Module: eks-cluster
Terraform module to provision an EKS cluster on AWS.
This Terraform module provisions a fully-configured AWS EKS (Elastic Kubernetes Service) cluster. It's engineered to integrate smoothly with Karpenter and EKS addons, forming a critical part of Cloud Posse's reference architecture. Ideal for teams looking to deploy scalable and manageable Kubernetes clusters on AWS with minimal fuss.
Introduction
The module provisions the following resources:
- EKS cluster of master nodes that can be used together with the
terraform-aws-eks-node-group and
terraform-aws-eks-fargate-profile
modules to create a full-blown EKS/Kubernetes cluster. You can also use the terraform-aws-eks-workers
module to provision worker nodes for the cluster, but it is now rare for that to be a better choice than to use
terraform-aws-eks-node-group
. - IAM Role to allow the cluster to access other AWS services
- EKS access entries to allow IAM users to access and administer the cluster
Usage
For a complete example, see examples/complete.
For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test/src.
Other examples:
- terraform-aws-components/eks/cluster - Cloud Posse's service catalog of "root module" invocations for provisioning reference architectures
provider "aws" {
region = var.region
}
# Note: This example creates an explicit access entry for the current user,
# but in practice, you should use a static map of IAM users or roles that should have access to the cluster.
# Granting access to the current user in this way is not recommended for production use.
data "aws_caller_identity" "current" {}
# IAM session context converts an assumed role ARN into an IAM Role ARN.
# Again, this is primarily to simplify the example, and in practice, you should use a static map of IAM users or roles.
data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}
locals {
# The usage of the specific kubernetes.io/cluster/* resource tags below are required
# for EKS and Kubernetes to discover and manage networking resources
# https://aws.amazon.com/premiumsupport/knowledge-center/eks-vpc-subnet-discovery/
# https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/deploy/subnet_discovery.md
tags = { "kubernetes.io/cluster/${module.label.id}" = "shared" }
# required tags to make ALB ingress work https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
public_subnets_additional_tags = {
"kubernetes.io/role/elb" : 1
}
private_subnets_additional_tags = {
"kubernetes.io/role/internal-elb" : 1
}
# Enable the IAM user creating the cluster to administer it,
# without using the bootstrap_cluster_creator_admin_permissions option,
# as an example of how to use the access_entry_map feature.
# In practice, this should be replaced with a static map of IAM users or roles
# that should have access to the cluster, but we use the current user
# to simplify the example.
access_entry_map = {
(data.aws_iam_session_context.current.issuer_arn) = {
access_policy_associations = {
ClusterAdmin = {}
}
}
}
}
module "label" {
source = "cloudposse/label/null"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
namespace = var.namespace
name = var.name
stage = var.stage
delimiter = var.delimiter
tags = var.tags
}
module "vpc" {
source = "cloudposse/vpc/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
ipv4_primary_cidr_block = "172.16.0.0/16"
tags = local.tags
context = module.label.context
}
module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
igw_id = [module.vpc.igw_id]
ipv4_cidr_block = [module.vpc.vpc_cidr_block]
nat_gateway_enabled = true
nat_instance_enabled = false
public_subnets_additional_tags = local.public_subnets_additional_tags
private_subnets_additional_tags = local.private_subnets_additional_tags
tags = local.tags
context = module.label.context
}
module "eks_node_group" {
source = "cloudposse/eks-node-group/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
instance_types = [var.instance_type]
subnet_ids = module.subnets.private_subnet_ids
health_check_type = var.health_check_type
min_size = var.min_size
max_size = var.max_size
cluster_name = module.eks_cluster.eks_cluster_id
# Enable the Kubernetes cluster auto-scaler to find the auto-scaling group
cluster_autoscaler_enabled = var.autoscaling_policies_enabled
context = module.label.context
}
module "eks_cluster" {
source = "cloudposse/eks-cluster/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
subnet_ids = concat(module.subnets.private_subnet_ids, module.subnets.public_subnet_ids)
kubernetes_version = var.kubernetes_version
