EKS

This module creates a Kubernetes cluster on Amazon Web Services (AWS) using EKS. It has a number of assumptions and dependencies on https://gitlab.com/govtechsingapore/gdsace/terraform-modules/aws-vpc and will probably not work with other infrastructure designs, particularly where your subnet slices differ. The module works with that VPC module because it follows the subnet types (public, private, intranet, database) defined there.

Usage

```hcl
module "eks" {
  # module source path assumed here; pin it to the version you use
  source = "github.com/GovTechSG/terraform-aws-eks"

  # get_aws_account_id() and get_terragrunt_dir() below are Terragrunt helper functions
  eks_cluster_name = "shire"

  cluster_version = "1.14"

  # users and roles
  # references:
  # 1. [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
  # 2. [awscli configuration](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
  # attribute names follow the map_users object type declared under Inputs
  map_users = [
    {
      userarn  = "arn:aws:iam::${get_aws_account_id()}:user/USERNAME"
      username = "USERNAME"
      groups   = ["system:masters"]
    }
  ]

  private_worker_variables = [
    {
      instance_type             = "r5.xlarge"
      asg_min_size              = 1
      asg_desired_capacity      = 2
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-private"
      ami_id                    = "ami-03a2cce9abe958c6c"
      name                      = "services"
      kubelet_extra_args        = ""
    },
    {
      instance_type             = "c5n.xlarge"
      asg_desired_capacity      = 0
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-gitlab"
      ami_id                    = "ami-03a2cce9abe958c6c"
      name                      = "gitlab-runners"
      # taint so that only pods tolerating gitlab-runner=true are scheduled here
      kubelet_extra_args        = "--register-with-taints=gitlab-runner=true:NoSchedule"
    }
  ]

  public_worker_variables = [
    {
      instance_type             = "m5.large"
      asg_desired_capacity      = 1
      asg_max_size              = 4
      iam_instance_profile_name = "eks-worker-public"
      name                      = "public-1"
      ami_id                    = "ami-03a2cce9abe958c6c"
      # taint and label public nodes so workloads land there only deliberately
      kubelet_extra_args        = "--register-with-taints=public=true:NoSchedule --node-labels=public-node=true"
    }
  ]

  # API server endpoint reachable only from inside the VPC
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false
  permissions_boundary            = "arn:aws:iam::${get_aws_account_id()}:policy/GCCIAccountBoundary"

  # write_kubeconfig = "true"
  config_output_path                              = "${get_terragrunt_dir()}/"
  additional_whitelist_cidr_block_443             = ["172.31.0.0/24"]
  additional_whitelist_cidr_block_443_description = ["description"]

  # remote state variables
  vpc_state_key       = ""
  artifacts_base_path = get_terragrunt_dir()
  environment         = "uat"
}
```

Migration

1.x.x to 2.x.x

  • Delete the aws-auth configmap, as it is now created using the Kubernetes provider.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_subnets | Additional subnets aside from those in your main VPC (e.g. secondary CIDR blocks) | `list(any)` | `[]` | no |
| additional_whitelist_cidr_block_443 | Additional CIDRs to allow inbound and outbound on port 443 to the EKS cluster | `list(any)` | `[]` | no |
| additional_whitelist_cidr_block_443_description | Descriptions for the additional CIDRs allowed inbound and outbound on port 443 to the EKS cluster | `list(any)` | `[]` | no |
| addon_coredns_version | Specify CoreDNS addon version | `string` | `""` | no |
| addon_create_coredns | Use EKS built-in addon CoreDNS | `bool` | `false` | no |
| addon_create_kube_proxy | Use EKS built-in addon Kube Proxy | `bool` | `false` | no |
| addon_create_vpc_cni | Use EKS built-in addon VPC CNI | `bool` | `false` | no |
| addon_kube_proxy_version | Specify Kube Proxy addon version | `string` | `""` | no |
| addon_vpc_cni_version | Specify VPC CNI addon version | `string` | `""` | no |
| aws_account_id | AWS account ID | `string` | `"*"` | no |
| aws_region | Region in which to spin up EKS | `string` | `"ap-southeast-1"` | no |
| cluster_create_endpoint_private_access_sg_rule | Whether to create security group rules for access to the Amazon EKS private API server endpoint | `bool` | `false` | no |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for the format | `list(object({ provider_key_arn = string, resources = list(string) }))` | `[]` | no |
| cluster_endpoint_private_access | Indicates whether the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
| cluster_endpoint_public_access | Indicates whether the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_iam_role_name | IAM role name for the cluster. Only applicable if manage_cluster_iam_resources is set to false | `string` | `""` | no |
| cluster_log_retention_in_days | Log retention in days | `number` | `90` | no |
| cluster_version | Kubernetes version to use for the EKS cluster | `string` | `"1.13"` | no |
| config_output_path | Where to save the kubectl config file (if write_kubeconfig = true). Should end in a forward slash `/` | `string` | `"./"` | no |
| create_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
| create_fargate_pod_execution_role | Controls if the EKS Fargate pod execution IAM role should be created | `bool` | `true` | no |
| eks_cluster_name | Name of the EKS cluster. Also used as a prefix in names of related resources | `string` | n/a | yes |
| enable_alb | Enables ALB by creating the IAM policy required by the ALB ingress controller | `bool` | `false` | no |
| enable_dynamic_pv | Enables dynamic persistent volume provisioning by allowing nodes to manage EC2 volumes; attaches the policy to worker groups | `bool` | `false` | no |
| enable_external_dns | (Legacy) Enables External DNS installation (policy) and attaches the policy to worker groups | `bool` | `false` | no |
| enable_kamus | (Legacy) Enables kamus by creating the role, policy and trust relationship required for kamus usage | `bool` | `false` | no |
| enable_kube2iam | (Legacy) Enables kube2iam by creating the role, policy and trust relationship required for kube2iam usage | `bool` | `false` | no |
| enable_ssm | Enables SSM and Inspector | `bool` | `false` | no |
| environment | Name for the environment of this EKS cluster | `any` | n/a | yes |
| fargate_pod_execution_role_name | The IAM role that provides permissions for the EKS Fargate profile | `string` | `null` | no |
| fargate_profiles | Fargate profiles to create. See the fargate_profile keys section in the fargate submodule's README.md for more details | `any` | `{}` | no |
| intranet_worker_template_variables | Worker launch template group declaration of nodes to be placed in the intranet subnet | `list(any)` | `[]` | no |
| intranet_worker_variables | Worker group declaration of nodes to be placed in the intranet subnet | `list(any)` | `[]` | no |
| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator, such as the role to assume, e.g. `["-r", "MyEksRole"]` | `list(string)` | `[]` | no |
| kubeconfig_aws_authenticator_command | Command to use to fetch AWS EKS credentials | `string` | `"aws-iam-authenticator"` | no |
| kubeconfig_aws_authenticator_command_args | Default arguments passed to the authenticator command. Defaults to `[token -i $cluster_name]` | `list(string)` | `[]` | no |
| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator, e.g. `{ AWS_PROFILE = "eks" }` | `map(string)` | `{}` | no |
| manage_aws_auth | Whether to apply the aws-auth configmap file | `bool` | `true` | no |
| manage_cluster_iam_resources | Whether to let the module manage cluster IAM resources. If set to false, cluster_iam_role_name must be specified | `bool` | `true` | no |
| manage_worker_iam_resources | Whether to let the module manage worker IAM resources. If set to false, iam_instance_profile_name must be specified for workers | `bool` | `true` | no |
| map_accounts | Additional AWS account numbers to add to the aws-auth configmap | `list(string)` | `[]` | no |
| map_roles | Additional IAM roles to add to the aws-auth configmap | `list(object({ rolearn = string, username = string, groups = list(string) }))` | `[]` | no |
| map_users | Additional IAM users to add to the aws-auth configmap | `list(object({ userarn = string, username = string, groups = list(string) }))` | `[]` | no |
| master_subnets_ids | Subnets used by EKS master nodes | `list(list(string))` | n/a | yes |
| module_source_version | Version of the module to use | `string` | `"5.0.0"` | no |
| permissions_boundary | If provided, all IAM roles will be created with this permissions boundary attached | `string` | `""` | no |
| private_worker_template_variables | Worker launch template group declaration of nodes to be placed in the private subnet | `list(any)` | `[]` | no |
| private_worker_variables | Worker group declaration of nodes to be placed in the private subnet | `list(any)` | `[]` | no |
| public_worker_template_variables | Worker launch template group declaration of nodes to be placed in the public subnet | `list(any)` | `[]` | no |
| public_worker_variables | Worker group declaration of nodes to be placed in the public subnet | `list(any)` | `[]` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| tfstate_global_bucket | S3 bucket where the remote state is stored | `any` | n/a | yes |
| use_launch_template | Toggle use of launch template vs launch configuration | `bool` | `false` | no |
| vpc_id | VPC ID | `any` | n/a | yes |
| vpc_name | VPC name | `any` | n/a | yes |
| vpc_state_key | Key where the VPC remote state is stored | `string` | `"vpc"` | no |
| worker_additional_security_group_ids | A list of additional security group IDs to attach to worker instances | `list(any)` | `[]` | no |
| worker_intra_subnets_ids | Intra subnets used by worker nodes | `set(string)` | n/a | yes |
| worker_private_subnets_ids | Private subnets used by worker nodes | `set(string)` | n/a | yes |
| worker_public_subnets_ids | Public subnets used by worker nodes | `set(string)` | n/a | yes |
| workers_additional_policies | Additional IAM policies to be added to workers | `list(string)` | `[]` | no |
| workers_custom_policy | Custom IAM policy to be added to workers (supports heredoc syntax, e.g. `<<EOF ... EOF`) | `string` | `""` | no |
| write_aws_auth_config | Whether to write the aws-auth configmap file | `bool` | `true` | no |
| write_kubeconfig | Whether to write a kubectl config file containing the cluster configuration. Saved to config_output_path | `bool` | `true` | no |
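The defaults above leave the public API endpoint enabled and open to `0.0.0.0/0`, Kubernetes secrets without envelope encryption, and kubeconfig written to disk, while the Usage example grants an IAM user `system:masters`. The block below is an added example, not code from this repository, showing the same module's inputs set to a tighter baseline; the module source path, account ID, KMS key ARN, role ARN, subnet IDs and bucket name are placeholders.

```hcl
module "eks" {
  source = "github.com/GovTechSG/terraform-aws-eks" # placeholder source path

  eks_cluster_name = "shire"
  cluster_version  = "1.14"
  environment      = "uat"
  aws_region       = "ap-southeast-1"

  # Required wiring to the VPC module's remote state (placeholder values).
  tfstate_global_bucket      = "PLACEHOLDER-tfstate-bucket"
  vpc_state_key              = "vpc"
  vpc_id                     = "vpc-PLACEHOLDER"
  vpc_name                   = "PLACEHOLDER-vpc"
  master_subnets_ids         = [["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]]
  worker_private_subnets_ids = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  worker_public_subnets_ids  = ["subnet-PLACEHOLDER-c"]
  worker_intra_subnets_ids   = ["subnet-PLACEHOLDER-d"]

  # Module defaults: public endpoint enabled with cluster_endpoint_public_access_cidrs
  # = ["0.0.0.0/0"]. Keep the API server private and let the module create the
  # security group rules for the private endpoint.
  cluster_endpoint_private_access                = true
  cluster_endpoint_public_access                 = false
  cluster_create_endpoint_private_access_sg_rule = true

  # Module default: [] (no envelope encryption of Kubernetes secrets).
  cluster_encryption_config = [{
    provider_key_arn = "arn:aws:kms:ap-southeast-1:111122223333:key/PLACEHOLDER"
    resources        = ["secrets"]
  }]

  # Map an IAM role to an RBAC group instead of giving individual IAM users
  # system:masters; the group still needs a RoleBinding/ClusterRoleBinding.
  map_roles = [{
    rolearn  = "arn:aws:iam::111122223333:role/eks-developers" # placeholder
    username = "developer:{{SessionName}}"
    groups   = ["developers"]
  }]
  map_users = []

  # Apply the account's permissions boundary to every IAM role the module creates
  # and keep control-plane audit logs longer than the 90-day default.
  permissions_boundary          = "arn:aws:iam::111122223333:policy/GCCIAccountBoundary"
  cluster_log_retention_in_days = 365

  # Do not leave a kubeconfig on the runner's disk; generate it on demand instead.
  write_kubeconfig = false
}
```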

Outputs

| Name | Description |
|------|-------------|
| alb_role_arn | ALB role ARN |
| cloudwatch_log_group_name | Name of the CloudWatch log group created |
| cluster_endpoint | Endpoint for the EKS control plane |
| cluster_id | The name/ID of the EKS cluster |
| cluster_security_group_id | Security group IDs attached to the cluster control plane |
| cluster_version | The Kubernetes server version for the EKS cluster |
| config_map_aws_auth | A Kubernetes configuration to authenticate to this EKS cluster |
| dynamic_persistent_volume_provisioning_arn | Dynamic PV policy ARN |
| external_dns_role_arn | External DNS role ARN |
| kamus_role_arn | kamus role ARN |
| kubectl_config | kubectl config as generated by the module |
| node_groups | Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys |
| worker_additional_policies | Additional policies added to the worker IAM role |
| worker_iam_role_arn | Default IAM role ARN for EKS worker groups |
| worker_iam_role_name | Default IAM role name for EKS worker groups |
| worker_security_group_id | Security group ID attached to the EKS workers |
| workers_asg_arns | IDs of the autoscaling groups containing workers |
| workers_asg_names | Names of the autoscaling groups containing workers |
| workers_launch_template_ids | IDs of the worker launch templates |
| workers_user_data | User data of worker groups |