Terraform module which creates AWS EKS (Kubernetes) resources
- Frequently Asked Questions
- Compute Resources
- IRSA Integration
- User Data
- Network Connectivity
- Upgrade Guides
Please note that we strive to provide a comprehensive suite of documentation for configuring and utilizing the module(s) defined here, and that documentation regarding EKS (including EKS managed node group, self managed node group, and Fargate profile) and/or Kubernetes features, usage, etc. are better left up to their respective sources:
The examples provided under examples/ provide a comprehensive suite of configurations that demonstrate nearly all of the possible different configurations and settings that can be used with this module. However, these examples are not representative of clusters that you would normally find in use for production workloads. For reference architectures that utilize this module, please see the following:
- AWS EKS Cluster Addons
- AWS EKS Identity Provider Configuration
- AWS EKS on Outposts support
- All node types are supported:
- Support for creating Karpenter related AWS infrastructure resources (e.g. IAM roles, SQS queue, EventBridge rules, etc.)
- Support for custom AMI, custom launch template, and custom user data including custom user data template
- Support for Amazon Linux 2 EKS Optimized AMI and Bottlerocket nodes
- Windows based node support is limited to a default user data template that is provided due to the lack of Windows support and manual steps required to provision Windows based EKS nodes
- Support for module created security group, bring your own security groups, as well as adding additional security group rules to the module created security group(s)
- Support for creating node groups/profiles separate from the cluster through the use of sub-modules (same as what is used by root module)
- Support for node group/profile "default" settings - useful for when creating multiple node groups/Fargate profiles where you want to set a common set of configurations once, and then individually control only select features on certain node groups/profiles
An IAM role for service accounts (IRSA) sub-module has been created to make deploying common addons/controllers easier. Instead of users having to create a custom IAM role with the necessary federated role assumption required for IRSA plus find and craft the associated policy required for the addon/controller, users can create the IRSA role and policy with a few lines of code. See the terraform-aws-iam/examples/iam-role-for-service-accounts directory for examples on how to use the IRSA sub-module in conjunction with this (terraform-aws-eks) module.
Some of the addon/controller policies that are currently supported include:
- Cert-Manager
- Cluster Autoscaler
- EBS CSI Driver
- EFS CSI Driver
- External DNS
- External Secrets
- FSx for Lustre CSI Driver
- Karpenter
- Load Balancer Controller
- App Mesh Controller
- Managed Service for Prometheus
- Node Termination Handler
- Velero
- VPC CNI
See terraform-aws-iam/modules/iam-role-for-service-accounts for current list of supported addon/controller policies as more are added to the project.
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 19.0"
cluster_name = "my-cluster"
cluster_version = "1.27"
cluster_endpoint_public_access = true
cluster_addons = {
coredns = {
most_recent = true
}
kube-proxy = {
most_recent = true
}
vpc-cni = {
most_recent = true
}
}
vpc_id = "vpc-1234556abcdef"
subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
control_plane_subnet_ids = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]
# Self Managed Node Group(s)
self_managed_node_group_defaults = {
instance_type = "m6i.large"
update_launch_template_default_version = true
iam_role_additional_policies = {
AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
}
self_managed_node_groups = {
one = {
name = "mixed-1"
max_size = 5
desired_size = 2
use_mixed_instances_policy = true
mixed_instances_policy = {
instances_distribution = {
on_demand_base_capacity = 0
on_demand_percentage_above_base_capacity = 10
spot_allocation_strategy = "capacity-optimized"
}
override = [
{
instance_type = "m5.large"
weighted_capacity = "1"
},
{
instance_type = "m6i.large"
weighted_capacity = "2"
},
]
}
}
}
# EKS Managed Node Group(s)
eks_managed_node_group_defaults = {
instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
}
eks_managed_node_groups = {
blue = {}
green = {
min_size = 1
max_size = 10
desired_size = 1
instance_types = ["t3.large"]
capacity_type = "SPOT"
}
}
# Fargate Profile(s)
fargate_profiles = {
default = {
name = "default"
selectors = [
{
namespace = "default"
}
]
}
}
