This Terraform module creates an AWS Elastic Kubernetes Service (EKS) along with additional configuration options.
To use this module, you can include it in your Terraform configuration. Here's an example of how to use it:
module "eks" {
source = "git::https://github.com/opsstation/terraform-aws-eks.git?ref=v1.0.0"
enabled = true
name = local.name
environment = local.environment
# EKS
kubernetes_version = "1.29"
endpoint_public_access = true
# Networking
vpc_id = module.vpc.vpc_id
subnet_ids = module.subnets.private_subnet_id
allowed_security_groups = [module.ssh.security_group_id]
eks_additional_security_group_ids = [module.ssh.security_group_id, module.http_https.security_group_id]
allowed_cidr_blocks = [local.vpc_cidr_block]
managed_node_group_defaults = {
subnet_ids = module.subnets.private_subnet_id
nodes_additional_security_group_ids = [module.ssh.security_group_id]
tags = {
"kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"
"k8s.io/cluster/${module.eks.cluster_name}" = "shared"
}
block_device_mappings = {
xvda = {
device_name = "/dev/xvda"
ebs = {
volume_size = 50
volume_type = "gp3"
iops = 3000
throughput = 150
encrypted = true
kms_key_id = module.kms.key_arn
}
}
}
}
managed_node_group = {
critical = {
name = "${module.eks.cluster_name}-critical-node"
capacity_type = "ON_DEMAND"
min_size = 1
max_size = 2
desired_size = 2
instance_types = ["t3.medium"]
}
application = {
name = "${module.eks.cluster_name}-application"
capacity_type = "SPOT"
min_size = 1
max_size = 2
desired_size = 1
force_update_version = true
instance_types = ["t3.medium"]
}
}
apply_config_map_aws_auth = true
map_additional_iam_users = [
{
userarn = "arn:aws:iam::123456789:user/opsstation"
username = "test"
groups = ["system:masters"]
}
]
}For detailed examples on how to use this module, please refer to the Examples directory within this repository.
Your Name Replace MIT and opsstation with the appropriate license and your information. Feel free to expand this README with additional details or usage instructions as needed for your specific use case.
This project is licensed under the MIT License - see the LICENSE file for details.
| Name | Version |
|---|---|
| terraform | >= 1.5.4 |
| aws | >= 5.11.0 |
| cloudinit | >= 2.0 |
| kubernetes | >= 2.0.0, < 3.0.0 |
| null | >= 3.0.0 |
| tls | >= 2.0.0 |
| Name | Version |
|---|---|
| aws | >= 5.11.0 |
| kubernetes | >= 2.0.0, < 3.0.0 |
| null | >= 3.0.0 |
| tls | >= 2.0.0 |
| Name | Source | Version |
|---|---|---|
| eks_managed_node_group | ./node_group/ | n/a |
| labels | git::https://github.com/opsstation/terraform-aws-labels.git | v1.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| addons | Manages aws_eks_addon resources. |
list(any) |
[ |
no |
| allowed_cidr_blocks | List of CIDR blocks to be allowed to connect to the EKS cluster. | list(string) |
[] |
no |
| allowed_security_groups | List of Security Group IDs to be allowed to connect to the EKS cluster. | list(string) |
[] |
no |
| apply_config_map_aws_auth | Whether to generate local files from kubeconfig and config_map_aws_auth and perform kubectl apply to apply the ConfigMap to allow the worker nodes to join the EKS cluster. |
bool |
true |
no |
| attributes | Additional attributes (e.g. 1). |
list(any) |
[] |
no |
| cluster_encryption_config_enabled | Set to true to enable Cluster Encryption Configuration |
bool |
true |
no |
| cluster_encryption_config_kms_key_deletion_window_in_days | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | number |
10 |
no |
| cluster_encryption_config_kms_key_enable_key_rotation | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | bool |
true |
no |
| cluster_encryption_config_kms_key_policy | Cluster Encryption Config KMS Key Resource argument - key policy | string |
null |
no |
| cluster_encryption_config_resources | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | list(any) |
[ |
no |
| cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created |
string |
null |
no |
| cluster_log_retention_period | Number of days to retain cluster logs. Requires enabled_cluster_log_types to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. |
number |
30 |
no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | string |
null |
no |
| cluster_service_ipv6_cidr | The CIDR block to assign Kubernetes pod and service IP addresses from if ipv6 was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster |
