# eks-cluster

This module creates the following resources.

- `aws_eks_cluster`
- `aws_eks_identity_provider_config` (optional)
- `aws_ec2_tag` (optional)
- `aws_iam_role`
- `aws_iam_role_policy`
- `aws_iam_role_policy_attachment`
- `aws_iam_instance_profile`
- `aws_iam_openid_connect_provider`
- `aws_security_group`
- `aws_security_group_rule`

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6 |
| aws | >= 5.42 |
| tls | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| aws | 5.50.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| oidc_provider | tedilabs/account/aws//modules/iam-oidc-identity-provider | ~> 0.30.0 |
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
| role | tedilabs/account/aws//modules/iam-role | ~> 0.30.0 |
| role__node | tedilabs/account/aws//modules/iam-role | ~> 0.30.0 |
| security_group__control_plane | tedilabs/network/aws//modules/security-group | ~> 0.32.0 |
| security_group__node | tedilabs/network/aws//modules/security-group | ~> 0.32.0 |
| security_group__pod | tedilabs/network/aws//modules/security-group | ~> 0.32.0 |

## Resources

| Name | Type |
|------|------|
| aws_ec2_tag.cluster_security_group | resource |
| aws_eks_cluster.this | resource |
| aws_eks_identity_provider_config.this | resource |
| aws_vpc_security_group_ingress_rule.node | resource |
| aws_vpc_security_group_ingress_rule.pod | resource |
| aws_cloudwatch_log_group.this | data source |
| aws_default_tags.this | data source |
| aws_subnet.selected | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `name` | (Required) Name of the EKS cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores. | `string` | n/a | yes |
| `subnets` | (Required) A list of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane. | `list(string)` | n/a | yes |
| `additional_security_groups` | (Optional) A list of additional security group IDs to associate with the Kubernetes API server endpoint. The cluster security group is always attached to the endpoint. You can specify additional security groups to use for the endpoint using this argument. Defaults to `[]`. | `list(string)` | `[]` | no |
| `authentication_mode` | (Optional) The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`. Defaults to `API_AND_CONFIG_MAP`. | `string` | `"API_AND_CONFIG_MAP"` | no |
| `bootstrap_cluster_creator_admin_access` | (Optional) Whether to set the cluster creator IAM principal as a cluster admin access entry during cluster creation time. Defaults to `false`. | `bool` | `false` | no |
| `cluster_role` | (Optional) The ARN (Amazon Resource Name) of the IAM Role for the EKS cluster role. Only required if `default_cluster_role.enabled` is `false`. | `string` | `null` | no |
| `default_cluster_role` | (Optional) A configuration for the default IAM role for the EKS cluster. Use `cluster_role` if `default_cluster_role.enabled` is `false`. `default_cluster_role` as defined below.<br>(Optional) `enabled` - Whether to create the default cluster role. Defaults to `true`.<br>(Optional) `name` - The name of the default cluster role. Defaults to `eks-${var.name}-cluster`.<br>(Optional) `path` - The path of the default cluster role. Defaults to `/`.<br>(Optional) `description` - The description of the default cluster role.<br>(Optional) `policies` - A list of IAM policy ARNs to attach to the default cluster role. `AmazonEKSClusterPolicy` is always attached. Defaults to `[]`.<br>(Optional) `inline_policies` - A map of inline IAM policies to attach to the default cluster role. (name => policy). | <pre>object({<br>  enabled         = optional(bool, true)<br>  name            = optional(string)<br>  path            = optional(string, "/")<br>  description     = optional(string, "Managed by Terraform.")<br><br>  policies        = optional(list(string), [])<br>  inline_policies = optional(map(string), {})<br>})</pre> | `{}` | no |
| `default_node_role` | (Optional) A configuration for the default IAM role for EKS nodes. `default_node_role` as defined below.<br>(Optional) `enabled` - Whether to create the default node role. Defaults to `false`.<br>(Optional) `name` - The name of the default node role. Defaults to `eks-${var.name}-node`.<br>(Optional) `path` - The path of the default node role. Defaults to `/`.<br>(Optional) `description` - The description of the default node role.<br>(Optional) `policies` - A list of IAM policy ARNs to attach to the default node role. `AmazonEKSWorkerNodePolicy` and `AmazonEC2ContainerRegistryReadOnly` are always attached. Defaults to `[]`.<br>(Optional) `inline_policies` - A map of inline IAM policies to attach to the default node role. (name => policy). | <pre>object({<br>  enabled         = optional(bool, false)<br>  name            = optional(string)<br>  path            = optional(string, "/")<br>  description     = optional(string, "Managed by Terraform.")<br><br>  policies        = optional(list(string), [])<br>  inline_policies = optional(map(string), {})<br>})</pre> | `{}` | no |
| `endpoint_access` | (Optional) A configuration for the endpoint access to the Kubernetes API server endpoint. `endpoint_access` as defined below.<br>(Optional) `private_access_enabled` - Whether to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. Defaults to `true`. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that `public_access_cidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods.<br>(Optional) `private_access_cidrs` - A list of CIDR blocks allowed to communicate with the Amazon EKS private API server endpoint.<br>(Optional) `private_access_security_groups` - A list of source security groups allowed to communicate with the Amazon EKS private API server endpoint.<br>(Optional) `public_access_enabled` - Whether to enable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. Defaults to `false`.<br>(Optional) `public_access_cidrs` - A list of CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Defaults to `0.0.0.0/0`. | <pre>object({<br>  private_access_enabled         = optional(bool, true)<br>  private_access_cidrs           = optional(list(string), [])<br>  private_access_security_groups = optional(list(string), [])<br><br>  public_access_enabled          = optional(bool, false)<br>  public_access_cidrs            = optional(list(string), ["0.0.0.0/0"])<br>})</pre> | `{}` | no |
| `kubernetes_network_config` | (Optional) A configuration of the Kubernetes network. `kubernetes_network_config` as defined below.<br>(Optional) `service_ipv4_cidr` - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created.<br>(Optional) `ip_family` - The IP family used to assign Kubernetes pod and service addresses. Valid values are `IPv4` and `IPv6`. Defaults to `IPv4`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created. | <pre>object({<br>  service_ipv4_cidr = optional(string)<br>  ip_family         = optional(string, "IPv4")<br>})</pre> | `{}` | no |
| `kubernetes_version` | (Optional) Desired Kubernetes version to use for the EKS cluster. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS. Defaults to `1.26`. | `string` | `"1.26"` | no |
| `log_types` | (Optional) A set of the desired control plane logging to enable. Valid values are `api`, `audit`, `authenticator`, `controllerManager`, `scheduler`. Defaults to all. | `set(string)` | <pre>[<br>  "api",<br>  "audit",<br>  "authenticator",<br>  "controllerManager",<br>  "scheduler"<br>]</pre> | no |
| `module_tags_enabled` | (Optional) Whether to create AWS Resource Tags for the module information. | `bool` | `true` | no |
| `oidc_identity_providers` | (Optional) A list of OIDC Identity Providers to associate as an additional method for user authentication to your Kubernetes cluster. Each item of the `oidc_identity_providers` block is as defined below.<br>(Required) `name` - A unique name for the Identity Provider Configuration.<br>(Required) `issuer_url` - The OIDC Identity Provider issuer URL.<br>(Required) `client_id` - The OIDC Identity Provider client ID.<br>(Optional) `required_claims` - The key value pairs that describe required claims in the identity token.<br>(Optional) `username_claim` - The JWT claim that the provider will use as the username.<br>(Optional) `username_prefix` - A prefix that is prepended to username claims.<br>(Optional) `groups_claim` - The JWT claim that the provider will use to return groups.<br>(Optional) `groups_prefix` - A prefix that is prepended to group claims, e.g. `oidc:`. | <pre>list(object({<br>  name       = string<br>  issuer_url = string<br>  client_id  = string<br><br>  required_claims = optional(map(string), {})<br>  username_claim  = optional(string)<br>  username_prefix = optional(string)<br>  groups_claim    = optional(string)<br>  groups_prefix   = optional(string)<br>}))</pre> | `[]` | no |
| `outpost_config` | (Optional) A configuration of the outpost for the EKS cluster. `outpost_config` as defined below.<br>(Required) `outposts` - A list of the Outpost ARNs that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.<br>(Required) `control_plane_instance_type` - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have.<br>- 1–20 nodes, then we recommend specifying a large instance type.<br>- 21–100 nodes, then we recommend specifying an xlarge instance type.<br>- 101–250 nodes, then we recommend specifying a 2xlarge instance type.<br>(Optional) `control_plane_placement_group` - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation. | <pre>object({<br>  outposts                      = list(string)<br>  control_plane_instance_type   = string<br>  control_plane_placement_group = optional(string)<br>})</pre> | `null` | no |
| `resource_group_description` | (Optional) The description of the Resource Group. | `string` | `"Managed by Terraform."` | no |
| `resource_group_enabled` | (Optional) Whether to create a Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
| `resource_group_name` | (Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
| `secrets_encryption` | (Optional) A configuration to encrypt Kubernetes secrets. Envelope encryption provides an additional layer of encryption for your Kubernetes secrets. Once turned on, secrets encryption cannot be modified or removed. `secrets_encryption` as defined below.<br>(Optional) `enabled` - Whether to enable envelope encryption of Kubernetes secrets. Defaults to `false`.<br>(Optional) `kms_key` - The ID of the AWS KMS key to use for envelope encryption of Kubernetes secrets. | <pre>object({<br>  enabled = optional(bool, false)<br>  kms_key = optional(string)<br>})</pre> | `{}` | no |
| `tags` | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| `timeouts` | (Optional) How long to wait for the EKS Cluster to be created/updated/deleted. | <pre>object({<br>  create = optional(string, "30m")<br>  update = optional(string, "60m")<br>  delete = optional(string, "15m")<br>})</pre> | `{}` | no |
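The inputs above leave several security-relevant settings at permissive or off values by default (public endpoint CIDR `0.0.0.0/0` when public access is turned on, secrets encryption disabled, `API_AND_CONFIG_MAP` authentication). The following is an added example of a hardened module invocation; it is not from this README or from the module's own examples. The module `source` path, subnet and security group IDs, the KMS key ID and the OIDC issuer/client values are placeholders, and the IdP group prefix follows the `oidc:` convention mentioned in the `groups_prefix` description.

```hcl
# Added example: a private, encrypted, fully logged EKS control plane built with
# this module. Every ID and URL below is a placeholder.
module "cluster" {
  source = "./modules/eks-cluster" # placeholder: local path or registry address of this module

  name               = "example"
  kubernetes_version = "1.29" # sample value; downgrades are not supported by EKS

  # Control-plane ENIs are placed in private subnets in two availability zones.
  subnets = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders

  # Keep the API server off the internet: private endpoint only, reachable from
  # the VPC CIDR and from one administrative security group (placeholder ID).
  endpoint_access = {
    private_access_enabled         = true
    private_access_cidrs           = ["10.0.0.0/16"]
    private_access_security_groups = ["sg-0cccccccccccccccc"]
    public_access_enabled          = false
  }

  # API-only authentication: cluster access is managed through EKS access
  # entries in IAM rather than the aws-auth ConfigMap. A cluster in API mode
  # with no access entry at all is unreachable, so the creating principal is
  # bootstrapped as admin here; replace it with dedicated access entries once
  # the cluster is up.
  authentication_mode                    = "API"
  bootstrap_cluster_creator_admin_access = true

  # Envelope-encrypt Kubernetes secrets with a customer-managed KMS key.
  # Per the input description this cannot be turned off again later.
  secrets_encryption = {
    enabled = true
    kms_key = "1234abcd-12ab-34cd-56ef-1234567890ab" # placeholder key ID
  }

  # All five control-plane log types, so audit and authenticator events reach
  # CloudWatch Logs for detection and incident response.
  log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # External identity provider for human users. Prefixing groups keeps IdP
  # groups from colliding with the reserved system: groups in RBAC bindings.
  oidc_identity_providers = [
    {
      name           = "corp-sso"
      issuer_url     = "https://idp.example.com" # placeholder issuer
      client_id      = "kubernetes"              # placeholder client ID
      username_claim = "email"
      groups_claim   = "groups"
      groups_prefix  = "oidc:"
    }
  ]

  tags = {
    Environment = "prod"
  }
}
```

With `public_access_enabled = false` the `public_access_cidrs` default is irrelevant; if public access must be enabled, narrow that list to known egress addresses instead of leaving `0.0.0.0/0`.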

## Outputs

| Name | Description |
|------|-------------|
| `additional_security_groups` | The list of additional security groups for the EKS control plane. |
| `arn` | The ARN of the cluster. |
| `authentication_mode` | The authentication mode for the cluster. |
| `ca_cert` | The base64 encoded certificate data required to communicate with your cluster. Add this to the `certificate-authority-data` section of the kubeconfig file for your cluster. |
| `cluster_role` | The IAM Role for the EKS cluster. |
| `cluster_security_group` | The security group that was created by EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. |
| `created_at` | The Unix epoch timestamp in seconds for when the cluster was created. |
| `default_cluster_role` | The default IAM Role for the EKS cluster. |
| `default_node_role` | The default IAM Role for the EKS node. |
| `endpoint` | The endpoint for the Kubernetes API server. |
| `endpoint_access` | The configuration for the endpoint access to the Kubernetes API server endpoint. |
| `id` | The ID of the cluster. |
| `irsa_oidc_provider` | The configurations of the OIDC provider for IRSA (IAM Roles for Service Accounts).<br>`arn` - The ARN assigned by AWS for this provider.<br>`url` - The URL of the identity provider.<br>`urn` - The URN of the identity provider.<br>`audiences` - A list of audiences (also known as client IDs) for the IAM OIDC provider. |
| `kubernetes_network_config` | The configurations of the Kubernetes network.<br>`service_ipv4_cidr` - The IPv4 CIDR block which is assigned to Kubernetes service IP addresses.<br>`service_ipv6_cidr` - The IPv6 CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `IPv6` for `ip_family` when you created the cluster. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`) because you can't specify a custom IPv6 CIDR block when you create the cluster.<br>`ip_family` - The IP family used to assign Kubernetes pod and service addresses. |
| `logging` | The configurations of the control plane logging. |
| `name` | The name of the cluster. |
| `oidc_identity_providers` | A map of all OIDC Identity Providers associated with the cluster. |
| `outpost_config` | The configurations of the outpost for the EKS cluster.<br>`outposts` - The list of the Outpost ARNs.<br>`control_plane_instance_type` - The EC2 instance type of the local EKS control plane node on Outposts.<br>`control_plane_placement_group` - The name of the placement group for the EKS control plane node on Outposts. |
| `platform_version` | The platform version for the cluster. |
| `secrets_encryption` | The configurations of the encryption of Kubernetes secrets. |
| `security_group_ids` | Security groups that were created for the EKS cluster. |
| `status` | The status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`. |
| `subnets` | The IDs of subnets which the ENIs of the Kubernetes control plane are located in. |
| `version` | The Kubernetes server version for the cluster. |
| `vpc_id` | The ID of the VPC associated with the cluster. |
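The `irsa_oidc_provider`, `endpoint`, `ca_cert` and `name` outputs are what a consuming configuration needs to bind pod identities and to talk to the API server. The block below is an added example, not code from this README or the module, showing both: an IRSA trust policy scoped to a single service account, and a `kubernetes` provider configured from the outputs. It assumes the module instance is named `cluster` (as in a `module "cluster"` block) and that the `url` attribute of `irsa_oidc_provider` carries the `https://` scheme, which `trimprefix` removes; if the output is already bare, `trimprefix` leaves it unchanged.

```hcl
# Added example: consuming this module's outputs. Assumes the module is
# instantiated as module.cluster; the namespace, service account and role
# names are constructed for illustration.

locals {
  # IAM condition keys for an OIDC provider are "<issuer host/path>:claim",
  # without the scheme.
  oidc_issuer = trimprefix(module.cluster.irsa_oidc_provider.url, "https://")
}

# IRSA trust policy: only the "app" service account in the "payments" namespace
# may assume the role. Both conditions matter: the aud check rejects tokens
# minted for other audiences, the sub check rejects every other service account
# in the cluster, which would otherwise share this role.
data "aws_iam_policy_document" "app_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.irsa_oidc_provider.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      # Must match one of module.cluster.irsa_oidc_provider.audiences;
      # sts.amazonaws.com is the audience EKS uses for IRSA tokens.
      values = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:payments:app"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "eks-example-payments-app" # constructed name
  assume_role_policy = data.aws_iam_policy_document.app_trust.json
}

# Point the Kubernetes provider at the cluster using the exported CA bundle and
# a short-lived token from the EKS auth data source instead of a static kubeconfig.
data "aws_eks_cluster_auth" "this" {
  name = module.cluster.name
}

provider "kubernetes" {
  host                   = module.cluster.endpoint
  cluster_ca_certificate = base64decode(module.cluster.ca_cert)
  token                  = data.aws_eks_cluster_auth.this.token
}
```

If the cluster was created with a private-only endpoint, the machine running `terraform apply` for this configuration must itself be inside one of the `private_access_cidrs` or `private_access_security_groups` granted on the cluster, otherwise the `kubernetes` provider cannot reach `endpoint`.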