Terraform module to create an Elastic Kubernetes (EKS) cluster and associated worker instances on AWS

opensource-terraform-modules/terraform-aws-eks

Terraform module which creates AWS EKS (Kubernetes) resources

External Documentation

Please note that we strive to provide a comprehensive suite of documentation for configuring and utilizing the module(s) defined here, and that documentation regarding EKS (including EKS managed node groups, self managed node groups, and Fargate profiles) and/or Kubernetes features, usage, etc. is better left to their respective sources:

Available Features

  • AWS EKS Cluster Addons
  • AWS EKS Identity Provider Configuration
  • All node types are supported:
  • Support for custom AMI, custom launch template, and custom user data including custom user data template
  • Support for Amazon Linux 2 EKS Optimized AMI and Bottlerocket nodes
    • Windows based node support is limited to a default user data template that is provided due to the lack of Windows support and manual steps required to provision Windows based EKS nodes
  • Support for module created security group, bring your own security groups, as well as adding additional security group rules to the module created security group(s)
  • Support for creating node groups/profiles separate from the cluster through the use of sub-modules (same as what is used by root module)
  • Support for node group/profile "default" settings - useful when creating multiple node groups/Fargate profiles where you want to set a common set of configurations once, and then individually control only select features on certain node groups/profiles

An IAM role for service accounts (IRSA) sub-module has been created to make deploying common addons/controllers easier. Instead of users having to create a custom IAM role with the federated role assumption required for IRSA, and then find and craft the policy required for the addon/controller, users can create the IRSA role and policy with a few lines of code. See the terraform-aws-iam/examples/iam-role-for-service-accounts directory for examples of how to use the IRSA sub-module in conjunction with this (terraform-aws-eks) module.

Some of the addon/controller policies that are currently supported include:

See terraform-aws-iam/modules/iam-role-for-service-accounts for the current list of supported addon/controller policies, as more are added to the project.

Usage

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.21"

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  cluster_encryption_config = [{
    provider_key_arn = "ac01234b-00d9-40f6-ac95-e42345f78b00"
    resources        = ["secrets"]
  }]

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  # Self Managed Node Group(s)
  self_managed_node_group_defaults = {
    instance_type                          = "m6i.large"
    update_launch_template_default_version = true
    iam_role_additional_policies = [
      "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    ]
  }

  self_managed_node_groups = {
    one = {
      name         = "mixed-1"
      max_size     = 5
      desired_size = 2

      use_mixed_instances_policy = true
      mixed_instances_policy = {
        instances_distribution = {
          on_demand_base_capacity                  = 0
          on_demand_percentage_above_base_capacity = 10
          spot_allocation_strategy                 = "capacity-optimized"
        }

        override = [
          {
            instance_type     = "m5.large"
            weighted_capacity = "1"
          },
          {
            instance_type     = "m6i.large"
            weighted_capacity = "2"
          },
        ]
      }
    }
  }

  # EKS Managed Node Group(s)
  eks_managed_node_group_defaults = {
    disk_size      = 50
    instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
  }

  eks_managed_node_groups = {
    blue = {}
    green = {
      min_size     = 1
      max_size     = 10
      desired_size = 1

      instance_types = ["t3.large"]
      capacity_type  = "SPOT"
    }
  }

  # Fargate Profile(s)
  fargate_profiles = {
    default = {
      name = "default"
      selectors = [
        {
          namespace = "default"
        }
      ]
    }
  }

  # aws-auth configmap
  manage_aws_auth_configmap = true

  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::66666666666:role/role1"
      username = "role1"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_users = [
    {
      userarn  = "arn:aws:iam::66666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
    {
      userarn  = "arn:aws:iam::66666666666:user/user2"
      username = "user2"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_accounts = [
    "777777777777",
    "888888888888",
  ]

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```
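As an added example that is not part of this README, the module call below shows a hardened variant of the usage above, built only from inputs listed in this README: a private-only API endpoint instead of the default public endpoint open to `0.0.0.0/0`, all control plane log types in a KMS-encrypted log group, secrets encryption, a permissions boundary on the cluster role, and `system:masters` limited to a single admin role. The `aws_kms_key.eks` resource, the boundary policy ARN and the role ARNs are placeholders assumed to exist in your configuration.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.21"

  # Expose the API server only inside the VPC. If a public endpoint is
  # unavoidable, enable it and replace the module default
  # cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"] with an allow-list.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # The module default ships only audit/api/authenticator logs; enable all
  # control plane log types, keep them a year, and encrypt the log group.
  cluster_enabled_log_types = [
    "api", "audit", "authenticator", "controllerManager", "scheduler"
  ]
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_retention_in_days = 365
  cloudwatch_log_group_kms_key_id        = aws_kms_key.eks.arn # assumed KMS key resource

  # Envelope-encrypt Kubernetes Secrets at rest with the same CMK.
  cluster_encryption_config = [{
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }]

  # Bound the cluster role so iam_role_additional_policies cannot exceed it.
  iam_role_permissions_boundary = "arn:aws:iam::111111111111:policy/eks-boundary" # placeholder ARN

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  # Grant system:masters to one dedicated admin role only; everyone else
  # maps to a group that your own RBAC bindings scope (placeholder ARNs).
  manage_aws_auth_configmap = true
  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::111111111111:role/eks-admin"
      username = "eks-admin"
      groups   = ["system:masters"]
    },
    {
      rolearn  = "arn:aws:iam::111111111111:role/eks-developer"
      username = "eks-developer"
      groups   = ["developers"]
    },
  ]
}
```

With the public endpoint disabled, the `kubernetes` provider that writes the aws-auth configmap must run from a host that can reach the private endpoint (for example a VPC-attached CI runner). The `developers` group grants nothing until you bind it with your own RoleBinding or ClusterRoleBinding.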

Examples

Contributing

We are grateful to the community for contributing bugfixes and improvements! Please see below to learn how you can take part.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.1 |
| aws | >= 3.72 |
| kubernetes | >= 2.10 |
| tls | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.72 |
| kubernetes | >= 2.10 |
| tls | >= 3.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| eks_managed_node_group | ./modules/eks-managed-node-group | n/a |
| fargate_profile | ./modules/fargate-profile | n/a |
| self_managed_node_group | ./modules/self-managed-node-group | n/a |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_ec2_tag.cluster_primary_security_group | resource |
| aws_eks_addon.this | resource |
| aws_eks_cluster.this | resource |
| aws_eks_identity_provider_config.this | resource |
| aws_iam_openid_connect_provider.oidc_provider | resource |
| aws_iam_policy.cluster_encryption | resource |
| aws_iam_policy.cni_ipv6_policy | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.cluster_encryption | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_security_group.cluster | resource |
| aws_security_group.node | resource |
| aws_security_group_rule.cluster | resource |
| aws_security_group_rule.node | resource |
| kubernetes_config_map.aws_auth | resource |
| kubernetes_config_map_v1_data.aws_auth | resource |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.cni_ipv6_policy | data source |
| aws_partition.current | data source |
| tls_certificate.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| attach_cluster_encryption_policy | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | `bool` | `true` | no |
| aws_auth_accounts | List of account maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
| aws_auth_fargate_profile_pod_execution_role_arns | List of Fargate profile pod execution role ARNs to add to the aws-auth configmap | `list(string)` | `[]` | no |
| aws_auth_node_iam_role_arns_non_windows | List of non-Windows based node IAM role ARNs to add to the aws-auth configmap | `list(string)` | `[]` | no |
| aws_auth_node_iam_role_arns_windows | List of Windows based node IAM role ARNs to add to the aws-auth configmap | `list(string)` | `[]` | no |
| aws_auth_roles | List of role maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
| aws_auth_users | List of user maps to add to the aws-auth configmap | `list(any)` | `[]` | no |
| cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention - 90 days | `number` | `90` | no |
| cluster_additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no |
| cluster_addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
| cluster_enabled_log_types | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `["audit", "api", "authenticator"]` | no |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster | `list(object({ provider_key_arn = string, resources = list(string) }))` | `[]` | no |
| cluster_encryption_policy_description | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| cluster_encryption_policy_name | Name to use on cluster encryption policy created | `string` | `null` | no |
| cluster_encryption_policy_path | Cluster encryption policy path | `string` | `null` | no |
| cluster_encryption_policy_tags | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no |
| cluster_encryption_policy_use_name_prefix | Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix | `string` | `true` | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_iam_role_dns_suffix | Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China) | `string` | `null` | no |
| cluster_identity_providers | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
| cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created | `string` | `null` | no |
| cluster_name | Name of the EKS cluster | `string` | `""` | no |
| cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | `any` | `{}` | no |
| cluster_security_group_description | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
| cluster_security_group_id | Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group = false` | `string` | `""` | no |
| cluster_security_group_name | Name to use on cluster security group created | `string` | `null` | no |
| cluster_security_group_tags | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no |
| cluster_security_group_use_name_prefix | Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix | `string` | `true` | no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| cluster_tags | A map of additional tags to add to the cluster | `map(string)` | `{}` | no |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no |
| cluster_version | Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.21`) | `string` | `null` | no |
| create | Controls if EKS resources should be created (affects nearly all resources) | `bool` | `true` | no |
| create_aws_auth_configmap | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
| create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
| create_cluster_primary_security_group_tags | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
| create_cluster_security_group | Determines if a security group is created for the cluster or use the existing `cluster_security_group_id` | `bool` | `true` | no |
| create_cni_ipv6_iam_policy | Determines whether to create an `AmazonEKS_CNI_IPv6_Policy` | `bool` | `false` | no |
| create_iam_role | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
| create_node_security_group | Determines whether to create a security group for the node groups or use the existing `node_security_group_id` | `bool` | `true` | no |
| custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | `list(string)` | `[]` | no |
| eks_managed_node_group_defaults | Map of EKS managed node group default configurations | `any` | `{}` | no |
| eks_managed_node_groups | Map of EKS managed node group definitions to create | `any` | `{}` | no |
| enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
| fargate_profile_defaults | Map of Fargate Profile default configurations | `any` | `{}` | no |
| fargate_profiles | Map of Fargate Profile definitions to create | `any` | `{}` | no |
| iam_role_additional_policies | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
| iam_role_arn | Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
| iam_role_description | Description of the role | `string` | `null` | no |
| iam_role_name | Name to use on IAM role created | `string` | `null` | no |
| iam_role_path | Cluster IAM role path | `string` | `null` | no |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| iam_role_tags | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| iam_role_use_name_prefix | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
| manage_aws_auth_configmap | Determines whether to manage the aws-auth configmap | `bool` | `false` | no |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source | `any` | `{}` | no |
| node_security_group_description | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
| node_security_group_id | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
| node_security_group_name | Name to use on node security group created | `string` | `null` | no |
| node_security_group_tags | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
| node_security_group_use_name_prefix | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `string` | `true` | no |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
| prefix_separator | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
| self_managed_node_group_defaults | Map of self-managed node group default configurations | `any` | `{}` | no |
| self_managed_node_groups | Map of self-managed node group definitions to create | `any` | `{}` | no |
| subnet_ids | A list of subnet IDs where the EKS cluster (ENIs) will be provisioned along with the nodes/node groups. Node groups can be deployed within a different set of subnet IDs from within the node group configuration | `list(string)` | `[]` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| vpc_id | ID of the VPC where the cluster and its nodes will be provisioned | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| aws_auth_configmap_yaml | [DEPRECATED - use `var.manage_aws_auth_configmap`] Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles |
| cloudwatch_log_group_arn | Arn of cloudwatch log group created |
| cloudwatch_log_group_name | Name of cloudwatch log group created |
| cluster_addons | Map of attribute maps for all EKS cluster addons enabled |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| cluster_endpoint | Endpoint for your Kubernetes API server |
| cluster_iam_role_arn | IAM role ARN of the EKS cluster |
| cluster_iam_role_name | IAM role name of the EKS cluster |
| cluster_iam_role_unique_id | Stable and unique string identifying the IAM role |
| cluster_id | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready |
| cluster_identity_providers | Map of attribute maps for all EKS identity providers enabled |
| cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_platform_version | Platform version for the cluster |
| cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| cluster_security_group_arn | Amazon Resource Name (ARN) of the cluster security group |
| cluster_security_group_id | ID of the cluster security group |
| cluster_status | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
| cluster_version | The Kubernetes version for the cluster |
| eks_managed_node_groups | Map of attribute maps for all EKS managed node groups created |
| eks_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by EKS managed node groups |
| fargate_profiles | Map of attribute maps for all EKS Fargate Profiles created |
| node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| node_security_group_id | ID of the node shared security group |
| oidc_provider | The OpenID Connect identity provider (issuer URL without leading `https://`) |
| oidc_provider_arn | The ARN of the OIDC Provider if `enable_irsa = true` |
| self_managed_node_groups | Map of attribute maps for all self managed node groups created |
| self_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by self-managed node groups |

License

Apache 2 Licensed. See LICENSE for full details.