string |
null |
no |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) |
{} |
no |
| eks_additional_security_group_ids | EKS additional security group id | list(string) |
[] |
no |
| enabled | Whether to create the resources. Set to false to prevent the module from creating any resources. |
bool |
true |
no |
| enabled_cluster_log_types | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [api, audit, authenticator, controllerManager, scheduler]. |
list(string) |
[ |
no |
| endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false. | bool |
true |
no |
| endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true. | bool |
true |
no |
| environment | Environment (e.g. prod, dev, staging). |
string |
"" |
no |
| iam_role_additional_policies | Additional policies to be added to the IAM role | map(string) |
{} |
no |
| kubernetes_version | Desired Kubernetes master version. If you do not specify a value, the latest available version is used. | string |
"" |
no |
| label_order | Label order, e.g. name,application. |
list(any) |
[ |
no |
| local_exec_interpreter | shell to use for local_exec | list(string) |
[ |
no |
| managed_node_group | Map of eks-managed node group definitions to create | any |
{} |
no |
| managed_node_group_defaults | Map of eks-managed node group definitions to create | any |
{} |
no |
| managedby | ManagedBy, eg 'opsstation'. | string |
"opsstation" |
no |
| map_additional_aws_accounts | Additional AWS account numbers to add to config-map-aws-auth ConfigMap |
list(string) |
[] |
no |
| map_additional_iam_roles | Additional IAM roles to add to config-map-aws-auth ConfigMap |
list(object({ |
[] |
no |
| map_additional_iam_users | Additional IAM users to add to config-map-aws-auth ConfigMap |
list(object({ |
[] |
no |
| name | Name (e.g. app or cluster). |
string |
"" |
no |
| nodes_additional_security_group_ids | EKS additional node group ids | list(string) |
[] |
no |
| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool |
true |
no |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | list(string) |
[] |
no |
| outpost_config | Configuration for the AWS Outpost to provision the cluster on | any |
{} |
no |
| permissions_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | string |
null |
no |
| public_access_cidrs | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | list(string) |
[ |
no |
| repository | Terraform current module repo | string |
"https://github.com/opsstation/terraform-aws-eks" |
no |
| schedules | Map of autoscaling group schedule to create | map(any) |
{} |
no |
| subnet_ids | A list of subnet IDs to launch the cluster in. | list(string) |
[] |
no |
| tags | Additional tags (e.g. map(BusinessUnit,XYZ). |
map(any) |
{} |
no |
| vpc_id | VPC ID for the EKS cluster. | string |
"" |
no |
| wait_for_cluster_command | local-exec command to execute to determine if the EKS cluster is healthy. Cluster endpoint are available as environment variable ENDPOINT |
string |
"curl --silent --fail --retry 60 --retry-delay 5 --retry-connrefused --insecure --output /dev/null $ENDPOINT/healthz" |
no |
| Name | Description |
|---|---|
| cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| cluster_endpoint | Endpoint for your Kubernetes API server |
| cluster_iam_role_arn | IAM role ARN of the EKS cluster |
| cluster_iam_role_name | IAM role name of the EKS cluster |
| cluster_iam_role_unique_id | Stable and unique string identifying the IAM role |
| cluster_id | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready |
| cluster_name | n/a |
| cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_platform_version | Platform version for the cluster |
| cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use default security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| cluster_status | Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED |
| node_group_iam_role_arn | IAM role ARN of the EKS cluster |
| node_group_iam_role_name | IAM role name of the EKS cluster |
| node_group_iam_role_unique_id | Stable and unique string identifying the IAM role |
| node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| node_security_group_id | ID of the node shared security group |
| oidc_provider_arn | The ARN of the OIDC Provider if enable_irsa = true |
| tags | n/a |