eks

Component: eks

This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and spotinst ocean node pools.

Usage

Stack Level: Regional

Here's an example snippet for how to use this component.

components:
  terraform:
    eks:
      vars:
        cluster_kubernetes_version: "1.19"
        region_availability_zones: ["us-east-1b", "us-east-1c", "us-east-1d"]
        spotinst_instance_profile: example-gbl-dev-spotinst-worker
        map_additional_worker_roles: ["arn:aws:iam::xxxxxxxxxx:role/example-ue1-dev-spotinst-worker"]
        public_access_cidrs: ["72.107.0.0/24"]
        spotinst_oceans:
          main: &standard_node_group
            desired_group_size: 1
            max_group_size: 10
            min_group_size: 1

            # Can only set one of ami_release_version or kubernetes_version
            # Leave both null to use latest AMI for Cluster Kubernetes version
            kubernetes_version: null   # use cluster Kubernetes version
            ami_release_version: null  # use latest AMI for Kubernetes version

            attributes: null
            disk_size: 100
            instance_types: null
            ami_type: null # use "AL2_x86_64" for standard instances, "AL2_x86_64_GPU" for GPU instances
            tags: null

Requirements

Name	Version
terraform	>= 0.13
aws	>= 3.0
local	>= 1.3
template	>= 2.0

Providers

Name	Version
terraform	n/a

Modules

Name	Source	Version
eks_cluster	git::https://github.com/cloudposse/terraform-aws-eks-cluster.git	tags/0.29.0
iam_roles	../account-map/modules/iam-roles	n/a
region_node_group	./modules/node_group_by_region	n/a
this	git::https://github.com/cloudposse/terraform-null-label.git	tags/0.21.0

Resources

Name	Type
terraform_remote_state.delegated_roles	data source
terraform_remote_state.eks	data source
terraform_remote_state.primary_roles	data source
terraform_remote_state.vpc	data source