# aws-auth configmap
manage_aws_auth_configmap = true
aws_auth_roles = [
{
rolearn = "arn:aws:iam::66666666666:role/role1"
username = "role1"
groups = ["system:masters"]
},
]
aws_auth_users = [
{
userarn = "arn:aws:iam::66666666666:user/user1"
username = "user1"
groups = ["system:masters"]
},
{
userarn = "arn:aws:iam::66666666666:user/user2"
username = "user2"
groups = ["system:masters"]
},
]
aws_auth_accounts = [
"777777777777",
"888888888888",
]
tags = {
Environment = "dev"
Terraform = "true"
}
}- Complete: EKS Cluster using all available node group types in various combinations demonstrating many of the supported features and configurations
- EKS Managed Node Group: EKS Cluster using EKS managed node groups
- Fargate Profile: EKS cluster using Fargate Profiles
- Karpenter: EKS Cluster with Karpenter provisioned for intelligent data plane management
- Outposts: EKS local cluster provisioned on AWS Outposts
- Self Managed Node Group: EKS Cluster using self-managed node groups
- User Data: Various supported methods of providing necessary bootstrap scripts and configuration settings via user data
We are grateful to the community for contributing bugfixes and improvements! Please see below to learn how you can take part.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.57 |
| kubernetes | >= 2.10 |
| time | >= 0.9 |
| tls | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 4.57 |
| kubernetes | >= 2.10 |
| time | >= 0.9 |
| tls | >= 3.0 |
| Name | Source | Version |
|---|---|---|
| eks_managed_node_group | ./modules/eks-managed-node-group | n/a |
| fargate_profile | ./modules/fargate-profile | n/a |
| kms | terraform-aws-modules/kms/aws | 2.1.0 |
| self_managed_node_group | ./modules/self-managed-node-group | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_cluster_encryption_policy | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | bool |
true |
no |
| aws_auth_accounts | List of account maps to add to the aws-auth configmap | list(any) |
[] |
no |
| aws_auth_fargate_profile_pod_execution_role_arns | List of Fargate profile pod execution role ARNs to add to the aws-auth configmap | list(string) |
[] |
no |
| aws_auth_node_iam_role_arns_non_windows | List of non-Windows based node IAM role ARNs to add to the aws-auth configmap | list(string) |
[] |
no |
| aws_auth_node_iam_role_arns_windows | List of Windows based node IAM role ARNs to add to the aws-auth configmap | list(string) |
[] |
no |
| aws_auth_roles | List of role maps to add to the aws-auth configmap | list(any) |
[] |
no |
| aws_auth_users | List of user maps to add to the aws-auth configmap | list(any) |
[] |
no |
| cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string |
null |
no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention - 90 days | number |
90 |
no |
| cloudwatch_log_group_tags | A map of additional tags to add to the cloudwatch log group created | map(string) |
{} |
no |
| cluster_additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | list(string) |
[] |
no |
| cluster_addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with name |
any |
{} |
no |
| cluster_addons_timeouts | Create, update, and delete timeout configurations for the cluster addons | map(string) |
{} |
no |
| cluster_enabled_log_types | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | list(string) |
[ |
no |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to {} |
any |
{ |
no |
| cluster_encryption_policy_description | Description of the cluster encryption policy created | string |
"Cluster encryption policy to allow cluster role to utilize CMK provided" |
no |
| cluster_encryption_policy_name | Name to use on cluster encryption policy created | string |
null |
no |
| cluster_encryption_policy_path | Cluster encryption policy path | string |
null |
no |
| cluster_encryption_policy_tags | A map of additional tags to add to the cluster encryption policy created | map(string) |
{} |
no |
| cluster_encryption_policy_use_name_prefix | Determines whether cluster encryption policy name (cluster_encryption_policy_name) is used as a prefix |
bool |
true |
no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled | bool |
true |
no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled | bool |
false |
no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | list(string) |
[ |
no |
| cluster_iam_role_dns_suffix | Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China) | string |
null |
no |
| cluster_identity_providers | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | any |
{} |
no |
| cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created |
string |
null |
no |
| cluster_name | Name of the EKS cluster | string |
