Home

Awesome

<!-- BEGIN_TF_DOCS -->

Kubespot (AWS)

AWS EKS Setup for PCI-DSS, SOC2, HIPAA

Kubespot is AWS EKS customized to add security postures around SOC2, HIPAA, and PCI compliance. It is distributed as an open source terraform module allowing you to run it within your own AWS account without lock-in. Kubespot has been developed over a half a decade evolving with the AWS EKS distribution and before that kops. It is in use within multiple startups that have scaled from a couple founders in an apartment to billion dollar unicorns. By using Kubespot they were able to achieve the technical requirements for compliance while being able to deploy software fast.

Kubespot is a light wrapper around AWS EKS. The primary changes included in Kubespot are:

Tools & Setup

brew install kubectl kubernetes-helm awscli terraform

Cluster Usage

If the infrastructure is using the opsZero infrastructure as code template then you access the resources like the following:

Add your IAM credentials in ~/.aws/credentials.

[profile_name]
aws_access_key_id=<>key>
aws_secret_access_key=<secret_key>
region=us-west-2
cd environments/<nameofenv>
make kubeconfig
export KUBECONFIG=./kubeconfig # add to a .zshrc
kubectl get pods

Autoscaler

Kubespot uses Karpenter as the default autoscaler. To configure the autoscaler we need to create a file like the one below and run:

kubectl apply -f karpenter.yml
apiVersion: karpenter.sh/v1beta1
kind: NodePool
metadata:
  name: default
spec:
  template:
    spec:
      requirements:
        - key: "karpenter.k8s.aws/instance-category"
          operator: In
          values: ["t", "c", "m"]
        - key: "kubernetes.io/arch"
          operator: In
          values: ["amd64"]
        - key: "karpenter.k8s.aws/instance-cpu"
          operator: In
          values: ["1", "2", "4", "8", "16"]
        - key: "karpenter.k8s.aws/instance-hypervisor"
          operator: In
          values: ["nitro"]
        - key: karpenter.sh/capacity-type
          operator: In
          values: ["spot", "on-demand"]
      nodeClassRef:
        name: default
  disruption:
    consolidationPolicy: WhenUnderutilized
    expireAfter: 2h # 30 * 24h = 720h
---
apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: default
spec:
  amiFamily: Bottlerocket # Amazon Linux 2
  role: "Karpenter-opszero" # Set the name of the cluster
  subnetSelectorTerms:
    - tags:
        Name: opszero-public
  securityGroupSelectorTerms:
    - tags:
        Name: eks-cluster-sg-opszero-1249901478

Cluster Setup

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

CIS Kubernetes Benchmark

Note: PodSecurityPolicy (PSP) is deprecated and PodSecurity admission controller is the new standard. The CIS Benchmark is still using PSP. We have converted the PSP to the equivalent new standard.

