Amazon EKS

Deploy Kubernetes on top of Amazon Elastic Kubernetes Service (EKS)

View on GitHub

Reference

Inputs

• additional_security_groups_for_control_plane — A list of additional security group IDs to attach to the control plane.

• additional_security_groups_for_workers — A list of additional security group IDs to attach to the worker nodes.

• alarms_sns_topic_arn — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications.

• allow_inbound_api_access_from_cidr_blocks — The list of CIDR blocks to allow inbound access to the Kubernetes API.

• allow_inbound_ssh_from_cidr_blocks — The list of CIDR blocks to allow inbound SSH access to the worker groups.

• allow_inbound_ssh_from_security_groups — The list of security group IDs to allow inbound SSH access to the worker groups.

• allow_private_api_access_from_cidr_blocks — The list of CIDR blocks to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint).

• allow_private_api_access_from_security_groups — The list of security groups to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint).

• asg_default_instance_root_volume_encryption — Default value for the asg_instance_root_volume_encryption field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_encryption will use this value.

• asg_default_instance_root_volume_size — Default value for the asg_instance_root_volume_size field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_size will use this value.

• asg_default_instance_root_volume_type — Default value for the asg_instance_root_volume_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_type will use this value.

• asg_default_instance_type — Default value for the asg_instance_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_type will use this value.

• asg_default_max_size — Default value for the max_size field of autoscaling_group_configurations. Any map entry that does not specify max_size will use this value.

• asg_default_min_size — Default value for the min_size field of autoscaling_group_configurations. Any map entry that does not specify min_size will use this value.

• asg_default_multi_instance_overrides — Default value for the multi_instance_overrides field of autoscaling_group_configurations. Any map entry that does not specify multi_instance_overrides will use this value.

• asg_default_on_demand_allocation_strategy — Default value for the on_demand_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify on_demand_allocation_strategy will use this value.

• asg_default_on_demand_base_capacity — Default value for the on_demand_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_base_capacity will use this value.

• asg_default_on_demand_percentage_above_base_capacity — Default value for the on_demand_percentage_above_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_percentage_above_base_capacity will use this value.

• asg_default_spot_allocation_strategy — Default value for the spot_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify spot_allocation_strategy will use this value.

• asg_default_spot_instance_pools — Default value for the spot_instance_pools field of autoscaling_group_configurations. Any map entry that does not specify spot_instance_pools will use this value.

• asg_default_spot_max_price — Default value for the spot_max_price field of autoscaling_group_configurations. Any map entry that does not specify spot_max_price will use this value. Set to empty string (default) to mean on-demand price.

• asg_default_tags — Default value for the tags field of autoscaling_group_configurations. Any map entry that does not specify tags will use this value.

• asg_default_use_multi_instances_policy — Default value for the use_multi_instances_policy field of autoscaling_group_configurations. Any map entry that does not specify use_multi_instances_policy will use this value.

• asg_iam_instance_profile_name — Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If asg_use_resource_name_prefix is true, this will be used as a name prefix.

• asg_iam_permissions_boundary — ARN of a permission boundary to apply on the IAM role created for the self managed workers.

• asg_security_group_tags — A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value.

• asg_use_resource_name_prefix — When true, all the relevant resources for self managed workers will be set to use the name_prefix attribute so that unique names are generated for them. This allows those resources to support recreation through create_before_destroy lifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster.

• autoscaling_group_configurations — Configure one or more Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. If any of the values are not provided, the specified default variable will be used to lookup a default value.

• autoscaling_group_include_autoscaler_discovery_tags — Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them.

• aws_auth_merger_default_configmap_name — Name of the default aws-auth ConfigMap to use. This will be the name of the ConfigMap that gets created by this module in the aws-auth-merger namespace to seed the initial aws-auth ConfigMap.

• aws_auth_merger_image — Location of the container image to use for the aws-auth-merger app. You can use the Dockerfile provided in terraform-aws-eks to construct an image. See https://github.com/gruntwork-io/terraform-aws-eks/blob/master/modules/eks-aws-auth-merger/core-concepts.md#how-do-i-use-the-aws-auth-merger for more info.

• aws_auth_merger_namespace — Namespace to deploy the aws-auth-merger into. The app will watch for ConfigMaps in this Namespace to merge into the aws-auth ConfigMap.

• cloud_init_parts — Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. To override the default boot script installed as part of the module, use the key default.

