AWS EKS Terraform module

Terraform module which creates Amazon EKS (Kubernetes) resources

Documentation

External Documentation

Please note that we strive to provide a comprehensive suite of documentation for configuring and utilizing the module(s) defined here. Documentation regarding EKS itself (including EKS managed node groups, self-managed node groups, and Fargate profiles) and/or Kubernetes features, usage, etc. is better left to their respective sources:

Usage

EKS Auto Mode

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.31"

  cluster_name    = "example"
  cluster_version = "1.31"

  # Optional
  cluster_endpoint_public_access = true

  # Optional: Adds the current caller identity as an administrator via cluster access entry
  enable_cluster_creator_admin_permissions = true

  cluster_compute_config = {
    enabled    = true
    node_pools = ["general-purpose"]
  }

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

EKS Hybrid Nodes

```hcl
locals {
  # RFC 1918 IP ranges supported
  remote_network_cidr = "172.16.0.0/16"
  remote_node_cidr    = cidrsubnet(local.remote_network_cidr, 2, 0)
  remote_pod_cidr     = cidrsubnet(local.remote_network_cidr, 2, 1)
}

# SSM and IAM Roles Anywhere supported - SSM is default
module "eks_hybrid_node_role" {
  source  = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"
  version = "~> 20.31"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.31"

  cluster_name    = "example"
  cluster_version = "1.31"

  cluster_addons = {
    coredns                = {}
    eks-pod-identity-agent = {}
    kube-proxy             = {}
  }

  # Optional
  cluster_endpoint_public_access = true

  # Optional: Adds the current caller identity as an administrator via cluster access entry
  enable_cluster_creator_admin_permissions = true

  create_node_security_group = false
  cluster_security_group_additional_rules = {
    hybrid-all = {
      cidr_blocks = [local.remote_network_cidr]
      description = "Allow all traffic from remote node/pod network"
      from_port   = 0
      to_port     = 0
      protocol    = "all"
      type        = "ingress"
    }
  }

  # Optional
  cluster_compute_config = {
    enabled    = true
    node_pools = ["system"]
  }

  access_entries = {
    hybrid-node-role = {
      principal_arn = module.eks_hybrid_node_role.arn
      type          = "HYBRID_LINUX"
    }
  }

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  cluster_remote_network_config = {
    remote_node_networks = {
      cidrs = [local.remote_node_cidr]
    }
    # Required if running webhooks on Hybrid nodes
    remote_pod_networks = {
      cidrs = [local.remote_pod_cidr]
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

EKS Managed Node Group

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.31"

  bootstrap_self_managed_addons = false
  cluster_addons = {
    coredns                = {}
    eks-pod-identity-agent = {}
    kube-proxy             = {}
    vpc-cni                = {}
  }

  # Optional
  cluster_endpoint_public_access = true

  # Optional: Adds the current caller identity as an administrator via cluster access entry
  enable_cluster_creator_admin_permissions = true

  vpc_id                   = "vpc-1234556abcdef"
  subnet_ids               = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  control_plane_subnet_ids = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]

  # EKS Managed Node Group(s)
  eks_managed_node_group_defaults = {
    instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
  }

  eks_managed_node_groups = {
    example = {
      # Starting on 1.30, AL2023 is the default AMI type for EKS managed node groups
      ami_type       = "AL2023_x86_64_STANDARD"
      instance_types = ["m5.xlarge"]

      min_size     = 2
      max_size     = 10
      desired_size = 2
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Cluster Access Entry

When enabling authentication_mode = "API_AND_CONFIG_MAP", EKS will automatically create an access entry for the IAM role(s) used by managed node group(s) and Fargate profile(s). There are no additional actions required by users. For self-managed node groups and the Karpenter sub-module, this project automatically adds the access entry on behalf of users so there are no additional actions required by users.

On clusters that were created prior to cluster access management (CAM) support, there will be an existing access entry for the cluster creator. This was previously not visible when using aws-auth ConfigMap, but will become visible when access entry is enabled.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  # Truncated for brevity ...

  access_entries = {
    # One access entry with a policy associated
    example = {
      principal_arn = "arn:aws:iam::123456789012:role/something"

      policy_associations = {
        example = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            namespaces = ["default"]
            type       = "namespace"
          }
        }
      }
    }
  }
}
```

Bootstrap Cluster Creator Admin Permissions

Setting bootstrap_cluster_creator_admin_permissions is a one-time operation performed when the cluster is created; it cannot be modified later through the EKS API. In this project it is hardcoded to false. Users who want the same functionality can get it through an access entry instead, which can be enabled or disabled at any time of their choosing via the variable enable_cluster_creator_admin_permissions.
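The two sections above (access entries, and the creator-admin toggle) come together in the following added example, which is not from the module's README: the implicit cluster-creator admin is turned off and every administrative identity is instead a named access entry that shows up in `aws eks list-access-entries`, with the public endpoint limited to known source ranges. The role ARNs and the CIDR are constructed placeholders.

```hcl
# Added example (not from the module's README). Assumes the same VPC/subnet
# placeholders as the Usage examples; role ARNs and the CIDR are constructed.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.31"

  cluster_name    = "example"
  cluster_version = "1.31"

  vpc_id     = "vpc-1234556abcdef"
  subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

  # Access entries only: no aws-auth ConfigMap to keep in sync with IAM.
  # EKS does not allow moving back to CONFIG_MAP once API-based auth is enabled.
  authentication_mode = "API"

  # Do not grant the Terraform caller admin implicitly; the grant is made
  # explicitly (and visibly) in access_entries below instead.
  enable_cluster_creator_admin_permissions = false

  # Keep the public endpoint, but not for 0.0.0.0/0 (the module default).
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # constructed placeholder

  # These are the control plane logs that record who used which access entry.
  cluster_enabled_log_types = ["api", "audit", "authenticator"]

  access_entries = {
    # Cluster-wide admin: the role under which Terraform/CI actually runs
    platform_admin = {
      principal_arn = "arn:aws:iam::123456789012:role/platform-terraform" # placeholder

      policy_associations = {
        admin = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }

    # Read-only, and only in the namespaces this team owns
    team_a_viewer = {
      principal_arn = "arn:aws:iam::123456789012:role/team-a-developers" # placeholder

      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            namespaces = ["team-a", "team-a-staging"]
            type       = "namespace"
          }
        }
      }
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

After apply, `aws eks list-access-entries --cluster-name example` and `aws eks list-associated-access-policies --cluster-name example --principal-arn <arn>` should show exactly the two principals and scopes declared here, with no unlisted creator identity.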

Enabling EFA Support

When enabling EFA support via enable_efa_support = true, there are two locations this can be specified - one at the cluster level, and one at the node group level. Enabling at the cluster level will add the EFA required ingress/egress rules to the shared security group created for the node group(s). Enabling at the node group level will do the following (per node group where enabled):

  1. All EFA interfaces supported by the instance will be exposed on the launch template used by the node group
  2. A placement group with strategy = "clustered" per EFA requirements is created and passed to the launch template used by the node group
  3. Data sources will reverse lookup the availability zones that support the instance type selected based on the subnets provided, ensuring that only the associated subnets are passed to the launch template and therefore used by the placement group. This avoids the placement group being created in an availability zone that does not support the instance type selected.

Tip: Use the aws-efa-k8s-device-plugin Helm chart to expose the EFA interfaces on the nodes as an extended resource, and allow pods to request the interfaces be mounted to their containers.

The EKS AL2 GPU AMI comes with the necessary EFA components pre-installed - you just need to expose the EFA devices on the nodes via their launch templates, ensure the required EFA security group rules are in place, and deploy the aws-efa-k8s-device-plugin in order to start utilizing EFA within your cluster. Your application container will need to have the necessary libraries and runtime in order to utilize communication over the EFA interfaces (NCCL, aws-ofi-nccl, hwloc, libfabric, aws-neuronx-collectives, CUDA, etc.).

If you disable the creation and use of the managed node group custom launch template (create_launch_template = false and/or use_custom_launch_template = false), this will interfere with the EFA functionality provided. In addition, if you do not supply an instance_type for self-managed node group(s), or instance_types for the managed node group(s), this will also interfere with the functionality. In order to support the EFA functionality provided by enable_efa_support = true, you must utilize the custom launch template created/provided by this module, and supply an instance_type/instance_types for the respective node group.

The logic behind supporting EFA uses a data source to look up the instance type and retrieve the number of interfaces that the instance supports, in order to enumerate and expose those interfaces on the launch template created. For managed node groups, where a list of instance types is supported, the first instance type in the list is used to calculate the number of EFA interfaces supported. Mixing instance types with varying numbers of interfaces is not recommended for EFA (and in some cases mixing instance types is not supported at all, e.g. p5.48xlarge and p4d.24xlarge). In addition to exposing the EFA interfaces and updating the security group rules, a placement group is created per the EFA requirements, and only the availability zones that support the selected instance type are used from the subnets provided to the node group.

In order to enable EFA support, you will have to specify enable_efa_support = true on both the cluster and each node group that you wish to enable EFA support for:

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  # Truncated for brevity ...

  # Adds the EFA required security group rules to the shared
  # security group created for the node group(s)
  enable_efa_support = true

  eks_managed_node_groups = {
    example = {
      # The EKS AL2023 NVIDIA AMI provides all of the necessary components
      # for accelerated workloads w/ EFA
      ami_type       = "AL2023_x86_64_NVIDIA"
      instance_types = ["p5.48xlarge"]

      # Exposes all EFA interfaces on the launch template created by the node group(s)
      # This would expose all 32 EFA interfaces for the p5.48xlarge instance type
      enable_efa_support = true

      # Mount instance store volumes in RAID-0 for kubelet and containerd
      # https://github.com/awslabs/amazon-eks-ami/blob/master/doc/USER_GUIDE.md#raid-0-for-kubelet-and-containerd-raid0
      cloudinit_pre_nodeadm = [
        {
          content_type = "application/node.eks.aws"
          content      = <<-EOT
            ---
            apiVersion: node.eks.aws/v1alpha1
            kind: NodeConfig
            spec:
              instance:
                localStorage:
                  strategy: RAID0
          EOT
        }
      ]

      # EFA should only be enabled when connecting 2 or more nodes
      # Do not use EFA on a single node workload
      min_size     = 2
      max_size     = 10
      desired_size = 2
    }
  }
}
```

Examples

Contributing

We are grateful to the community for contributing bugfixes and improvements! Please see below to learn how you can take part.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.2 |
| aws | >= 5.81 |
| time | >= 0.9 |
| tls | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.81 |
| time | >= 0.9 |
| tls | >= 3.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| eks_managed_node_group | ./modules/eks-managed-node-group | n/a |
| fargate_profile | ./modules/fargate-profile | n/a |
| kms | terraform-aws-modules/kms/aws | 2.1.0 |
| self_managed_node_group | ./modules/self-managed-node-group | n/a |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_ec2_tag.cluster_primary_security_group | resource |
| aws_eks_access_entry.this | resource |
| aws_eks_access_policy_association.this | resource |
| aws_eks_addon.before_compute | resource |
| aws_eks_addon.this | resource |
| aws_eks_cluster.this | resource |
| aws_eks_identity_provider_config.this | resource |
| aws_iam_openid_connect_provider.oidc_provider | resource |
| aws_iam_policy.cluster_encryption | resource |
| aws_iam_policy.cni_ipv6_policy | resource |
| aws_iam_policy.custom | resource |
| aws_iam_role.eks_auto | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.additional | resource |
| aws_iam_role_policy_attachment.cluster_encryption | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.eks_auto | resource |
| aws_iam_role_policy_attachment.eks_auto_additional | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_security_group.cluster | resource |
| aws_security_group.node | resource |
| aws_security_group_rule.cluster | resource |
| aws_security_group_rule.node | resource |
| time_sleep.this | resource |
| aws_caller_identity.current | data source |
| aws_eks_addon_version.this | data source |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.cni_ipv6_policy | data source |
| aws_iam_policy_document.custom | data source |
| aws_iam_policy_document.node_assume_role_policy | data source |
| aws_iam_session_context.current | data source |
| aws_partition.current | data source |
| tls_certificate.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_entries | Map of access entries to add to the cluster | `any` | `{}` | no |
| attach_cluster_encryption_policy | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | `bool` | `true` | no |
| authentication_mode | The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP | `string` | `"API_AND_CONFIG_MAP"` | no |
| bootstrap_self_managed_addons | Indicates whether or not to bootstrap self-managed addons after the cluster has been created | `bool` | `null` | no |
| cloudwatch_log_group_class | Specifies the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS | `string` | `null` | no |
| cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention - 90 days | `number` | `90` | no |
| cloudwatch_log_group_tags | A map of additional tags to add to the CloudWatch log group created | `map(string)` | `{}` | no |
| cluster_additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no |
| cluster_addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with name | `any` | `{}` | no |
| cluster_addons_timeouts | Create, update, and delete timeout configurations for the cluster addons | `map(string)` | `{}` | no |
| cluster_compute_config | Configuration block for the cluster compute configuration | `any` | `{}` | no |
| cluster_enabled_log_types | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `["audit", "api", "authenticator"]` | no |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}` | `any` | `{"resources": ["secrets"]}` | no |
| cluster_encryption_policy_description | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| cluster_encryption_policy_name | Name to use on cluster encryption policy created | `string` | `null` | no |
| cluster_encryption_policy_path | Cluster encryption policy path | `string` | `null` | no |
| cluster_encryption_policy_tags | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no |
| cluster_encryption_policy_use_name_prefix | Determines whether cluster encryption policy name (cluster_encryption_policy_name) is used as a prefix | `bool` | `true` | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `true` | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `false` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_identity_providers | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
| cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created | `string` | `"ipv4"` | no |
| cluster_name | Name of the EKS cluster | `string` | `""` | no |
| cluster_remote_network_config | Configuration block for the cluster remote network configuration | `any` | `{}` | no |
| cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source | `any` | `{}` | no |
| cluster_security_group_description | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
| cluster_security_group_id | Existing security group ID to be attached to the cluster | `string` | `""` | no |
| cluster_security_group_name | Name to use on cluster security group created | `string` | `null` | no |
| cluster_security_group_tags | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no |
| cluster_security_group_use_name_prefix | Determines whether cluster security group name (cluster_security_group_name) is used as a prefix | `bool` | `true` | no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| cluster_service_ipv6_cidr | The CIDR block to assign Kubernetes pod and service IP addresses from if ipv6 was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster | `string` | `null` | no |
| cluster_tags | A map of additional tags to add to the cluster | `map(string)` | `{}` | no |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no |
| cluster_upgrade_policy | Configuration block for the cluster upgrade policy | `any` | `{}` | no |
| cluster_version | Kubernetes `<major>.<minor>` version to use for the EKS cluster (e.g. 1.27) | `string` | `null` | no |
| cluster_zonal_shift_config | Configuration block for the cluster zonal shift | `any` | `{}` | no |
| control_plane_subnet_ids | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | `list(string)` | `[]` | no |
| create | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
| create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
| create_cluster_primary_security_group_tags | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
| create_cluster_security_group | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | `bool` | `true` | no |
| create_cni_ipv6_iam_policy | Determines whether to create an AmazonEKS_CNI_IPv6_Policy | `bool` | `false` | no |
| create_iam_role | Determines whether an IAM role is created for the cluster | `bool` | `true` | no |
| create_kms_key | Controls if a KMS key for cluster encryption should be created | `bool` | `true` | no |
| create_node_iam_role | Determines whether an EKS Auto node IAM role is created | `bool` | `true` | no |
| create_node_security_group | Determines whether to create a security group for the node groups or use the existing node_security_group_id | `bool` | `true` | no |
| custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | `list(string)` | `[]` | no |
| dataplane_wait_duration | Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed node group(s), self-managed node group(s), Fargate profile(s)) | `string` | `"30s"` | no |
| eks_managed_node_group_defaults | Map of EKS managed node group default configurations | `any` | `{}` | no |
| eks_managed_node_groups | Map of EKS managed node group definitions to create | `any` | `{}` | no |
| enable_auto_mode_custom_tags | Determines whether to enable permissions for custom tags on resources created by EKS Auto Mode | `bool` | `true` | no |
| enable_cluster_creator_admin_permissions | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no |
| enable_efa_support | Determines whether to enable Elastic Fabric Adapter (EFA) support | `bool` | `false` | no |
| enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
| enable_kms_key_rotation | Specifies whether key rotation is enabled | `bool` | `true` | no |
| enable_security_groups_for_pods | Determines whether to add the necessary IAM permission policy for security groups for pods | `bool` | `true` | no |
| fargate_profile_defaults | Map of Fargate Profile default configurations | `any` | `{}` | no |
| fargate_profiles | Map of Fargate Profile definitions to create | `any` | `{}` | no |
| iam_role_additional_policies | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| iam_role_arn | Existing IAM role ARN for the cluster. Required if create_iam_role is set to false | `string` | `null` | no |
| iam_role_description | Description of the role | `string` | `null` | no |
| iam_role_name | Name to use on IAM role created | `string` | `null` | no |
| iam_role_path | The IAM role path | `string` | `null` | no |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| iam_role_tags | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix | `bool` | `true` | no |
| include_oidc_root_ca_thumbprint | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | `bool` | `true` | no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
| kms_key_aliases | A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values | `list(string)` | `[]` | no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 | `number` | `null` | no |
| kms_key_description | The description of the key as viewed in AWS console | `string` | `null` | no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy | `bool` | `true` | no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid | `list(string)` | `[]` | no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (kms:*) | `list(string)` | `[]` | no |
| kms_key_service_users | A list of IAM ARNs for key service users | `list(string)` | `[]` | no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids | `list(string)` | `[]` | no |
| kms_key_users | A list of IAM ARNs for key users | `list(string)` | `[]` | no |
| node_iam_role_additional_policies | Additional policies to be added to the EKS Auto node IAM role | `map(string)` | `{}` | no |
| node_iam_role_description | Description of the EKS Auto node IAM role | `string` | `null` | no |
| node_iam_role_name | Name to use on the EKS Auto node IAM role created | `string` | `null` | no |
| node_iam_role_path | The EKS Auto node IAM role path | `string` | `null` | no |
| node_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the EKS Auto node IAM role | `string` | `null` | no |
| node_iam_role_tags | A map of additional tags to add to the EKS Auto node IAM role created | `map(string)` | `{}` | no |
| node_iam_role_use_name_prefix | Determines whether the EKS Auto node IAM role name (node_iam_role_name) is used as a prefix | `bool` | `true` | no |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source | `any` | `{}` | no |
| node_security_group_description | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
| node_security_group_enable_recommended_rules | Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic | `bool` | `true` | no |
| node_security_group_id | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
| node_security_group_name | Name to use on node security group created | `string` | `null` | no |
| node_security_group_tags | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
| node_security_group_use_name_prefix | Determines whether node security group name (node_security_group_name) is used as a prefix | `bool` | `true` | no |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
| outpost_config | Configuration for the AWS Outpost to provision the cluster on | `any` | `{}` | no |
| prefix_separator | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
| self_managed_node_group_defaults | Map of self-managed node group default configurations | `any` | `{}` | no |
| self_managed_node_groups | Map of self-managed node group definitions to create | `any` | `{}` | no |
| subnet_ids | A list of subnet IDs where the nodes/node groups will be provisioned. If control_plane_subnet_ids is not provided, the EKS cluster control plane (ENIs) will be provisioned in these subnets | `list(string)` | `[]` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| vpc_id | ID of the VPC where the cluster security group will be provisioned | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_access_entries"></a> access_entries | Map of access entries created and their attributes |
| <a name="output_access_policy_associations"></a> access_policy_associations | Map of EKS cluster access policy associations created and their attributes |
| <a name="output_cloudwatch_log_group_arn"></a> cloudwatch_log_group_arn | ARN of the CloudWatch log group created |
| <a name="output_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Name of the CloudWatch log group created |
| <a name="output_cluster_addons"></a> cluster_addons | Map of attribute maps for all EKS cluster addons enabled |
| <a name="output_cluster_arn"></a> cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| <a name="output_cluster_certificate_authority_data"></a> cluster_certificate_authority_data | Base64-encoded certificate authority data required to communicate with the cluster API server over TLS |
| <a name="output_cluster_dualstack_oidc_issuer_url"></a> cluster_dualstack_oidc_issuer_url | Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider |
| <a name="output_cluster_endpoint"></a> cluster_endpoint | Endpoint for your Kubernetes API server |
| <a name="output_cluster_iam_role_arn"></a> cluster_iam_role_arn | Cluster IAM role ARN |
| <a name="output_cluster_iam_role_name"></a> cluster_iam_role_name | Cluster IAM role name |
| <a name="output_cluster_iam_role_unique_id"></a> cluster_iam_role_unique_id | Stable and unique string identifying the cluster IAM role |
| <a name="output_cluster_id"></a> cluster_id | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts |
| <a name="output_cluster_identity_providers"></a> cluster_identity_providers | Map of attribute maps for all EKS identity providers enabled |
| <a name="output_cluster_ip_family"></a> cluster_ip_family | The IP family used by the cluster (`ipv4` or `ipv6`) |
| <a name="output_cluster_name"></a> cluster_name | The name of the EKS cluster |
| <a name="output_cluster_oidc_issuer_url"></a> cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| <a name="output_cluster_platform_version"></a> cluster_platform_version | Platform version for the cluster |
| <a name="output_cluster_primary_security_group_id"></a> cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| <a name="output_cluster_security_group_arn"></a> cluster_security_group_arn | Amazon Resource Name (ARN) of the cluster security group |
| <a name="output_cluster_security_group_id"></a> cluster_security_group_id | ID of the cluster security group |
| <a name="output_cluster_service_cidr"></a> cluster_service_cidr | The CIDR block from which Kubernetes service (ClusterIP) addresses are assigned. Pod addresses come from the VPC subnets (or the remote pod CIDR for hybrid nodes), not from this range |
| <a name="output_cluster_status"></a> cluster_status | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
| <a name="output_cluster_tls_certificate_sha1_fingerprint"></a> cluster_tls_certificate_sha1_fingerprint | The SHA1 fingerprint (thumbprint) of the TLS certificate presented by the cluster's OIDC issuer; this is the thumbprint registered on the IAM OIDC identity provider |
| <a name="output_cluster_version"></a> cluster_version | The Kubernetes version for the cluster |
| <a name="output_eks_managed_node_groups"></a> eks_managed_node_groups | Map of attribute maps for all EKS managed node groups created |
| <a name="output_eks_managed_node_groups_autoscaling_group_names"></a> eks_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by EKS managed node groups |
| <a name="output_fargate_profiles"></a> fargate_profiles | Map of attribute maps for all EKS Fargate Profiles created |
| <a name="output_kms_key_arn"></a> kms_key_arn | The Amazon Resource Name (ARN) of the KMS key used for cluster secrets encryption |
| <a name="output_kms_key_id"></a> kms_key_id | The globally unique identifier for the KMS key |
| <a name="output_kms_key_policy"></a> kms_key_policy | The IAM resource policy set on the KMS key |
| <a name="output_node_iam_role_arn"></a> node_iam_role_arn | EKS Auto Mode node IAM role ARN |
| <a name="output_node_iam_role_name"></a> node_iam_role_name | EKS Auto Mode node IAM role name |
| <a name="output_node_iam_role_unique_id"></a> node_iam_role_unique_id | Stable and unique string identifying the EKS Auto Mode node IAM role |
| <a name="output_node_security_group_arn"></a> node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| <a name="output_node_security_group_id"></a> node_security_group_id | ID of the node shared security group |
| <a name="output_oidc_provider"></a> oidc_provider | The OpenID Connect identity provider (issuer URL without the leading `https://`), in the form used as the condition-key prefix in IAM trust policies |
| <a name="output_oidc_provider_arn"></a> oidc_provider_arn | The ARN of the IAM OIDC provider, present only if `enable_irsa = true` |
| <a name="output_self_managed_node_groups"></a> self_managed_node_groups | Map of attribute maps for all self-managed node groups created |
| <a name="output_self_managed_node_groups_autoscaling_group_names"></a> self_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by self-managed node groups |
<!-- END_TF_DOCS -->
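The outputs above are most often consumed in two places: wiring the `kubernetes` provider to the new cluster, and building IAM trust policies for IRSA. The following is an added example, not part of the module's documentation; the `module.eks` label, the `app-ns`/`app-sa` service account and the `app-irsa` role name are assumptions. It shows why both the `aud` and the `sub` conditions belong in the trust policy: with only the `Federated` principal, any pod in any namespace of the cluster could assume the role.

```hcl
# Added example: consume the module outputs. Assumes the module block above
# is named "eks" and that the aws CLI is installed where Terraform runs.

provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  # Short-lived token from the caller's AWS identity; no static kubeconfig
  # credentials are written to disk.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

# IRSA trust policy scoped to one Kubernetes service account.
# `oidc_provider` is the issuer host/path without "https://", which is exactly
# the prefix IAM expects in the condition keys below.
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn] # requires enable_irsa = true
    }

    # Token must be minted for STS, not for some other audience.
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Only this namespace:serviceaccount may assume the role (assumed names).
    # Dropping this condition lets every pod in the cluster assume it.
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:sub"
      values   = ["system:serviceaccount:app-ns:app-sa"]
    }
  }
}

resource "aws_iam_role" "app_irsa" {
  name               = "app-irsa" # assumed name
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}
```

Attach the application's permissions to `aws_iam_role.app_irsa` and annotate the `app-sa` service account with `eks.amazonaws.com/role-arn: <role ARN>`. If you need several service accounts to share one role, use `StringLike` on `:sub` with an explicit list rather than a bare wildcard.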

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus