diff --git a/.auth.tf.swp b/.auth.tf.swp new file mode 100755 index 0000000..6a51810 Binary files /dev/null and b/.auth.tf.swp differ diff --git a/.gitignore b/.gitignore old mode 100644 new mode 100755 diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 index d93a320..85f7ba9 --- a/README.md +++ b/README.md @@ -1,628 +1,303 @@ - -[![README Header][readme_header_img]][readme_header_link] - -[![Cloud Posse][logo]](https://cpco.io/homepage) - -# terraform-aws-eks-cluster [![Codefresh Build Status](https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-eks-cluster?type=cf-1)](https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d8cd583941e46a098d3992d) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg)](https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) - - -Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS. - - ---- - -This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. -[][share_email] -[][share_googleplus] -[][share_facebook] -[][share_reddit] -[][share_linkedin] -[][share_twitter] - - -[![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] - - - -It's 100% Open Source and licensed under the [APACHE2](LICENSE). - - - - - - - -We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! - - - - - - -## Introduction - -The module provisions the following resources: - -- EKS cluster of master nodes that can be used together with the [terraform-aws-eks-workers](https://github.com/cloudposse/terraform-aws-eks-workers) module to create a full-blown cluster -- IAM Role to allow the cluster to access other AWS services -- Security Group which is used by EKS workers to connect to the cluster and kubelets and pods to receive communication from the cluster control plane (see [terraform-aws-eks-workers](https://github.com/cloudposse/terraform-aws-eks-workers)) -- The module creates and automatically applies (via `kubectl apply`) an authentication ConfigMap to allow the wrokers nodes to join the cluster and to add additional users/roles/accounts - -### Works with [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html) - -To run on Terraform Cloud, set the following variables: - - ```hcl - install_aws_cli = true - install_kubectl = true - external_packages_install_path = "~/.terraform/bin" - kubeconfig_path = "~/.kube/config" - configmap_auth_file = "/home/terraform/.terraform/configmap-auth.yaml" - - # Optional - aws_eks_update_kubeconfig_additional_arguments = "--verbose" - aws_cli_assume_role_arn = "arn:aws:iam::xxxxxxxxxxx:role/OrganizationAccountAccessRole" - aws_cli_assume_role_session_name = "eks_cluster_example_session" - ``` - - Terraform Cloud executes `terraform plan/apply` on workers running Ubuntu. - For the module to provision the authentication ConfigMap (to allow the EKS worker nodes to join the EKS cluster and to add additional users/roles/accounts), - AWS CLI and `kubectl` need to be installed on Terraform Cloud workers. - - To install the required external packages, set the variables `install_aws_cli` and `install_kubectl` to `true` and specify `external_packages_install_path`, `kubeconfig_path` and `configmap_auth_file`. - - See [auth.tf](auth.tf) and [Installing Software in the Run Environment](https://www.terraform.io/docs/cloud/run/install-software.html) for more details. - - In a multi-account architecture, we might have a separate identity account where we provision all IAM users, and other accounts (e.g. `prod`, `staging`, `dev`, `audit`, `testing`) - where all other AWS resources are provisioned. The IAM Users from the identity account can assume IAM roles to access the other accounts. - - In this case, we provide Terraform Cloud with access keys (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) for an IAM User from the identity account - and allow it to assume an IAM Role into the AWS account where the module gets provisioned. - - To support this, the module can assume an IAM role before executing the command `aws eks update-kubeconfig` when applying the auth ConfigMap. - - Set variable `aws_cli_assume_role_arn` to the Amazon Resource Name (ARN) of the role to assume and variable `aws_cli_assume_role_session_name` to the identifier for the assumed role session. - - See [auth.tf](auth.tf) and [assume-role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) for more details. +# Terraform AWS EKS Cluster Module + +## Overview + +This Terraform module provisions an Amazon EKS (Elastic Kubernetes Service) cluster with comprehensive configuration options including VPC integration, IAM roles, security groups, OIDC provider support, and ConfigMap authentication management for worker nodes. + +## Features + +- Complete EKS cluster provisioning +- Configurable Kubernetes version +- VPC and subnet