terraform-aws-modules/terraform-aws-eks

Terraform module which creates Amazon EKS (Kubernetes) resources

External Documentation

Please note that we strive to provide a comprehensive suite of documentation for configuring and utilizing the module(s) defined here, and that documentation regarding EKS (including EKS managed node group, self managed node group, and Fargate profile) and/or Kubernetes features, usage, etc. are better left up to their respective sources:

Usage

EKS Auto Mode

Caution

Due to the current EKS Auto Mode API, to disable EKS Auto Mode you will have to explicitly set:

    compute_config = {
      enabled = false
    }

If you try to disable by simply removing the compute_config block, this will fail to disable EKS Auto Mode. Only after applying with enabled = false can you then remove the compute_config block from your configurations.

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      name               = "example"
      kubernetes_version = "1.33"

      # Optional
      endpoint_public_access = true

      # Optional: Adds the current caller identity as an administrator via cluster access entry
      enable_cluster_creator_admin_permissions = true

      compute_config = {
        enabled    = true
        node_pools = ["general-purpose"]
      }

      vpc_id     = "vpc-1234556abcdef"
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

EKS Auto Mode - Custom Node Pools Only

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      name               = "example"
      kubernetes_version = "1.33"

      # Optional
      endpoint_public_access = true

      # Optional: Adds the current caller identity as an administrator via cluster access entry
      enable_cluster_creator_admin_permissions = true

      # Create just the IAM resources for EKS Auto Mode for use with custom node pools
      create_auto_mode_iam_resources = true
      compute_config = {
        enabled = true
      }

      vpc_id     = "vpc-1234556abcdef"
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

EKS Provisioned Control Plane

EKS Provisioned Control Plane allows you to provision a control plane with increased capacity for larger workloads. Valid tier values are standard, tier-xl, tier-2xl, and tier-4xl.

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      name               = "my-cluster"
      kubernetes_version = "1.33"

      # Optional
      endpoint_public_access = true

      # Optional: Adds the current caller identity as an administrator via cluster access entry
      enable_cluster_creator_admin_permissions = true

      # EKS Provisioned Control Plane configuration
      control_plane_scaling_config = {
        tier = "tier-xl"
      }

      vpc_id     = "vpc-1234556abcdef"
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

EKS Managed Node Group

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      name               = "my-cluster"
      kubernetes_version = "1.33"

      addons = {
        coredns = {}
        eks-pod-identity-agent = {
          before_compute = true
        }
        kube-proxy = {}
        vpc-cni = {
          before_compute = true
        }
      }

      # Optional
      endpoint_public_access = true

      # Optional: Adds the current caller identity as an administrator via cluster access entry
      enable_cluster_creator_admin_permissions = true

      vpc_id                   = "vpc-1234556abcdef"
      subnet_ids               = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
      control_plane_subnet_ids = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]

      # EKS Managed Node Group(s)
      eks_managed_node_groups = {
        example = {
          # Starting on 1.30, AL2023 is the default AMI type for EKS managed node groups
          ami_type       = "AL2023_x86_64_STANDARD"
          instance_types = ["m5.xlarge"]

          min_size     = 2
          max_size     = 10
          desired_size = 2
        }
      }

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

Cluster Access Entry

When enabling authentication_mode = "API_AND_CONFIG_MAP", EKS will automatically create an access entry for the IAM role(s) used by managed node group(s) and Fargate profile(s). There are no additional actions required by users. For self-managed node groups and the Karpenter sub-module, this project automatically adds the access entry on behalf of users so there are no additional actions required by users.

On clusters that were created prior to cluster access management (CAM) support, there will be an existing access entry for the cluster creator. This was previously not visible when using aws-auth ConfigMap, but will become visible when access entry is enabled.

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      # Truncated for brevity ...

      access_entries = {
        # One access entry with a policy associated
        example = {
          principal_arn = "arn:aws:iam::123456789012:role/something"

          policy_associations = {
            example = {
              policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
              access_scope = {
                namespaces = ["default"]
                type       = "namespace"
              }
            }
          }
        }
      }
    }

EKS Hybrid Nodes

    locals {
      # RFC 1918 IP ranges supported
      remote_network_cidr = "172.16.0.0/16"
      remote_node_cidr    = cidrsubnet(local.remote_network_cidr, 2, 0)
      remote_pod_cidr     = cidrsubnet(local.remote_network_cidr, 2, 1)
    }

    # SSM and IAM Roles Anywhere supported - SSM is default
    module "eks_hybrid_node_role" {
      source  = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"
      version = "~> 21.0"

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      name               = "example"
      kubernetes_version = "1.33"

      addons = {
        coredns                = {}
        eks-pod-identity-agent = {}
        kube-proxy             = {}
      }

      # Optional
      endpoint_public_access = true

      # Optional: Adds the current caller identity as an administrator via cluster access entry
      enable_cluster_creator_admin_permissions = true

      create_node_security_group = false
      security_group_additional_rules = {
        hybrid-all = {
          cidr_blocks = [local.remote_network_cidr]
          description = "Allow all traffic from remote node/pod network"
          from_port   = 0
          to_port     = 0
          protocol    = "all"
          type        = "ingress"
        }
      }

      # Optional
      compute_config = {
        enabled    = true
        node_pools = ["system"]
      }

      access_entries = {
        hybrid-node-role = {
          principal_arn = module.eks_hybrid_node_role.arn
          type          = "HYBRID_LINUX"
        }
      }

      vpc_id     = "vpc-1234556abcdef"
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

      remote_network_config = {
        remote_node_networks = {
          cidrs = [local.remote_node_cidr]
        }
        # Required if running webhooks on Hybrid nodes
        remote_pod_networks = {
          cidrs = [local.remote_pod_cidr]
        }
      }

      tags = {
        Environment = "dev"
        Terraform   = "true"
      }
    }

Bootstrap Cluster Creator Admin Permissions

Setting bootstrap_cluster_creator_admin_permissions is a one-time operation when the cluster is created; it cannot be modified later through the EKS API. In this project we are hardcoding this to false. If users wish to achieve the same functionality, we will do that through an access entry which can be enabled or disabled at any time of their choosing using the variable enable_cluster_creator_admin_permissions.
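
A hardened variant of the usage examples above, added here as an illustration and not taken from the module's README: the cluster-creator admin entry stays off by default behind a break-glass variable, named roles get scoped access entries instead, and the public endpoint is limited to known CIDRs rather than the endpoint_public_access_cidrs default of 0.0.0.0/0. The variables allowed_api_cidrs and break_glass_creator_admin and the role ARNs are hypothetical placeholders, and the AmazonEKSClusterAdminPolicy ARN is an AWS-managed access policy that does not appear on this page.

```hcl
# Added example, not part of the module's own documentation.
# Hypothetical names: var.allowed_api_cidrs, var.break_glass_creator_admin,
# and both IAM role ARNs below.

variable "allowed_api_cidrs" {
  description = "CIDR blocks allowed to reach the public API server endpoint"
  type        = list(string)

  validation {
    # Require at least one well-formed CIDR and reject any /0 block, which is
    # what the module default for endpoint_public_access_cidrs would allow.
    condition = length(var.allowed_api_cidrs) > 0 && alltrue([
      for c in var.allowed_api_cidrs : can(cidrhost(c, 0)) && !endswith(c, "/0")
    ])
    error_message = "Provide explicit CIDR blocks; 0.0.0.0/0 is not accepted."
  }
}

variable "break_glass_creator_admin" {
  description = "Temporarily add the Terraform caller as cluster admin via access entry"
  type        = bool
  default     = false
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 21.0"

  name               = "example"
  kubernetes_version = "1.33"

  # Access entries only; in API mode the aws-auth ConfigMap is not consulted
  authentication_mode = "API"

  # Implemented by the module as an access entry, so it can be toggled after
  # creation; leave it off unless the break-glass variable is set
  enable_cluster_creator_admin_permissions = var.break_glass_creator_admin

  access_entries = {
    # Cluster-wide administration for one named role
    platform-admin = {
      principal_arn = "arn:aws:iam::123456789012:role/platform-admin" # placeholder

      policy_associations = {
        admin = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }

    # Read-only access confined to a single namespace
    auditor = {
      principal_arn = "arn:aws:iam::123456789012:role/auditor" # placeholder

      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            namespaces = ["default"]
            type       = "namespace"
          }
        }
      }
    }
  }

  # Keep the private endpoint on and restrict who can reach the public one
  endpoint_private_access      = true
  endpoint_public_access       = true
  endpoint_public_access_cidrs = var.allowed_api_cidrs

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```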

Enabling EFA Support

When enabling EFA support via enable_efa_support = true, there are two locations this can be specified - one at the cluster level, and one at the node group level. Enabling at the cluster level will add the EFA required ingress/egress rules to the shared security group created for the node group(s). Enabling at the node group level will do the following (per node group where enabled):

  1. All EFA interfaces supported by the instance will be exposed on the launch template used by the node group
  2. A placement group with strategy = "clustered" per EFA requirements is created and passed to the launch template used by the node group
  3. Data sources will reverse lookup the availability zones that support the instance type selected based on the subnets provided, ensuring that only the associated subnets are passed to the launch template and therefore used by the placement group. This avoids the placement group being created in an availability zone that does not support the instance type selected.

Tip

Use the aws-efa-k8s-device-plugin Helm chart to expose the EFA interfaces on the nodes as an extended resource, and allow pods to request the interfaces be mounted to their containers.

The EKS AL2 GPU AMI comes with the necessary EFA components pre-installed - you just need to expose the EFA devices on the nodes via their launch templates, ensure the required EFA security group rules are in place, and deploy the aws-efa-k8s-device-plugin in order to start utilizing EFA within your cluster. Your application container will need to have the necessary libraries and runtime in order to utilize communication over the EFA interfaces (NCCL, aws-ofi-nccl, hwloc, libfabric, aws-neuronx-collectives, CUDA, etc.).

If you disable the creation and use of the managed node group custom launch template (create_launch_template = false and/or use_custom_launch_template = false), this will interfere with the EFA functionality provided. In addition, if you do not supply an instance_type for self-managed node group(s), or instance_types for the managed node group(s), this will also interfere with the functionality. In order to support the EFA functionality provided by enable_efa_support = true, you must utilize the custom launch template created/provided by this module, and supply an instance_type/instance_types for the respective node group.

The logic behind supporting EFA uses a data source to look up the instance type and retrieve the number of interfaces that the instance supports, in order to enumerate and expose those interfaces on the launch template created. For managed node groups, where a list of instance types is supported, the first instance type in the list is used to calculate the number of EFA interfaces supported. Mixing instance types with varying numbers of interfaces is not recommended for EFA (or in some cases, mixing instance types is not supported - i.e. - p5.48xlarge and p4d.24xlarge). In addition to exposing the EFA interfaces and updating the security group rules, a placement group is created per the EFA requirements and only the availability zones that support the instance type selected are used in the subnets provided to the node group.

In order to enable EFA support, you will have to specify enable_efa_support = true on both the cluster and each node group that you wish to enable EFA support for:

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 21.0"

      # Truncated for brevity ...

      # Adds the EFA required security group rules to the shared
      # security group created for the node group(s)
      enable_efa_support = true

      eks_managed_node_groups = {
        example = {
          # The EKS AL2023 NVIDIA AMI provides all of the necessary components
          # for accelerated workloads w/ EFA
          ami_type       = "AL2023_x86_64_NVIDIA"
          instance_types = ["p5.48xlarge"]

          # Exposes all EFA interfaces on the launch template created by the node group(s)
          # This would expose all 32 EFA interfaces for the p5.48xlarge instance type
          enable_efa_support = true

          # Mount instance store volumes in RAID-0 for kubelet and containerd
          # https://github.com/awslabs/amazon-eks-ami/blob/master/doc/USER_GUIDE.md#raid-0-for-kubelet-and-containerd-raid0
          cloudinit_pre_nodeadm = [
            {
              content_type = "application/node.eks.aws"
              content      = <<-EOT
                ---
                apiVersion: node.eks.aws/v1alpha1
                kind: NodeConfig
                spec:
                  instance:
                    localStorage:
                      strategy: RAID0
              EOT
            }
          ]

          # EFA should only be enabled when connecting 2 or more nodes
          # Do not use EFA on a single node workload
          min_size     = 2
          max_size     = 10
          desired_size = 2
        }
      }
    }

Examples

Contributing

We are grateful to the community for contributing bugfixes and improvements! Please see below to learn how you can take part.

Requirements

Name | Version
terraform | >= 1.5.7
aws | >= 6.23
time | >= 0.9
tls | >= 4.0

Providers

Name | Version
aws | >= 6.23
time | >= 0.9
tls | >= 4.0

Modules

Name | Source | Version
eks_managed_node_group | ./modules/eks-managed-node-group | n/a
fargate_profile | ./modules/fargate-profile | n/a
kms | terraform-aws-modules/kms/aws | 4.0.0
self_managed_node_group | ./modules/self-managed-node-group | n/a

Resources

Name | Type
aws_cloudwatch_log_group.this | resource
aws_ec2_tag.cluster_primary_security_group | resource
aws_eks_access_entry.this | resource
aws_eks_access_policy_association.this | resource
aws_eks_addon.before_compute | resource
aws_eks_addon.this | resource
aws_eks_cluster.this | resource
aws_eks_identity_provider_config.this | resource
aws_iam_openid_connect_provider.oidc_provider | resource
aws_iam_policy.cluster_encryption | resource
aws_iam_policy.cni_ipv6_policy | resource
aws_iam_policy.custom | resource
aws_iam_role.eks_auto | resource
aws_iam_role.this | resource
aws_iam_role_policy_attachment.additional | resource
aws_iam_role_policy_attachment.cluster_encryption | resource
aws_iam_role_policy_attachment.custom | resource
aws_iam_role_policy_attachment.eks_auto | resource
aws_iam_role_policy_attachment.eks_auto_additional | resource
aws_iam_role_policy_attachment.this | resource
aws_security_group.cluster | resource
aws_security_group.node | resource
aws_security_group_rule.cluster | resource
aws_security_group_rule.node | resource
time_sleep.this | resource
aws_caller_identity.current | data source
aws_eks_addon_version.this | data source
aws_iam_policy_document.assume_role_policy | data source
aws_iam_policy_document.cni_ipv6_policy | data source
aws_iam_policy_document.custom | data source
aws_iam_policy_document.node_assume_role_policy | data source
aws_iam_session_context.current | data source
aws_partition.current | data source
tls_certificate.this | data source

Inputs

Name | Description | Type | Default | Required
access_entries | Map of access entries to add to the cluster |
  map(object({
    # Access entry
    kubernetes_groups = optional(list(string))
    principal_arn = string
    type = optional(string, "STANDARD")
    user_name = optional(string)
    tags = optional(map(string), {})
    # Access policy association
    policy_associations = optional(map(object({
      policy_arn = string
      access_scope = object({
        namespaces = optional(list(string))
        type = string
      })
    })), {})
  }))
| {} | no
additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | list(string) | [] | no
addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with name |
  map(object({
    name = optional(string) # will fall back to map key
    before_compute = optional(bool, false)
    most_recent = optional(bool, true)
    addon_version = optional(string)
    configuration_values = optional(string)
    pod_identity_association = optional(list(object({
      role_arn = string
      service_account = string
    })))
    preserve = optional(bool, true)
    resolve_conflicts_on_create = optional(string, "NONE")
    resolve_conflicts_on_update = optional(string, "OVERWRITE")
    service_account_role_arn = optional(string)
    timeouts = optional(object({
      create = optional(string)
      update = optional(string)
      delete = optional(string)
    }), {})
    tags = optional(map(string), {})
  }))
| null | no
addons_timeouts | Create, update, and delete timeout configurations for the cluster addons |
  object({
    create = optional(string)
    update = optional(string)
    delete = optional(string)
  })
| {} | no
attach_encryption_policy | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | bool | true | no
authentication_mode | The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP | string | "API_AND_CONFIG_MAP" | no
cloudwatch_log_group_class | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS | string | null | no
cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | null | no
cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention - 90 days | number | 90 | no
cloudwatch_log_group_tags | A map of additional tags to add to the cloudwatch log group created | map(string) | {} | no
cluster_tags | A map of additional tags to add to the cluster | map(string) | {} | no
compute_config | Configuration block for the cluster compute configuration |
  object({
    enabled = optional(bool, false)
    node_pools = optional(list(string))
    node_role_arn = optional(string)
  })
| null | no
control_plane_scaling_config | Configuration block for the EKS Provisioned Control Plane scaling tier. Valid values for tier are standard, tier-xl, tier-2xl, and tier-4xl |
  object({
    tier = string
  })
| null | no
control_plane_subnet_ids | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | list(string) | [] | no
create | Controls if resources should be created (affects nearly all resources) | bool | true | no
create_auto_mode_iam_resources | Determines whether to create/attach IAM resources for EKS Auto Mode. Useful for when using only custom node pools and not built-in EKS Auto Mode node pools | bool | false | no
create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | true | no
create_cni_ipv6_iam_policy | Determines whether to create an AmazonEKS_CNI_IPv6_Policy | bool | false | no
create_iam_role | Determines whether an IAM role is created for the cluster | bool | true | no
create_kms_key | Controls if a KMS key for cluster encryption should be created | bool | true | no
create_node_iam_role | Determines whether an EKS Auto node IAM role is created | bool | true | no
create_node_security_group | Determines whether to create a security group for the node groups or use the existing node_security_group_id | bool | true | no
create_primary_security_group_tags | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | bool | true | no
create_security_group | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | bool | true | no
custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | list(string) | [] | no
dataplane_wait_duration | Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed node group(s), self-managed node group(s), Fargate profile(s)) | string | "30s" | no
deletion_protection | Whether to enable deletion protection for the cluster. When enabled, the cluster cannot be deleted unless deletion protection is first disabled | bool | null | no
eks_managed_node_groups | Map of EKS managed node group definitions to create |
  map(object({
    create = optional(bool)
    kubernetes_version = optional(string)

    # EKS Managed Node Group
    name = optional(string) # Will fall back to map key
    use_name_prefix = optional(bool)
    subnet_ids = optional(list(string))
    min_size = optional(number)
    max_size = optional(number)
    desired_size = optional(number)
    ami_id = optional(string)
    ami_type = optional(string)
    ami_release_version = optional(string)
    use_latest_ami_release_version = optional(bool)
    capacity_type = optional(string)
    disk_size = optional(number)
    force_update_version = optional(bool)
    instance_types = optional(list(string))
    labels = optional(map(string))
    node_repair_config = optional(object({
      enabled = optional(bool)
      max_parallel_nodes_repaired_count = optional(number)
      max_parallel_nodes_repaired_percentage = optional(number)
      max_unhealthy_node_threshold_count = optional(number)
      max_unhealthy_node_threshold_percentage = optional(number)
      node_repair_config_overrides = optional(list(object({
        min_repair_wait_time_mins = number
        node_monitoring_condition = string
        node_unhealthy_reason = string
        repair_action = string
      })))
    }))
    remote_access = optional(object({
      ec2_ssh_key = optional(string)
      source_security_group_ids = optional(list(string))
    }))
    taints = optional(map(object({
      key = string
      value = optional(string)
      effect = string
    })))
    update_config = optional(object({
      max_unavailable = optional(number)
      max_unavailable_percentage = optional(number)
    }))
    timeouts = optional(object({
      create = optional(string)
      update = optional(string)
      delete = optional(string)
    }))
    # User data
    enable_bootstrap_user_data = optional(bool)
    pre_bootstrap_user_data = optional(string)
    post_bootstrap_user_data = optional(string)
    bootstrap_extra_args = optional(string)
    user_data_template_path = optional(string)
    cloudinit_pre_nodeadm = optional(list(object({
      content = string
      content_type = optional(string)
      filename = optional(string)
      merge_type = optional(string)
    })))
    cloudinit_post_nodeadm = optional(list(object({
      content = string
      content_type = optional(string)
      filename = optional(string)
      merge_type = optional(string)
    })))
    # Launch Template
    create_launch_template = optional(bool)
    use_custom_launch_template = optional(bool)
    launch_template_id = optional(string)
    launch_template_name = optional(string) # Will fall back to map key
    launch_template_use_name_prefix = optional(bool)
    launch_template_version = optional(string)
    launch_template_default_version = optional(string)
    update_launch_template_default_version = optional(bool)
    launch_template_description = optional(string)
    launch_template_tags = optional(map(string))
    tag_specifications = optional(list(string))
    ebs_optimized = optional(bool)
    key_name = optional(string)
    disable_api_termination = optional(bool)
    kernel_id = optional(string)
    ram_disk_id = optional(string)
    block_device_mappings = optional(map(object({
      device_name = optional(string)
      ebs = optional(object({
        delete_on_termination = optional(bool)
        encrypted = optional(bool)
        iops = optional(number)
        kms_key_id = optional(string)
        snapshot_id = optional(string)
        throughput = optional(number)
        volume_initialization_rate = optional(number)
        volume_size = optional(number)
        volume_type = optional(string)
      }))
      no_device = optional(string)
      virtual_name = optional(string)
    })))
    capacity_reservation_specification = optional(object({
      capacity_reservation_preference = optional(string)
      capacity_reservation_target = optional(object({
        capacity_reservation_id = optional(string)
        capacity_reservation_resource_group_arn = optional(string)
      }))
    }))
    cpu_options = optional(object({
      amd_sev_snp = optional(string)
      core_count = optional(number)
      threads_per_core = optional(number)
    }))
    credit_specification = optional(object({
      cpu_credits = optional(string)
    }))
    enclave_options = optional(object({
      enabled = optional(bool)
    }))
    instance_market_options = optional(object({
      market_type = optional(string)
      spot_options = optional(object({
        block_duration_minutes = optional(number)
        instance_interruption_behavior = optional(string)
        max_price = optional(string)
        spot_instance_type = optional(string)
        valid_until = optional(string)
      }))
    }))
    license_specifications = optional(list(object({
      license_configuration_arn = string
    })))
    metadata_options = optional(object({
      http_endpoint = optional(string)
      http_protocol_ipv6 = optional(string)
      http_put_response_hop_limit = optional(number)
      http_tokens = optional(string)
      instance_metadata_tags = optional(string)
    }))
    enable_monitoring = optional(bool)
    enable_efa_support = optional(bool)
    enable_efa_only = optional(bool)
    efa_indices = optional(list(string))
    create_placement_group = optional(bool)
    placement = optional(object({
      affinity = optional(string)
      availability_zone = optional(string)
      group_name = optional(string)
      host_id = optional(string)
      host_resource_group_arn = optional(string)
      partition_number = optional(number)
      spread_domain = optional(string)
      tenancy = optional(string)
    }))
    network_interfaces = optional(list(object({
      associate_carrier_ip_address = optional(bool)
      associate_public_ip_address = optional(bool)
      connection_tracking_specification = optional(object({
        tcp_established_timeout = optional(number)
        udp_stream_timeout = optional(number)
        udp_timeout = optional(number)
      }))
      delete_on_termination = optional(bool)
      description = optional(string)
      device_index = optional(number)
      ena_srd_specification = optional(object({
        ena_srd_enabled = optional(bool)
        ena_srd_udp_specification = optional(object({
          ena_srd_udp_enabled = optional(bool)
        }))
      }))
      interface_type = optional(string)
      ipv4_address_count = optional(number)
      ipv4_addresses = optional(list(string))
      ipv4_prefix_count = optional(number)
      ipv4_prefixes = optional(list(string))
      ipv6_address_count = optional(number)
      ipv6_addresses = optional(list(string))
      ipv6_prefix_count = optional(number)
      ipv6_prefixes = optional(list(string))
      network_card_index = optional(number)
      network_interface_id = optional(string)
      primary_ipv6 = optional(bool)
      private_ip_address = optional(string)
      security_groups = optional(list(string), [])
      subnet_id = optional(string)
    })))
    maintenance_options = optional(object({
      auto_recovery = optional(string)
    }))
    private_dns_name_options = optional(object({
      enable_resource_name_dns_aaaa_record = optional(bool)
      enable_resource_name_dns_a_record = optional(bool)
      hostname_type = optional(string)
    }))
    # IAM role
    create_iam_role = optional(bool)
    iam_role_arn = optional(string)
    iam_role_name = optional(string)
    iam_role_use_name_prefix = optional(bool)
    iam_role_path = optional(string)
    iam_role_description = optional(string)
    iam_role_permissions_boundary = optional(string)
    iam_role_tags = optional(map(string))
    iam_role_attach_cni_policy = optional(bool)
    iam_role_additional_policies = optional(map(string))
    create_iam_role_policy = optional(bool)
    iam_role_policy_statements = optional(list(object({
      sid = optional(string)
      actions = optional(list(string))
      not_actions = optional(list(string))
      effect = optional(string)
      resources = optional(list(string))
      not_resources = optional(list(string))
      principals = optional(list(object({
        type = string
        identifiers = list(string)
      })))
      not_principals = optional(list(object({
        type = string
        identifiers = list(string)
      })))
      condition = optional(list(object({
        test = string
        values = list(string)
        variable = string
      })))
    })))
    # Security group
    vpc_security_group_ids = optional(list(string), [])
    attach_cluster_primary_security_group = optional(bool, false)
    cluster_primary_security_group_id = optional(string)
    create_security_group = optional(bool)
    security_group_name = optional(string)
    security_group_use_name_prefix = optional(bool)
    security_group_description = optional(string)
    security_group_ingress_rules = optional(map(object({
      name = optional(string)
      cidr_ipv4 = optional(string)
      cidr_ipv6 = optional(string)
      description = optional(string)
      from_port = optional(string)
      ip_protocol = optional(string)
      prefix_list_id = optional(string)
      referenced_security_group_id = optional(string)
      self = optional(bool)
      tags = optional(map(string))
      to_port = optional(string)
    })))
    security_group_egress_rules = optional(map(object({
      name = optional(string)
      cidr_ipv4 = optional(string)
      cidr_ipv6 = optional(string)
      description = optional(string)
      from_port = optional(string)
      ip_protocol = optional(string)
      prefix_list_id = optional(string)
      referenced_security_group_id = optional(string)
      self = optional(bool)
      tags = optional(map(string))
      to_port = optional(string)
    })), {})
    security_group_tags = optional(map(string))

    tags = optional(map(string))
  }))
| null | no
enable_auto_mode_custom_tags | Determines whether to enable permissions for custom tags resources created by EKS Auto Mode | bool | true | no
enable_cluster_creator_admin_permissions | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | bool | false | no
enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | bool | true | no
enable_kms_key_rotation | Specifies whether key rotation is enabled | bool | true | no
enabled_log_types | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | list(string) |
  [
    "audit",
    "api",
    "authenticator"
  ]
| no
encryption_config | Configuration block with encryption configuration for the cluster |
  object({
    provider_key_arn = optional(string)
    resources = optional(list(string), ["secrets"])
  })
| {} | no
encryption_policy_description | Description of the cluster encryption policy created | string | "Cluster encryption policy to allow cluster role to utilize CMK provided" | no
encryption_policy_name | Name to use on cluster encryption policy created | string | null | no
encryption_policy_path | Cluster encryption policy path | string | null | no
encryption_policy_tags | A map of additional tags to add to the cluster encryption policy created | map(string) | {} | no
encryption_policy_use_name_prefix | Determines whether cluster encryption policy name (cluster_encryption_policy_name) is used as a prefix | bool | true | no
endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled | bool | true | no
endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled | bool | false | no
endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | list(string) |
  [
    "0.0.0.0/0"
  ]
| no
fargate_profiles | Map of Fargate Profile definitions to create |
  map(object({
    create = optional(bool)

    # Fargate profile
    name = optional(string) # Will fall back to map key
    subnet_ids = optional(list(string))
    selectors = optional(list(object({
      labels = optional(map(string))
      namespace = string
    })))
    timeouts = optional(object({
      create = optional(string)
      delete = optional(string)
    }))

    # IAM role
    create_iam_role = optional(bool)
    iam_role_arn = optional(string)
    iam_role_name = optional(string)
    iam_role_use_name_prefix = optional(bool)
    iam_role_path = optional(string)
    iam_role_description = optional(string)
    iam_role_permissions_boundary = optional(string)
    iam_role_tags = optional(map(string))
    iam_role_attach_cni_policy = optional(bool)
    iam_role_additional_policies = optional(map(string))
    create_iam_role_policy = optional(bool)
    iam_role_policy_statements = optional(list(object({
      sid = optional(string)
      actions = optional(list(string))
      not_actions = optional(list(string))
      effect = optional(string)
      resources = optional(list(string))
      not_resources = optional(list(string))
      principals = optional(list(object({
        type = string
        identifiers = list(string)
      })))
      not_principals = optional(list(object({
        type = string
        identifiers = list(string)
      })))
      condition = optional(list(object({
        test = string
        values = list(string)
        variable = string
      })))
    })))
    tags = optional(map(string))
  }))
| null | no
force_update_versionForce version update by overriding upgrade-blocking readiness checks when updating a clusterboolnullno
iam_role_additional_policiesAdditional policies to be added to the IAM rolemap(string){}no
iam_role_arnExisting IAM role ARN for the cluster. Required ifcreate_iam_role is set tofalsestringnullno
iam_role_descriptionDescription of the rolestringnullno
iam_role_nameName to use on IAM role createdstringnullno
iam_role_pathThe IAM role pathstringnullno
iam_role_permissions_boundaryARN of the policy that is used to set the permissions boundary for the IAM rolestringnullno
iam_role_tagsA map of additional tags to add to the IAM role createdmap(string){}no
iam_role_use_name_prefixDetermines whether the IAM role name (iam_role_name) is used as a prefixbooltrueno
identity_providersMap of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA
map(object({
client_id = string
groups_claim = optional(string)
groups_prefix = optional(string)
identity_provider_config_name = optional(string) # will fall back to map key
issuer_url = string
required_claims = optional(map(string))
username_claim = optional(string)
username_prefix = optional(string)
tags = optional(map(string), {})
}))
| `null` | no |
| include_oidc_root_ca_thumbprint | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | `bool` | `true` | no |
| ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `"ipv4"` | no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
| kms_key_aliases | A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values | `list(string)` | `[]` | no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `null` | no |
| kms_key_description | The description of the key as viewed in AWS console | `string` | `null` | no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy | `bool` | `true` | no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| kms_key_rotation_period_in_days | Custom period of time between each key rotation date. If you specify a value, it must be between `90` and `2560`, inclusive. If you do not specify a value, it defaults to `365` | `number` | `null` | no |
| kms_key_service_users | A list of IAM ARNs for key service users | `list(string)` | `[]` | no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
| kms_key_users | A list of IAM ARNs for key users | `list(string)` | `[]` | no |
| kubernetes_version | Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.33`) | `string` | `null` | no |
| name | Name of the EKS cluster | `string` | `""` | no |
| node_iam_role_additional_policies | Additional policies to be added to the EKS Auto node IAM role | `map(string)` | `{}` | no |
| node_iam_role_description | Description of the EKS Auto node IAM role | `string` | `null` | no |
| node_iam_role_name | Name to use on the EKS Auto node IAM role created | `string` | `null` | no |
| node_iam_role_path | The EKS Auto node IAM role path | `string` | `null` | no |
| node_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the EKS Auto node IAM role | `string` | `null` | no |
| node_iam_role_tags | A map of additional tags to add to the EKS Auto node IAM role created | `map(string)` | `{}` | no |
| node_iam_role_use_name_prefix | Determines whether the EKS Auto node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source |
map(object({
protocol = optional(string, "tcp")
from_port = number
to_port = number
type = optional(string, "ingress")
description = optional(string)
cidr_blocks = optional(list(string))
ipv6_cidr_blocks = optional(list(string))
prefix_list_ids = optional(list(string))
self = optional(bool)
source_cluster_security_group = optional(bool, false)
source_security_group_id = optional(string)
}))
| `{}` | no |
| node_security_group_description | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
| node_security_group_enable_recommended_rules | Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic | `bool` | `true` | no |
| node_security_group_id | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
| node_security_group_name | Name to use on node security group created | `string` | `null` | no |
| node_security_group_tags | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
| node_security_group_use_name_prefix | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `bool` | `true` | no |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
| outpost_config | Configuration for the AWS Outpost to provision the cluster on |
object({
control_plane_instance_type = optional(string)
control_plane_placement = optional(object({
group_name = string
}))
outpost_arns = list(string)
})
| `null` | no |
| prefix_separator | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
| region | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| remote_network_config | Configuration block for the cluster remote network configuration |
object({
remote_node_networks = object({
cidrs = optional(list(string))
})
remote_pod_networks = optional(object({
cidrs = optional(list(string))
}))
})
| `null` | no |
| security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source |
map(object({
protocol = optional(string, "tcp")
from_port = number
to_port = number
type = optional(string, "ingress")
description = optional(string)
cidr_blocks = optional(list(string))
ipv6_cidr_blocks = optional(list(string))
prefix_list_ids = optional(list(string))
self = optional(bool)
source_node_security_group = optional(bool, false)
source_security_group_id = optional(string)
}))
| `{}` | no |
| security_group_description | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
| security_group_id | Existing security group ID to be attached to the cluster | `string` | `""` | no |
| security_group_name | Name to use on cluster security group created | `string` | `null` | no |
| security_group_tags | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no |
| security_group_use_name_prefix | Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix | `bool` | `true` | no |
| self_managed_node_groups | Map of self-managed node group definitions to create |
map(object({
create = optional(bool)
kubernetes_version = optional(string)

# Autoscaling Group
create_autoscaling_group = optional(bool)
name = optional(string) # Will fall back to map key
use_name_prefix = optional(bool)
availability_zones = optional(list(string))
subnet_ids = optional(list(string))
min_size = optional(number)
max_size = optional(number)
desired_size = optional(number)
desired_size_type = optional(string)
capacity_rebalance = optional(bool)
default_instance_warmup = optional(number)
protect_from_scale_in = optional(bool)
context = optional(string)
create_placement_group = optional(bool)
placement_group = optional(string)
health_check_type = optional(string)
health_check_grace_period = optional(number)
ignore_failed_scaling_activities = optional(bool)
force_delete = optional(bool)
termination_policies = optional(list(string))
suspended_processes = optional(list(string))
max_instance_lifetime = optional(number)
enabled_metrics = optional(list(string))
metrics_granularity = optional(string)
initial_lifecycle_hooks = optional(list(object({
default_result = optional(string)
heartbeat_timeout = optional(number)
lifecycle_transition = string
name = string
notification_metadata = optional(string)
notification_target_arn = optional(string)
role_arn = optional(string)
})))
instance_maintenance_policy = optional(object({
max_healthy_percentage = number
min_healthy_percentage = number
}))
instance_refresh = optional(object({
preferences = optional(object({
alarm_specification = optional(object({
alarms = optional(list(string))
}))
auto_rollback = optional(bool)
checkpoint_delay = optional(number)
checkpoint_percentages = optional(list(number))
instance_warmup = optional(number)
max_healthy_percentage = optional(number)
min_healthy_percentage = optional(number)
scale_in_protected_instances = optional(string)
skip_matching = optional(bool)
standby_instances = optional(string)
}))
strategy = optional(string)
triggers = optional(list(string))
})
)
use_mixed_instances_policy = optional(bool)
mixed_instances_policy = optional(object({
instances_distribution = optional(object({
on_demand_allocation_strategy = optional(string)
on_demand_base_capacity = optional(number)
on_demand_percentage_above_base_capacity = optional(number)
spot_allocation_strategy = optional(string)
spot_instance_pools = optional(number)
spot_max_price = optional(string)
}))
launch_template = object({
override = optional(list(object({
instance_requirements = optional(object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = optional(number)
}))
}))
instance_type = optional(string)
launch_template_specification = optional(object({
launch_template_id = optional(string)
launch_template_name = optional(string)
version = optional(string)
}))
weighted_capacity = optional(string)
})))
})
}))
timeouts = optional(object({
delete = optional(string)
}))
autoscaling_group_tags = optional(map(string))
# User data
ami_type = optional(string)
additional_cluster_dns_ips = optional(list(string))
pre_bootstrap_user_data = optional(string)
post_bootstrap_user_data = optional(string)
bootstrap_extra_args = optional(string)
user_data_template_path = optional(string)
cloudinit_pre_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
cloudinit_post_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
# Launch Template
create_launch_template = optional(bool)
use_custom_launch_template = optional(bool)
launch_template_id = optional(string)
launch_template_name = optional(string) # Will fall back to map key
launch_template_use_name_prefix = optional(bool)
launch_template_version = optional(string)
launch_template_default_version = optional(string)
update_launch_template_default_version = optional(bool)
launch_template_description = optional(string)
launch_template_tags = optional(map(string))
tag_specifications = optional(list(string))
ebs_optimized = optional(bool)
ami_id = optional(string)
instance_type = optional(string)
key_name = optional(string)
disable_api_termination = optional(bool)
instance_initiated_shutdown_behavior = optional(string)
kernel_id = optional(string)
ram_disk_id = optional(string)
block_device_mappings = optional(map(object({
device_name = optional(string)
ebs = optional(object({
delete_on_termination = optional(bool)
encrypted = optional(bool)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_initialization_rate = optional(number)
volume_size = optional(number)
volume_type = optional(string)
}))
no_device = optional(string)
virtual_name = optional(string)
})))
capacity_reservation_specification = optional(object({
capacity_reservation_preference = optional(string)
capacity_reservation_target = optional(object({
capacity_reservation_id = optional(string)
capacity_reservation_resource_group_arn = optional(string)
}))
}))
cpu_options = optional(object({
amd_sev_snp = optional(string)
core_count = optional(number)
threads_per_core = optional(number)
}))
credit_specification = optional(object({
cpu_credits = optional(string)
}))
enclave_options = optional(object({
enabled = optional(bool)
}))
instance_requirements = optional(object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = string
}))
}))
instance_market_options = optional(object({
market_type = optional(string)
spot_options = optional(object({
block_duration_minutes = optional(number)
instance_interruption_behavior = optional(string)
max_price = optional(string)
spot_instance_type = optional(string)
valid_until = optional(string)
}))
}))
license_specifications = optional(list(object({
license_configuration_arn = string
})))
metadata_options = optional(object({
http_endpoint = optional(string)
http_protocol_ipv6 = optional(string)
http_put_response_hop_limit = optional(number)
http_tokens = optional(string)
instance_metadata_tags = optional(string)
}))
enable_monitoring = optional(bool)
enable_efa_support = optional(bool)
enable_efa_only = optional(bool)
efa_indices = optional(list(string))
network_interfaces = optional(list(object({
associate_carrier_ip_address = optional(bool)
associate_public_ip_address = optional(bool)
connection_tracking_specification = optional(object({
tcp_established_timeout = optional(number)
udp_stream_timeout = optional(number)
udp_timeout = optional(number)
}))
delete_on_termination = optional(bool)
description = optional(string)
device_index = optional(number)
ena_srd_specification = optional(object({
ena_srd_enabled = optional(bool)
ena_srd_udp_specification = optional(object({
ena_srd_udp_enabled = optional(bool)
}))
}))
interface_type = optional(string)
ipv4_address_count = optional(number)
ipv4_addresses = optional(list(string))
ipv4_prefix_count = optional(number)
ipv4_prefixes = optional(list(string))
ipv6_address_count = optional(number)
ipv6_addresses = optional(list(string))
ipv6_prefix_count = optional(number)
ipv6_prefixes = optional(list(string))
network_card_index = optional(number)
network_interface_id = optional(string)
primary_ipv6 = optional(bool)
private_ip_address = optional(string)
security_groups = optional(list(string))
subnet_id = optional(string)
})))
placement = optional(object({
affinity = optional(string)
availability_zone = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(string)
partition_number = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
}))
maintenance_options = optional(object({
auto_recovery = optional(string)
}))
private_dns_name_options = optional(object({
enable_resource_name_dns_aaaa_record = optional(bool)
enable_resource_name_dns_a_record = optional(bool)
hostname_type = optional(string)
}))
# IAM role
create_iam_instance_profile = optional(bool)
iam_instance_profile_arn = optional(string)
iam_role_name = optional(string)
iam_role_use_name_prefix = optional(bool)
iam_role_path = optional(string)
iam_role_description = optional(string)
iam_role_permissions_boundary = optional(string)
iam_role_tags = optional(map(string))
iam_role_attach_cni_policy = optional(bool)
iam_role_additional_policies = optional(map(string))
create_iam_role_policy = optional(bool)
iam_role_policy_statements = optional(list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})))
# Access entry
create_access_entry = optional(bool)
iam_role_arn = optional(string)
# Security group
vpc_security_group_ids = optional(list(string), [])
attach_cluster_primary_security_group = optional(bool, false)
create_security_group = optional(bool)
security_group_name = optional(string)
security_group_use_name_prefix = optional(bool)
security_group_description = optional(string)
security_group_ingress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})))
security_group_egress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})))
security_group_tags = optional(map(string))

tags = optional(map(string))
}))
| `null` | no |
| service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| service_ipv6_cidr | The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster | `string` | `null` | no |
| subnet_ids | A list of subnet IDs where the nodes/node groups will be provisioned. If `control_plane_subnet_ids` is not provided, the EKS cluster control plane (ENIs) will be provisioned in these subnets | `list(string)` | `[]` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| timeouts | Create, update, and delete timeout configurations for the cluster |
object({
create = optional(string)
update = optional(string)
delete = optional(string)
})
| `null` | no |
| upgrade_policy | Configuration block for the cluster upgrade policy |
object({
support_type = optional(string)
})
| `null` | no |
| vpc_id | ID of the VPC where the cluster security group will be provisioned | `string` | `null` | no |
| zonal_shift_config | Configuration block for the cluster zonal shift |
object({
enabled = optional(bool)
})
| `null` | no |
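
The following is an added example, not taken from the module's README, showing how several of the security-relevant inputs documented above fit together: explicit KMS key administrators, an IAM permissions boundary, a node security group rule sourced from the cluster security group, and a self-managed node group with IMDSv2 enforced and an encrypted root volume. The account ID, ARNs, VPC and subnet IDs, group and rule names, instance type, and port 9443 are constructed placeholders.

```hcl
# Added example; all IDs, ARNs and names below are constructed placeholders.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 21.0"

  name               = "example"
  kubernetes_version = "1.33"

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  # Name the key administrators explicitly instead of relying on the
  # fallback to the current caller identity.
  kms_key_administrators          = ["arn:aws:iam::111122223333:role/kms-admin"]
  kms_key_deletion_window_in_days = 30 # must be between 7 and 30
  kms_key_rotation_period_in_days = 90 # must be between 90 and 2560

  # Cap what the cluster IAM role can ever be granted.
  iam_role_permissions_boundary = "arn:aws:iam::111122223333:policy/eks-boundary"

  # Allow the control plane to reach a webhook on the nodes by referencing
  # the cluster security group as the source rather than opening a CIDR range.
  node_security_group_additional_rules = {
    ingress_cluster_webhook = {
      description                   = "Control plane to admission webhook (assumed port)"
      protocol                      = "tcp"
      from_port                     = 9443
      to_port                       = 9443
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  self_managed_node_groups = {
    hardened = {
      instance_type = "m6i.large"
      min_size      = 1
      max_size      = 3
      desired_size  = 2

      # Require IMDSv2 session tokens. A hop limit of 1 keeps token responses
      # from reaching pods that do not run on the host network.
      metadata_options = {
        http_endpoint               = "enabled"
        http_tokens                 = "required"
        http_put_response_hop_limit = 1
      }

      # Encrypt the root volume and remove it with the instance.
      block_device_mappings = {
        xvda = {
          device_name = "/dev/xvda"
          ebs = {
            encrypted             = true
            volume_size           = 50
            volume_type           = "gp3"
            delete_on_termination = true
          }
        }
      }

      # Same boundary on the node IAM role created for this group.
      iam_role_permissions_boundary = "arn:aws:iam::111122223333:policy/eks-boundary"
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```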

Outputs

| Name | Description |
|------|-------------|
| access_entries | Map of access entries created and their attributes |
| access_policy_associations | Map of eks cluster access policy associations created and their attributes |
| cloudwatch_log_group_arn | Arn of cloudwatch log group created |
| cloudwatch_log_group_name | Name of cloudwatch log group created |
| cluster_addons | Map of attribute maps for all EKS cluster addons enabled |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| cluster_control_plane_scaling_tier | The EKS Provisioned Control Plane scaling tier for the cluster |
| cluster_dualstack_oidc_issuer_url | Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_endpoint | Endpoint for your Kubernetes API server |
| cluster_iam_role_arn | Cluster IAM role ARN |
| cluster_iam_role_name | Cluster IAM role name |
| cluster_iam_role_unique_id | Stable and unique string identifying the IAM role |
| cluster_id | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts |
| cluster_identity_providers | Map of attribute maps for all EKS identity providers enabled |
| cluster_ip_family | The IP family used by the cluster (e.g. `ipv4` or `ipv6`) |
| cluster_name | The name of the EKS cluster |
| cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_platform_version | Platform version for the cluster |
| cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| cluster_security_group_arn | Amazon Resource Name (ARN) of the cluster security group |
| cluster_security_group_id | ID of the cluster security group |
| cluster_service_cidr | The CIDR block where Kubernetes pod and service IP addresses are assigned from |
| cluster_status | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
| cluster_tls_certificate_sha1_fingerprint | The SHA1 fingerprint of the public key of the cluster's certificate |
| cluster_version | The Kubernetes version for the cluster |
| eks_managed_node_groups | Map of attribute maps for all EKS managed node groups created |
| eks_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by EKS managed node groups |
| fargate_profiles | Map of attribute maps for all EKS Fargate Profiles created |
| kms_key_arn | The Amazon Resource Name (ARN) of the key |
| kms_key_id | The globally unique identifier for the key |
| kms_key_policy | The IAM resource policy set on the key |
| node_iam_role_arn | EKS Auto node IAM role ARN |
| node_iam_role_name | EKS Auto node IAM role name |
| node_iam_role_unique_id | Stable and unique string identifying the IAM role |
| node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| node_security_group_id | ID of the node shared security group |
| oidc_provider | The OpenID Connect identity provider (issuer URL without leading `https://`) |
| oidc_provider_arn | The ARN of the OIDC Provider if `enable_irsa = true` |
| self_managed_node_groups | Map of attribute maps for all self managed node groups created |
| self_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by self-managed node groups |

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus
