AWS EKS Terraform module

Terraform module which creates AWS EKS (Kubernetes) resources

Documentation

Frequently Asked Questions
Compute Resources
IRSA Integration
User Data
Network Connectivity
Upgrade Guides
- Upgrade to v17.x
- Upgrade to v18.x

External Documentation

Please note that we strive to provide a comprehensive suite of documentation for configuring and utilizing the module(s) defined here, and that documentation regarding EKS (including EKS managed node group, self managed node group, and Fargate profile) and/or Kubernetes features, usage, etc. are better left up to their respective sources:

Available Features

AWS EKS Cluster Addons
AWS EKS Identity Provider Configuration
All node types are supported:
Support for custom AMI, custom launch template, and custom user data including custom user data template
Support for Amazon Linux 2 EKS Optimized AMI and Bottlerocket nodes
- Windows based node support is limited to a default user data template that is provided due to the lack of Windows support and manual steps required to provision Windows based EKS nodes
Support for module created security group, bring your own security groups, as well as adding additional security group rules to the module created security group(s)
Support for creating node groups/profiles separate from the cluster through the use of sub-modules (same as what is used by root module)
Support for node group/profile "default" settings - useful for when creating multiple node groups/Fargate profiles where you want to set a common set of configurations once, and then individually control only select features on certain node groups/profiles

IRSA Terraform Module

An IAM role for service accounts (IRSA) sub-module has been created to make deploying common addons/controllers easier. Instead of users having to create a custom IAM role with the necessary federated role assumption required for IRSA plus find and craft the associated policy required for the addon/controller, users can create the IRSA role and policy with a few lines of code. See the terraform-aws-iam/examples/iam-role-for-service-accounts directory for examples on how to use the IRSA sub-module in conjunction with this (terraform-aws-eks) module.

Some of the addon/controller policies that are currently supported include:

See terraform-aws-iam/modules/iam-role-for-service-accounts for current list of supported addon/controller policies as more are added to the project.

Usage

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.21"

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  cluster_encryption_config = [{
    provider_key_arn = "ac01234b-00d9-40f6-ac95-e42345f78b00"
    resources        = ["secrets"]
  }]

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  # Self Managed Node Group(s)
  self_managed_node_group_defaults = {
    instance_type                          = "m6i.large"
    update_launch_template_default_version = true
    iam_role_additional_policies = [
      "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    ]
  }

  self_managed_node_groups = {
    one = {
      name         = "mixed-1"
      max_size     = 5
      desired_size = 2

      use_mixed_instances_policy = true
      mixed_instances_policy = {
        instances_distribution = {
          on_demand_base_capacity                  = 0
          on_demand_percentage_above_base_capacity = 10
          spot_allocation_strategy                 = "capacity-optimized"
        }

        override = [
          {
            instance_type     = "m5.large"
            weighted_capacity = "1"
          },
          {
            instance_type     = "m6i.large"
            weighted_capacity = "2"
          },
        ]
      }
    }
  }

  # EKS Managed Node Group(s)
  eks_managed_node_group_defaults = {
    disk_size      = 50
    instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
  }

  eks_managed_node_groups = {
    blue = {}
    green = {
      min_size     = 1
      max_size     = 10
      desired_size = 1

      instance_types = ["t3.large"]
      capacity_type  = "SPOT"
    }
  }

  # Fargate Profile(s)
  fargate_profiles = {
    default = {
      name = "default"
      selectors = [
        {
          namespace = "default"
        }
      ]
    }
  }

  # aws-auth configmap
  manage_aws_auth_configmap = true

  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::66666666666:role/role1"
      username = "role1"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_users = [
    {
      userarn  = "arn:aws:iam::66666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
    {
      userarn  = "arn:aws:iam::66666666666:user/user2"
      username = "user2"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_accounts = [
    "777777777777",
    "888888888888",
  ]

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

Examples

Complete: EKS Cluster using all available node group types in various combinations demonstrating many of the supported features and configurations
EKS Managed Node Group: EKS Cluster using EKS managed node groups
Fargate Profile: EKS cluster using Fargate Profiles
Karpenter: EKS Cluster with Karpenter provisioned for managing compute resource scaling
Self Managed Node Group: EKS Cluster using self-managed node groups
User Data: Various supported methods of providing necessary bootstrap scripts and configuration settings via user data

Contributing

We are grateful to the community for contributing bugfixes and improvements! Please see below to learn how you can take part.