• cluster_iam_role_permissions_boundary — ARN of permissions boundary to apply to the cluster IAM role - the IAM role created for the EKS cluster.

• cluster_instance_ami — The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of cluster_instance_ami or cluster_instance_ami_filters is required. Only used if cluster_instance_ami_filters is null. Set to null if cluster_instance_ami_filters is set.

• cluster_instance_ami_filters — Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of cluster_instance_ami or cluster_instance_ami_filters is required. If both are defined, cluster_instance_ami_filters will be used. Set to null if cluster_instance_ami is set.

• cluster_instance_associate_public_ip_address — Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet.

• cluster_instance_keypair_name — The name of the Key Pair that can be used to SSH to each instance in the EKS cluster

• cluster_name — The name of the EKS cluster

• control_plane_disallowed_availability_zones — A list of availability zones in the region that we CANNOT use to deploy the EKS control plane. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones.

• control_plane_vpc_subnet_ids — List of IDs of the subnets that can be used for the EKS Control Plane.

• create_default_fargate_iam_role — When true, IAM role will be created and attached to Fargate control plane services.

• custom_default_fargate_iam_role_name — The name to use for the default Fargate execution IAM role that is created when create_default_fargate_iam_role is true. When null, defaults to CLUSTER_NAME-fargate-role.

• custom_worker_egress_security_group_rules — A map of unique identifiers to egress security group rules to attach to the worker groups.

• custom_worker_ingress_security_group_rules — A map of unique identifiers to ingress security group rules to attach to the worker groups.

• dashboard_cpu_usage_widget_parameters — Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard.

• dashboard_disk_usage_widget_parameters — Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard.

• dashboard_memory_usage_widget_parameters — Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard.

• eks_cluster_security_group_tags — A map of custom tags to apply to the Security Group for the EKS Cluster Control Plane. The key is the tag name and the value is the tag value.

• eks_cluster_tags — A map of custom tags to apply to the EKS Cluster Control Plane. The key is the tag name and the value is the tag value.

• enable_aws_auth_merger — If set to true, installs the aws-auth-merger to manage the aws-auth configuration. When true, requires setting the aws_auth_merger_image variable.

• enable_aws_auth_merger_fargate — When true, deploy the aws-auth-merger into Fargate. It is recommended to run the aws-auth-merger on Fargate to avoid chicken and egg issues between the aws-auth-merger and having an authenticated worker pool.

• enable_cloudwatch_alarms — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.

• enable_cloudwatch_metrics — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host.

• enable_fail2ban — Enable fail2ban to block brute force log in attempts. Defaults to true.

• enabled_control_plane_log_types — A list of the desired control plane logging to enable. See https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html for the list of available logs.

• endpoint_public_access — Whether or not to enable public API endpoints which allow access to the Kubernetes API from outside of the VPC. Note that private access within the VPC is always enabled.

• external_account_ssh_grunt_role_arn — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

• fargate_profile_executor_iam_role_arns_for_k8s_role_mapping — List of ARNs of AWS IAM roles corresponding to Fargate Profiles that should be mapped as Kubernetes Nodes.

• fargate_worker_disallowed_availability_zones — A list of availability zones in the region that we CANNOT use to deploy the EKS Fargate workers. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones.

• iam_role_to_rbac_group_mapping — Mapping of IAM role ARNs to Kubernetes RBAC groups that grant permissions to the user.

• iam_user_to_rbac_group_mapping — Mapping of IAM user ARNs to Kubernetes RBAC groups that grant permissions to the user.

• kubernetes_version — Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).

• managed_node_group_configurations — Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups.

• node_group_default_capacity_type — Default value for capacity_type field of managed_node_group_configurations.

• node_group_default_desired_size — Default value for desired_size field of managed_node_group_configurations.

• node_group_default_instance_root_volume_encryption — Default value for the instance_root_volume_encryption field of managed_node_group_configurations.

• node_group_default_instance_root_volume_size — Default value for the instance_root_volume_size field of managed_node_group_configurations.

• node_group_default_instance_root_volume_type — Default value for the instance_root_volume_type field of managed_node_group_configurations.

• node_group_default_instance_types — Default value for instance_types field of managed_node_group_configurations.

• node_group_default_labels — Default value for labels field of managed_node_group_configurations. Unlike common_labels which will always be merged in, these labels are only used if the labels field is omitted from the configuration.