oidc_provider_enabled = true
addons = [
# https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-cni-latest-available-version
{
addon_name = "vpc-cni"
addon_version = var.vpc_cni_version
resolve_conflicts_on_create = "OVERWRITE"
resolve_conflicts_on_update = "OVERWRITE"
service_account_role_arn = var.vpc_cni_service_account_role_arn # Creating this role is outside the scope of this example
},
# https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html
{
addon_name = "kube-proxy"
addon_version = var.kube_proxy_version
resolve_conflicts_on_create = "OVERWRITE"
resolve_conflicts_on_update = "OVERWRITE"
service_account_role_arn = null
},
# https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html
{
addon_name = "coredns"
addon_version = var.coredns_version
resolve_conflicts_on_create = "OVERWRITE"
resolve_conflicts_on_update = "OVERWRITE"
service_account_role_arn = null
},
]
addons_depends_on = [module.eks_node_group]
context = module.label.context
cluster_depends_on = [module.subnets]
}
Module usage with two unmanaged worker groups:
locals {
# Unfortunately, the `aws_ami` data source attribute `most_recent` (https://github.com/cloudposse/terraform-aws-eks-workers/blob/34a43c25624a6efb3ba5d2770a601d7cb3c0d391/main.tf#L141)
# does not work as you might expect. If you are not going to use a custom AMI you should
# use the `eks_worker_ami_name_filter` variable to set the right kubernetes version for EKS workers,
# otherwise the first version of Kubernetes supported by AWS (v1.11) for EKS workers will be selected, but the
# EKS control plane will ignore it to use one that matches the version specified by the `kubernetes_version` variable.
eks_worker_ami_name_filter = "amazon-eks-node-${var.kubernetes_version}*"
}
module "eks_workers" {
source = "cloudposse/eks-workers/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
attributes = ["small"]
instance_type = "t3.small"
eks_worker_ami_name_filter = local.eks_worker_ami_name_filter
vpc_id = module.vpc.vpc_id
subnet_ids = module.subnets.public_subnet_ids
health_check_type = var.health_check_type
min_size = var.min_size
max_size = var.max_size
wait_for_capacity_timeout = var.wait_for_capacity_timeout
cluster_name = module.label.id
cluster_endpoint = module.eks_cluster.eks_cluster_endpoint
cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data
cluster_security_group_id = module.eks_cluster.eks_cluster_managed_security_group_id
# Auto-scaling policies and CloudWatch metric alarms
autoscaling_policies_enabled = var.autoscaling_policies_enabled
cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent
cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent
context = module.label.context
}
module "eks_workers_2" {
source = "cloudposse/eks-workers/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
attributes = ["medium"]
instance_type = "t3.medium"
eks_worker_ami_name_filter = local.eks_worker_ami_name_filter
vpc_id = module.vpc.vpc_id
subnet_ids = module.subnets.public_subnet_ids
health_check_type = var.health_check_type
min_size = var.min_size
max_size = var.max_size
wait_for_capacity_timeout = var.wait_for_capacity_timeout
cluster_name = module.label.id
cluster_endpoint = module.eks_cluster.eks_cluster_endpoint
cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data
cluster_security_group_id = module.eks_cluster.eks_cluster_managed_security_group_id
# Auto-scaling policies and CloudWatch metric alarms
autoscaling_policies_enabled = var.autoscaling_policies_enabled
cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent
cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent
context = module.label.context
}
module "eks_cluster" {
source = "cloudposse/eks-cluster/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
subnet_ids = concat(module.subnets.private_subnet_ids, module.subnets.public_subnet_ids)
kubernetes_version = var.kubernetes_version
oidc_provider_enabled = true # needed for VPC CNI
access_entries_for_nodes = {
EC2_LINUX = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
}
context = module.label.context
}
Release 4.0.0
contains major breaking changes that will require you to update your existing EKS cluster
and configuration to use this module. Please see the v3 to v4 migration path for more information.
Release 2.0.0
(previously released as version 0.45.0
) contains some changes that,
if applied to a cluster created with an earlier version of this module,
could result in your existing EKS cluster being replaced (destroyed and recreated).
