isovalent/terraform-aws-eks

Repository files navigation

terraform-aws-eks

An opinionated Terraform module that can be used to create and manage an EKS cluster in AWS in a simplified way.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 4.31.0 |
| null | >= 3.1.1 |
| tls | < 4.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.31.0 |
| null | >= 3.1.1 |
| tls | < 4.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| iam_assumable_role_aws_ebs_csi_driver | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_aws_load_balancer_controller | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_cert_manager | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_cluster_autoscaler | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_external_dns | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_log_shipping | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_phlare | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_velero | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.9.2 |
| main | terraform-aws-modules/eks/aws | 19.4.2 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.aws_ebs_csi_driver | resource |
| aws_iam_policy.aws_load_balancer_controller | resource |
| aws_iam_policy.cert_manager | resource |
| aws_iam_policy.cluster_autoscaler | resource |
| aws_iam_policy.external_dns | resource |
| aws_iam_policy.log_shipping | resource |
| aws_iam_policy.phlare | resource |
| aws_iam_policy.velero | resource |
| aws_instance.echo-server | resource |
| aws_key_pair.ssh_access | resource |
| aws_s3_bucket.log_shipping | resource |
| aws_s3_bucket.phlare | resource |
| aws_s3_bucket.velero | resource |
| aws_s3_bucket_acl.log_shipping | resource |
| aws_s3_bucket_acl.phlare | resource |
| aws_s3_bucket_acl.velero | resource |
| aws_s3_bucket_lifecycle_configuration.velero | resource |
| aws_s3_bucket_ownership_controls.log_shipping_ownership_controls | resource |
| aws_s3_bucket_ownership_controls.phlare_ownership_controls | resource |
| aws_s3_bucket_ownership_controls.velero_ownership_controls | resource |
| aws_s3_bucket_public_access_block.log_shipping_block_public_access | resource |
| aws_s3_bucket_public_access_block.phlare_block_public_access | resource |
| aws_s3_bucket_public_access_block.velero_block_public_access | resource |
| aws_security_group_rule.cluster_to_workers_ingress_all | resource |
| aws_security_group_rule.workers_egress_dns_tcp | resource |
| aws_security_group_rule.workers_egress_dns_udp | resource |
| aws_security_group_rule.workers_egress_http | resource |
| aws_security_group_rule.workers_egress_ssh | resource |
| aws_security_group_rule.workers_to_workers_egress_all | resource |
| aws_security_group_rule.workers_to_workers_ingress_all | resource |
| null_resource.disable_aws_vpc_cni_plugin | resource |
| null_resource.kubeconfig | resource |
| null_resource.wait_for_control_plane_subnets | resource |
| tls_private_key.ssh_key | resource |
| aws_ami.ubuntu | data source |
| aws_ami.workers | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.log_shipping | data source |
| aws_iam_policy_document.phlare | data source |
| aws_iam_policy_document.velero | data source |
| aws_subnets.eks_control_plane | data source |
| aws_subnets.private | data source |
| aws_subnets.public | data source |
| aws_vpc.vpc | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allow_imdsv1 | Whether to allow IMDSv1 on worker nodes (insecure). Leave it 'false' so that IMDSv2 session tokens are required. | `bool` | `false` | no |
| ami_owners | The list of acceptable owners of AMIs to be used for worker nodes. | `list(string)` | `["099720109477", "679593333241", "amazon", "self"]` | no |
| aws_ebs_csi_driver_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'aws-ebs-csi-driver' role using OpenID Connect. | `list(string)` | `[]` | no |
| aws_load_balancer_controller_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'aws-load-balancer-controller' role using OpenID Connect. | `list(string)` | `[]` | no |
| cert_manager_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'cert-manager' role using OpenID Connect. | `list(string)` | `[]` | no |
| cluster_autoscaler_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'cluster-autoscaler' role using OpenID Connect. | `list(string)` | `[]` | no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. | `string` | `null` | no |
| control_plane_subnet_ids | Can be used to override the list of subnet IDs to use for the EKS control plane. If not defined, subnets tagged with 'eks-control-plane: true' will be used. | `list(string)` | `[]` | no |
| disable_aws_vpc_cni_plugin | Whether to disable the AWS VPC CNI plugin. Unless running in chaining mode (where the VPC CNI stays in place), this should be 'true'. | `bool` | n/a | yes |
| echo_server_instance_enabled | Whether to create an EC2 instance outside the cluster that can act as 'echo-server'. | `bool` | `false` | no |
| echo_server_instance_user_data | The user data script to use for the 'echo-server' instance. | `string` | `""` | no |
| external_dns_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'external-dns' role using OpenID Connect. | `list(string)` | `[]` | no |
| include_public_subnets | Whether to include public subnets in the list of subnets usable by the EKS cluster. | `bool` | `true` | no |
| kubernetes_version | The version of Kubernetes/EKS to use. | `string` | n/a | yes |
| log_shipping_bucket_name | The name of the S3 bucket that will be used to store logs. | `string` | `""` | no |
| log_shipping_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'log-shipping' role using OpenID Connect. | `list(string)` | `[]` | no |
| manage_aws_auth_configmap | Whether the upstream 'terraform-aws-eks' module should manage the 'kube-system/aws-auth' configmap. If using Flux, this should probably be 'false'; otherwise it should probably be 'true'. | `bool` | `true` | no |
| name | The name of the EKS cluster. | `string` | n/a | yes |
| phlare_bucket_name | The name of the S3 bucket that will be used by Phlare. | `string` | `""` | no |
| phlare_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'phlare' role using OpenID Connect. | `list(string)` | `[]` | no |
| region | The region in which to create the EKS cluster. | `string` | n/a | yes |
| self_managed_node_groups | A map describing the set of self-managed node groups to create. Other types of node groups besides self-managed are currently not supported. | <pre>map(object({<br>  platform                     = optional(string)<br>  ami_name_filter              = string<br>  extra_tags                   = map(string)<br>  instance_type                = string<br>  kubelet_extra_args           = string<br>  max_nodes                    = number<br>  min_nodes                    = number<br>  name                         = string<br>  pre_bootstrap_user_data      = string<br>  post_bootstrap_user_data     = string<br>  root_volume_id               = string<br>  root_volume_size             = number<br>  root_volume_type             = string<br>  subnet_ids                   = list(string)<br>  iam_role_additional_policies = map(string)<br>  iam_role_use_name_prefix     = optional(bool, true)<br>  key_name                     = optional(string)<br>}))</pre> | n/a | yes |
| tags | The set of tags to place on the EKS cluster. | `map(string)` | n/a | yes |
| velero_bucket_name | The name of the S3 bucket that will be used to upload Velero backups. | `string` | `""` | no |
| velero_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'velero' role using OpenID Connect. | `list(string)` | `[]` | no |
| vpc_id | The ID of the VPC in which to create the EKS cluster. | `string` | n/a | yes |
| worker_node_additional_policies | A list of additional IAM policies to attach to the worker node roles. | `list(string)` | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| aws_ebs_csi_driver_role_arn | n/a |
| aws_load_balancer_controller_role_arn | n/a |
| cert_manager_role_arn | n/a |
| cluster_arn | n/a |
| cluster_autoscaler_role_arn | n/a |
| cluster_endpoint | n/a |
| cluster_version | n/a |
| external_dns_role_arn | n/a |
| id | n/a |
| log_shipping_bucket_name | n/a |
| log_shipping_role_arn | n/a |
| oidc_provider_arn | n/a |
| oidc_provider_url | n/a |
| path_to_kubeconfig_file | n/a |
| ssh_key_name | n/a |
| ssh_private_key_pem | n/a. The key pair is generated by `tls_private_key.ssh_key`, so this PEM is stored in clear text in the Terraform state; treat the state backend as sensitive. |
| workers_iam_role_arns | n/a |
| workers_security_group_id | n/a |
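As an added example (not code from the isovalent/terraform-aws-eks repository), the following root module wires the required inputs listed above, keeps the IMDSv1 and VPC CNI settings explicit, scopes every IRSA role to a single ServiceAccount subject, and consumes one of the role ARN outputs. The GitHub source reference, the VPC and subnet IDs, the AMI name filter and root device name, the bucket name and the ServiceAccount names are assumptions, not values taken from this page; `system:serviceaccount:<namespace>:<name>` is the subject format that IAM Roles for Service Accounts trust policies match on.

```hcl
# Added example; it is not code from the isovalent/terraform-aws-eks repository.
# Assumed (not stated on the page): the module is consumed from its GitHub
# source, the VPC and its subnets already exist (control-plane subnets tagged
# 'eks-control-plane: true'), the AMI name filter and root device name match
# the Amazon EKS-optimized Amazon Linux 2 AMI, and the ServiceAccount names
# below are the ones the corresponding Helm charts use.

locals {
  # One ServiceAccount per IAM role. Keeping the mapping in one place means the
  # OIDC trust policy and the Kubernetes ServiceAccount cannot drift apart.
  irsa = {
    aws_ebs_csi_driver           = { namespace = "kube-system", service_account = "ebs-csi-controller-sa" }
    aws_load_balancer_controller = { namespace = "kube-system", service_account = "aws-load-balancer-controller" }
    cert_manager                 = { namespace = "cert-manager", service_account = "cert-manager" }
    cluster_autoscaler           = { namespace = "kube-system", service_account = "cluster-autoscaler" }
    external_dns                 = { namespace = "external-dns", service_account = "external-dns" }
    velero                       = { namespace = "velero", service_account = "velero" }
  }

  # The fully qualified subject an IRSA trust policy matches on. No wildcards:
  # each role is assumable by exactly one ServiceAccount.
  subject = {
    for k, v in local.irsa : k => "system:serviceaccount:${v.namespace}:${v.service_account}"
  }
}

module "eks" {
  source = "github.com/isovalent/terraform-aws-eks" # assumed source reference

  name               = "cilium-demo"
  region             = "eu-west-1"
  vpc_id             = "vpc-0123456789abcdef0" # assumed ID
  kubernetes_version = "1.27"

  tags = {
    environment = "demo"
    owner       = "platform-team"
  }

  # Replace the AWS VPC CNI; set this to false only when running in chaining mode.
  disable_aws_vpc_cni_plugin = true

  # Keep IMDSv1 disabled on worker nodes (this is the default; stated for emphasis).
  allow_imdsv1 = false

  # Keep public subnets out of the cluster's usable subnet list.
  include_public_subnets = false

  # Flux owns 'kube-system/aws-auth' in this setup, so the upstream module must not.
  manage_aws_auth_configmap = false

  # Each role trusts exactly one ServiceAccount subject.
  aws_ebs_csi_driver_oidc_fully_qualified_subjects           = [local.subject.aws_ebs_csi_driver]
  aws_load_balancer_controller_oidc_fully_qualified_subjects = [local.subject.aws_load_balancer_controller]
  cert_manager_oidc_fully_qualified_subjects                 = [local.subject.cert_manager]
  cluster_autoscaler_oidc_fully_qualified_subjects           = [local.subject.cluster_autoscaler]
  external_dns_oidc_fully_qualified_subjects                 = [local.subject.external_dns]
  velero_oidc_fully_qualified_subjects                       = [local.subject.velero]

  # Velero backups go to a bucket the module creates with public access blocked.
  velero_bucket_name = "cilium-demo-velero-backups" # assumed name

  self_managed_node_groups = {
    default = {
      name                         = "default"
      ami_name_filter              = "amazon-eks-node-1.27-*" # assumed; must match an AMI from one of 'ami_owners'
      instance_type                = "m6i.large"
      min_nodes                    = 2
      max_nodes                    = 5
      kubelet_extra_args           = "--node-labels=node.kubernetes.io/role=worker"
      pre_bootstrap_user_data      = ""
      post_bootstrap_user_data     = ""
      root_volume_id               = "/dev/xvda" # assumed root device name for the AL2 AMI
      root_volume_size             = 100
      root_volume_type             = "gp3"
      subnet_ids                   = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # assumed IDs
      extra_tags                   = {}
      iam_role_additional_policies = {}
      # 'platform', 'iam_role_use_name_prefix' and 'key_name' are optional and left unset.
    }
  }
}

# Bind the Velero role to the ServiceAccount it was scoped to, using the module's
# output so the ARN is never copied by hand. Requires the 'kubernetes' provider to
# be configured against the new cluster (assumed).
resource "kubernetes_service_account" "velero" {
  metadata {
    name      = local.irsa.velero.service_account
    namespace = local.irsa.velero.namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = module.eks.velero_role_arn
    }
  }
}
```

The `kubernetes_service_account` resource assumes the Velero chart is installed with its own ServiceAccount creation disabled; otherwise annotate the chart-created account with `module.eks.velero_role_arn` instead. Because the module generates the SSH key pair with `tls_private_key.ssh_key`, `module.eks.ssh_private_key_pem` lands in the state file in clear text, so the state backend has to be protected like any other secret store.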
