feat: Update EKS module to v19.9.0 which added support for `before_co…

…mpute` for addons and fixed IPv6 policy dependency (#1442)

.gitignore

@@ -2,6 +2,9 @@
 .idea
 .build
 
+# mkdocs documentation
+/site
+
 # Local .terraform directories
 **/.terraform/*
 
@@ -33,181 +36,5 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-# Locals
-kubeconfig*
-kube-config*
-local_tf_state/
-.vscode
-.gitallowed
-site
-.env*
-
-# Checks
+# TFSec files
 .tfsec
-
-# Created by https://www.toptal.com/developers/gitignore/api/python
-# Edit at https://www.toptal.com/developers/gitignore?templates=python
-
-### Python ###
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-**/.python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#pdm.lock
-#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
-#   in version control.
-#   https://pdm.fming.dev/#use-with-ide
-.pdm.toml
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
-
-# End of https://www.toptal.com/developers/gitignore/api/python

README.md

@@ -1,7 +1,7 @@
 # Amazon EKS Blueprints for Terraform
 
 [![plan-examples](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/plan-examples.yml/badge.svg)](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/plan-examples.yml)
-[![pre-commit](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/pre-commit.yaml/badge.svg)](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/pre-commit.yaml)
+[![pre-commit](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/aws-ia/terraform-aws-eks-blueprints/actions/workflows/pre-commit.yml)
 
 ---
 

docs/getting-started.md

@@ -70,7 +70,6 @@ fargate-ip-10-0-10-71.us-west-2.compute.internal    Ready    <none>   2m48s   v1
 To teardown and remove the resources created in this example:
 
 ```sh
-kubectl delete deployment inflate
 terraform destroy -target="module.eks_blueprints_kubernetes_addons" -auto-approve
 terraform destroy -target="module.eks" -auto-approve
 terraform destroy -auto-approve

examples/agones-game-controller/main.tf

@@ -44,7 +44,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = local.cluster_version

examples/amp-amg-opensearch/main.tf

@@ -49,7 +49,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = local.cluster_version

examples/appmesh-mtls/main.tf

@@ -51,7 +51,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = "1.24"

examples/argocd/main.tf

@@ -46,7 +46,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = local.cluster_version

examples/external-secrets/main.tf

@@ -57,7 +57,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = "1.24"

examples/fargate-serverless/README.md

@@ -45,7 +45,7 @@ aws eks --region <REGION> update-kubeconfig --name <CLUSTER_NAME>
 kubectl get pods -A
 
 # Output should look like below
-game-2048      deployment-2048-7ff458c9f-mb5xs                 1/1     Running   0          5h23m
+game-2048     deployment-2048-7ff458c9f-mb5xs                 1/1     Running   0          5h23m
 game-2048     deployment-2048-7ff458c9f-qc99d                 1/1     Running   0          4h23m
 game-2048     deployment-2048-7ff458c9f-rm26f                 1/1     Running   0          4h23m
 game-2048     deployment-2048-7ff458c9f-vzjhm                 1/1     Running   0          4h23m

examples/fargate-serverless/main.tf

@@ -42,7 +42,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name                   = local.name
   cluster_version                = "1.24"
@@ -85,26 +85,19 @@ module "eks" {
   create_cluster_security_group = false
   create_node_security_group    = false
 
-  fargate_profiles = merge(
-    { for i in range(3) :
-      "app-wildcard-${element(split("-", local.azs[i]), 2)}" => {
-        selectors = [
-          { namespace = "app-*" }
-        ]
-        # We want to create a profile per AZ for high availability
-        subnet_ids = [element(module.vpc.private_subnets, i)]
-      }
-    },
-    { for i in range(3) :
-      "kube-system-${element(split("-", local.azs[i]), 2)}" => {
-        selectors = [
-          { namespace = "kube-system" }
-        ]
-        # We want to create a profile per AZ for high availability
-        subnet_ids = [element(module.vpc.private_subnets, i)]
-      }
+  fargate_profiles = {
+    app_wildcard = {
+      selectors = [
+        { namespace = "app-*" }
+      ]
     }
-  )
+    kube_system = {
+      name = "kube-system"
+      selectors = [
+        { namespace = "kube-system" }
+      ]
+    }
+  }
 
   tags = local.tags
 }

examples/fully-private-cluster/main.tf

@@ -24,7 +24,7 @@ locals {
 #tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.5"
+  version = "~> 19.9"
 
   cluster_name    = local.name
   cluster_version = "1.24"

examples/ipv4-prefix-delegation/README.md

@@ -7,9 +7,7 @@ This example shows how to provision an EKS cluster with prefix delegation enable
 
 ## VPC CNI Configuration
 
-In this example, the `vpc-cni` addon is configured outside of the `terraform-aws-eks` module even though the module supports configuring the `vpc-cni` addon. This is done to ensure the `vpc-cni` is updated *before* any EC2 instances are created so that the desired settings have applied before they will be referenced. In the `terraform-aws-eks` module, the addon resource has an explicit `depends_on` set to ensure the EKS managed node group(s), self-managed node group(s), and/or Fargate profile(s) are created *before* the addons. This is because nearly all of the addons require compute in order for them to reach a healthy state, otherwise they will fail and cause the `terraform apply` to fail. However, for the `vpc-cni` which is a daemonset, it does not require compute to exist first, and more importantly, it should be configured *before* compute is created.
-
-With this configuration, you will now see that nodes created will have `--max-pods 110` configured do to the use of prefix delegation being enabled on the `vpc-cni`.
+In this example, the `vpc-cni` addon is configured using `before_compute = true`. This is done to ensure the `vpc-cni` is created and updated *before* any EC2 instances are created so that the desired settings have applied before they will be referenced. With this configuration, you will now see that nodes created will have `--max-pods 110` configured do to the use of prefix delegation being enabled on the `vpc-cni`.
 
 If you find that your nodes are not being created with the correct number of max pods (i.e. - for `m5.large`, if you are seeing a max pods of 29 instead of 110), most likely the `vpc-cni` was not configured *before* the EC2 instances.