Requirements

The following requirements are needed by this module:

• terraform (>= 0.13.1)

• aws (>= 3.40.0)

• http (>= 2.4.1)

• kubernetes (>= 1.11.1)

• local (>= 1.4)

Providers

The following providers are used by this module:

• aws (3.45.0)

• http (2.4.1)

• kubernetes (2.3.2)

• local (2.1.0)

Modules

The following Modules are called:

addons

Source: ./modules/addons

Version:

fargate

Source: ./modules/fargate

Version:

node_groups

Source: ./modules/node_groups

Version:

Resources

The following resources are used by this module:

• aws_autoscaling_group.workers (resource)
• aws_autoscaling_group.workers_launch_template (resource)
• aws_cloudwatch_log_group.this (resource)
• aws_eks_cluster.this (resource)
• aws_iam_instance_profile.workers (resource)
• aws_iam_instance_profile.workers_launch_template (resource)
• aws_iam_openid_connect_provider.oidc_provider (resource)
• aws_iam_policy.cluster_elb_sl_role_creation (resource)
• aws_iam_role.cluster (resource)
• aws_iam_role.workers (resource)
• aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy (resource)
• aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy (resource)
• aws_iam_role_policy_attachment.cluster_AmazonEKSVPCResourceControllerPolicy (resource)
• aws_iam_role_policy_attachment.cluster_elb_sl_role_creation (resource)
• aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly (resource)
• aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy (resource)
• aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy (resource)
• aws_iam_role_policy_attachment.workers_additional_policies (resource)
• aws_launch_configuration.workers (resource)
• aws_launch_template.workers_launch_template (resource)
• aws_security_group.cluster (resource)
• aws_security_group.workers (resource)
• aws_security_group_rule.cluster_egress_internet (resource)
• aws_security_group_rule.cluster_https_worker_ingress (resource)
• aws_security_group_rule.cluster_primary_ingress_workers (resource)
• aws_security_group_rule.cluster_private_access_cidrs_source (resource)
• aws_security_group_rule.cluster_private_access_sg_source (resource)
• aws_security_group_rule.workers_egress_internet (resource)
• aws_security_group_rule.workers_ingress_cluster (resource)
• aws_security_group_rule.workers_ingress_cluster_https (resource)
• aws_security_group_rule.workers_ingress_cluster_kubelet (resource)
• aws_security_group_rule.workers_ingress_cluster_primary (resource)
• aws_security_group_rule.workers_ingress_self (resource)
• kubernetes_config_map.aws_auth (resource)
• local_file.kubeconfig (resource)
• aws_ami.eks_worker (data source)
• aws_ami.eks_worker_windows (data source)
• aws_caller_identity.current (data source)
• aws_iam_instance_profile.custom_worker_group_iam_instance_profile (data source)
• aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile (data source)
• aws_iam_policy_document.cluster_assume_role_policy (data source)
• aws_iam_policy_document.cluster_elb_sl_role_creation (data source)
• aws_iam_policy_document.workers_assume_role_policy (data source)
• aws_iam_role.custom_cluster_iam_role (data source)
• aws_partition.current (data source)
• http_http.wait_for_cluster (data source)

Required Inputs

The following input variables are required:

cluster_name

Description: Name of the EKS cluster. Also used as a prefix in names of related resources.

Type: string

cluster_version

Description: Kubernetes version to use for the EKS cluster.

Type: string

subnets

Description: A list of subnets to place the EKS cluster and workers within.

Type: list(string)

vpc_id

Description: VPC where the cluster and workers will be deployed.

Type: string

Optional Inputs

The following input variables are optional (have default values):

addon_tags

Description: A map of tags to add to addons.