ControlRecommendationLevelStatusDescription
1Control Plane Components
2Control Plane Configuration
2.1Logging
2.1.1Enable audit logsL1Activecluster_logging is configured
3Worker Nodes
3.1Worker Node Configuration Files
3.1.1Ensure that the kubeconfig file permissions are set to 644 or more restrictiveL1Won't FixUse NodeGroups or Fargate
3.1.2Ensure that the kubelet kubeconfig file ownership is set to root:rootL1Won't FixUse NodeGroups or Fargate
3.1.3Ensure that the kubelet configuration file has permissions set to 644 or more restrictiveL1Won't FixUse NodeGroups or Fargate
3.1.4Ensure that the kubelet configuration file ownership is set to root:rootL1Won't FixUse NodeGroups or Fargate
3.2Kubelet
3.2.1Ensure that the Anonymous Auth is Not EnabledL1Won't FixUse NodeGroups or Fargate
3.2.2Ensure that the --authorization-mode argument is not set to AlwaysAllowL1Won't FixUse NodeGroups or Fargate
3.2.3Ensure that a Client CA File is ConfiguredL1Won't FixUse NodeGroups or Fargate
3.2.4Ensure that the --read-only-port is disabledL1Won't FixUse NodeGroups or Fargate
3.2.5Ensure that the --streaming-connection-idle-timeout argument is not set to 0L1Won't FixUse NodeGroups or Fargate
3.2.6Ensure that the --protect-kernel-defaults argument is set to trueL1Won't FixUse NodeGroups or Fargate
3.2.7Ensure that the --make-iptables-util-chains argument is set to trueL1Won't FixUse NodeGroups or Fargate
3.2.8Ensure that the --hostname-override argument is not setL1Won't FixUse NodeGroups or Fargate
3.2.9Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event captureL2Won't FixUse NodeGroups or Fargate
3.2.10Ensure that the --rotate-certificates argument is not present or is set to trueL1Won't FixUse NodeGroups or Fargate
3.2.11Ensure that the RotateKubeletServerCertificate argument is set to trueL1Won't FixUse NodeGroups or Fargate
3.3Container Optimized OS
3.3.1Prefer using a container-optimized OS when possibleL2ActiveBottlerocket ContainerOS is used.
4Policies
4.1RBAC and Service Accounts
4.1.1Ensure that the cluster-admin role is only used where requiredL1ActiveDefault Configuration
4.1.2Minimize access to secretsL1Activeiam_roles pass limited RBAC
4.1.3Minimize wildcard use in Roles and ClusterRolesL1Manualterraform-kubernetes-rbac Set role
4.1.4Minimize access to create podsL1Manualterraform-kubernetes-rbac Limit role with pod create
4.1.5Ensure that default service accounts are not actively usedL1Manualkubectl patch serviceaccount default -p $'automountServiceAccountToken: false'
4.1.6Ensure that Service Account Tokens are only mounted where necessaryL1Activetiphys Default set to false
4.1.7Avoid use of system:masters groupL1ActiveMust manually add users and roles to system:masters
4.1.8Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes clusterL1ManualLimit users with system:masters role
4.2Pod Security Policies
4.2.1Minimize the admission of privileged containersL1Activetiphys defaultSecurityContext.allowPrivilegeEscalation=false
4.2.2Minimize the admission of containers wishing to share the host process ID namespaceL1Activetiphys hostPID defaults to false
4.2.3Minimize the admission of containers wishing to share the host IPC namespaceL1Activetiphys hostIPC defaults to false
4.2.4Minimize the admission of containers wishing to share the host network namespaceL1Activetiphys hostNetwork defaults to false
4.2.5Minimize the admission of containers with allowPrivilegeEscalationL1Activetiphys defaultSecurityContext.allowPrivilegeEscalation=false
4.2.6Minimize the admission of root containersL2Activetiphys defaultSecurityContext.[runAsNonRoot=true,runAsUser=1001]
4.2.7Minimize the admission of containers with added capabilitiesL1Activetiphys defaultSecurityContext.allowPrivilegeEscalation=false
4.2.8Minimize the admission of containers with capabilities assignedL1Activetiphys defaultSecurityContext.capabilities.drop: ALL
4.3CNI Plugin
4.3.1Ensure CNI plugin supports network policies.L1Manualcalico_enabled=true
4.3.2Ensure that all Namespaces have Network Policies definedL1ManualAdd Network Policy manually
4.4Secrets Management
4.4.1Prefer using secrets as files over secrets as environment variablesL2Activetiphys writes secrets to file
4.4.2Consider external secret storageL2ManualPull secrets using AWS Secret Manager.
4.5Extensible Admission Control
4.6General Policies
4.6.1Create administrative boundaries between resources using namespacesL1Manultiphys deploy on different namespace
4.6.2Apply Security Context to Your Pods and ContainersL2Activetiphys defaultSecurityContext is set
4.6.3The default namespace should not be usedL2Activetiphys select namespace
5Managed services
5.1Image Registry and Image Scanning
5.1.1Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party providerL1ActiveExample
5.1.2Minimize user access to Amazon ECRL1Activeterraform-aws-mrmgr
5.1.3Minimize cluster access to read-only for Amazon ECRL1Activeterraform-aws-mrmgr with OIDC
5.1.4Minimize Container Registries to only those approvedL2Activeterraform-aws-mrmgr
5.2Identity and Access Management (IAM)
5.2.1Prefer using dedicated EKS Service AccountsL1Activeterraform-aws-mrmgr with OIDC
5.3AWS EKS Key Management Service
5.3.1Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMSL1Active
5.4Cluster Networking
5.4.1Restrict Access to the Control Plane EndpointL1ActiveSet cluster_public_access_cidrs
5.4.2Ensure clusters are created with Private Endpoint Enabled and Public Access DisabledL2ActiveSet cluster_private_access = true and cluster_public_access = false
5.4.3Ensure clusters are created with Private NodesL1ActiveSet enable_nat = true and set nodes_in_public_subnet = false
5.4.4Ensure Network Policy is Enabled and set as appropriateL1Manualcalico_enabled=true
5.4.5Encrypt traffic to HTTPS load balancers with TLS certificatesL2Activeterraform-helm-kubespot
5.5Authentication and Authorization
5.5.1Manage Kubernetes RBAC users with AWS IAM Authenticator for KubernetesL2Activeiam_users use AWS IAM Authenticator
5.6Other Cluster Configurations
5.6.1Consider Fargate for running untrusted workloadsL1ActiveSet the fargate_selector

