
devopsmakers/terraform-aws-eks


terraform-aws-eks


This is a complete rework of the upstream community EKS module: https://github.com/terraform-aws-modules/terraform-aws-eks

⚠️ Only Terraform >= 0.12 will be supported. Based on v9.0.x of the upstream module.

The interface to the module is similar, but this rework tries to be more flexible by letting users create and use components separately, splitting out sub-modules for:

  • EKS Control Plane
  • EKS Worker Groups
  • EKS Managed Node Groups
  • aws-auth Configuration

The sub-modules are designed to be used as individual modules so that the user can perform actions in between creating the control plane and creating workers and nodes (for example, applying a custom CNI configuration).

By breaking out separate sub-modules we get a clearer separation of concerns and reduce the tight coupling of control plane and worker nodes, whilst maintaining the same interface for seamless migration to this module. The root module interface has become an example implementation of the sub-modules.

🚨 Major Changes

There are some core implementation changes from the original eks module:

  1. Launch Configuration support has been removed in favour of a Launch Template driven worker_groups sub-module. Both do the same job, so (to my current knowledge) there is no benefit in supporting both LCs and LTs. worker_groups_launch_template has been dropped and worker_groups now creates LTs.

  2. Simplified code through merging defaults. This is a pattern I saw in the node_groups sub-module and really liked: merging the defaults local, the defaults variable and the per-group map values:

    # Merge defaults and per-group values to make code cleaner
    worker_groups_expanded = { for k, v in var.worker_groups : k => merge(
      local.worker_groups_defaults,
      var.worker_groups_defaults,
      v,
    ) if var.create_eks }
    

    It means that code moves from this:

    enabled_metrics = lookup(
      var.worker_groups[count.index],
      "enabled_metrics",
      local.workers_group_defaults["enabled_metrics"]
    )
    

    To this:

    enabled_metrics = each.value["enabled_metrics"]
    
  3. Enabling a map of maps for worker_groups. By passing in a map of maps keyed by group name we can add and remove worker_groups without affecting the existing resources. A list of maps still works, but carries all the usual problems of removing objects from the middle of a list.

    With the sub-module approach, there's nothing stopping a user from using a module instance per worker_group further isolating the data structures in the state file.
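Both patterns above, the three-way merge of defaults and a map of maps keyed by group name, put together as an added example; this is not the module's own code. The keys in `local.worker_groups_defaults`, the `subnets` variable, and the launch template and autoscaling group attributes used here are assumptions chosen for illustration:

```hcl
# Added example (not the module's own code): merge three layers of defaults
# into a map of worker groups keyed by group name, then drive resources with
# for_each so that removing one key only destroys that group's resources.

variable "worker_groups" {
  description = "Map of worker groups, keyed by a stable group name."
  type        = any
  default = {
    general = {
      instance_type = "m5.large"
      asg_max_size  = 5
    }
    # Per-group override of a module default (assumed key for illustration).
    batch = {
      instance_type   = "c5.xlarge"
      enabled_metrics = []
    }
  }
}

variable "worker_groups_defaults" {
  description = "User-supplied overrides applied to every worker group."
  type        = any
  default     = {}
}

variable "create_eks" {
  type    = bool
  default = true
}

variable "subnets" {
  type    = list(string)
  default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] # constructed
}

locals {
  # Module-level defaults; lowest precedence (keys are assumptions).
  worker_groups_defaults = {
    instance_type   = "t3.medium"
    asg_min_size    = 1
    asg_max_size    = 3
    enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances"]
  }

  # merge() is right-biased, so precedence is:
  # local defaults < var.worker_groups_defaults < the per-group map.
  # The result keeps the caller's keys, so "batch" stays "batch" in state.
  worker_groups_expanded = {
    for k, v in var.worker_groups : k => merge(
      local.worker_groups_defaults,
      var.worker_groups_defaults,
      v,
    ) if var.create_eks
  }
}

resource "aws_launch_template" "workers" {
  for_each = local.worker_groups_expanded

  name_prefix   = "${each.key}-"
  instance_type = each.value["instance_type"]
}

resource "aws_autoscaling_group" "workers" {
  for_each = local.worker_groups_expanded

  name_prefix         = "${each.key}-"
  min_size            = each.value["asg_min_size"]
  max_size            = each.value["asg_max_size"]
  enabled_metrics     = each.value["enabled_metrics"]
  vpc_zone_identifier = var.subnets

  launch_template {
    id      = aws_launch_template.workers[each.key].id
    version = "$Latest"
  }
}

output "worker_group_keys" {
  # Resource addresses become aws_autoscaling_group.workers["general"] etc.
  value = keys(local.worker_groups_expanded)
}
```

With `terraform plan`, deleting the `batch` key from `var.worker_groups` only plans the destruction of `aws_launch_template.workers["batch"]` and `aws_autoscaling_group.workers["batch"]`; with the old list-of-maps and `count` form, removing an element in the middle shifts every later index and replaces those groups.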

Providers

No provider.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| attach_node_cni_policy | Whether to attach the Amazon managed AmazonEKS_CNI_Policy IAM policy to the default worker IAM role. WARNING: If set false the permissions must be assigned to the aws-node DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no |
| attach_worker_cni_policy | Whether to attach the Amazon managed AmazonEKS_CNI_Policy IAM policy to the default worker IAM role. WARNING: If set false the permissions must be assigned to the aws-node DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no |
| cluster_create_security_group | Whether to create a security group for the cluster or attach the cluster to cluster_security_group_id. | `bool` | `true` | no |
| cluster_create_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
| cluster_delete_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
| cluster_enabled_log_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
| cluster_encryption_key_arn | KMS Key ARN to encrypt EKS secrets with. | `string` | `""` | no |
| cluster_encryption_resources | A list of the EKS resources to encrypt. | `list(string)` | `["secrets"]` | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_iam_role_name | IAM role name for the cluster. Only applicable if manage_cluster_iam_resources is set to false. | `string` | `""` | no |
| cluster_log_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `""` | no |
| cluster_log_retention_in_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no |
| cluster_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | n/a | yes |
| cluster_security_group_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers. | `string` | `""` | no |
| cluster_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.15"` | no |
| config_output_path | Where to save the Kubectl config file (if write_kubeconfig = true). Assumed to be a directory if the value ends with a forward slash /. | `string` | `"./"` | no |
| create_eks | Controls if EKS resources should be created (it affects almost all resources). | `bool` | `true` | no |
| eks_oidc_root_ca_thumbprint | Thumbprint of Root CA for EKS OIDC. Valid until 2037. | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no |
| enable_irsa | Whether to create an OpenID Connect Provider for EKS to enable IRSA. | `bool` | `false` | no |
| iam_path | If provided, all IAM roles will be created on this path. | `string` | `"/"` | no |
| kubeconfig_aws_authenticator_additional_args | Any additional arguments to pass to the authenticator such as the role to assume. e.g. ["-r", "MyEksRole"]. | `list(string)` | `[]` | no |
| kubeconfig_aws_authenticator_command | Command to use to fetch AWS EKS credentials. | `string` | `"aws-iam-authenticator"` | no |
| kubeconfig_aws_authenticator_command_args | Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name]. | `list(string)` | `[]` | no |
| kubeconfig_aws_authenticator_env_variables | Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = "eks"}. | `map(string)` | `{}` | no |
| kubeconfig_name | Override the default name used for kubeconfig items. | `string` | `""` | no |
| manage_aws_auth | Whether to apply the aws-auth configmap file. | `bool` | `true` | no |
| manage_cluster_iam_resources | Whether to let the module manage cluster IAM resources. If set to false, cluster_iam_role_name must be specified. | `bool` | `true` | no |
| manage_node_iam_resources | Whether to let the module manage worker IAM resources. If set to false, iam_instance_profile_name must be specified for workers. | `bool` | `true` | no |
| manage_worker_iam_resources | Whether to let the module manage worker IAM resources. If set to false, iam_instance_profile_name must be specified for workers. | `bool` | `true` | no |
| map_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(string)` | `[]` | no |
| map_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(object({ rolearn = string, username = string, groups = list(string) }))` | `[]` | no |
| map_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(object({ userarn = string, username = string, groups = list(string) }))` | `[]` | no |
| node_groups | Map of maps of node groups to create. See the node_groups module's documentation for more details. | `any` | `{}` | no |
| node_groups_additional_policies | Additional policies to be added to workers. | `list(string)` | `[]` | no |
| node_groups_defaults | Map of values to be applied to all node groups. See the node_groups module's documentation for more details. | `any` | `{}` | no |
| node_groups_role_name | User defined workers role name. | `string` | `""` | no |
| permissions_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | n/a | yes |
| subnets | A list of subnets to place the EKS cluster and workers within. | `list(string)` | n/a | yes |
| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| vpc_id | VPC where the cluster and workers will be deployed. | `string` | n/a | yes |
| wait_for_cluster_cmd | Custom local-exec command to execute for determining if the EKS cluster is healthy. The cluster endpoint will be available as an environment variable called ENDPOINT. | `string` | `"until wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null; do sleep 4; done"` | no |
| worker_additional_security_group_ids | A list of additional security group ids to attach to worker instances. | `list(string)` | `[]` | no |
| worker_ami_name_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster_version' is used. | `string` | `""` | no |
| worker_ami_name_filter_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster_version' is used. | `string` | `""` | no |
| worker_ami_owner_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no |
| worker_ami_owner_id_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no |
| worker_create_initial_lifecycle_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
| worker_create_security_group | Whether to create a security group for the workers or attach the workers to worker_security_group_id. | `bool` | `true` | no |
| worker_groups | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers_group_defaults for valid keys. | `any` | `[]` | no |
| worker_groups_additional_policies | Additional policies to be added to workers. | `list(string)` | `[]` | no |
| worker_groups_defaults | Override default values for target groups. See worker_group_defaults in local.tf for valid keys. | `any` | `{}` | no |
| worker_groups_launch_template | A list of maps defining worker group configurations to be defined using AWS Launch Templates. See workers_group_defaults for valid keys. | `any` | `[]` | no |
| worker_groups_role_name | User defined workers role name. | `string` | `""` | no |
| worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no |
| worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | `number` | `1025` | no |
| write_kubeconfig | Whether to write a Kubectl config file containing the cluster configuration. Saved to config_output_path. | `bool` | `true` | no |
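Several of the defaults above are the permissive choice (public endpoint open to `0.0.0.0/0`, private endpoint off, no control plane logs, no KMS envelope encryption of secrets, IRSA off). The following is an added example of a hardened call of the root module using only the inputs listed; it is not code from the module or its examples/ directory. The `source` path is assumed from the repository name, the KMS key and permissions boundary are declared inline so the snippet is self-contained, every ID, ARN and CIDR is a constructed placeholder, and `worker_groups` is passed as a map of maps as the Major Changes section describes:

```hcl
# Added example (not the module's own code): root module call with the
# permissive defaults replaced by hardened values. Comments name the
# default each input overrides, taken from the inputs table.

resource "aws_kms_key" "eks" {
  description         = "Envelope encryption for EKS secrets and control plane logs"
  enable_key_rotation = true
  # The key policy must also allow the CloudWatch Logs service principal to
  # use the key, as the cluster_log_kms_key_id description points out.
}

# Ceiling for every IAM role the module creates (illustrative actions only).
resource "aws_iam_policy" "boundary" {
  name = "eks-permissions-boundary"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ec2:*", "eks:*", "ecr:*", "logs:*", "autoscaling:*", "elasticloadbalancing:*"]
        Resource = "*"
      },
    ]
  })
}

module "eks" {
  source = "github.com/devopsmakers/terraform-aws-eks" # assumed source path

  cluster_name    = "prod-eks"
  cluster_version = "1.15"
  vpc_id          = "vpc-PLACEHOLDER"                                   # constructed
  subnets         = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]    # constructed
  permissions_boundary = aws_iam_policy.boundary.arn                     # required input

  # Default: private endpoint off, public endpoint reachable from 0.0.0.0/0.
  # Hardened: in-VPC access via the private endpoint; public access only from
  # an operator range (RFC 5737 documentation prefix, constructed).
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]

  # Default: cluster_enabled_log_types = [] (no control plane logs).
  # Audit and authenticator logs are what an incident responder needs to
  # reconstruct who called the API and which IAM identity they mapped to.
  cluster_enabled_log_types     = ["api", "audit", "authenticator"]
  cluster_log_retention_in_days = 365
  cluster_log_kms_key_id        = aws_kms_key.eks.arn

  # Default: cluster_encryption_key_arn = "" (no KMS envelope encryption of
  # Kubernetes secrets).
  cluster_encryption_key_arn   = aws_kms_key.eks.arn
  cluster_encryption_resources = ["secrets"]

  # Default: enable_irsa = false, so pods can only use the node's instance
  # role. With IRSA, workloads get per-service-account roles instead.
  enable_irsa = true

  # aws-auth: grant cluster admin to a named role rather than relying on the
  # creating identity alone. Account ID is constructed.
  map_roles = [
    {
      rolearn  = "arn:aws:iam::123456789012:role/eks-admin"
      username = "eks-admin"
      groups   = ["system:masters"]
    },
  ]

  # Map of maps keyed by group name (see Major Changes, item 3).
  worker_groups = {
    general = {
      instance_type = "m5.large"
      asg_max_size  = 5
    }
  }

  tags = {
    Environment = "prod"
  }
}
```

Leaving `cluster_endpoint_public_access = true` with a restricted CIDR list keeps CI runners outside the VPC working; if every client is inside the VPC or reaches it over a VPN, set it to `false` and rely on the private endpoint alone.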

Outputs

| Name | Description |
|------|-------------|
| cloudwatch_log_group_name | Name of the CloudWatch log group created. |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster. |
| cluster_certificate_authority_data | Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster. |
| cluster_endpoint | The endpoint for your EKS Kubernetes API. |
| cluster_iam_role_arn | IAM role ARN of the EKS cluster. |
| cluster_id | The name/id of the EKS cluster. |
| cluster_oidc_issuer_url | The URL of the EKS cluster OIDC issuer. |
| cluster_security_group_id | Security group ID attached to the EKS cluster. |
| cluster_version | The Kubernetes server version for the EKS cluster. |
| config_map_aws_auth | A Kubernetes configuration to authenticate to this EKS cluster. |
| kubeconfig | kubectl config file contents for this EKS cluster. |
| kubeconfig_filename | The filename of the generated kubectl config. |
| node_groups | Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys. |
| oidc_provider_arn | The ARN of the OIDC Provider if enable_irsa = true. |
| worker_iam_instance_profile_arns | Default IAM instance profile ARN for EKS worker groups. |
| worker_iam_instance_profile_names | Default IAM instance profile name for EKS worker groups. |
| worker_iam_role_arn | Default IAM role ARN for EKS worker groups. |
| worker_iam_role_name | Default IAM role name for EKS worker groups. |
| worker_security_group_id | Security group ID attached to the EKS workers. |
| workers_asg_arns | IDs of the autoscaling groups containing workers. |
| workers_asg_names | Names of the autoscaling groups containing workers. |
| workers_default_ami_id | ID of the default worker group AMI. |
| workers_launch_template_arns | ARNs of the worker launch templates. |
| workers_launch_template_ids | IDs of the worker launch templates. |
| workers_launch_template_latest_versions | Latest versions of the worker launch templates. |
| workers_user_data | User data of worker groups. |