"" |
no |
| cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source |
any |
{} |
no |
| cluster_security_group_description | Description of the cluster security group created | string |
"EKS cluster security group" |
no |
| cluster_security_group_id | Existing security group ID to be attached to the cluster | string |
"" |
no |
| cluster_security_group_name | Name to use on cluster security group created | string |
null |
no |
| cluster_security_group_tags | A map of additional tags to add to the cluster security group created | map(string) |
{} |
no |
| cluster_security_group_use_name_prefix | Determines whether cluster security group name (cluster_security_group_name) is used as a prefix |
bool |
true |
no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | string |
null |
no |
| cluster_service_ipv6_cidr | The CIDR block to assign Kubernetes pod and service IP addresses from if ipv6 was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster |
string |
null |
no |
| cluster_tags | A map of additional tags to add to the cluster | map(string) |
{} |
no |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) |
{} |
no |
| cluster_version | Kubernetes <major>.<minor> version to use for the EKS cluster (i.e.: 1.27) |
string |
null |
no |
| control_plane_subnet_ids | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | list(string) |
[] |
no |
| create | Controls if EKS resources should be created (affects nearly all resources) | bool |
true |
no |
| create_aws_auth_configmap | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use manage_aws_auth_configmap |
bool |
false |
no |
| create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool |
true |
no |
| create_cluster_primary_security_group_tags | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | bool |
true |
no |
| create_cluster_security_group | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | bool |
true |
no |
| create_cni_ipv6_iam_policy | Determines whether to create an AmazonEKS_CNI_IPv6_Policy |
bool |
false |
no |
| create_iam_role | Determines whether a an IAM role is created or to use an existing IAM role | bool |
true |
no |
| create_kms_key | Controls if a KMS key for cluster encryption should be created | bool |
true |
no |
| create_node_security_group | Determines whether to create a security group for the node groups or use the existing node_security_group_id |
bool |
true |
no |
| custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | list(string) |
[] |
no |
| dataplane_wait_duration | Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed nodegroup(s), self-managed nodegroup(s), Fargate profile(s)) | string |
"30s" |
no |
| eks_managed_node_group_defaults | Map of EKS managed node group default configurations | any |
{} |
no |
| eks_managed_node_groups | Map of EKS managed node group definitions to create | any |
{} |
no |
| enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | bool |
true |
no |
| enable_kms_key_rotation | Specifies whether key rotation is enabled. Defaults to true |
bool |
true |
no |
| fargate_profile_defaults | Map of Fargate Profile default configurations | any |
{} |
no |
| fargate_profiles | Map of Fargate Profile definitions to create | any |
{} |
no |
| iam_role_additional_policies | Additional policies to be added to the IAM role | map(string) |
{} |
no |
| iam_role_arn | Existing IAM role ARN for the cluster. Required if create_iam_role is set to false |
string |
null |
no |
| iam_role_description | Description of the role | string |
null |
no |
| iam_role_name | Name to use on IAM role created | string |
null |
no |
| iam_role_path | Cluster IAM role path | string |
null |
no |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string |
null |
no |
| iam_role_tags | A map of additional tags to add to the IAM role created | map(string) |
{} |
no |
| iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix |
bool |
true |
no |
| include_oidc_root_ca_thumbprint | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | bool |
true |
no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available | list(string) |
[] |
no |
| kms_key_aliases | A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values |
list(string) |
[] |
no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 |
number |
null |
no |
| kms_key_description | The description of the key as viewed in AWS console | string |
null |
no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy. Defaults to false |
bool |
false |
no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid |
list(string) |
[] |
no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (kms:*) |
list(string) |
[] |