To prevent this, follow the instructions in the v1 to v2 migration path.
Prior to v4 of this module, AWS did not provide an API to manage access to the EKS cluster, causing numerous challenges. With v4 of this module, it exclusively uses the AWS API, resolving many issues you may read about that had affected prior versions. See the version 2 README and release notes for more information on the challenges and workarounds that were required prior to v3.
Variables
Required Variables
subnet_ids
(list(string)
) requiredA list of subnet IDs to launch the cluster in
Optional Variables
access_config
optionalAccess configuration for the EKS cluster.
Type:
object({
authentication_mode = optional(string, "API")
bootstrap_cluster_creator_admin_permissions = optional(bool, false)
})Default value:
{ }
access_entries
optionalList of IAM principles to allow to access the EKS cluster.
It is recommended to use the defaultuser_name
because the default includes
the IAM role or user name and the session name for assumed roles.
Use when Principal ARN is not known at plan time.Type:
list(object({
principal_arn = string
user_name = optional(string, null)
kubernetes_groups = optional(list(string), null)
}))Default value:
[ ]
access_entries_for_nodes
(map(list(string))
) optionalMap of list of IAM roles for the EKS non-managed worker nodes.
The map key is the node type, eitherEC2_LINUX
orEC2_WINDOWS
,
and the list contains the IAM roles of the nodes of that type.
There is no need for or utility in creating Fargate access entries, as those
are always created automatically by AWS, just as with managed nodes.
Use when Principal ARN is not known at plan time.Default value:
{ }
access_entry_map
optionalMap of IAM Principal ARNs to access configuration.
Preferred over other inputs as this configuration remains stable
when elements are added or removed, but it requires that the Principal ARNs
and Policy ARNs are known at plan time.
Can be used along with otheraccess_*
inputs, but do not duplicate entries.
Mapaccess_policy_associations
keys are policy ARNs, policy
full name (AmazonEKSViewPolicy), or short name (View).
It is recommended to use the defaultuser_name
because the default includes
IAM role or user name and the session name for assumed roles.
As a special case in support of backwards compatibility, membership in the
system:masters
group is is translated to an association with the ClusterAdmin policy.
In all other cases, including anysystem:*
group inkubernetes_groups
is prohibited.Type:
map(object({
# key is principal_arn
user_name = optional(string)
# Cannot assign "system:*" groups to IAM users, use ClusterAdmin and Admin instead
kubernetes_groups = optional(list(string), [])
type = optional(string, "STANDARD")
access_policy_associations = optional(map(object({
# key is policy_arn or policy_name
access_scope = optional(object({
type = optional(string, "cluster")
namespaces = optional(list(string))
}), {}) # access_scope
})), {}) # access_policy_associations
}))Default value:
{ }
access_policy_associations
optionalList of AWS managed EKS access policies to associate with IAM principles.
Use when Principal ARN or Policy ARN is not known at plan time.
policy_arn
can be the full ARN, the full name (AmazonEKSViewPolicy) or short name (View).Type:
list(object({
principal_arn = string
policy_arn = string
access_scope = object({
type = optional(string, "cluster")
namespaces = optional(list(string))
})
}))Default value:
[ ]
addons
optionalManages
aws_eks_addon
resources.
Note:resolve_conflicts
is deprecated. Ifresolve_conflicts
is set and
resolve_conflicts_on_create
orresolve_conflicts_on_update
is not set,
resolve_conflicts
will be used instead. Ifresolve_conflicts_on_create
is
not set andresolve_conflicts
isPRESERVE
,resolve_conflicts_on_create
will be set toNONE
.Type:
list(object({
addon_name = string
addon_version = optional(string, null)
configuration_values = optional(string, null)
# resolve_conflicts is deprecated, but we keep it for backwards compatibility
# and because if not declared, Terraform will silently ignore it.
resolve_conflicts = optional(string, null)
resolve_conflicts_on_create = optional(string, null)
resolve_conflicts_on_update = optional(string, null)
service_account_role_arn = optional(string, null)
create_timeout = optional(string, null)
update_timeout = optional(string, null)
delete_timeout = optional(string, null)
}))Default value:
[ ]
addons_depends_on
(any
) optionalIf provided, all addons will depend on this object, and therefore not be installed until this object is finalized.
