haicasgox/terraform-aws-eks-blueprints

Configure and deploy complete EKS clusters.

 
 


Welcome to Amazon EKS Blueprints for Terraform!

This repository contains a collection of Terraform modules that aim to make it easier and faster for customers to adopt Amazon EKS. It can be used by AWS customers, partners, and internal AWS teams to configure and manage complete EKS clusters that are fully bootstrapped with the operational software needed to deploy and operate workloads.

This project builds on the community terraform-aws-eks module for deploying EKS clusters.

Getting Started

The easiest way to get started with EKS Blueprints is to follow our Getting Started guide.

Documentation

For complete project documentation, please visit our documentation site.

Examples

To view examples of how you can use EKS Blueprints, please see the examples directory.

Add-ons

EKS Blueprints makes it easy to provision a wide range of popular Kubernetes add-ons into an EKS cluster. By default, the Terraform Helm provider is used to deploy add-ons from publicly available Helm charts. EKS Blueprints also supports self-hosted Helm charts, so the chart sources an organization pulls into its clusters can be pinned and mirrored internally.

For complete documentation on deploying add-ons, please visit our add-on documentation.

Motivation

Kubernetes is a powerful and extensible container orchestration technology that allows you to deploy and manage containerized applications at scale. The extensible nature of Kubernetes also allows you to use a wide range of popular open-source tools, commonly referred to as add-ons, in Kubernetes clusters. With such a large number of tools and design choices available, however, building a tailored EKS cluster that meets your application's specific needs can take a significant amount of time. It involves integrating a wide range of open-source tools and AWS services and requires deep expertise in AWS and Kubernetes.

AWS customers have asked for examples that demonstrate how to integrate the landscape of Kubernetes tools and make it easy for them to provision complete, opinionated EKS clusters that meet specific application requirements. Customers can use EKS Blueprints to configure and deploy purpose-built EKS clusters, and start onboarding workloads in days rather than months.

Support & Feedback

EKS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service and support is provided best-effort by the EKS Blueprints community.

To post feedback, submit feature ideas, or report bugs, please use the Issues section of this GitHub repo.

If you are interested in contributing to EKS Blueprints, see the Contribution guide.

Requirements

Name        Version
terraform   >= 1.0.0
aws         >= 3.72
helm        >= 2.4.1
http        2.4.1
kubectl     >= 1.14
kubernetes  >= 2.10
local       >= 2.1
null        >= 3.1

Providers

Name        Version
aws         >= 3.72
http        2.4.1
kubernetes  >= 2.10

Modules

Name                          Source                                      Version
aws_eks                       terraform-aws-modules/eks/aws               v18.29.1
aws_eks_fargate_profiles      ./modules/aws-eks-fargate-profiles          n/a
aws_eks_managed_node_groups   ./modules/aws-eks-managed-node-groups       n/a
aws_eks_self_managed_node_groups  ./modules/aws-eks-self-managed-node-groups  n/a
aws_eks_teams                 ./modules/aws-eks-teams                     n/a
emr_on_eks                    ./modules/emr-on-eks                        n/a
kms                           ./modules/aws-kms                           n/a

Resources

Name                                    Type
kubernetes_config_map.amazon_vpc_cni    resource
kubernetes_config_map.aws_auth          resource
aws_caller_identity.current             data source
aws_eks_cluster.cluster                 data source
aws_iam_policy_document.eks_key         data source
aws_iam_session_context.current         data source
aws_partition.current                   data source
aws_region.current                      data source
http_http.eks_cluster_readiness         data source

Inputs

Name (type, default, required)
    Description

application_teams (any, default {}, optional)
    Map of maps of application teams to create
aws_auth_additional_labels (map(string), default {}, optional)
    Additional Kubernetes labels applied to the aws-auth ConfigMap
cloudwatch_log_group_kms_key_id (string, default null, optional)
    If a KMS key ARN is set, this key is used to encrypt the corresponding log group. Make sure the key policy allows CloudWatch Logs to use the key (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)
cloudwatch_log_group_retention_in_days (number, default 90, optional)
    Number of days to retain log events
cluster_additional_security_group_ids (list(string), default [], optional)
    List of additional, externally created security group IDs to attach to the cluster control plane
cluster_enabled_log_types (list(string), default ["api", "audit", "authenticator", "controllerManager", "scheduler"], optional)
    List of control plane log types to enable
cluster_encryption_config (list(object({ provider_key_arn = string, resources = list(string) })), default [], optional)
    Configuration block with encryption configuration for the cluster
cluster_endpoint_private_access (bool, default false, optional)
    Whether the EKS private API server endpoint is enabled. Follows the EKS resource default, which is false
cluster_endpoint_public_access (bool, default true, optional)
    Whether the EKS public API server endpoint is enabled. Follows the EKS resource default, which is true
cluster_endpoint_public_access_cidrs (list(string), default ["0.0.0.0/0"], optional)
    List of CIDR blocks that can reach the Amazon EKS public API server endpoint. The default admits any IPv4 address, so restrict it whenever the public endpoint is enabled
cluster_identity_providers (any, default {}, optional)
    Map of cluster identity provider configurations to enable for the cluster. Note: this is separate from IRSA
cluster_ip_family (string, default "ipv4", optional)
    The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. The IP family can only be set at cluster creation; changing it forces a new cluster to be created
cluster_kms_key_additional_admin_arns (list(string), default [], optional)
    Additional IAM ARNs that get FULL access (kms:*) in the KMS key policy
cluster_kms_key_arn (string, default null, optional)
    A valid KMS key ARN used to encrypt Kubernetes secrets
cluster_kms_key_deletion_window_in_days (number, default 30, optional)
    The waiting period, in days (7 to 30), after which AWS KMS deletes the key
cluster_name (string, default "", optional)
    EKS cluster name
cluster_security_group_additional_rules (any, default {}, optional)
    Additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside a rule to use the node_security_group as its source
cluster_security_group_description (string, default "EKS cluster security group", optional)
    Description of the cluster security group created
cluster_security_group_id (string, default "", optional)
    Security group to use if creation of the cluster security group is turned off
cluster_security_group_name (string, default null, optional)
    Name to use on the cluster security group created
cluster_security_group_tags (map(string), default {}, optional)
    Additional tags to add to the cluster security group created
cluster_security_group_use_name_prefix (bool, default true, optional)
    Whether cluster_security_group_name is used as a prefix
cluster_service_ipv4_cidr (string, default null, optional)
    The CIDR block to assign Kubernetes service IP addresses from. If unset, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR block
cluster_service_ipv6_cidr (string, default null, optional)
    The IPv6 CIDR block to assign Kubernetes service IP addresses from
cluster_timeouts (map(string), default {}, optional)
    Create, update, and delete timeout configurations for the cluster
cluster_version (string, default "1.24", optional)
    Kubernetes <major>.<minor> version to use for the EKS cluster (e.g. 1.24)
control_plane_subnet_ids (list(string), default [], optional)
    Subnet IDs where the EKS control plane ENIs are provisioned. Lets the pool of subnets used by nodes/node groups grow without replacing the control plane
create_cloudwatch_log_group (bool, default false, optional)
    Whether this module creates a log group for the cluster logs. If not, AWS creates one automatically when logging is enabled
create_cluster_security_group (bool, default true, optional)
    Toggle to create or assign the cluster security group
create_eks (bool, default true, optional)
    Create the EKS cluster
create_iam_role (bool, default true, optional)
    Whether an IAM role is created or an existing IAM role is used
create_node_security_group (bool, default true, optional)
    Whether to create a security group for the node groups or use the existing node_security_group_id
custom_oidc_thumbprints (list(string), default [], optional)
    Additional server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)
eks_readiness_timeout (number, default 600, optional)
    Maximum time (in seconds) to wait for the EKS API server endpoint to become healthy
emr_on_eks_teams (any, default {}, optional)
    EMR on EKS teams configuration
enable_cluster_encryption (bool, default true, optional)
    Whether cluster encryption is enabled
enable_emr_on_eks (bool, default false, optional)
    Enable EMR on EKS
enable_irsa (bool, default true, optional)
    Whether to create an OpenID Connect provider for EKS to enable IRSA
enable_windows_support (bool, default false, optional)
    Enable Windows support
fargate_profiles (any, default {}, optional)
    Fargate profile configuration
iam_role_additional_policies (list(string), default [], optional)
    Additional policies to attach to the cluster IAM role
iam_role_arn (string, default null, optional)
    Existing IAM role ARN for the cluster. Required if create_iam_role is set to false
iam_role_description (string, default null, optional)
    Description of the role
iam_role_name (string, default null, optional)
    Name to use on the IAM role created
iam_role_path (string, default null, optional)
    Cluster IAM role path
iam_role_permissions_boundary (string, default null, optional)
    ARN of the policy used as the permissions boundary for the IAM role
managed_node_groups (any, default {}, optional)
    Managed node groups configuration
map_accounts (list(string), default [], optional)
    Additional AWS account numbers to add to the aws-auth ConfigMap
map_roles (list(object({ rolearn = string, username = string, groups = list(string) })), default [], optional)
    Additional IAM roles to add to the aws-auth ConfigMap
map_users (list(object({ userarn = string, username = string, groups = list(string) })), default [], optional)
    Additional IAM users to add to the aws-auth ConfigMap
node_security_group_additional_rules (any, default {}, optional)
    Additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside a rule to use the cluster_security_group as its source
node_security_group_description (string, default "EKS node shared security group", optional)
    Description of the node security group created
node_security_group_name (string, default null, optional)
    Name to use on the node security group created
node_security_group_tags (map(string), default {}, optional)
    Additional tags to add to the node security group created
node_security_group_use_name_prefix (bool, default true, optional)
    Whether node_security_group_name is used as a prefix
openid_connect_audiences (list(string), default [], optional)
    OpenID Connect audience client IDs to add to the IRSA provider
platform_teams (any, default {}, optional)
    Map of maps of platform teams to create
private_subnet_ids (list(string), default [], optional)
    Private subnet IDs for the cluster and worker nodes
public_subnet_ids (list(string), default [], optional)
    Public subnet IDs for the worker nodes
self_managed_node_groups (any, default {}, optional)
    Self-managed node groups configuration
tags (map(string), default {}, optional)
    Additional tags (e.g. { BusinessUnit = "XYZ" })
vpc_id (string, required)
    VPC ID
worker_additional_security_group_ids (list(string), default [], optional)
    Additional security group IDs to attach to worker instances
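The inputs above leave several security-relevant settings at permissive defaults (public API endpoint open to 0.0.0.0/0, no module-owned log group, 90-day log retention). The following root module is an added example, not code from this repository or its examples directory; it calls the blueprint with those inputs pinned to a hardened baseline and adds a variable validation that fails the plan if the 0.0.0.0/0 default leaks back in. The ?ref= pin, region, VPC and subnet IDs, account ID and role ARN are placeholders, and node groups are omitted because their schema is not documented on this page.

```hcl
# Added example (not this repository's code): a root module calling the blueprint
# with the security-relevant inputs set deliberately. Placeholders that are
# assumptions: the ?ref= pin, region, VPC/subnet IDs, account ID and role ARN.

terraform {
  required_version = ">= 1.0.0"
}

provider "aws" {
  region = "us-east-1" # assumption: any region where EKS is available
}

# Allow-list for the public API endpoint. The validation rejects the module's
# own 0.0.0.0/0 default, so the API server cannot be exposed by omission.
variable "api_allowed_cidrs" {
  description = "IPv4 CIDR blocks allowed to reach the EKS public API endpoint"
  type        = list(string)
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range, stands in for a VPN/office egress range

  validation {
    condition     = length(var.api_allowed_cidrs) > 0 && !contains(var.api_allowed_cidrs, "0.0.0.0/0")
    error_message = "api_allowed_cidrs must be non-empty and must not contain 0.0.0.0/0; narrow it or set cluster_endpoint_public_access = false."
  }
}

module "eks_blueprints" {
  # Assumption: pin to a released tag or commit of this repository, never a moving branch.
  source = "github.com/haicasgox/terraform-aws-eks-blueprints?ref=<tag-or-commit>"

  cluster_name    = "hardened-eks"
  cluster_version = "1.24"

  vpc_id             = "vpc-0123456789abcdef0"                                  # placeholder
  private_subnet_ids = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"] # placeholders

  # Endpoint exposure: private endpoint on for in-VPC clients, public endpoint
  # limited to the validated allow-list instead of the 0.0.0.0/0 default.
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.api_allowed_cidrs

  # Secrets encryption with the KMS key the module creates (cluster_kms_key_arn
  # left unset). Keep the 30-day deletion window so an accidental key deletion
  # can still be cancelled, and grant no extra kms:* administrators.
  enable_cluster_encryption               = true
  cluster_kms_key_deletion_window_in_days = 30
  cluster_kms_key_additional_admin_arns   = []

  # Control plane audit trail: all five log types (the module default, spelled
  # out so a later edit cannot drop "audit" unnoticed) into a module-owned log
  # group retained well beyond the 90-day default.
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_retention_in_days = 365

  # IRSA: pods get scoped IAM roles instead of inheriting the node instance profile.
  enable_irsa = true

  # aws-auth: one break-glass role in system:masters. Routine access should come
  # through platform_teams / application_teams with narrower groups.
  map_roles = [
    {
      rolearn  = "arn:aws:iam::111122223333:role/eks-breakglass-admin" # placeholder account and role
      username = "breakglass-admin"
      groups   = ["system:masters"]
    }
  ]

  tags = {
    BusinessUnit = "platform"
    Environment  = "prod"
  }
}

# The module writes the aws-auth ConfigMap, so the kubernetes provider listed
# under Requirements must be wired to the new cluster from the module outputs.
provider "kubernetes" {
  host                   = module.eks_blueprints.eks_cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
  }
}

output "configure_kubectl" {
  description = "Command to update the local kubeconfig for the new cluster"
  value       = module.eks_blueprints.configure_kubectl
}
```

Run `terraform plan -var='api_allowed_cidrs=["0.0.0.0/0"]'` to confirm the validation fails before anything is created; the helm and kubectl providers from the Requirements table take the same host, CA and exec settings as the kubernetes provider block when add-ons are enabled.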

Outputs

Name
    Description

cluster_primary_security_group_id
    Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console
cluster_security_group_arn
    Amazon Resource Name (ARN) of the cluster security group
cluster_security_group_id
    EKS control plane security group ID
configure_kubectl
    Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig
eks_cluster_arn
    Amazon EKS cluster ARN
eks_cluster_certificate_authority_data
    Base64-encoded certificate data required to communicate with the cluster
eks_cluster_endpoint
    Endpoint for your Kubernetes API server
eks_cluster_id
    Amazon EKS cluster name
eks_cluster_status
    Amazon EKS cluster status
eks_cluster_version
    The Kubernetes version for the cluster
eks_oidc_issuer_url
    The URL of the EKS cluster OIDC issuer
eks_oidc_provider_arn
    The ARN of the OIDC provider if enable_irsa = true
emr_on_eks_role_arn
    IAM execution role ARN for EMR on EKS
emr_on_eks_role_id
    IAM execution role ID for EMR on EKS
fargate_profiles
    Outputs from EKS Fargate profiles
fargate_profiles_aws_auth_config_map
    Fargate profiles aws-auth map
fargate_profiles_iam_role_arns
    IAM role ARNs for Fargate profiles
managed_node_group_arn
    Managed node group ARNs
managed_node_group_aws_auth_config_map
    Managed node groups aws-auth map
managed_node_group_iam_instance_profile_arns
    IAM instance profile ARNs of managed node groups
managed_node_group_iam_instance_profile_id
    IAM instance profile IDs of managed node groups
managed_node_group_iam_role_arns
    IAM role ARNs of managed node groups
managed_node_group_iam_role_names
    IAM role names of managed node groups
managed_node_groups
    Outputs from EKS managed node groups
managed_node_groups_id
    EKS managed node group IDs
managed_node_groups_status
    EKS managed node group status
oidc_provider
    The OpenID Connect identity provider (issuer URL without the leading https://)
self_managed_node_group_autoscaling_groups
    Autoscaling group names of self-managed node groups
self_managed_node_group_aws_auth_config_map
    Self-managed node groups aws-auth map
self_managed_node_group_iam_instance_profile_id
    IAM instance profile IDs of self-managed node groups
self_managed_node_group_iam_role_arns
    IAM role ARNs of self-managed node groups
self_managed_node_groups
    Outputs from EKS self-managed node groups
teams
    Outputs from the platform and application teams module
windows_node_group_aws_auth_config_map
    Windows node groups aws-auth map
worker_node_security_group_arn
    Amazon Resource Name (ARN) of the worker node shared security group
worker_node_security_group_id
    ID of the worker node shared security group

Security

See CONTRIBUTING for more information.

License

Apache-2.0 licensed. See LICENSE.