Providers

NameVersion
<a name="provider_aws"></a> awsn/a
<a name="provider_helm"></a> helmn/a
<a name="provider_http"></a> httpn/a
<a name="provider_kubernetes"></a> kubernetesn/a
<a name="provider_null"></a> nulln/a
<a name="provider_tls"></a> tlsn/a

Inputs

NameDescriptionTypeDefaultRequired
<a name="input_access_policies"></a> access_policiesaccess policieslist[]no
<a name="input_alb_controller_version"></a> alb_controller_versionThe chart version of the ALB controller helm chartstring"1.4.4"no
<a name="input_asg_nodes"></a> asg_nodesMap of ASG node configurations<pre>map(object({<br/> instance_type = string<br/> max_instance_lifetime = number<br/> nodes_desired_capacity = number<br/> nodes_max_size = number<br/> nodes_min_size = number<br/> nodes_in_public_subnet = bool<br/> node_disk_size = number<br/> node_enabled_metrics = list(string)<br/> spot_price = string<br/> subnet_ids = list(string)<br/> }))</pre>{}no
<a name="input_aws_load_balancer_controller_enabled"></a> aws_load_balancer_controller_enabledEnable ALB controller by defaultbooltrueno
<a name="input_calico_enabled"></a> calico_enabledWhether calico add-on is installedboolfalseno
<a name="input_calico_version"></a> calico_versionThe version of the calico helm chartstring"v3.26.1"no
<a name="input_cidr_block"></a> cidr_blockThe CIDR block used by the VPCstring"10.2.0.0/16"no
<a name="input_cidr_block_private_subnet"></a> cidr_block_private_subnetThe CIDR block used by the private subnetlist<pre>[<br/> "10.2.2.0/24",<br/> "10.2.3.0/24"<br/>]</pre>no
<a name="input_cidr_block_public_subnet"></a> cidr_block_public_subnetThe CIDR block used by the private subnetlist<pre>[<br/> "10.2.0.0/24",<br/> "10.2.1.0/24"<br/>]</pre>no
<a name="input_cloudwatch_pod_logs_enabled"></a> cloudwatch_pod_logs_enabledStream EKS pod logs to cloudwatchboolfalseno
<a name="input_cloudwatch_retention_in_days"></a> cloudwatch_retention_in_daysHow long to keep CloudWatch logs in daysnumber30no
<a name="input_cluster_authentication_mode"></a> cluster_authentication_modeDesired Kubernetes authentication. API or API_AND_CONFIG_MAPstring"API"no
<a name="input_cluster_encryption_config"></a> cluster_encryption_configCluster Encryption Config Resources to encrypt, e.g. ['secrets']list(any)<pre>[<br/> "secrets"<br/>]</pre>no
<a name="input_cluster_kms_policy"></a> cluster_kms_policyCluster Encryption Config KMS Key Resource argument - key policystringnullno
<a name="input_cluster_logging"></a> cluster_loggingList of the desired control plane logging to enable. https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.htmllist<pre>[<br/> "api",<br/> "audit",<br/> "authenticator",<br/> "controllerManager",<br/> "scheduler"<br/>]</pre>no
<a name="input_cluster_private_access"></a> cluster_private_accessWhether the Amazon EKS private API server endpoint is enabledbooltrueno
<a name="input_cluster_public_access"></a> cluster_public_accessWhether the Amazon EKS private API server endpoint is enabledbooltrueno
<a name="input_cluster_public_access_cidrs"></a> cluster_public_access_cidrsList of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabledlist<pre>[<br/> "0.0.0.0/0"<br/>]</pre>no
<a name="input_cluster_version"></a> cluster_versionDesired Kubernetes master versionstring"1.30"no
<a name="input_csi_enabled_namespaces"></a> csi_enabled_namespacesn/alist(string)[]no
<a name="input_csi_secrets_store_enabled"></a> csi_secrets_store_enabledSpecify whether the CSI driver is enabled on the EKS clusterboolfalseno
<a name="input_csi_secrets_store_version"></a> csi_secrets_store_versionThe version of the CSI store helm chartstring"1.4.6"no
<a name="input_efs_enabled"></a> efs_enabledSpecify whether the EFS is enabled on the EKS clusterboolfalseno
<a name="input_eips"></a> eipsList of Elastic IPslist[]no
<a name="input_enable_egress_only_internet_gateway"></a> enable_egress_only_internet_gatewayCreate an egress-only Internet gateway for your VPC0boolfalseno
<a name="input_enable_ipv6"></a> enable_ipv6Enable an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPCboolfalseno
<a name="input_environment_name"></a> environment_nameName of the environment to create AWS resourcesstringn/ayes
<a name="input_fargate_selector"></a> fargate_selectorTerraform object to create the EKS fargate profilesmap<pre>{<br/> "serverless": {}<br/>}</pre>no
<a name="input_iam_roles"></a> iam_rolesTerraform object of the IAM rolesmap{}no
<a name="input_iam_users"></a> iam_usersList of IAM userslist[]no
<a name="input_karpenter_ami_family"></a> karpenter_ami_familyAMI family to use for the EC2 Node Class. Possible values: AL2 or Bottlerocketstring"Bottlerocket"no
<a name="input_karpenter_enabled"></a> karpenter_enabledSpecify whether the karpenter is enabledboolfalseno
<a name="input_karpenter_version"></a> karpenter_versionThe version of the karpenter helm chartstring"1.0.1"no