integration +- Security group management with flexible ingress rules +- IAM roles and policies for cluster operation +- OIDC Identity Provider for IAM roles for service accounts (IRSA) +- ConfigMap-based authentication for worker nodes +- Support for private and public API endpoints +- Control plane logging configuration +- CloudPosse naming conventions +- Conditional module enablement + +## Resources Created + +### EKS +- AWS EKS Cluster +- EKS Cluster IAM Role +- EKS Cluster Security Group + +### IAM +- IAM Role for EKS cluster +- IAM Policy Attachments: + - AmazonEKSClusterPolicy + - AmazonEKSServicePolicy +- IAM OIDC Identity Provider (optional) + +### Security +- Security Group for cluster +- Security Group Rules (egress, worker ingress, custom ingress) + +### Authentication +- ConfigMap for AWS auth (optional) +- Kubeconfig file generation (optional) ## Usage - -**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases. -Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-eks-cluster/releases). - - - -For a complete example, see [examples/complete](examples/complete). - -For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest) (which tests and deploys the example on AWS), see [test](test). - -Other examples: - -- [terraform-root-modules/eks](https://github.com/cloudposse/terraform-root-modules/tree/master/aws/eks) - Cloud Posse's service catalog of "root module" invocations for provisioning reference architectures -- [terraform-root-modules/eks-backing-services-peering](https://github.com/cloudposse/terraform-root-modules/tree/master/aws/eks-backing-services-peering) - example of VPC peering between the EKS VPC and backing services VPC +### Basic Example ```hcl - provider "aws" { - region = var.region - } - - module "label" { - source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master" - namespace = var.namespace - name = var.name - stage = var.stage - delimiter = var.delimiter - attributes = compact(concat(var.attributes, list("cluster"))) - tags = var.tags - } - - locals { - # The usage of the specific kubernetes.io/cluster/* resource tags below are required - # for EKS and Kubernetes to discover and manage networking resources - # https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#base-vpc-networking - tags = merge(var.tags, map("kubernetes.io/cluster/${module.label.id}", "shared")) - - # Unfortunately, most_recent (https://github.com/cloudposse/terraform-aws-eks-workers/blob/34a43c25624a6efb3ba5d2770a601d7cb3c0d391/main.tf#L141) - # variable does not work as expected, if you are not going to use custom AMI you should - # enforce usage of eks_worker_ami_name_filter variable to set the right kubernetes version for EKS workers, - # otherwise the first version of Kubernetes supported by AWS (v1.11) for EKS workers will be used, but - # EKS control plane will use the version specified by kubernetes_version variable. - eks_worker_ami_name_filter = "amazon-eks-node-${var.kubernetes_version}*" - } - - module "vpc" { - source = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=master" - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - cidr_block = "172.16.0.0/16" - tags = local.tags - } - - module "subnets" { - source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master" - availability_zones = var.availability_zones - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - vpc_id = module.vpc.vpc_id - igw_id = module.vpc.igw_id - cidr_block = module.vpc.vpc_cidr_block - nat_gateway_enabled = false - nat_instance_enabled = false - tags = local.tags - } - - module "eks_workers" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master" - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - tags = var.tags - instance_type = var.instance_type - eks_worker_ami_name_filter = local.eks_worker_ami_name_filter - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids - health_check_type = var.health_check_type - min_size = var.min_size - max_size = var.max_size - wait_for_capacity_timeout = var.wait_for_capacity_timeout - cluster_name = module.label.id - cluster_endpoint = module.eks_cluster.eks_cluster_endpoint - cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data - cluster_security_group_id = module.eks_cluster.security_group_id - - # Auto-scaling policies and CloudWatch metric alarms - autoscaling_policies_enabled = var.autoscaling_policies_enabled - cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent - cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent - } - - module "eks_cluster" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master" - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - tags = var.tags - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids - - kubernetes_version = var.kubernetes_version - kubeconfig_path = var.kubeconfig_path - - oidc_provider_enabled = false - - workers_security_group_ids = [module.eks_workers.security_group_id] - workers_role_arns = [module.eks_workers.workers_role_arn] +module "eks_cluster" { + source = "git@github.com:webuildyourcloud/terraform-aws-eks-cluster.git?ref=tags/0.0.3" + + # Naming + namespace = "myorg" + stage = "prod" + name = "app" + region = "us-east-1" + + # Network Configuration + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-12345678", "subnet-87654321", "subnet-11111111"] + + # Kubernetes Configuration + kubernetes_version = "1.21" + + # Worker Nodes + workers_role_arns = [module.eks_node_group.eks_node_group_role_arn] + workers_security_group_ids = [module.eks_node_group.security_group_id] + + # Kubeconfig + kubeconfig_path = "./kubeconfig" + + # Tags + tags = { + Environment = "production" + ManagedBy = "terraform" } +} ``` -Module usage with two worker groups: +### Advanced Example with OIDC and Private Access ```hcl - module "eks_workers" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master" - namespace = var.namespace - stage = var.stage - name = "small" - attributes = var.attributes - tags = var.tags - instance_type = "t3.small" - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids - health_check_type = var.health_check_type - min_size = var.min_size - max_size = var.max_size - wait_for_capacity_timeout = var.wait_for_capacity_timeout - cluster_name = module.label.id - cluster_endpoint = module.eks_cluster.eks_cluster_endpoint - cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data - cluster_security_group_id = module.eks_cluster.security_group_id +module "eks_cluster" { + source = "git@github.com:webuildyourcloud/terraform-aws-eks-cluster.git?ref=tags/0.0.3" - # Auto-scaling policies and CloudWatch metric alarms - autoscaling_policies_enabled = var.autoscaling_policies_enabled - cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent - cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent - } + namespace = "myorg" + stage = "prod" + name = "secure-app" + region = "us-east-1" - module "eks_workers_2" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=master" - namespace = var.namespace - stage = var.stage - name = "medium" - attributes = var.attributes - tags = var.tags - instance_type = "t3.medium" - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids - health_check_type = var.health_check_type - min_size = var.min_size - max_size = var.max_size - wait_for_capacity_timeout = var.wait_for_capacity_timeout - cluster_name = module.label.id - cluster_endpoint = module.eks_cluster.eks_cluster_endpoint - cluster_certificate_authority_data = module.eks_cluster.eks_cluster_certificate_authority_data - cluster_security_group_id = module.eks_cluster.security_group_id + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnet_ids - # Auto-scaling policies and CloudWatch metric alarms - autoscaling_policies_enabled = var.autoscaling_policies_enabled - cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent - cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent - } + # Kubernetes Version + kubernetes_version = "1.24" - module "eks_cluster" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master" - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - tags = var.tags - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids + # API Endpoint Access + endpoint_private_access = true + endpoint_public_access = false - kubernetes_version = var.kubernetes_version - kubeconfig_path = var.kubeconfig_path + # Worker Configuration + workers_role_arns = [ + module.eks_node_group.eks_node_group_role_arn, + module.eks_fargate.role_arn + ] + workers_security_group_ids = [module.vpc.default_security_group_id] - oidc_provider_enabled = false + # Security + allowed_security_groups = ["sg-12345678"] + allowed_cidr_blocks = ["10.0.0.0/8"] - workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn] - workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id] - } -``` + # OIDC for IRSA + oidc_provider_enabled = true -Module usage on [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html): + # Control Plane Logging + enabled_cluster_log_types = [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler" + ] -```hcl - provider "aws" { - region = "us-east-2" - - assume_role { - role_arn = "arn:aws:iam::xxxxxxxxxxx:role/OrganizationAccountAccessRole" + # Additional IAM Mappings + map_additional_iam_roles = [ + { + rolearn = "arn:aws:iam::123456789012:role/DevOpsRole" + username = "devops" + groups = ["system:masters"] } + ] + + map_additional_iam_users = [ + { + userarn = "arn:aws:iam::123456789012:user/admin" + username = "admin" + groups = ["system:masters"] + } + ] + + kubeconfig_path = "./kubeconfig" + + tags = { + Environment = "production" + Security = "high" } - - module "eks_cluster" { - source = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master" - namespace = var.namespace - stage = var.stage - name = var.name - attributes = var.attributes - tags = var.tags - region = "us-east-2" - vpc_id = module.vpc.vpc_id - subnet_ids = module.subnets.public_subnet_ids - - local_exec_interpreter = "/bin/bash" - kubernetes_version = "1.14" - - workers_role_arns = [module.eks_workers.workers_role_arn] - workers_security_group_ids = [module.eks_workers.security_group_id] - - # Terraform Cloud configurations - kubeconfig_path = "~/.kube/config" - configmap_auth_file = "/home/terraform/.terraform/configmap-auth.yaml" - install_aws_cli = true - install_kubectl = true - external_packages_install_path = "~/.terraform/bin" - aws_eks_update_kubeconfig_additional_arguments = "--verbose" - aws_cli_assume_role_arn = "arn:aws:iam::xxxxxxxxxxx:role/OrganizationAccountAccessRole" - aws_cli_assume_role_session_name = "eks_cluster_example_session" - } +} ``` - - - - - -## Makefile Targets -``` -Available targets: - - help Help screen - help/all Display help for all targets - help/short This help short screen - lint Lint terraform code - -``` -## Inputs +## Variables | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| allowed_cidr_blocks | List of CIDR blocks to be allowed to connect to the EKS cluster | list(string) | `` | no | -| allowed_security_groups | List of Security Group IDs to be allowed to connect to the EKS cluster | list(string) | `` | no | -| apply_config_map_aws_auth | Whether to generate local files from `kubeconfig` and `config-map-aws-auth` templates and perform `kubectl apply` to apply the ConfigMap to allow worker nodes to join the EKS cluster | bool | `true` | no | -| associate_public_ip_address | Associate a public IP address with an instance in a VPC | bool | `true` | no | -| attributes | Additional attributes (e.g. `1`) | list(string) | `` | no | -| aws_cli_assume_role_arn | IAM Role ARN for AWS CLI to assume before calling `aws eks` to update `kubeconfig` | string | `` | no | -| aws_cli_assume_role_session_name | An identifier for the assumed role session when assuming the IAM Role for AWS CLI before calling `aws eks` to update `kubeconfig` | string | `` | no | -| aws_eks_update_kubeconfig_additional_arguments | Additional arguments for `aws eks update-kubeconfig` command, e.g. `--role-arn xxxxxxxxx`. For more info, see https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubeconfig.html | string | `` | no | -| configmap_auth_file | Path to `configmap_auth_file` | string | `` | no | -| configmap_auth_template_file | Path to `config_auth_template_file` | string | `` | no | -| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no | -| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | bool | `true` | no | -| enabled_cluster_log_types | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | list(string) | `` | no | -| endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false | bool | `false` | no | -| endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true | bool | `true` | no | -| external_packages_install_path | Path to install external packages, e.g. AWS CLI and `kubectl`. Used when the module is provisioned on workstations where the external packages are not installed by default, e.g. Terraform Cloud workers | string | `` | no | -| install_aws_cli | Set to `true` to install AWS CLI if the module is provisioned on workstations where AWS CLI is not installed by default, e.g. Terraform Cloud workers | bool | `false` | no | -| install_kubectl | Set to `true` to install `kubectl` if the module is provisioned on workstations where `kubectl` is not installed by default, e.g. Terraform Cloud workers | bool | `false` | no | -| jq_version | Version of `jq` to download to extract temporaly credentials after running `aws sts assume-role` if AWS CLI needs to assume role to access the cluster (if variable `aws_cli_assume_role_arn` is set) | string | `1.6` | no | -| kubeconfig_path | The path to `kubeconfig` file | string | `~/.kube/config` | no | -| kubectl_version | `kubectl` version to install. If not specified, the latest version will be used | string | `` | no | -| kubernetes_version | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | string | `1.14` | no | -| local_exec_interpreter | shell to use for local exec | string | `/bin/bash` | no | -| map_additional_aws_accounts | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap | list(string) | `` | no | -| map_additional_iam_roles | Additional IAM roles to add to `config-map-aws-auth` ConfigMap | object | `` | no | -| map_additional_iam_users | Additional IAM users to add to `config-map-aws-auth` ConfigMap | object | `` | no | -| name | Solution name, e.g. 'app' or 'cluster' | string | - | yes | -| namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no | -| oidc_provider_enabled | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | bool | `false` | no | -| region | AWS Region | string | - | yes | -| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no | -| subnet_ids | A list of subnet IDs to launch the cluster in | list(string) | - | yes | -| tags | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | map(string) | `` | no | -| vpc_id | VPC ID for the EKS cluster | string | - | yes | -| workers_role_arns | List of Role ARNs of the worker nodes | list(string) | - | yes | -| workers_security_group_ids | Security Group IDs of the worker nodes | list(string) | - | yes | +|------|-------------|------|---------|----------| +| region | AWS Region | `string` | n/a | yes | +| namespace | Namespace (e.g., 'eg' or 'cp') | `string` | `""` | no | +| stage | Stage (e.g., 'prod', 'staging', 'dev') | `string` | `""` | no | +| name | Solution name (e.g., 'app' or 'cluster') | `string` | n/a | yes | +| delimiter | Delimiter between namespace, stage, name | `string` | `"-"` | no | +| attributes | Additional attributes | `list(string)` | `[]` | no | +| tags | Additional tags | `map(string)` | `{}` | no | +| enabled | Enable/disable module resources | `bool` | `true` | no | +| vpc_id | VPC ID for the EKS cluster | `string` | n/a | yes | +| subnet_ids | List of subnet IDs to launch the cluster in | `list(string)` | n/a | yes | +| associate_public_ip_address | Associate public IP with instances in VPC | `bool` | `true` | no | +| allowed_security_groups | Security Group IDs allowed to connect to EKS cluster | `list(string)` | `[]` | no | +| allowed_cidr_blocks | CIDR blocks allowed to connect to EKS cluster | `list(string)` | `[]` | no | +| workers_role_arns | List of Role ARNs of worker nodes | `list(string)` | n/a | yes | +| workers_security_group_ids | Security Group IDs of worker nodes | `list(string)` | n/a | yes | +| kubernetes_version | Desired Kubernetes master version | `string` | `"1.14"` | no | +| oidc_provider_enabled | Create IAM OIDC identity provider | `bool` | `false` | no | +| endpoint_private_access | Enable private API server endpoint | `bool` | `false` | no | +| endpoint_public_access | Enable public API server endpoint | `bool` | `true` | no | +| enabled_cluster_log_types | List of control plane logging types to enable | `list(string)` | `[]` | no | +| apply_config_map_aws_auth | Apply ConfigMap to allow worker nodes to join | `bool` | `true` | no | +| map_additional_aws_accounts | Additional AWS account numbers for config-map-aws-auth | `list(string)` | `[]` | no | +| map_additional_iam_roles | Additional IAM roles for config-map-aws-auth | `list(object)` | `[]` | no | +| map_additional_iam_users | Additional IAM users for config-map-aws-auth | `list(object)` | `[]` | no | +| kubeconfig_path | Path to kubeconfig file | `string` | `"./files/config"` | no | +| local_exec_interpreter | Shell to use for local exec | `string` | `"/bin/bash"` | no | +| install_aws_cli | Install AWS CLI if not present | `bool` | `false` | no | +| install_kubectl | Install kubectl if not present | `bool` | `false` | no | +| kubectl_version | kubectl version to install | `string` | `""` | no | +| aws_eks_update_kubeconfig_additional_arguments | Additional arguments for aws eks update-kubeconfig | `string` | `""` | no | +| aws_cli_assume_role_arn | IAM Role ARN for AWS CLI to assume | `string` | `""` | no | ## Outputs | Name | Description | |------|-------------| -| eks_cluster_arn | The Amazon Resource Name (ARN) of the cluster | -| eks_cluster_certificate_authority_data | The Kubernetes cluster certificate authority data | -| eks_cluster_endpoint | The endpoint for the Kubernetes API server | -| eks_cluster_id | The name of the cluster | -| eks_cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster | -| eks_cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account | -| eks_cluster_version | The Kubernetes server version of the cluster | -| security_group_arn | ARN of the EKS cluster Security Group | | security_group_id | ID of the EKS cluster Security Group | +| security_group_arn | ARN of the EKS cluster Security Group | | security_group_name | Name of the EKS cluster Security Group | - - - - -## Share the Love - -Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-eks-cluster)! (it helps us **a lot**) - -Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) - - -## Related Projects - -Check out these related projects. - -- [terraform-aws-eks-workers](https://github.com/cloudposse/terraform-aws-eks-workers) - Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers -- [terraform-aws-ec2-autoscale-group](https://github.com/cloudposse/terraform-aws-ec2-autoscale-group) - Terraform module to provision Auto Scaling Group and Launch Template on AWS -- [terraform-aws-ecs-container-definition](https://github.com/cloudposse/terraform-aws-ecs-container-definition) - Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource -- [terraform-aws-ecs-alb-service-task](https://github.com/cloudposse/terraform-aws-ecs-alb-service-task) - Terraform module which implements an ECS service which exposes a web service via ALB -- [terraform-aws-ecs-web-app](https://github.com/cloudposse/terraform-aws-ecs-web-app) - Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more -- [terraform-aws-ecs-codepipeline](https://github.com/cloudposse/terraform-aws-ecs-codepipeline) - Terraform module for CI/CD with AWS Code Pipeline and Code Build for ECS -- [terraform-aws-ecs-cloudwatch-autoscaling](https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling) - Terraform module to autoscale ECS Service based on CloudWatch metrics -- [terraform-aws-ecs-cloudwatch-sns-alarms](https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms) - Terraform module to create CloudWatch Alarms on ECS Service level metrics -- [terraform-aws-ec2-instance](https://github.com/cloudposse/terraform-aws-ec2-instance) - Terraform module for providing a general purpose EC2 instance -- [terraform-aws-ec2-instance-group](https://github.com/cloudposse/terraform-aws-ec2-instance-group) - Terraform module for provisioning multiple general purpose EC2 hosts for stateful applications - - - -## Help - -**Got a question?** We got answers. - -File a GitHub [issue](https://github.com/cloudposse/terraform-aws-eks-cluster/issues), send us an [email][email] or join our [Slack Community][slack]. - -[![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link] - -## DevOps Accelerator for Startups - - -We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us. - -[![Learn More](https://img.shields.io/badge/learn%20more-success.svg?style=for-the-badge)][commercial_support] - -Work directly with our team of DevOps experts via email, slack, and video conferencing. - -We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet. - -- **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. -- **Release Engineering.** You'll have end-to-end CI/CD with unlimited staging environments. -- **Site Reliability Engineering.** You'll have total visibility into your apps and microservices. -- **Security Baseline.** You'll have built-in governance with accountability and audit logs for all changes. -- **GitOps.** You'll be able to operate your infrastructure via Pull Requests. -- **Training.** You'll receive hands-on training so your team can operate what we build. -- **Questions.** You'll have a direct line of communication between our teams via a Shared Slack channel. -- **Troubleshooting.** You'll get help to triage when things aren't working. -- **Code Reviews.** You'll receive constructive feedback on Pull Requests. -- **Bug Fixes.** We'll rapidly work with you to fix any bugs in our projects. - -## Slack Community - -Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. - -## Newsletter - -Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. - -## Office Hours - -[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone! - -[![zoom](https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png")][office_hours] - -## Contributing - -### Bug Reports & Feature Requests - -Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-eks-cluster/issues) to report any bugs or file feature requests. - -### Developing - -If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with our other projects, we would love to hear from you! Shoot us an [email][email]. - -In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. - - 1. **Fork** the repo on GitHub - 2. **Clone** the project to your own machine - 3. **Commit** changes to your own branch - 4. **Push** your work back up to your fork - 5. Submit a **Pull Request** so that we can review your changes - -**NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! - - -## Copyright - -Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright) - - - -## License - -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -See [LICENSE](LICENSE) for full details. - - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - - - - - - - - - -## Trademarks - -All other trademarks referenced herein are the property of their respective owners. - -## About - -This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know by [leaving a testimonial][testimonial]! - -[![Cloud Posse][logo]][website] - -We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source]. - -We offer [paid support][commercial_support] on all of our projects. - -Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation. - - - -### Contributors - -| [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Oscar][osulli_avatar]][osulli_homepage]