Type: map(string)

Default: {}

attach_worker_cni_policy

Description: Whether to attach the Amazon managed AmazonEKS_CNI_Policy IAM policy to the default worker IAM role. WARNING: If set false the permissions must be assigned to the aws-node DaemonSet pods via another method or nodes will not be able to join the cluster. Note: Set to false if you enable the vpc_cni addon with create_vpc_cni_addon = true

Type: bool

Default: true

aws_auth_additional_labels

Description: Additional kubernetes labels applied on aws-auth ConfigMap

Type: map(string)

Default: {}

cluster_create_endpoint_private_access_sg_rule

Description: Whether to create security group rules for the access to the Amazon EKS private API server endpoint. When is true, cluster_endpoint_private_access_cidrs must be setted.

Type: bool

Default: false

cluster_create_security_group

Description: Whether to create a security group for the cluster or attach the cluster to cluster_security_group_id.

Type: bool

Default: true

cluster_create_timeout

Description: Timeout value when creating the EKS cluster.

Type: string

Default: "30m"

cluster_delete_timeout

Description: Timeout value when deleting the EKS cluster.

Type: string

Default: "15m"

cluster_egress_cidrs

Description: List of CIDR blocks that are permitted for cluster egress traffic.

Type: list(string)

Default:

[
  "0.0.0.0/0"
]

cluster_enabled_log_types

Description: A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)

Type: list(string)

Default: []

cluster_encryption_config

Description: Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format

Type:

list(object({
    provider_key_arn = string
    resources        = list(string)
  }))

Default: []

cluster_endpoint_private_access

Description: Indicates whether or not the Amazon EKS private API server endpoint is enabled.

Type: bool

Default: false

cluster_endpoint_private_access_cidrs

Description: List of CIDR blocks which can access the Amazon EKS private API server endpoint. To use this cluster_endpoint_private_access and cluster_create_endpoint_private_access_sg_rule must be set to true.

Type: list(string)

Default: null

cluster_endpoint_private_access_sg

Description: List of security group IDs which can access the Amazon EKS private API server endpoint. To use this cluster_endpoint_private_access and cluster_create_endpoint_private_access_sg_rule must be set to true.

Type: list(string)

Default: null

cluster_endpoint_public_access

Description: Indicates whether or not the Amazon EKS public API server endpoint is enabled. When it's set to false ensure to have a proper private access with cluster_endpoint_private_access = true.

Type: bool

Default: true

cluster_endpoint_public_access_cidrs

Description: List of CIDR blocks which can access the Amazon EKS public API server endpoint.

Type: list(string)

Default:

[
  "0.0.0.0/0"
]

cluster_iam_role_name

Description: IAM role name for the cluster. If manage_cluster_iam_resources is set to false, set this to reuse an existing IAM role. If manage_cluster_iam_resources is set to true, set this to force the created role name.

Type: string

Default: ""

cluster_log_kms_key_id

Description: If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)

Type: string

Default: ""

cluster_log_retention_in_days

Description: Number of days to retain log events. Default retention - 90 days.

Type: number

Default: 90

cluster_security_group_id

Description: If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers

Type: string

Default: ""

cluster_service_ipv4_cidr

Description: service ipv4 cidr for the kubernetes cluster

Type: string

Default: null

create_coredns_addon

Description: Controls if coredns addon should be deployed

Type: bool

Default: false

create_eks

Description: Controls if EKS resources should be created (it affects almost all resources)

Type: bool

Default: true

create_fargate_pod_execution_role

Description: Controls if the EKS Fargate pod execution IAM role should be created.

Type: bool

Default: true

create_kube_proxy_addon

Description: Controls if kube proxy addon should be deployed

Type: bool

Default: false

create_vpc_cni_addon

Description: Controls if vpc cni addon should be deployed

Type: bool

Default: false

eks_oidc_root_ca_thumbprint

Description: Thumbprint of Root CA for EKS OIDC, Valid until 2037

Type: string

Default: "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"

enable_irsa

Description: Whether to create OpenID Connect Provider for EKS to enable IRSA

Type: bool

Default: false

fargate_pod_execution_role_name

Description: The IAM Role that provides permissions for the EKS Fargate Profile.

Type: string

Default: null

fargate_profiles

Description: Fargate profiles to create. See fargate_profile keys section in fargate submodule's README.md for more details

Type: any

Default: {}

iam_path

Description: If provided, all IAM roles will be created on this path.

Type: string

Default: "/"

kubeconfig_aws_authenticator_additional_args

Description: Any additional arguments to pass to the authenticator such as the role to assume. e.g. ["-r", "MyEksRole"].

Type: list(string)

Default: []

kubeconfig_aws_authenticator_command

Description: Command to use to fetch AWS EKS credentials.

Type: string

Default: "aws-iam-authenticator"

kubeconfig_aws_authenticator_command_args

Description: Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name].

Type: list(string)

Default: []

kubeconfig_aws_authenticator_env_variables

Description: Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = "eks"}.

Type: map(string)

Default: {}

kubeconfig_file_permission

Description: File permission of the Kubectl config file containing cluster configuration saved to kubeconfig_output_path.

Type: string

Default: "0600"

kubeconfig_name

Description: Override the default name used for items kubeconfig.

Type: string

Default: ""

kubeconfig_output_path

Description: Where to save the Kubectl config file (if write_kubeconfig = true). Assumed to be a directory if the value ends with a forward slash /.

Type: string

Default: "./"

manage_aws_auth

Description: Whether to apply the aws-auth configmap file.

Type: bool

Default: true

manage_cluster_iam_resources

Description: Whether to let the module manage cluster IAM resources. If set to false, cluster_iam_role_name must be specified.

Type: bool

Default: true

manage_worker_iam_resources

Description: Whether to let the module manage worker IAM resources. If set to false, iam_instance_profile_name must be specified for workers.

Type: bool

Default: true

map_accounts

Description: Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format.

Type: list(string)

Default: []

map_roles

Description: Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format.

Type:

list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))

Default: []

map_users

Description: Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format.

Type:

list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))

Default: []

node_groups

Description: Map of map of node groups to create. See node_groups module's documentation for more details

Type: any

Default: {}

node_groups_defaults

Description: Map of values to be applied to all node groups. See node_groups module's documentation for more details

Type: any

Default: {}

permissions_boundary

Description: If provided, all IAM roles will be created with this permissions boundary attached.

Type: string

Default: null

tags

Description: A map of tags to add to all resources except addons. Tags added to launch configuration or templates override these values for ASG Tags only.

Type: map(string)

Default: {}

wait_for_cluster_timeout

Description: A timeout (in seconds) to wait for cluster to be available.

Type: number

Default: 300

worker_additional_security_group_ids

Description: A list of additional security group ids to attach to worker instances

Type: list(string)

Default: []

worker_ami_name_filter

Description: Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster_version' is used.

Type: string

Default: ""

worker_ami_name_filter_windows

Description: Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster_version' is used.

Type: string

Default: ""

worker_ami_owner_id

Description: The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft').

Type: string

Default: "amazon"

worker_ami_owner_id_windows

Description: The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft').

Type: string

Default: "amazon"

worker_create_cluster_primary_security_group_rules

Description: Whether to create security group rules to allow communication between pods on workers and pods using the primary cluster security group.

Type: bool

Default: false

worker_create_initial_lifecycle_hooks

Description: Whether to create initial lifecycle hooks provided in worker groups.

Type: bool

Default: false

worker_create_security_group

Description: Whether to create a security group for the workers or attach the workers to worker_security_group_id.

Type: bool

Default: true

worker_groups

Description: A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers_group_defaults for valid keys.

Type: any

Default: []

worker_groups_launch_template

Description: A list of maps defining worker group configurations to be defined using AWS Launch Templates. See workers_group_defaults for valid keys.

Type: any

Default: []

worker_security_group_id

Description: If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster.

Type: string

Default: ""

worker_sg_ingress_from_port

Description: Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443).