<a name="input_metrics_server_version"></a> metrics_server_versionThe version of the metric server helm chartstring"3.11.0"no
<a name="input_nat_enabled"></a> nat_enabledWhether the NAT gateway is enabledbooltrueno
<a name="input_node_group_cpu_threshold"></a> node_group_cpu_thresholdThe value of the CPU thresholdstring"70"no
<a name="input_node_groups"></a> node_groupsTerraform object to create the EKS node groupsmap{}no
<a name="input_node_role_policies"></a> node_role_policiesA list of The ARN of the policies you want to attachlist[]no
<a name="input_redis_enabled"></a> redis_enabledWhether the redis cluster is enabledboolfalseno
<a name="input_redis_engine_version"></a> redis_engine_versionVersion number of the cache engine to be used for the cache clusters in this replication groupstring"7.1"no
<a name="input_redis_node_type"></a> redis_node_typeInstance class of the redis cluster to be usedstring"cache.t4g.micro"no
<a name="input_redis_num_nodes"></a> redis_num_nodesNumber of nodes for redisnumber1no
<a name="input_s3_csi_bucket_names"></a> s3_csi_bucket_namesThe name of the S3 bucket for the CSI driverlist(string)<pre>[<br/> ""<br/>]</pre>no
<a name="input_s3_csi_driver_enabled"></a> s3_csi_driver_enabledEnable or disable the S3 CSI driverboolfalseno
<a name="input_sql_cluster_enabled"></a> sql_cluster_enabledWhether the sql cluster is enabledboolfalseno
<a name="input_sql_cluster_monitoring_interval"></a> sql_cluster_monitoring_intervalMonitoring Interval for SQL Clusteranynullno
<a name="input_sql_cluster_monitoring_role_arn"></a> sql_cluster_monitoring_role_arnThe ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logsanynullno
<a name="input_sql_database_name"></a> sql_database_nameThe name of the database to create when the DB instance is createdstring""no
<a name="input_sql_encrypted"></a> sql_encryptedSpecify whether the DB instance is encryptedbooltrueno
<a name="input_sql_engine"></a> sql_engineThe name of the database engine to be used for this DB clusterstring"aurora-postgresql"no
<a name="input_sql_engine_mode"></a> sql_engine_modeThe database engine modestring"provisioned"no
<a name="input_sql_engine_version"></a> sql_engine_versionThe SQL engine version to usestring"15.3"no
<a name="input_sql_iam_auth_enabled"></a> sql_iam_auth_enabledSpecifies whether or not mappings of IAM accounts to database accounts is enabledbooltrueno
<a name="input_sql_identifier"></a> sql_identifierThe name of the databasestring""no
<a name="input_sql_instance_allocated_storage"></a> sql_instance_allocated_storageThe allocated storage in gibibytesnumber20no
<a name="input_sql_instance_class"></a> sql_instance_classThe instance type of the RDS instance.string"db.t4g.micro"no
<a name="input_sql_instance_enabled"></a> sql_instance_enabledWhether the sql instance is enabledboolfalseno
<a name="input_sql_instance_engine"></a> sql_instance_engineThe database engine to usestring"postgres"no
<a name="input_sql_instance_max_allocated_storage"></a> sql_instance_max_allocated_storagethe upper limit to which Amazon RDS can automatically scale the storage of the DB instancenumber200no
<a name="input_sql_master_password"></a> sql_master_passwordPassword for the master DB userstring""no
<a name="input_sql_master_username"></a> sql_master_usernameUsername for the master DB userstring""no
<a name="input_sql_node_count"></a> sql_node_countThe number of instances to be used for this DB clusternumber0no
<a name="input_sql_parameter_group_name"></a> sql_parameter_group_nameName of the DB parameter group to associatestring""no
<a name="input_sql_performance_insights_enabled"></a> sql_performance_insights_enabledSpecifies whether Performance Insights are enabled. Defaults to falseboolfalseno
<a name="input_sql_rds_multi_az"></a> sql_rds_multi_azSpecify if the RDS instance is enabled multi-AZboolfalseno
<a name="input_sql_serverless_seconds_until_auto_pause"></a> sql_serverless_seconds_until_auto_pauseThe time, in seconds, before the DB cluster in serverless mode is pausednumber300no
<a name="input_sql_skip_final_snapshot"></a> sql_skip_final_snapshotDetermines whether a final DB snapshot is created before the DB instance is deleted.boolfalseno
<a name="input_sql_storage_type"></a> sql_storage_typeThe allocated storage type for DB Instancestring"gp3"no
<a name="input_sql_subnet_group_include_public"></a> sql_subnet_group_include_publicInclude public subnets as part of the clusters subnet configuration.boolfalseno
<a name="input_tags"></a> tagsTerraform map to create custom tags for the AWS resourcesmap{}no
<a name="input_vpc_flow_logs_enabled"></a> vpc_flow_logs_enabledSpecify whether the vpc flow log is enabledboolfalseno
<a name="input_zones"></a> zonesAZs for the subnetslist<pre>[<br/> "us-west-2a",<br/> "us-west-2b"<br/>]</pre>no