Inputs

Name	Description	Type	Default	Required
additional_tag_map	Additional tags for appending to tags_as_list_of_maps. Not added to tags.	map(string)	{}	no
allowed_cidr_blocks	List of CIDR blocks to be allowed to connect to the EKS cluster	list(string)	[]	no
allowed_security_groups	List of Security Group IDs to be allowed to connect to the EKS cluster	list(string)	[]	no
apply_config_map_aws_auth	Whether to execute kubectl apply to apply the ConfigMap to allow worker nodes to join the EKS cluster	bool	true	no
attributes	Additional attributes (e.g. 1)	list(string)	[]	no
cluster_endpoint_private_access	Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false	bool	false	no
cluster_endpoint_public_access	Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true	bool	true	no
cluster_kubernetes_version	Desired Kubernetes master version. If you do not specify a value, the latest available version is used	string	null	no
cluster_log_retention_period	Number of days to retain cluster logs. Requires enabled_cluster_log_types to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html.	number	0	no
color	The cluster stage represented by a color; e.g. blue, green	string	""	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	object({ enabled = bool namespace = string environment = string stage = string name = string delimiter = string attributes = list(string) tags = map(string) additional_tag_map = map(string) regex_replace_chars = string label_order = list(string) id_length_limit = number })	{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "enabled": true, "environment": null, "id_length_limit": null, "label_order": [], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {} }	no
delegated_iam_roles	Delegated IAM roles to add to config-map-aws-auth ConfigMap	list(object({ role = string groups = list(string) }))	[]	no
delimiter	Delimiter to be used between namespace, environment, stage, name and attributes. Defaults to - (hyphen). Set to "" to use no delimiter at all.	string	null	no
enable_vpn_access	Enable VPN access via the HAL VPN; see vpn project	bool	false	no
enabled	Set to false to prevent the module from creating any resources	bool	null	no
enabled_cluster_log_types	A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [api, audit, authenticator, controllerManager, scheduler]	list(string)	[]	no
environment	Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT'	string	null	no
iam_primary_roles_stage_name	The name of the stage where the IAM primary roles are provisioned	string	"identity"	no
iam_roles_environment_name	The name of the environment where the IAM roles are provisioned	string	"gbl"	no
id_length_limit	Limit id to this many characters. Set to 0 for unlimited length. Set to null for default, which is 0. Does not affect id_full.	number	null	no
import_role_arn	IAM Role ARN to use when importing a resource	string	null	no
label_order	The naming order of the id output and Name tag. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 5 elements, but at least one must be present.	list(string)	null	no
map_additional_aws_accounts	Additional AWS account numbers to add to config-map-aws-auth ConfigMap	list(string)	[]	no
map_additional_iam_users	Additional IAM users to add to config-map-aws-auth ConfigMap	list(object({ userarn = string username = string groups = list(string) }))	[]	no
name	Solution name, e.g. 'app' or 'jenkins'	string	null	no
namespace	Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp'	string	null	no
node_group_defaults	Defaults for node groups in the cluster	object({ availability_zones = list(string) # set to null to use var.region_availability_zones attributes = list(string) create_before_destroy = bool desired_group_size = number disk_size = number enable_cluster_autoscaler = bool instance_types = list(string) ami_type = string ami_release_version = string kubernetes_version = string # set to null to use cluster_kubernetes_version kubernetes_labels = map(string) kubernetes_taints = map(string) max_group_size = number min_group_size = number resources_to_tag = list(string) tags = map(string) })	n/a	yes
node_groups	List of objects defining a node group for the cluster	map(object({ # will create 1 auto scaling group in each specified availability zone availability_zones = list(string) # Additional attributes (e.g. 1) for the node group attributes = list(string) # True to create new node_groups before deleting old ones, avoiding a temporary outage create_before_destroy = bool # Desired number of worker nodes when initially provisioned desired_group_size = number # Disk size in GiB for worker nodes. Terraform will only perform drift detection if a configuration value is provided. disk_size = number # Whether to enable Node Group to scale its AutoScaling Group enable_cluster_autoscaler = bool # Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided. instance_types = list(string) # Type of Amazon Machine Image (AMI) associated with the EKS Node Group ami_type = string # EKS AMI version to use, e.g. "1.16.13-20200821" (no "v"). ami_release_version = string # Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed kubernetes_labels = map(string) # Key-value mapping of Kubernetes taints. kubernetes_taints = map(string) # Desired Kubernetes master version. If you do not specify a value, the latest available version is used kubernetes_version = string # The maximum size of the AutoScaling Group max_group_size = number # The minimum size of the AutoScaling Group min_group_size = number # List of auto-launched resource types to tag resources_to_tag = list(string) tags = map(string) }))	null	no
oidc_provider_enabled	Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html	bool	n/a	yes
primary_iam_roles	Primary IAM roles to add to config-map-aws-auth ConfigMap	list(object({ role = string groups = list(string) }))	[]	no
public_access_cidrs	Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0.	list(string)	[ "0.0.0.0/0" ]	no
regex_replace_chars	Regex to replace chars with empty string in namespace, environment, stage and name. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.	string	null	no
region	AWS Region	string	n/a	yes
region_availability_zones	AWS Availability Zones in which to deploy multi-AZ resources	list(string)	n/a	yes
stage	Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'	string	null	no
subnet_type_tag_key	The tag used to find the private subnets to find by availability zone	string	n/a	yes
tags	Additional tags (e.g. map('BusinessUnit','XYZ')	map(string)	{}	no
tfstate_account_id	The ID of the account where the Terraform remote state backend is provisioned	string	""	no
tfstate_assume_role	Set to false to use the caller's role to access the Terraform remote state	bool	true	no
tfstate_bucket_environment_name	The name of the environment for Terraform state bucket	string	""	no
tfstate_bucket_stage_name	The name of the stage for Terraform state bucket	string	"root"	no
tfstate_existing_role_arn	The ARN of the existing IAM Role to access the Terraform remote state. If not provided and remote_state_assume_role is true, a role will be constructed from remote_state_role_arn_template	string	""	no
tfstate_role_arn_template	IAM Role ARN template for accessing the Terraform remote state	string	"arn:aws:iam::%s:role/%s-%s-%s-%s"	no
tfstate_role_environment_name	The name of the environment for Terraform state IAM role	string	"gbl"	no
tfstate_role_name	IAM Role name for accessing the Terraform remote state	string	"terraform"	no
tfstate_role_stage_name	The name of the stage for Terraform state IAM role	string	"root"	no

Outputs

Name	Description
eks_cluster_arn	The Amazon Resource Name (ARN) of the cluster
eks_cluster_endpoint	The endpoint for the Kubernetes API server
eks_cluster_id	The name of the cluster
eks_cluster_identity_oidc_issuer	The OIDC Identity issuer for the cluster
eks_cluster_managed_security_group_id	Security Group ID that was created by EKS for the cluster. EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads
eks_cluster_version	The Kubernetes server version of the cluster
eks_managed_node_workers_role_arns	List of ARNs for workers in managed node groups
eks_node_group_arns	ARN of the worker nodes IAM role
eks_node_group_count	Count of the worker nodes
eks_node_group_ids	EKS Cluster name and EKS Node Group name separated by a colon
eks_node_group_role_names	Name of the worker nodes IAM role

References

• cloudposse/terraform-aws-components - Cloud Posse's upstream component