Component: eks
This component is responsible for provisioning an end-to-end EKS cluster, including managed node groups and Spotinst Ocean node pools.
Usage
Stack Level: Regional
Here’s an example snippet for how to use this component.
```yaml
components:
  terraform:
    eks:
      vars:
        cluster_kubernetes_version: "1.19"
        region_availability_zones: ["us-east-1b", "us-east-1c", "us-east-1d"]
        spotinst_instance_profile: example-gbl-dev-spotinst-worker
        map_additional_worker_roles: ["arn:aws:iam::xxxxxxxxxx:role/example-ue1-dev-spotinst-worker"]
        public_access_cidrs: ["72.107.0.0/24"]
        spotinst_oceans:
          main: &standard_node_group
            desired_group_size: 1
            max_group_size: 10
            min_group_size: 1
            # Can only set one of ami_release_version or kubernetes_version
            # Leave both null to use latest AMI for Cluster Kubernetes version
            kubernetes_version: null # use cluster Kubernetes version
            ami_release_version: null # use latest AMI for Kubernetes version
            attributes: null
            disk_size: 100
            instance_types: null
            ami_type: null # use "AL2_x86_64" for standard instances, "AL2_x86_64_GPU" for GPU instances
            tags: null
```
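As an added example (not part of the upstream component's README), here is the same stack snippet with the control plane hardened using the inputs documented under Inputs: the public API endpoint is limited to known CIDRs instead of the EKS default of 0.0.0.0/0, the private endpoint is enabled so in-VPC clients never traverse the public one, control plane audit and authenticator logs are enabled and retained, and the IAM OIDC provider is enabled so pods use IAM roles for service accounts rather than node roles. The CIDR ranges, instance profile name and role ARN are placeholders; required inputs such as region, subnet_type_tag_key and node_group_defaults are assumed to be set at another stack level.

```yaml
components:
  terraform:
    eks:
      vars:
        cluster_kubernetes_version: "1.19"
        region_availability_zones: ["us-east-1b", "us-east-1c", "us-east-1d"]
        # Keep the public endpoint, but only for the office/VPN egress range
        # (placeholder CIDR) instead of the EKS default of 0.0.0.0/0
        cluster_endpoint_public_access: true
        public_access_cidrs: ["203.0.113.0/24"]
        # Nodes and in-VPC tooling reach the API over the private endpoint
        cluster_endpoint_private_access: true
        # Only this VPC-internal range (placeholder) may reach the cluster security group
        allowed_cidr_blocks: ["10.0.0.0/16"]
        # Send control plane logs to CloudWatch; audit and authenticator are the
        # log types incident response relies on; keep them for 90 days
        enabled_cluster_log_types: ["api", "audit", "authenticator"]
        cluster_log_retention_period: 90
        # IAM roles for service accounts instead of kiam/kube2iam or shared node roles
        oidc_provider_enabled: true
        spotinst_instance_profile: example-gbl-dev-spotinst-worker
        map_additional_worker_roles: ["arn:aws:iam::xxxxxxxxxx:role/example-ue1-dev-spotinst-worker"]
        spotinst_oceans:
          main:
            desired_group_size: 1
            max_group_size: 10
            min_group_size: 1
            kubernetes_version: null # use cluster Kubernetes version
            ami_release_version: null # use latest AMI for Kubernetes version
            attributes: null
            disk_size: 100
            instance_types: null
            ami_type: null
            tags: null
```

Leaving cluster_endpoint_public_access enabled while public_access_cidrs is still the default 0.0.0.0/0 exposes the API server to the whole internet, so this is the first input to check when reviewing a stack.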
Requirements
Name | Version |
---|---|
terraform | >= 0.13 |
aws | >= 3.0 |
local | >= 1.3 |
template | >= 2.0 |
Providers
Name | Version |
---|---|
terraform | n/a |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_tag_map | Additional tags for appending to tags_as_list_of_maps. Not added to tags. | map(string) | {} | no |
allowed_cidr_blocks | List of CIDR blocks to be allowed to connect to the EKS cluster | list(string) | [] | no |
allowed_security_groups | List of Security Group IDs to be allowed to connect to the EKS cluster | list(string) | [] | no |
apply_config_map_aws_auth | Whether to execute kubectl apply to apply the ConfigMap that allows worker nodes to join the EKS cluster | bool | true | no |
attributes | Additional attributes (e.g. 1) | list(string) | [] | no |
cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Defaults to the AWS EKS resource default, which is false | bool | false | no |
cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Defaults to the AWS EKS resource default, which is true | bool | true | no |
cluster_kubernetes_version | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | string | null | no |
cluster_log_retention_period | Number of days to retain cluster logs. Requires enabled_cluster_log_types to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html | number | 0 | no |
color | The cluster stage represented by a color; e.g. blue, green | string | "" | no |
context | Single object for setting the entire context at once. See the description of individual variables for details. Leave string and numeric variables as null to use the default value. Individual variable settings (non-null) override settings in the context object, except for attributes, tags, and additional_tag_map, which are merged. | object({ enabled = bool, namespace = string, environment = string, stage = string, name = string, delimiter = string, attributes = list(string), tags = map(string), additional_tag_map = map(string), regex_replace_chars = string, label_order = list(string), id_length_limit = number }) | { "additional_tag_map": {}, "attributes": [], "delimiter": null, "enabled": true, "environment": null, "id_length_limit": null, "label_order": [], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {} } | no |
delegated_iam_roles | Delegated IAM roles to add to the config-map-aws-auth ConfigMap | list(object({ role = string, groups = list(string) })) | [] | no |
delimiter | Delimiter to be used between namespace, environment, stage, name and attributes. Defaults to - (hyphen). Set to "" to use no delimiter at all. | string | null | no |
enable_vpn_access | Enable VPN access via the HAL VPN; see the vpn project | bool | false | no |
enabled | Set to false to prevent the module from creating any resources | bool | null | no |
enabled_cluster_log_types | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values: [api, audit, authenticator, controllerManager, scheduler] | list(string) | [] | no |
environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | string | null | no |
iam_primary_roles_stage_name | The name of the stage where the IAM primary roles are provisioned | string | "identity" | no |
iam_roles_environment_name | The name of the environment where the IAM roles are provisioned | string | "gbl" | no |
id_length_limit | Limit id to this many characters. Set to 0 for unlimited length. Set to null for the default, which is 0. Does not affect id_full. | number | null | no |
import_role_arn | IAM Role ARN to use when importing a resource | string | null | no |
label_order | The naming order of the id output and Name tag. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 5 elements, but at least one must be present. | list(string) | null | no |
map_additional_aws_accounts | Additional AWS account numbers to add to the config-map-aws-auth ConfigMap | list(string) | [] | no |
map_additional_iam_users | Additional IAM users to add to the config-map-aws-auth ConfigMap | list(object({ userarn = string, username = string, groups = list(string) })) | [] | no |
name | Solution name, e.g. 'app' or 'jenkins' | string | null | no |
namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string | null | no |
node_group_defaults | Defaults for node groups in the cluster. Set availability_zones to null to use var.region_availability_zones, and kubernetes_version to null to use cluster_kubernetes_version. | object({ availability_zones = list(string), attributes = list(string), create_before_destroy = bool, desired_group_size = number, disk_size = number, enable_cluster_autoscaler = bool, instance_types = list(string), ami_type = string, ami_release_version = string, kubernetes_version = string, kubernetes_labels = map(string), kubernetes_taints = map(string), max_group_size = number, min_group_size = number, resources_to_tag = list(string), tags = map(string) }) | n/a | yes |
node_groups | List of objects defining a node group for the cluster. Fields: availability_zones (one auto scaling group is created in each specified availability zone); attributes (additional attributes, e.g. 1, for the node group); create_before_destroy (true to create new node groups before deleting old ones, avoiding a temporary outage); desired_group_size (desired number of worker nodes when initially provisioned); disk_size (disk size in GiB for worker nodes; Terraform only performs drift detection if a configuration value is provided); enable_cluster_autoscaler (whether to enable the node group to scale its AutoScaling Group); instance_types (set of instance types associated with the EKS Node Group; Terraform only performs drift detection if a configuration value is provided); ami_type (type of Amazon Machine Image (AMI) associated with the EKS Node Group); ami_release_version (EKS AMI version to use, e.g. "1.16.13-20200821", no "v"); kubernetes_labels (key-value mapping of Kubernetes labels; only labels applied with the EKS API are managed by this argument, other labels applied to the EKS Node Group will not be managed); kubernetes_taints (key-value mapping of Kubernetes taints); kubernetes_version (desired Kubernetes master version; if not specified, the latest available version is used); max_group_size (maximum size of the AutoScaling Group); min_group_size (minimum size of the AutoScaling Group); resources_to_tag (list of auto-launched resource types to tag); tags. | map(object({ availability_zones = list(string), attributes = list(string), create_before_destroy = bool, desired_group_size = number, disk_size = number, enable_cluster_autoscaler = bool, instance_types = list(string), ami_type = string, ami_release_version = string, kubernetes_labels = map(string), kubernetes_taints = map(string), kubernetes_version = string, max_group_size = number, min_group_size = number, resources_to_tag = list(string), tags = map(string) })) | null | no |
oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster; you can then create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | n/a | yes |
primary_iam_roles | Primary IAM roles to add to the config-map-aws-auth ConfigMap | list(object({ role = string, groups = list(string) })) | [] | no |
public_access_cidrs | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when it is enabled. EKS defaults this to a list containing 0.0.0.0/0. | list(string) | ["0.0.0.0/0"] | no |
regex_replace_chars | Regex to replace chars with an empty string in namespace, environment, stage and name. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. | string | null | no |
region | AWS Region | string | n/a | yes |
region_availability_zones | AWS Availability Zones in which to deploy multi-AZ resources | list(string) | n/a | yes |
stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
subnet_type_tag_key | The tag key used to find the private subnets by availability zone | string | n/a | yes |
tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |
tfstate_account_id | The ID of the account where the Terraform remote state backend is provisioned | string | "" | no |
tfstate_assume_role | Set to false to use the caller's role to access the Terraform remote state | bool | true | no |
tfstate_bucket_environment_name | The name of the environment for the Terraform state bucket | string | "" | no |
tfstate_bucket_stage_name | The name of the stage for the Terraform state bucket | string | "root" | no |
tfstate_existing_role_arn | The ARN of the existing IAM Role to access the Terraform remote state. If not provided and remote_state_assume_role is true, a role will be constructed from remote_state_role_arn_template | string | "" | no |
tfstate_role_arn_template | IAM Role ARN template for accessing the Terraform remote state | string | "arn:aws:iam::%s:role/%s-%s-%s-%s" | no |
tfstate_role_environment_name | The name of the environment for the Terraform state IAM role | string | "gbl" | no |
tfstate_role_name | IAM Role name for accessing the Terraform remote state | string | "terraform" | no |
tfstate_role_stage_name | The name of the stage for the Terraform state IAM role | string | "root" | no |
Outputs
Name | Description |
---|---|
eks_cluster_arn | The Amazon Resource Name (ARN) of the cluster |
eks_cluster_endpoint | The endpoint for the Kubernetes API server |
eks_cluster_id | The name of the cluster |
eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster |
eks_cluster_managed_security_group_id | Security Group ID that was created by EKS for the cluster. EKS creates a Security Group and applies it to the ENIs attached to the EKS control plane master nodes and to any managed workloads |
eks_cluster_version | The Kubernetes server version of the cluster |
eks_managed_node_workers_role_arns | List of ARNs for workers in managed node groups |
eks_node_group_arns | ARN of the worker nodes IAM role |
eks_node_group_count | Count of the worker nodes |
eks_node_group_ids | EKS Cluster name and EKS Node Group name separated by a colon |
eks_node_group_role_names | Name of the worker nodes IAM role |
References
- cloudposse/terraform-aws-components - Cloud Posse's upstream component