config | Whether to write the aws-auth configmap file. | bool | true | no |
| write_kubeconfig | Whether to write a kubectl config file containing the cluster configuration. Saved to config_output_path. | bool | true | no |
| Name | Description |
|---|---|
| alb_role_arn | alb role arn |
| cloudwatch_log_group_name | Name of cloudwatch log group created |
| cluster_endpoint | Endpoint for EKS control plane. |
| cluster_id | The name/id of the EKS cluster. |
| cluster_security_group_id | Security group ids attached to the cluster control plane. |
| cluster_version | The Kubernetes server version for the EKS cluster. |
| config_map_aws_auth | A kubernetes configuration to authenticate to this EKS cluster. |
| dynamic_persistent_volume_provisioning_arn | Dynamic PV policy arn |
| external_dns_role_arn | External DNS role ARN |
| kamus_role_arn | kamus role arn |
| kubectl_config | kubectl config as generated by the module. |
| node_groups | Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys |
| worker_additional_policies | Additional policies added to the worker iam role |
| worker_iam_role_arn | default IAM role ARN for EKS worker groups |
| worker_iam_role_name | default IAM role name for EKS worker groups |
| worker_security_group_id | Security group ID attached to the EKS workers. |
| workers_asg_arns | IDs of the autoscaling groups containing workers. |
| workers_asg_names | Names of the autoscaling groups containing workers. |
| workers_launch_template_ids | IDs of the worker launch templates. |
| workers_user_data | User data of worker groups |