
defenseunicorns/terraform-aws-eks


AWS EKS Module

This repository contains Terraform configuration files that create an Amazon Elastic Kubernetes Service (EKS) cluster. This module sets various parameters for this cluster, including the cluster name, version, VPC information, security group rules, and user and role mappings. Additionally, it sets up self-managed node groups for the EKS cluster.

Examples

To view examples for how you can leverage this EKS Module, please see the examples directory.

Bastion

You can use the bastion instance to connect to the EKS cluster when the cluster's endpoint is not publicly accessible. We use sshuttle combined with SSM to forward all traffic through the bastion instance to the EKS cluster. This allows you to use kubectl to interact with the EKS cluster from your local machine.

Use of sshuttle with password:

  1. Set the bastion ID: export BASTION_INSTANCE_ID=$(terraform output -raw bastion_instance_id)
  2. Connect to the bastion: sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16

Use of sshuttle with private key:

  1. Set the bastion ID: export BASTION_INSTANCE_ID=$(terraform output -raw bastion_instance_id)
  2. Dump the key: terraform output -raw bastion_instance_private_key > priv.key; chmod 600 priv.key
  3. Connect to the bastion: sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 --ssh-cmd 'ssh -i priv.key'
  4. Delete the key afterwards: rm priv.key
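The private-key flow above as a script, added here as an example; it is not part of this repository. It performs the same steps as the list but keeps the key in a mode-0600 temporary file that is deleted on exit (instead of a priv.key in the working directory, which is world-readable until the chmod runs), and it checks the instance ID and CIDR before passing them to sshuttle. It assumes ssh reaches the bastion through the SSM AWS-StartSSHSession document used as a ProxyCommand (AWS CLI and Session Manager plugin installed locally), which is what makes ec2-user@<instance id> reachable without a public IP on the bastion; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of defenseunicorns/terraform-aws-eks.
# Wraps the "sshuttle with private key" steps from the README: the key is
# written to a mode-0600 temp file (umask 077, so it is never world-readable,
# not even briefly) and removed on exit, and the inputs are validated before
# they are handed to sshuttle.
# Assumption: ssh reaches the bastion through the SSM document
# AWS-StartSSHSession (AWS CLI + Session Manager plugin installed), which is
# what lets "ec2-user@<instance id>" work with no public IP on the bastion.
set -eu

# EC2 instance id: "i-" followed by 8 or 17 lowercase hex characters.
is_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# IPv4 CIDR such as 10.200.0.0/16 (shape check only, prefix length 0-32).
is_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# The ssh command sshuttle should use: the identity file plus the SSM proxy.
# %%h and %%p come out of printf as %h and %p, which ssh expands to host/port.
ssh_cmd_for_key() {
  printf 'ssh -i %s -o ProxyCommand="aws ssm start-session --target %%h --document-name AWS-StartSSHSession --parameters portNumber=%%p"' "$1"
}

# Forward traffic for CIDR $2 through bastion $1, using a throwaway key file.
connect_with_key() {
  bastion_id=$1
  cidr=$2
  is_instance_id "$bastion_id" || { echo "not an instance id: $bastion_id" >&2; return 1; }
  is_cidr "$cidr" || { echo "not a CIDR: $cidr" >&2; return 1; }

  umask 077                                # files created from here on are 0600
  keyfile=$(mktemp)
  trap 'rm -f "$keyfile"' EXIT INT TERM    # delete the key however we leave
  terraform output -raw bastion_instance_private_key > "$keyfile"

  sshuttle --dns -vr "ec2-user@$bastion_id" "$cidr" --ssh-cmd "$(ssh_cmd_for_key "$keyfile")"
}

# Usage: ./bastion.sh connect [CIDR]   (CIDR defaults to the README's 10.200.0.0/16)
if [ "${1:-}" = "connect" ]; then
  connect_with_key "$(terraform output -raw bastion_instance_id)" "${2:-10.200.0.0/16}"
fi
```

Run it as ./bastion.sh connect (optionally with a CIDR as the second argument) from the Terraform working directory so that terraform output can read the state. Because the key file is created under umask 077 and removed by the EXIT trap, interrupting sshuttle with Ctrl-C still leaves no key material behind.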

Requirements

Name Version
terraform >= 1.3
aws >= 5.34
helm >= 2.7
kubernetes >= 2.20
random >= 3.1.0

Providers

Name Version
aws >= 5.34
kubernetes >= 2.20
random >= 3.1.0

Modules

Name Source Version
aws_eks git::https://github.com/terraform-aws-modules/terraform-aws-eks.git v20.11.0
ebs_csi_driver_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.20
efs terraform-aws-modules/efs/aws ~> 1.0
efs_csi_driver_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.20
eks_blueprints_kubernetes_addons git::https://github.com/aws-ia/terraform-aws-eks-blueprints-addons.git v1.16.3

Resources

Name Type
aws_ssm_parameter.file_system_id_for_efs_storage_class resource
aws_ssm_parameter.helm_input_values resource
kubernetes_annotations.gp2 resource
kubernetes_storage_class_v1.efs resource
kubernetes_storage_class_v1.gp3 resource
random_id.efs_name resource
aws_caller_identity.current data source
aws_iam_session_context.current data source
aws_partition.current data source

Inputs

Name Description Type Default Required
access_entries Map of access entries to add to the cluster any {} no
attach_cluster_encryption_policy Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided bool true no
authentication_mode The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP string "API_AND_CONFIG_MAP" no
aws_admin_usernames A list of one or more AWS usernames with authorized access to KMS and EKS resources. The user or role running Terraform is automatically added as an admin list(string) [] no
aws_cloudwatch_metrics AWS Cloudwatch Metrics config for aws-ia/eks-blueprints-addon/aws any {} no
aws_fsx_csi_driver FSX CSI Driver config for aws-ia/eks-blueprints-addon/aws any {} no
aws_load_balancer_controller AWS Loadbalancer Controller config for aws-ia/eks-blueprints-addon/aws any {} no
aws_node_termination_handler AWS Node Termination Handler config for aws-ia/eks-blueprints-addon/aws any {} no
aws_privateca_issuer AWS Private CA Issuer config for aws-ia/eks-blueprints-addon/aws any {} no
aws_region Used to create vpc-cni ENI config objects when configuring the vpc-cni marketplace add-on string "" no
azs List of names of availability zones to use for subnet configs list(string) [] no
blueprints_addons_prefixes Prefixes for the eks blueprints addons, used to parse addon gitops_metadata output and create objects with list(string)
[
"cert_manager",
"cluster_autoscaler",
"aws_cloudwatch_metrics",
"aws_efs_csi_driver",
"aws_fsx_csi_driver",
"aws_privateca_issuer",
"external_dns_route53",
"external_secrets",
"aws_load_balancer_controller",
"aws_for_fluentbit",
"aws_node_termination_handler",
"karpenter",
"velero",
"aws_gateway_api_controller",
"fargate_fluentbit_log"
]
no
bottlerocket_shadow Bottlerocket Shadow config for aws-ia/eks-blueprints-addon/aws any {} no
bottlerocket_update_operator Bottlerocket Update Operator config for aws-ia/eks-blueprints-addon/aws any {} no
cert_manager Cert Manager config for aws-ia/eks-blueprints-addon/aws any {} no
cert_manager_route53_hosted_zone_arns List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records list(string) [] no
cloudwatch_log_group_class Specifies the log class of the log group. Possible values are STANDARD or INFREQUENT_ACCESS string null no
cloudwatch_log_group_kms_key_id If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) string null no
cloudwatch_log_group_retention_in_days Number of days to retain log events. Default retention - 90 days number 90 no
cloudwatch_log_group_tags A map of additional tags to add to the cloudwatch log group created map(string) {} no
cluster_additional_security_group_ids List of additional, externally created security group IDs to attach to the cluster control plane list(string) [] no
cluster_addons Nested map of EKS native add-ons and their associated parameters.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values.
See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/complete/main.tf#L44-L60 for an upstream example.

To see the EKS marketplace add-ons available for your cluster's version, run:
aws eks describe-addon-versions --kubernetes-version $k8s_cluster_version --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner, Publisher: publisher, Type: type}' --output table
any {} no
cluster_autoscaler Cluster Autoscaler config for aws-ia/eks-blueprints-addon/aws any
{
"set": [
{
"name": "extraArgs.expander",
"value": "priority"
},
{
"name": "expanderPriorities",
"value": "100:\n - .-spot-2vcpu-8mem.\n90:\n - .-spot-4vcpu-16mem.\n10:\n - .*\n"
}
]
}
no
cluster_enabled_log_types A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) list(string)
[
"audit",
"api",
"authenticator"
]
no
cluster_endpoint_private_access Indicates whether or not the Amazon EKS private API server endpoint is enabled bool true no
cluster_endpoint_public_access Enable public access to the cluster endpoint bool false no
cluster_endpoint_public_access_cidrs List of CIDR blocks which can access the Amazon EKS public API server endpoint list(string)
[
"0.0.0.0/0"
]
no
cluster_ip_family The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created string "ipv4" no
cluster_name Name of cluster string "" no
cluster_security_group_additional_rules List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source any {} no
cluster_security_group_description Description of the cluster security group created string "EKS cluster security group" no
cluster_security_group_id Existing security group ID to be attached to the cluster string "" no
cluster_security_group_name Name to use on cluster security group created string null no
cluster_security_group_tags A map of additional tags to add to the cluster security group created map(string) {} no
cluster_security_group_use_name_prefix Determines whether cluster security group name (cluster_security_group_name) is used as a prefix bool true no
cluster_service_ipv4_cidr The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks string null no
cluster_tags A map of additional tags to add to the cluster map(string) {} no
cluster_timeouts Create, update, and delete timeout configurations for the cluster map(string) {} no
cluster_version Kubernetes version to use for EKS cluster string "1.29" no
control_plane_subnet_ids Subnet IDs for control plane list(string) [] no
create_cloudwatch_log_group Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled bool true no
create_cluster_primary_security_group_tags Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation bool true no
create_cluster_security_group Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default bool true no
create_eni_configs Merge ENI configs for VPC CNI into cluster_addons configuration bool true no
create_kms_key Controls if a KMS key for cluster encryption should be created bool true no
create_kubernetes_resources Create Kubernetes resource with Helm or Kubernetes provider bool true no
create_ssm_parameters Create SSM parameters for values from eks blueprints addons outputs bool true no
dataplane_wait_duration Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed nodegroup(s), self-managed nodegroup(s), Fargate profile(s)) string "4m" no
ebs_storageclass_reclaim_policy Reclaim policy for gp3 storage class, valid options are Delete and Retain string "Delete" no
efs_storageclass_reclaim_policy Reclaim policy for EFS storage class, valid options are Delete and Retain string "Delete" no
efs_vpc_cidr_blocks CIDR blocks to allow access to EFS list(string) [] no
eks_managed_node_group_defaults Map of EKS-managed node group default configurations any {} no
eks_managed_node_groups Managed node groups configuration any {} no
enable_amazon_eks_aws_ebs_csi_driver Enable EKS Managed AWS EBS CSI Driver add-on bool false no
enable_amazon_eks_aws_efs_csi_driver Enable EFS CSI Driver add-on bool false no
enable_aws_cloudwatch_metrics Enable AWS Cloudwatch Metrics add-on bool false no
enable_aws_fsx_csi_driver Enable FSX CSI Driver add-on bool false no
enable_aws_load_balancer_controller Enable AWS Loadbalancer Controller add-on bool false no
enable_aws_node_termination_handler Enable AWS Node Termination Handler add-on bool false no
enable_aws_privateca_issuer Enable AWS Private CA Issuer add-on bool false no
enable_bottlerocket_update_operator Enable Bottlerocket and Bottlerocket Update Operator add-on bool false no
enable_cert_manager Enable Cert Manager add-on bool false no
enable_cluster_autoscaler Enable Cluster autoscaler add-on bool false no
enable_cluster_creator_admin_permissions Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry bool true no
enable_external_dns Enable External DNS add-on bool false no
enable_external_secrets Enable External Secrets add-on bool false no
enable_gp3_default_storage_class Enable gp3 as default storage class bool false no
enable_karpenter Enable Karpenter add-on bool false no
enable_kms_key_rotation Specifies whether key rotation is enabled bool true no
enable_metrics_server Enable metrics server add-on bool false no
enable_secrets_store_csi_driver Enable k8s Secret Store CSI Driver add-on bool false no
external_dns External DNS config for aws-ia/eks-blueprints-addon/aws any {} no
external_secrets External Secrets config for aws-ia/eks-blueprints-addon/aws any {} no
external_secrets_kms_key_arns List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets list(string) [] no
external_secrets_secrets_manager_arns List of Secrets Manager ARNs that contain secrets to mount using External Secrets list(string) [] no
external_secrets_ssm_parameter_arns List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets list(string) [] no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
karpenter Karpenter config for aws-ia/eks-blueprints-addon/aws any {} no
kms_key_administrators A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available list(string) [] no
kms_key_aliases A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values list(string) [] no
kms_key_deletion_window_in_days The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 number null no
kms_key_description The description of the key as viewed in AWS console string null no
kms_key_enable_default_policy Specifies whether to enable the default key policy bool true no
kms_key_override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid list(string) [] no
kms_key_owners A list of IAM ARNs for those who will have full key permissions (kms:*) list(string) [] no
kms_key_service_users A list of IAM ARNs for key service users list(string) [] no
kms_key_source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements must have unique sids list(string) [] no
kms_key_users A list of IAM ARNs for key users list(string) [] no
metrics_server Metrics Server config for aws-ia/eks-blueprints-addon/aws any {} no
name tflint-ignore: terraform_unused_declarations string "" no
private_subnet_ids Private subnet IDs list(string) [] no
secrets_store_csi_driver k8s Secret Store CSI Driver config for aws-ia/eks-blueprints-addon/aws any {} no
self_managed_node_group_defaults Map of self-managed node group default configurations any {} no
self_managed_node_groups Self-managed node groups configuration any {} no
ssm_parameter_kms_key_arn KMS key arn for use with SSM parameter encryption/decryption string "" no
tags A map of tags to apply to all resources map(string) {} no
vpc_cni_custom_subnet Subnet to put pod ENIs in list(string) [] no
vpc_id ID of the VPC where the cluster security group will be provisioned string null no

Outputs

Name Description
cluster_arn The ARN of the EKS cluster
cluster_certificate_authority_data EKS cluster certificate authority data
cluster_endpoint EKS cluster endpoint
cluster_iam_role_arn EKS cluster IAM role ARN
cluster_name The name of the EKS cluster
cluster_security_group_id EKS cluster security group ID
cluster_status Status of the EKS cluster
efs_storageclass_name The name of the EFS storageclass that was created (if var.enable_amazon_eks_aws_efs_csi_driver was set to true)
eks_addons_gitops_metadata EKS Addons metadata; see https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/outputs.tf#L167-L276
managed_nodegroups EKS managed node groups
oidc_provider The OpenID Connect identity provider (issuer URL without leading https://)
oidc_provider_arn EKS OIDC provider ARN
region AWS region