no |
| kms_key_service_users | A list of IAM ARNs for key service users | list(string) |
[] |
no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids |
list(string) |
[] |
no |
| kms_key_users | A list of IAM ARNs for key users | list(string) |
[] |
no |
| manage_aws_auth_configmap | Determines whether to manage the aws-auth configmap | bool |
false |
no |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source |
any |
{} |
no |
| node_security_group_description | Description of the node security group created | string |
"EKS node shared security group" |
no |
| node_security_group_enable_recommended_rules | Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic | bool |
true |
no |
| node_security_group_id | ID of an existing security group to attach to the node groups created | string |
"" |
no |
| node_security_group_name | Name to use on node security group created | string |
null |
no |
| node_security_group_tags | A map of additional tags to add to the node security group created | map(string) |
{} |
no |
| node_security_group_use_name_prefix | Determines whether node security group name (node_security_group_name) is used as a prefix |
bool |
true |
no |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | list(string) |
[] |
no |
| outpost_config | Configuration for the AWS Outpost to provision the cluster on | any |
{} |
no |
| prefix_separator | The separator to use between the prefix and the generated timestamp for resource names | string |
"-" |
no |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool |
true |
no |
| self_managed_node_group_defaults | Map of self-managed node group default configurations | any |
{} |
no |
| self_managed_node_groups | Map of self-managed node group definitions to create | any |
{} |
no |
| subnet_ids | A list of subnet IDs where the nodes/node groups will be provisioned. If control_plane_subnet_ids is not provided, the EKS cluster control plane (ENIs) will be provisioned in these subnets |
list(string) |
[] |
no |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
| vpc_id | ID of the VPC where the cluster security group will be provisioned | string |
null |
no |
| Name | Description |
|---|---|
| aws_auth_configmap_yaml | [DEPRECATED - use var.manage_aws_auth_configmap] Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles |
| cloudwatch_log_group_arn | Arn of cloudwatch log group created |
| cloudwatch_log_group_name | Name of cloudwatch log group created |
| cluster_addons | Map of attribute maps for all EKS cluster addons enabled |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| cluster_endpoint | Endpoint for your Kubernetes API server |
| cluster_iam_role_arn | IAM role ARN of the EKS cluster |
| cluster_iam_role_name | IAM role name of the EKS cluster |
| cluster_iam_role_unique_id | Stable and unique string identifying the IAM role |
| cluster_id | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts |
| cluster_identity_providers | Map of attribute maps for all EKS identity providers enabled |
| cluster_name | The name of the EKS cluster |
| cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_platform_version | Platform version for the cluster |
| cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| cluster_security_group_arn | Amazon Resource Name (ARN) of the cluster security group |
| cluster_security_group_id | ID of the cluster security group |
| cluster_status | Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED |
| cluster_tls_certificate_sha1_fingerprint | The SHA1 fingerprint of the public key of the cluster's certificate |
| cluster_version | The Kubernetes version for the cluster |
| eks_managed_node_groups | Map of attribute maps for all EKS managed node groups created |
| eks_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by EKS managed node groups |
| fargate_profiles | Map of attribute maps for all EKS Fargate Profiles created |
| kms_key_arn | The Amazon Resource Name (ARN) of the key |
| kms_key_id | The globally unique identifier for the key |
| kms_key_policy | The IAM resource policy set on the key |
| node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| node_security_group_id | ID of the node shared security group |
| oidc_provider | The OpenID Connect identity provider (issuer URL without leading https://) |
| oidc_provider_arn | The ARN of the OIDC Provider if enable_irsa = true |
| self_managed_node_groups | Map of attribute maps for all self managed node groups created |
| self_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by self-managed node groups |
Apache 2 Licensed. See LICENSE for full details.
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!