This is useful if you want to ensure that addons are not applied before some other condition is met, e.g. node groups are created.
See issue #170 for more details.Default value:
null
allowed_cidr_blocks
(list(string)
) optionalA list of IPv4 CIDRs to allow access to the cluster.
The length of this list must be known at "plan" time.Default value:
[ ]
allowed_security_group_ids
(list(string)
) optionalA list of IDs of Security Groups to allow access to the cluster.
Default value:
[ ]
associated_security_group_ids
(list(string)
) optionalA list of IDs of Security Groups to associate the cluster with.
These security groups will not be modified.Default value:
[ ]
bootstrap_self_managed_addons_enabled
(bool
) optionalManages bootstrap of default networking addons after cluster has been created
Default value:
null
cloudwatch_log_group_class
(string
) optionalSpecified the log class of the log group. Possible values are:
STANDARD
orINFREQUENT_ACCESS
Default value:
null
cloudwatch_log_group_kms_key_id
(string
) optionalIf provided, the KMS Key ID to use to encrypt AWS CloudWatch logs
Default value:
null
cluster_attributes
(list(string)
) optionalOverride label module default cluster attributes
Default value:
[
"cluster"
]cluster_depends_on
(any
) optionalIf provided, the EKS will depend on this object, and therefore not be created until this object is finalized.
This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created.Default value:
null
cluster_encryption_config_enabled
(bool
) optionalSet to
true
to enable Cluster Encryption ConfigurationDefault value:
true
cluster_encryption_config_kms_key_deletion_window_in_days
(number
) optionalCluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction
Default value:
10
cluster_encryption_config_kms_key_enable_key_rotation
(bool
) optionalCluster Encryption Config KMS Key Resource argument - enable kms key rotation
Default value:
true
cluster_encryption_config_kms_key_id
(string
) optionalKMS Key ID to use for cluster encryption config
Default value:
""
cluster_encryption_config_kms_key_policy
(string
) optionalCluster Encryption Config KMS Key Resource argument - key policy
Default value:
null
cluster_encryption_config_resources
(list(any)
) optionalCluster Encryption Config Resources to encrypt, e.g. ['secrets']
Default value:
[
"secrets"
]cluster_log_retention_period
(number
) optionalNumber of days to retain cluster logs. Requires
enabled_cluster_log_types
to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html.Default value:
0
create_eks_service_role
(bool
) optionalSet
false
to use existingeks_cluster_service_role_arn
instead of creating oneDefault value:
true
custom_ingress_rules
optionalA List of Objects, which are custom security group rules that
Type:
list(object({
description = string
from_port = number
to_port = number
protocol = string
source_security_group_id = string
}))Default value:
[ ]
eks_cluster_service_role_arn
(string
) optionalThe ARN of an IAM role for the EKS cluster to use that provides permissions
for the Kubernetes control plane to perform needed AWS API operations.
Required ifcreate_eks_service_role
isfalse
, ignored otherwise.Default value:
null
enabled_cluster_log_types
(list(string)
) optionalA list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [
api
,audit
,authenticator
,controllerManager
,scheduler
]Default value:
[ ]
endpoint_private_access
(bool
) optionalIndicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false
Default value:
false
endpoint_public_access
(bool
) optionalIndicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true
Default value:
true
kubernetes_network_ipv6_enabled
(bool
) optionalSet true to use IPv6 addresses for Kubernetes pods and services
Default value:
false
kubernetes_version
(string
) optionalDesired Kubernetes master version. If you do not specify a value, the latest available version is used
Default value:
"1.21"
managed_security_group_rules_enabled
(bool
) optionalFlag to enable/disable the ingress and egress rules for the EKS managed Security Group
Default value:
true
oidc_provider_enabled
(bool
) optionalCreate an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a
service account in the cluster, instead of using kiam or kube2iam. For more information,
see EKS User Guide.Default value:
false
permissions_boundary
(string
) optionalIf provided, all IAM roles will be created with this permissions boundary attached
Default value:
null
public_access_cidrs
(list(string)
) optionalIndicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0.