Requirements

Name	Version
terraform	>= 0.13.1
aws	>= 3.72
kubernetes	>= 2.10
tls	>= 3.0

Providers

Name	Version
aws	>= 3.72
kubernetes	>= 2.10
tls	>= 3.0

Modules

Name	Source	Version
eks_managed_node_group	./modules/eks-managed-node-group	n/a
fargate_profile	./modules/fargate-profile	n/a
self_managed_node_group	./modules/self-managed-node-group	n/a

Resources

Name	Type
aws_cloudwatch_log_group.this	resource
aws_ec2_tag.cluster_primary_security_group	resource
aws_eks_addon.this	resource
aws_eks_cluster.this	resource
aws_eks_identity_provider_config.this	resource
aws_iam_openid_connect_provider.oidc_provider	resource
aws_iam_policy.cluster_encryption	resource
aws_iam_policy.cni_ipv6_policy	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.cluster_encryption	resource
aws_iam_role_policy_attachment.this	resource
aws_security_group.cluster	resource
aws_security_group.node	resource
aws_security_group_rule.cluster	resource
aws_security_group_rule.node	resource
kubernetes_config_map.aws_auth	resource
kubernetes_config_map_v1_data.aws_auth	resource
aws_iam_policy_document.assume_role_policy	data source
aws_iam_policy_document.cni_ipv6_policy	data source
aws_partition.current	data source
tls_certificate.this	data source

Inputs

Name	Description	Type	Default	Required
attach_cluster_encryption_policy	Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided	`bool`	`true`	no
aws_auth_accounts	List of account maps to add to the aws-auth configmap	`list(any)`	`[]`	no
aws_auth_fargate_profile_pod_execution_role_arns	List of Fargate profile pod execution role ARNs to add to the aws-auth configmap	`list(string)`	`[]`	no
aws_auth_node_iam_role_arns_non_windows	List of non-Windows based node IAM role ARNs to add to the aws-auth configmap	`list(string)`	`[]`	no
aws_auth_node_iam_role_arns_windows	List of Windows based node IAM role ARNs to add to the aws-auth configmap	`list(string)`	`[]`	no
aws_auth_roles	List of role maps to add to the aws-auth configmap	`list(any)`	`[]`	no
aws_auth_users	List of user maps to add to the aws-auth configmap	`list(any)`	`[]`	no
cloudwatch_log_group_kms_key_id	If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)	`string`	`null`	no
cloudwatch_log_group_retention_in_days	Number of days to retain log events. Default retention - 90 days	`number`	`90`	no
cluster_additional_security_group_ids	List of additional, externally created security group IDs to attach to the cluster control plane	`list(string)`	`[]`	no
cluster_addons	Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`	`any`	`{}`	no
cluster_enabled_log_types	A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)	`list(string)`	[ "audit", "api", "authenticator" ]	no
cluster_encryption_config	Configuration block with encryption configuration for the cluster	list(object({ provider_key_arn = string resources = list(string) }))	`[]`	no
cluster_encryption_policy_description	Description of the cluster encryption policy created	`string`	`"Cluster encryption policy to allow cluster role to utilize CMK provided"`	no
cluster_encryption_policy_name	Name to use on cluster encryption policy created	`string`	`null`	no
cluster_encryption_policy_path	Cluster encryption policy path	`string`	`null`	no
cluster_encryption_policy_tags	A map of additional tags to add to the cluster encryption policy created	`map(string)`	`{}`	no
cluster_encryption_policy_use_name_prefix	Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix	`string`	`true`	no
cluster_endpoint_private_access	Indicates whether or not the Amazon EKS private API server endpoint is enabled	`bool`	`false`	no
cluster_endpoint_public_access	Indicates whether or not the Amazon EKS public API server endpoint is enabled	`bool`	`true`	no
cluster_endpoint_public_access_cidrs	List of CIDR blocks which can access the Amazon EKS public API server endpoint	`list(string)`	[ "0.0.0.0/0" ]	no
cluster_iam_role_dns_suffix	Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China)	`string`	`null`	no
cluster_identity_providers	Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA	`any`	`{}`	no
cluster_ip_family	The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created	`string`	`null`	no
cluster_name	Name of the EKS cluster	`string`	`""`	no
cluster_security_group_additional_rules	List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source	`any`	`{}`	no
cluster_security_group_description	Description of the cluster security group created	`string`	`"EKS cluster security group"`	no
cluster_security_group_id	Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false`	`string`	`""`	no
cluster_security_group_name	Name to use on cluster security group created	`string`	`null`	no
cluster_security_group_tags	A map of additional tags to add to the cluster security group created	`map(string)`	`{}`	no
cluster_security_group_use_name_prefix	Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix	`string`	`true`	no
cluster_service_ipv4_cidr	The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks	`string`	`null`	no
cluster_tags	A map of additional tags to add to the cluster	`map(string)`	`{}`	no
cluster_timeouts	Create, update, and delete timeout configurations for the cluster	`map(string)`	`{}`	no
cluster_version	Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.21`)	`string`	`null`	no
create	Controls if EKS resources should be created (affects nearly all resources)	`bool`	`true`	no
create_aws_auth_configmap	Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`	`bool`	`false`	no
create_cloudwatch_log_group	Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled	`bool`	`true`	no
create_cluster_security_group	Determines if a security group is created for the cluster or use the existing `cluster_security_group_id`	`bool`	`true`	no
create_cni_ipv6_iam_policy	Determines whether to create an `AmazonEKS_CNI_IPv6_Policy`	`bool`	`false`	no
create_iam_role	Determines whether a an IAM role is created or to use an existing IAM role	`bool`	`true`	no
create_node_security_group	Determines whether to create a security group for the node groups or use the existing `node_security_group_id`	`bool`	`true`	no
custom_oidc_thumbprints	Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)	`list(string)`	`[]`	no
eks_managed_node_group_defaults	Map of EKS managed node group default configurations	`any`	`{}`	no
eks_managed_node_groups	Map of EKS managed node group definitions to create	`any`	`{}`	no
enable_irsa	Determines whether to create an OpenID Connect Provider for EKS to enable IRSA	`bool`	`true`	no
fargate_profile_defaults	Map of Fargate Profile default configurations	`any`	`{}`	no
fargate_profiles	Map of Fargate Profile definitions to create	`any`	`{}`	no
iam_role_additional_policies	Additional policies to be added to the IAM role	`list(string)`	`[]`	no
iam_role_arn	Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to `false`	`string`	`null`	no
iam_role_description	Description of the role	`string`	`null`	no
iam_role_name	Name to use on IAM role created	`string`	`null`	no
iam_role_path	Cluster IAM role path	`string`	`null`	no
iam_role_permissions_boundary	ARN of the policy that is used to set the permissions boundary for the IAM role	`string`	`null`	no
iam_role_tags	A map of additional tags to add to the IAM role created	`map(string)`	`{}`	no
iam_role_use_name_prefix	Determines whether the IAM role name (`iam_role_name`) is used as a prefix	`bool`	`true`	no
manage_aws_auth_configmap	Determines whether to manage the aws-auth configmap	`bool`	`false`	no
node_security_group_additional_rules	List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source	`any`	`{}`	no
node_security_group_description	Description of the node security group created	`string`	`"EKS node shared security group"`	no
node_security_group_id	ID of an existing security group to attach to the node groups created	`string`	`""`	no
node_security_group_name	Name to use on node security group created	`string`	`null`	no
node_security_group_tags	A map of additional tags to add to the node security group created	`map(string)`	`{}`	no
node_security_group_use_name_prefix	Determines whether node security group name (`node_security_group_name`) is used as a prefix	`string`	`true`	no
openid_connect_audiences	List of OpenID Connect audience client IDs to add to the IRSA provider	`list(string)`	`[]`	no
prefix_separator	The separator to use between the prefix and the generated timestamp for resource names	`string`	`"-"`	no
putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
self_managed_node_group_defaults	Map of self-managed node group default configurations	`any`	`{}`	no
self_managed_node_groups	Map of self-managed node group definitions to create	`any`	`{}`	no
subnet_ids	A list of subnet IDs where the EKS cluster (ENIs) will be provisioned along with the nodes/node groups. Node groups can be deployed within a different set of subnet IDs from within the node group configuration	`list(string)`	`[]`	no
tags	A map of tags to add to all resources	`map(string)`	`{}`	no
vpc_id	ID of the VPC where the cluster and its nodes will be provisioned	`string`	`null`	no