• node_group_default_max_size — Default value for max_size field of managed_node_group_configurations.

• node_group_default_min_size — Default value for min_size field of managed_node_group_configurations.

• node_group_default_subnet_ids — Default value for subnet_ids field of managed_node_group_configurations.

• node_group_default_tags — Default value for tags field of managed_node_group_configurations. Unlike common_tags which will always be merged in, these tags are only used if the tags field is omitted from the configuration.

• node_group_iam_permissions_boundary — ARN of a permission boundary to apply on the IAM role created for the managed node groups.

• node_group_launch_template_instance_type — The instance type to configure in the launch template. This value will be used when the instance_types field is set to null (NOT omitted, in which case node_group_default_instance_types will be used).

• node_group_security_group_tags — A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value.

• num_control_plane_vpc_subnet_ids — Number of subnets provided in the control_plane_vpc_subnet_ids variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and for_each can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module).

• num_worker_vpc_subnet_ids — Number of subnets provided in the worker_vpc_subnet_ids variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and for_each can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module).

• schedule_control_plane_services_on_fargate — When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and create_default_fargate_iam_role be set to true.

• secret_envelope_encryption_kms_key_arn — ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By default Secrets in EKS are encrypted at rest at the EBS layer in the managed etcd cluster using shared AWS managed keys. Setting this variable will configure Kubernetes to use envelope encryption to encrypt Secrets using this KMS key on top of the EBS layer encryption.

• ssh_grunt_iam_group — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

• ssh_grunt_iam_group_sudo — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

• tenancy — The tenancy of this server. Must be one of: default, dedicated, or host.

• use_exec_plugin_for_auth — If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.

• use_kubergrunt_sync_components — When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated.

• use_kubergrunt_to_fetch_token — EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.

• use_kubergrunt_verification — When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead.

• vpc_id — ID of the VPC where the EKS resources will be deployed.

• worker_iam_role_arns_for_k8s_role_mapping — List of ARNs of AWS IAM roles corresponding to EC2 instances that should be mapped as Kubernetes Nodes.

• worker_name_prefix — Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default.

• worker_vpc_subnet_ids — A list of the subnets into which the EKS Cluster's administrative pods will be launched. These should usually be all private subnets and include one in each AWS Availability Zone. Required when schedule_control_plane_services_on_fargate is true.

Outputs

• aws_auth_merger_namespace — The namespace name for the aws-auth-merger add on, if created.

• eks_cluster_arn — The ARN of the EKS cluster that was deployed.

• eks_cluster_name — The name of the EKS cluster that was deployed.

• eks_default_fargate_execution_role_arn — A basic IAM Role ARN that has the minimal permissions to pull images from ECR that can be used for most Pods as Fargate Execution Role that do not need to interact with AWS.

• eks_iam_role_for_service_accounts_config — Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This outputs a map with two properties: `openid_connect_provider_arn and [``openid_connect_provider_url](#openid_connect_provider_url). The `openid_connect_provider_arn is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while [``openid_connect_provider_url](#openid_connect_provider_url) is the URL.

• eks_kubeconfig — Minimal configuration for kubectl to authenticate with the created EKS cluster.

• eks_worker_asg_names — The list of names of the ASGs that were deployed to act as EKS workers.

• managed_node_group_worker_iam_role_arn — The ARN of the IAM role associated with the Managed Node Group EKS workers.

• managed_node_group_worker_iam_role_name — The name of the IAM role associated with the Managed Node Group EKS workers.

• managed_node_group_worker_shared_security_group_id — The ID of the common AWS Security Group associated with all the managed EKS workers.

• metric_widget_worker_cpu_usage — A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the EKS workers (self-managed and managed node groups).

• metric_widget_worker_disk_usage — A CloudWatch Dashboard widget that graphs disk usage (percentage) of the EKS workers (self-managed and managed node groups).

• metric_widget_worker_memory_usage — A CloudWatch Dashboard widget that graphs memory usage (percentage) of the EKS workers (self-managed and managed node groups).

• self_managed_worker_iam_role_arn — The ARN of the IAM role associated with the self-managed EKS workers.

• self_managed_worker_iam_role_name — The name of the IAM role associated with the self-managed EKS workers.

• self_managed_worker_security_group_id — The ID of the AWS Security Group associated with the self-managed EKS workers.