Resources

NameType
aws_autoscaling_group.asg_nodesresource
aws_cloudwatch_log_group.vpcresource
aws_cloudwatch_metric_alarm.asg_nodes_cpu_thresholdresource
aws_cloudwatch_metric_alarm.database_cpu_databaseresource
aws_cloudwatch_metric_alarm.database_cpu_database-rdsresource
aws_cloudwatch_metric_alarm.database_disk_databaseresource
aws_cloudwatch_metric_alarm.database_free_disk_databaseresource
aws_cloudwatch_metric_alarm.database_free_disk_database2resource
aws_cloudwatch_metric_alarm.database_free_disk_database3resource
aws_cloudwatch_metric_alarm.database_free_disk_database4resource
aws_cloudwatch_metric_alarm.database_free_disk_database5resource
aws_cloudwatch_metric_alarm.database_io_mysqlresource
aws_cloudwatch_metric_alarm.database_io_postgresresource
aws_cloudwatch_metric_alarm.database_io_rdsresource
aws_cloudwatch_metric_alarm.node_group_cpu_thresholdresource
aws_db_instance.defaultresource
aws_db_subnet_group.defaultresource
aws_egress_only_internet_gateway.egressresource
aws_eip.eipsresource
aws_eks_access_entry.entriesresource
aws_eks_access_policy_association.policiesresource
aws_eks_addon.coreresource
aws_eks_cluster.clusterresource
aws_eks_fargate_profile.fargateresource
aws_eks_node_group.node_groupresource
aws_elasticache_cluster.defaultresource
aws_elasticache_subnet_group.defaultresource
aws_flow_log.vpcresource
aws_iam_instance_profile.noderesource
aws_iam_openid_connect_provider.clusterresource
aws_iam_policy.albresource
aws_iam_policy.ebsresource
aws_iam_policy.eks_pod_logs_to_cloudwatchresource
aws_iam_policy.s3_policyresource
aws_iam_policy.secrets_policyresource
aws_iam_role.clusterresource
aws_iam_role.fargateresource
aws_iam_role.noderesource
aws_iam_role.secrets_manager_roleresource
aws_iam_role.vpcresource
aws_iam_role_policy.vpcresource
aws_iam_role_policy_attachment.albresource
aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicyresource
aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicyresource
aws_iam_role_policy_attachment.csiresource
aws_iam_role_policy_attachment.ebsresource
aws_iam_role_policy_attachment.fargate-AmazonEKSFargatePodExecutionRolePolicyresource
aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnlyresource
aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicyresource
aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policyresource
aws_iam_role_policy_attachment.node_eks_pod_logs_to_cloudwatchresource
aws_iam_role_policy_attachment.node_role_policiesresource
aws_iam_role_policy_attachment.secrets_manager_attachmentresource
aws_internet_gateway.publicresource
aws_kms_key.cloudwatch_logresource
aws_kms_key.cluster_secretsresource
aws_launch_configuration.asg_nodesresource
aws_launch_template.encrypted_launch_templateresource
aws_nat_gateway.gwresource
aws_rds_cluster.defaultresource
aws_rds_cluster_instance.cluster_instancesresource
aws_route.igresource
aws_route.ipv6resource
aws_route.natresource
aws_route_table.privateresource
aws_route_table.publicresource
aws_route_table_association.privateresource
aws_route_table_association.publicresource
aws_security_group.clusterresource
aws_security_group.noderesource