Default value:
[
"0.0.0.0/0"
]region
(string
) optionalOBSOLETE (not needed): AWS Region
Default value:
null
service_ipv4_cidr
(string
) optionalThe CIDR block to assign Kubernetes service IP addresses from.
You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.Default value:
null
upgrade_policy
optionalConfiguration block for the support policy to use for the cluster
Type:
object({
support_type = optional(string, null)
})Default value:
null
zonal_shift_config
optionalConfiguration block with zonal shift configuration for the cluster
Type:
object({
enabled = optional(bool, null)
})Default value:
null
Context Variables
The following variables are defined in the context.tf
file of this module and part of the terraform-null-label pattern.
context.tf
file of this module and part of the terraform-null-label pattern.additional_tag_map
(map(string)
) optionalAdditional key-value pairs to add to each map in
tags_as_list_of_maps
. Not added totags
orid
.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.Required: No
Default value:
{ }
attributes
(list(string)
) optionalID element. Additional attributes (e.g.
workers
orcluster
) to add toid
,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by thedelimiter
and treated as a single ID element.Required: No
Default value:
[ ]
context
(any
) optionalSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables asnull
to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.Required: No
Default value:
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}delimiter
(string
) optionalDelimiter to be used between ID elements.
Defaults to-
(hyphen). Set to""
to use no delimiter at all.Required: No
Default value:
null
descriptor_formats
(any
) optionalDescribe additional descriptors to be output in the
descriptors
output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type isany
so the map values can later be enhanced to provide additional options.)
format
is a Terraform format string to be passed to theformat()
function.
labels
is a list of labels, in order, to pass toformat()
function.
Label values will be normalized before being passed toformat()
so they will be
identical to how they appear inid
.
Default is{}
(descriptors
output will be empty).Required: No
Default value:
{ }
enabled
(bool
) optionalSet to false to prevent the module from creating any resources
Required: NoDefault value:
null
environment
(string
) optionalID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: NoDefault value:
null
id_length_limit
(number
) optionalLimit
id
to this many characters (minimum 6).
Set to0
for unlimited length.
Set tonull
for keep the existing setting, which defaults to0
.
Does not affectid_full
.Required: No
Default value:
null
label_key_case
(string
) optionalControls the letter case of the
tags
keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via thetags
input.
Possible values:lower
,title
,upper
.
Default value:title
.Required: No
Default value:
null
label_order
(list(string)
) optionalThe order in which the labels (ID elements) appear in the
id
.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.Required: No
Default value:
null
label_value_case
(string
) optionalControls the letter case of ID elements (labels) as included in
id
,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via thetags
input.
Possible values:lower
,title
,upper
andnone
(no transformation).
Set this totitle
and setdelimiter
to""
to yield Pascal Case IDs.
Default value:lower
.Required: No
Default value:
null
labels_as_tags
(set(string)
) optionalSet of labels (ID elements) to include as tags in the
tags
output.
Default is to include all labels.
Tags with empty values will not be included in thetags
output.
Set to[]
to suppress all generated tags.
Notes:
The value of thename
tag, if included, will be theid
, not thename
.
Unlike othernull-label
inputs, the initial setting oflabels_as_tags
cannot be
changed in later chained modules. Attempts to change it will be silently ignored.Required: No
Default value:
[
"default"
]name
(string
) optionalID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as atag
.
The "name" tag is set to the fullid
string. There is no tag with the value of thename
input.Required: No
Default value:
null
namespace
(string
) optionalID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: NoDefault value:
null
regex_replace_chars
(string
) optionalTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set,"/[^a-zA-Z0-9-]/"
is used to remove all characters other than hyphens, letters and digits.Required: No
Default value:
null
stage
(string
) optionalID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: NoDefault value:
null
tags
(map(string)
) optionalAdditional tags (e.g.