Outputs

Name	Description
aws_auth_configmap_yaml	[DEPRECATED - use `var.manage_aws_auth_configmap`] Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles
cloudwatch_log_group_arn	Arn of cloudwatch log group created
cloudwatch_log_group_name	Name of cloudwatch log group created
cluster_addons	Map of attribute maps for all EKS cluster addons enabled
cluster_arn	The Amazon Resource Name (ARN) of the cluster
cluster_certificate_authority_data	Base64 encoded certificate data required to communicate with the cluster
cluster_endpoint	Endpoint for your Kubernetes API server
cluster_iam_role_arn	IAM role ARN of the EKS cluster
cluster_iam_role_name	IAM role name of the EKS cluster
cluster_iam_role_unique_id	Stable and unique string identifying the IAM role
cluster_id	The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready
cluster_identity_providers	Map of attribute maps for all EKS identity providers enabled
cluster_oidc_issuer_url	The URL on the EKS cluster for the OpenID Connect identity provider
cluster_platform_version	Platform version for the cluster
cluster_primary_security_group_id	Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console
cluster_security_group_arn	Amazon Resource Name (ARN) of the cluster security group
cluster_security_group_id	ID of the cluster security group
cluster_status	Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`
cluster_version	The Kubernetes version for the cluster
eks_managed_node_groups	Map of attribute maps for all EKS managed node groups created
eks_managed_node_groups_autoscaling_group_names	List of the autoscaling group names created by EKS managed node groups
fargate_profiles	Map of attribute maps for all EKS Fargate Profiles created
node_security_group_arn	Amazon Resource Name (ARN) of the node shared security group
node_security_group_id	ID of the node shared security group
oidc_provider	The OpenID Connect identity provider (issuer URL without leading `https://`)
oidc_provider_arn	The ARN of the OIDC Provider if `enable_irsa = true`
self_managed_node_groups	Map of attribute maps for all self managed node groups created
self_managed_node_groups_autoscaling_group_names	List of the autoscaling group names created by self-managed node groups

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus

Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
Putin khuylo!

mmontpetit/terraform-aws-eks