aws_security_group_rule.cluster-ingress-node-httpsresource
aws_security_group_rule.eksresource
aws_security_group_rule.node-ingress-clusterresource
aws_security_group_rule.node-ingress-selfresource
aws_security_group_rule.private_subnetresource
aws_security_group_rule.public_subnetresource
aws_subnet.privateresource
aws_subnet.publicresource
aws_vpc.vpcresource
helm_release.aws_load_balancerresource
helm_release.calicoresource
helm_release.csi_secrets_storeresource
helm_release.karpenterresource
helm_release.karpenter_crdresource
helm_release.metrics-serverresource
kubernetes_config_map.aws_authresource
kubernetes_config_map.fluent_bit_cluster_inforesource
kubernetes_namespace.amazon_cloudwatchresource
kubernetes_service_account.efs_csi_controller_saresource
kubernetes_service_account.efs_csi_node_saresource
kubernetes_service_account.mainresource
null_resource.csi_secrets_store_aws_providerresource
null_resource.delete_aws_noderesource
null_resource.karpenter_ec2_node_class_applyresource
aws_availability_zones.availabledata source
aws_caller_identity.currentdata source
aws_eks_cluster_auth.clusterdata source
aws_iam_policy.ssm_managed_instancedata source
aws_iam_policy_document.cloudwatchdata source
aws_iam_policy_document.trust_relationshipdata source
aws_partition.currentdata source
aws_region.currentdata source
aws_ssm_parameter.bottlerocket_amidata source
aws_ssm_parameter.eks_al2_amidata source
aws_ssm_parameter.eks_amidata source
http_http.csi_secrets_store_aws_providerdata source
tls_certificate.clusterdata source

Outputs

NameDescription
<a name="output_eks_cluster"></a> eks_clustern/a
<a name="output_eks_cluster_oidc_provider_arn"></a> eks_cluster_oidc_provider_arnn/a
<a name="output_eks_cluster_token"></a> eks_cluster_tokenn/a
<a name="output_internet_gateway_id"></a> internet_gateway_idn/a
<a name="output_nat_gateway_ids"></a> nat_gateway_idsn/a
<a name="output_node_role"></a> node_rolen/a
<a name="output_node_security_group_id"></a> node_security_group_idn/a
<a name="output_private_route_table"></a> private_route_tablen/a
<a name="output_private_subnet_ids"></a> private_subnet_idsn/a
<a name="output_public_route_table"></a> public_route_tablen/a
<a name="output_public_subnet_ids"></a> public_subnet_idsn/a
<a name="output_vpc_id"></a> vpc_idn/a

🚀 Built by opsZero!

<a href="https://opszero.com"><img src="https://opszero.com/wp-content/uploads/2024/07/opsZero_logo_svg.svg" width="300px"/></a>

Since 2016 opsZero has been providing Kubernetes expertise to companies of all sizes on any Cloud. With a focus on AI and Compliance we can say we seen it all whether SOC2, HIPAA, PCI-DSS, ITAR, FedRAMP, CMMC we have you and your customers covered.

We provide support to organizations in the following ways:

We do this with a high-touch support model where you:

Please schedule a call if you need support.

<br/><br/>

<div style="display: block"> <img src="https://opszero.com/wp-content/uploads/2024/07/aws-advanced.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-public-sector.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-eks.png" width="150px" /> </div> <!-- END_TF_DOCS -->