{'BusinessUnit': 'XYZ'}
).
Neither the tag keys nor the tag values will be modified by this module.Required: No
Default value:
{ }
tenant
(string
) optionalID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: NoDefault value:
null
Outputs
cloudwatch_log_group_kms_key_id
KMS Key ID to encrypt AWS CloudWatch logs
cloudwatch_log_group_name
The name of the log group created in cloudwatch where cluster logs are forwarded to if enabled
cluster_encryption_config_enabled
If true, Cluster Encryption Configuration is enabled
cluster_encryption_config_provider_key_alias
Cluster Encryption Config KMS Key Alias ARN
cluster_encryption_config_provider_key_arn
Cluster Encryption Config KMS Key ARN
cluster_encryption_config_resources
Cluster Encryption Config Resources
eks_addons_versions
Map of enabled EKS Addons names and versions
eks_cluster_arn
The Amazon Resource Name (ARN) of the cluster
eks_cluster_certificate_authority_data
The Kubernetes cluster certificate authority data
eks_cluster_endpoint
The endpoint for the Kubernetes API server
eks_cluster_id
The name of the cluster
eks_cluster_identity_oidc_issuer
The OIDC Identity issuer for the cluster
eks_cluster_identity_oidc_issuer_arn
The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account
eks_cluster_ipv4_service_cidr
The IPv4 CIDR block that Kubernetes pod and service IP addresses are assigned from
ifkubernetes_network_ipv6_enabled
is set to false. If set to true this output will be null.eks_cluster_ipv6_service_cidr
The IPv6 CIDR block that Kubernetes pod and service IP addresses are assigned from
ifkubernetes_network_ipv6_enabled
is set to true. If set to false this output will be null.eks_cluster_managed_security_group_id
Security Group ID that was created by EKS for the cluster.
EKS creates a Security Group and applies it to the ENI that are attached to EKS Control Plane master nodes and to any managed workloads.eks_cluster_role_arn
ARN of the EKS cluster IAM role
eks_cluster_version
The Kubernetes server version of the cluster
Dependencies
Requirements
terraform
, version:>= 1.3.0
aws
, version:>= 5.74.0
tls
, version:>= 3.1.0, != 4.0.0
Providers
aws
, version:>= 5.74.0
tls
, version:>= 3.1.0, != 4.0.0
Modules
Name | Version | Source | Description |
---|---|---|---|
label | 0.25.0 | cloudposse/label/null | n/a |
this | 0.25.0 | cloudposse/label/null | n/a |
Resources
The following resources are used by this module:
aws_cloudwatch_log_group.default
(resource)aws_eks_access_entry.linux
(resource)aws_eks_access_entry.map
(resource)aws_eks_access_entry.standard
(resource)aws_eks_access_entry.windows
(resource)aws_eks_access_policy_association.list
(resource)aws_eks_access_policy_association.map
(resource)aws_eks_addon.cluster
(resource)aws_eks_cluster.default
(resource)aws_iam_openid_connect_provider.default
(resource)aws_iam_policy.cluster_elb_service_role
(resource)aws_iam_role.default
(resource)aws_iam_role_policy_attachment.amazon_eks_cluster_policy
(resource)aws_iam_role_policy_attachment.amazon_eks_service_policy
(resource)aws_iam_role_policy_attachment.cluster_elb_service_role
(resource)aws_kms_alias.cluster
(resource)aws_kms_key.cluster
(resource)aws_vpc_security_group_ingress_rule.custom_ingress_rules
(resource)aws_vpc_security_group_ingress_rule.managed_ingress_cidr_blocks
(resource)aws_vpc_security_group_ingress_rule.managed_ingress_security_groups
(resource)
Data Sources
The following data sources are used by this module:
aws_iam_policy_document.assume_role
(data source)aws_iam_policy_document.cluster_elb_service_role
(data source)aws_partition.current
(data source)tls_certificate.cluster
(data source)