[Oscar][osulli_homepage] | -|---|---|---|---| - - - [osterman_homepage]: https://github.com/osterman - [osterman_avatar]: http://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144 - - - [aknysh_homepage]: https://github.com/aknysh/ - [aknysh_avatar]: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144 - - - [goruha_homepage]: https://github.com/goruha/ - [goruha_avatar]: http://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144 - - - [osulli_homepage]: https://github.com/osulli/ - [osulli_avatar]: https://avatars1.githubusercontent.com/u/46930728?v=4&s=144 - - -[![README Footer][readme_footer_img]][readme_footer_link] -[![Beacon][beacon]][website] - - [logo]: https://cloudposse.com/logo-300x69.svg - [docs]: https://cpco.io/docs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=docs - [website]: https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=website - [github]: https://cpco.io/github?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=github - [jobs]: https://cpco.io/jobs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=jobs - [hire]: https://cpco.io/hire?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=hire - [slack]: https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=slack - [linkedin]: https://cpco.io/linkedin?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=linkedin - [twitter]: https://cpco.io/twitter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=twitter - [testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=testimonial - [office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=office_hours - [newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=newsletter - [email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=email - [commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=commercial_support - [we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=we_love_open_source - [terraform_modules]: https://cpco.io/terraform-modules?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=terraform_modules - [readme_header_img]: https://cloudposse.com/readme/header/img - [readme_header_link]: https://cloudposse.com/readme/header/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=readme_header_link - [readme_footer_img]: https://cloudposse.com/readme/footer/img - [readme_footer_link]: https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=readme_footer_link - [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img - [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-eks-cluster&utm_content=readme_commercial_support_link - [share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-eks-cluster&url=https://github.com/cloudposse/terraform-aws-eks-cluster - [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-eks-cluster&url=https://github.com/cloudposse/terraform-aws-eks-cluster - [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-eks-cluster - [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-eks-cluster - [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-eks-cluster - [share_email]: mailto:?subject=terraform-aws-eks-cluster&body=https://github.com/cloudposse/terraform-aws-eks-cluster - [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-eks-cluster?pixel&cs=github&cm=readme&an=terraform-aws-eks-cluster +| eks_cluster_id | Name of the cluster | +| eks_cluster_arn | Amazon Resource Name (ARN) of the cluster | +| eks_cluster_endpoint | Endpoint for Kubernetes API server | +| eks_cluster_version | Kubernetes server version of the cluster | +| eks_cluster_identity_oidc_issuer | OIDC Identity issuer for the cluster | +| eks_cluster_identity_oidc_issuer_arn | OIDC Identity issuer ARN for IRSA | +| eks_cluster_certificate_authority_data | Kubernetes cluster certificate authority data | +| eks_cluster_auth_token | Cluster authentication token | +| workers_security_group_ids | Security group of worker nodes | + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.13 | +| aws | ~> 3.27 | +| template | ~> 2.2 | +| null | ~> 3.0 | +| local | ~> 2.0 | + +## Dependencies + +- [cloudposse/terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Resource naming + +## IAM Roles for Service Accounts (IRSA) + +When `oidc_provider_enabled = true`, the module creates an OIDC identity provider that enables IRSA. This allows Kubernetes service accounts to assume IAM roles: + +```hcl +# Example: Create IAM role for a service account +data "aws_iam_policy_document" "s3_access" { + statement { + actions = [ + "sts:AssumeRoleWithWebIdentity" + ] + effect = "Allow" + principals { + identifiers = [module.eks_cluster.eks_cluster_identity_oidc_issuer_arn] + type = "Federated" + } + condition { + test = "StringEquals" + variable = "${replace(module.eks_cluster.eks_cluster_identity_oidc_issuer, "https://", "")}:sub" + values = ["system:serviceaccount:default:s3-reader"] + } + } +} + +resource "aws_iam_role" "s3_reader" { + name = "eks-s3-reader" + assume_role_policy = data.aws_iam_policy_document.s3_access.json +} +``` + +## Control Plane Logging + +Enable comprehensive control plane logging for audit and debugging: + +```hcl +enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] +``` + +Log types: +- **api**: API server logs +- **audit**: Audit logs +- **authenticator**: Authenticator logs +- **controllerManager**: Controller manager logs +- **scheduler**: Scheduler logs + +## Important Notes + +1. **Cluster Creation Time**: EKS cluster creation takes 10-15 minutes +2. **Subnets**: Use private subnets for worker nodes; public subnets for public load balancers +3. **Kubernetes Version**: Specify a version or use latest available +4. **OIDC Provider**: Enable for using IAM roles for service accounts +5. **Worker Authentication**: Workers need proper IAM roles and security group configuration +6. **API Endpoints**: + - Public access: Accessible from internet (with optional CIDR restrictions) + - Private access: Only accessible from within VPC +7. **ConfigMap Auth**: The module can automatically configure aws-auth ConfigMap for worker node authentication + +## Best Practices + +1. **Private API Endpoint**: Use private endpoint for production clusters +2. **Enable Logging**: Enable all control plane log types for production +3. **Use OIDC**: Enable OIDC provider for better security with IRSA +4. **Network Security**: Restrict `allowed_cidr_blocks` and `allowed_security_groups` +5. **Version Pinning**: Pin Kubernetes version for consistency +6. **Multiple Subnets**: Use subnets across multiple AZs for high availability +7. **IAM Permissions**: Follow principle of least privilege for worker roles +8. **Tagging**: Use consistent tagging for cost allocation and management + +## Troubleshooting + +### Cluster creation fails +- Verify IAM permissions for creating EKS clusters +- Check subnet tags include `kubernetes.io/cluster/ = "shared"` +- Ensure subnets have sufficient IP addresses + +### Workers cannot join cluster +- Verify workers_role_arns are correctly specified +- Check security group rules allow communication +- Ensure aws-auth ConfigMap is properly configured + +### Cannot access cluster API +- Verify endpoint access settings +- Check security group and CIDR restrictions +- Ensure kubeconfig is correctly generated + +## License + +This module is provided as-is for use within your organization. diff --git a/README.yaml b/README.yaml old mode 100644 new mode 100755 diff --git a/auth.tf b/auth.tf old mode 100644 new mode 100755 diff --git a/codefresh/test.yml b/codefresh/test.yml old mode 100644 new mode 100755 diff --git a/configmap-auth.yaml.tpl b/configmap-auth.yaml.tpl old mode 100644 new mode 100755 diff --git a/data.tf b/data.tf old mode 100644 new mode 100755 diff --git a/docs/targets.md b/docs/targets.md old mode 100644 new mode 100755 diff --git a/docs/terraform.md b/docs/terraform.md old mode 100644 new mode 100755 diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars old mode 100644 new mode 100755 diff --git a/examples/complete/main.tf b/examples/complete/main.tf old mode 100644 new mode 100755 diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf old mode 100644 new mode 100755 diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf old mode 100644 new mode 100755 diff --git a/main.tf b/main.tf old mode 100644 new mode 100755 diff --git a/outputs.tf b/outputs.tf old mode 100644 new mode 100755 diff --git a/test/.gitignore b/test/.gitignore old mode 100644 new mode 100755 diff --git a/test/Makefile b/test/Makefile old mode 100644 new mode 100755 diff --git a/test/Makefile.alpine b/test/Makefile.alpine old mode 100644 new mode 100755 diff --git a/test/src/.gitignore b/test/src/.gitignore old mode 100644 new mode 100755 diff --git a/test/src/Gopkg.lock b/test/src/Gopkg.lock old mode 100644 new mode 100755 diff --git a/test/src/Gopkg.toml b/test/src/Gopkg.toml old mode 100644 new mode 100755 diff --git a/test/src/Makefile b/test/src/Makefile old mode 100644 new mode 100755 diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go old mode 100644 new mode 100755 diff --git a/variables.tf b/variables.tf old mode 100644 new mode 100755 diff --git a/versions.tf b/versions.tf old mode 100644 new mode 100755