Type: number

Default: 1025

workers_additional_policies

Description: Additional policies to be added to workers

Type: list(string)

Default: []

workers_egress_cidrs

Description: List of CIDR blocks that are permitted for workers egress traffic.

Type: list(string)

Default:

[
  "0.0.0.0/0"
]

workers_group_defaults

Description: Override default values for target groups. See workers_group_defaults_defaults in local.tf for valid keys.

Type: any

Default: {}

workers_role_name

Description: User defined workers role name.

Type: string

Default: ""

write_kubeconfig

Description: Whether to write a Kubectl config file containing the cluster configuration. Saved to kubeconfig_output_path.

Type: bool

Default: true

Outputs

The following outputs are exported:

cloudwatch_log_group_arn

Description: Arn of cloudwatch log group created

cloudwatch_log_group_name

Description: Name of cloudwatch log group created

cluster_arn

Description: The Amazon Resource Name (ARN) of the cluster.

cluster_certificate_authority_data

Description: Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster.

cluster_endpoint

Description: The endpoint for your EKS Kubernetes API.

cluster_iam_role_arn

Description: IAM role ARN of the EKS cluster.

cluster_iam_role_name

Description: IAM role name of the EKS cluster.

cluster_id

Description: The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready.

cluster_oidc_issuer_url

Description: The URL on the EKS cluster OIDC Issuer

cluster_primary_security_group_id

Description: The cluster primary security group ID created by the EKS cluster on 1.14 or later. Referred to as 'Cluster security group' in the EKS console.

cluster_security_group_id

Description: Security group ID attached to the EKS cluster. On 1.14 or later, this is the 'Additional security groups' in the EKS console.

cluster_version

Description: The Kubernetes server version for the EKS cluster.

config_map_aws_auth

Description: A kubernetes configuration to authenticate to this EKS cluster.

coredns_arn

Description: The arn of the CoreDns addon

fargate_iam_role_arn

Description: IAM role ARN for EKS Fargate pods

fargate_iam_role_name

Description: IAM role name for EKS Fargate pods

fargate_profile_arns

Description: Amazon Resource Name (ARN) of the EKS Fargate Profiles.

fargate_profile_ids

Description: EKS Cluster name and EKS Fargate Profile names separated by a colon (:).

kube_proxy_arn

Description: The arn of the kube-proxy addon

kubeconfig

Description: kubectl config file contents for this EKS cluster. Will block on cluster creation until the cluster is really ready.

kubeconfig_filename

Description: The filename of the generated kubectl config. Will block on cluster creation until the cluster is really ready.

node_groups

Description: Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys

oidc_provider_arn

Description: The ARN of the OIDC Provider if enable_irsa = true.

security_group_rule_cluster_https_worker_ingress

Description: Security group rule responsible for allowing pods to communicate with the EKS cluster API.

vpc_cni_arn

Description: The arn of the Amazon VPC CNI addon

worker_iam_instance_profile_arns

Description: default IAM instance profile ARN for EKS worker groups

worker_iam_instance_profile_names

Description: default IAM instance profile name for EKS worker groups

worker_iam_role_arn

Description: default IAM role ARN for EKS worker groups

worker_iam_role_name

Description: default IAM role name for EKS worker groups

worker_security_group_id

Description: Security group ID attached to the EKS workers.

workers_asg_arns

Description: IDs of the autoscaling groups containing workers.

workers_asg_names

Description: Names of the autoscaling groups containing workers.

workers_default_ami_id

Description: ID of the default worker group AMI

workers_default_ami_id_windows

Description: ID of the default Windows worker group AMI

workers_launch_template_arns

Description: ARNs of the worker launch templates.

workers_launch_template_ids

Description: IDs of the worker launch templates.

workers_launch_template_latest_versions

Description: Latest versions of the worker launch templates.

workers_user_data

Description: User data of worker groups