# terraform-aws-arc-eks-addon

## Overview
EKS Blueprints helps you compose complete EKS clusters that are fully bootstrapped with the operational software that is needed to deploy and operate workloads. With EKS Blueprints, you describe the configuration for the desired state of your EKS environment, such as the control plane, worker nodes, and Kubernetes add-ons, as an IaC blueprint. Once a blueprint is configured, you can use it to stamp out consistent environments across multiple AWS accounts and Regions using continuous deployment automation.
You can use EKS Blueprints to easily bootstrap an EKS cluster with Amazon EKS add-ons as well as a wide range of popular open-source add-ons, including Prometheus, Karpenter, Nginx, Traefik, AWS Load Balancer Controller, Fluent Bit, Keda, ArgoCD, and more. EKS Blueprints also helps you implement relevant security controls needed to operate workloads from multiple teams in the same cluster.
## Architecture

The module assumes that upstream dependencies, namely networking dependencies, are created upstream and that their values are passed into this module via mechanisms such as Terraform data source queries. Similarly, bastions and related load balancers are shown as per best practice and have to be deployed separately from the upstream module. The add-ons shown are example add-ons and may or may not fit your architecture; enable them accordingly.
## Usage

Note: the example below does not have a pinned version. Be sure to pin your version. Refer to the example folder for a working, versioned example.

To check out the full example, please visit the example folder.
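The following is an added example of a pinned call to this module, not code from the project or its example folder. Every input name comes from the Inputs table below; the git source URL and tag, the VPC and subnet IDs, the operator CIDR, the account ID 111122223333, the hosted zone ID and every ARN are assumptions, and the keys of the security group rule other than `source_node_security_group` follow the upstream terraform-aws-eks rule convention rather than anything this page documents. The point of the example is that the inputs which decide exposure (public endpoint, public CIDRs, control plane log types, log group encryption and retention, add-on IAM scoping) are set explicitly rather than left at their defaults.

```hcl
# Added example, not code from the project: one pinned call to this module with
# the security-relevant inputs set explicitly rather than left at their defaults.
# Assumed values: the git source URL and tag, the VPC/subnet IDs, the operator
# CIDR, the account ID 111122223333, the hosted zone ID and every ARN below.
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.47"
    }
  }
}

module "eks_addon" {
  # Pin to a release tag; the URL is an assumption and the tag a placeholder.
  source = "git::https://github.com/sourcefuse/terraform-aws-arc-eks-addon.git?ref=vX.Y.Z"

  cluster_name       = "arc-eks-example"                                       # constructed
  cluster_version    = "1.24"
  vpc_id             = "vpc-0a1b2c3d4e5f67890"                                 # constructed
  private_subnet_ids = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"] # constructed

  # API endpoint exposure: keep the private endpoint on and fence the public
  # one to operator ranges instead of the default (public on, private off).
  # Setting cluster_endpoint_public_access = false is the stricter choice when
  # operators can reach the VPC.
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # constructed operator range

  # Control-plane audit trail: every log type, in a module-managed log group
  # that is encrypted with a customer-managed key and kept for a year
  # (defaults: no module-managed group, 90 days, no CMK).
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_retention_in_days = 365
  cloudwatch_log_group_kms_key_id        = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

  # Secrets envelope encryption and IRSA both default to true; stating them
  # makes a later change visible in review. The cluster role also gets a
  # permissions boundary so it cannot grow beyond what the boundary allows.
  enable_cluster_encryption     = true
  enable_irsa                   = true
  iam_role_permissions_boundary = "arn:aws:iam::111122223333:policy/EKSPermissionsBoundary"

  # Cluster SG rule whose source is the node SG, using the
  # source_node_security_group flag the input description explains. The other
  # rule keys are assumed from the upstream terraform-aws-eks rule convention.
  cluster_security_group_additional_rules = {
    ingress_nodes_443 = {
      description                = "Nodes to API server"
      protocol                   = "tcp"
      from_port                  = 443
      to_port                    = 443
      type                       = "ingress"
      source_node_security_group = true
    }
  }

  # Add-ons that receive IAM access are scoped to named resources rather than
  # to every secret, parameter, key or zone in the account.
  enable_external_secrets               = true
  external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:us-east-1:111122223333:secret:arc-eks/*"]
  external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:us-east-1:111122223333:parameter/arc-eks/*"]
  external_secrets_kms_key_arns         = ["arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"]

  enable_external_dns            = true
  external_dns_route53_zone_arns = ["arn:aws:route53:::hostedzone/Z0000000000000EXAMPLE"]

  enable_cert_manager                   = true
  cert_manager_route53_hosted_zone_arns = ["arn:aws:route53:::hostedzone/Z0000000000000EXAMPLE"]

  tags = {
    BusinessUnit = "platform"
    Environment  = "dev"
  }
}
```

In practice the VPC and subnet IDs come from data sources or a networking module's outputs, as the Architecture section describes, and the ARN lists should name only the resources the workloads in this cluster actually need.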
## Requirements
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.47 |
bcrypt | >= 0.1.2 |
helm | >= 2.8 |
kubernetes | >= 2.17 |
random | 3.3.2 |
## Providers
Name | Version |
---|---|
aws | 5.4.0 |
## Modules
Name | Source | Version |
---|---|---|
eks | ./modules/eks | n/a |
eks_blueprints_addons | ./modules/eks-addons | n/a |
## Resources
Name | Type |
---|---|
aws_eks_cluster.cluster | data source |
aws_eks_cluster_auth.cluster | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
argo_rollouts | Argo Rollouts addon configuration values | any | {} | no |
argo_workflows | Argo Workflows addon configuration values | any | {} | no |
argocd | ArgoCD addon configuration values | any | {} | no |
aws_cloudwatch_metrics | CloudWatch Metrics addon configuration values | any | {} | no |
aws_efs_csi_driver | EFS CSI Driver addon configuration values | any | {} | no |
aws_for_fluentbit | AWS Fluentbit add-on configurations | any | {} | no |
aws_for_fluentbit_cw_log_group | AWS Fluentbit CloudWatch Log Group configurations | any | {} | no |
aws_fsx_csi_driver | FSx CSI Driver addon configuration values | any | {} | no |
aws_load_balancer_controller | AWS Load Balancer Controller addon configuration values | any | {} | no |
aws_node_termination_handler | AWS Node Termination Handler addon configuration values | any | {} | no |
aws_node_termination_handler_asg_arns | List of Auto Scaling group ARNs that AWS Node Termination Handler will monitor for EC2 events | list(string) | [] | no |
aws_node_termination_handler_sqs | AWS Node Termination Handler SQS queue configuration values | any | {} | no |
aws_privateca_issuer | AWS PCA Issuer add-on configurations | any | {} | no |
cert_manager | cert-manager addon configuration values | any | {} | no |
cert_manager_route53_hosted_zone_arns | List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records | list(string) | [ | no |
cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | null | no |
cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention is 90 days | number | 90 | no |
cluster_additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | list(string) | [] | no |
cluster_autoscaler | Cluster Autoscaler addon configuration values | any | {} | no |
cluster_enabled_log_types | A list of the desired control plane logging to enable | list(string) | [ | no |
cluster_encryption_config | Configuration block with encryption configuration for the cluster | list(object({ | [] | no |
cluster_endpoint_private_access | Indicates whether or not the EKS private API server endpoint is enabled. Defaults to the EKS resource default, which is false | bool | false | no |
cluster_endpoint_public_access | Indicates whether or not the EKS public API server endpoint is enabled. Defaults to the EKS resource default, which is true | bool | true | no |
cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | list(string) | [ | no |
cluster_identity_providers | Map of cluster identity provider configurations to enable for the cluster. Note: this is different from and separate from IRSA | any | {} | no |
cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created | string | "ipv4" | no |
cluster_name | EKS Cluster Name | string | "" | no |
cluster_proportional_autoscaler | Cluster Proportional Autoscaler add-on configurations | any | {} | no |
cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the node_security_group as source | any | {} | no |
cluster_security_group_description | Description of the cluster security group created | string | "EKS cluster security group" | no |
cluster_security_group_id | Security group to be used if creation of the cluster security group is turned off | string | "" | no |
cluster_security_group_name | Name to use on the cluster security group created | string | null | no |
cluster_security_group_tags | A map of additional tags to add to the cluster security group created | map(string) | {} | no |
cluster_security_group_use_name_prefix | Determines whether the cluster security group name (`cluster_security_group_name`) is used as a prefix | bool | true | no |
cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | string | null | no |
cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) | {} | no |
cluster_version | Kubernetes `<major>.<minor>` version to use for the EKS cluster (e.g. `1.24`) | string | "1.24" | no |
control_plane_subnet_ids | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | list(string) | [] | no |
create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | false | no |
create_cluster_primary_security_group_tags | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | bool | true | no |
create_cluster_security_group | Toggle to create or assign the cluster security group | bool | true | no |
create_eks | Create EKS cluster | bool | true | no |
create_iam_role | Determines whether an IAM role is created or an existing IAM role is used | bool | true | no |
create_node_security_group | Determines whether to create a security group for the node groups or use the existing `node_security_group_id` | bool | true | no |
custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | list(string) | [] | no |
eks_addons_timeouts | Create, update, and delete timeout configurations for the EKS addons | map(string) | {} | no |
enable_argo_rollouts | Enable Argo Rollouts add-on | bool | false | no |
enable_argo_workflows | Enable Argo Workflows add-on | bool | false | no |
enable_argocd | Enable Argo CD Kubernetes add-on | bool | false | no |
enable_aws_cloudwatch_metrics | Enable AWS CloudWatch Metrics add-on for Container Insights | bool | false | no |
enable_aws_efs_csi_driver | Enable AWS EFS CSI Driver add-on | bool | false | no |
enable_aws_for_fluentbit | Enable AWS for FluentBit add-on | bool | false | no |
enable_aws_fsx_csi_driver | Enable AWS FSx CSI Driver add-on | bool | false | no |
enable_aws_load_balancer_controller | Enable AWS Load Balancer Controller add-on | bool | false | no |
enable_aws_node_termination_handler | Enable AWS Node Termination Handler add-on | bool | false | no |
enable_aws_privateca_issuer | Enable AWS PCA Issuer | bool | false | no |
enable_cert_manager | Enable cert-manager add-on | bool | false | no |
enable_cluster_autoscaler | Enable Cluster Autoscaler add-on | bool | false | no |
enable_cluster_encryption | Determines whether cluster encryption is enabled | bool | true | no |
enable_cluster_proportional_autoscaler | Enable Cluster Proportional Autoscaler | bool | false | no |
enable_external_dns | Enable external-dns operator add-on | bool | false | no |
enable_external_secrets | Enable External Secrets operator add-on | bool | false | no |
enable_fargate_fluentbit | Enable Fargate FluentBit add-on | bool | false | no |
enable_gatekeeper | Enable Gatekeeper add-on | bool | false | no |
enable_ingress_nginx | Enable Ingress Nginx | bool | false | no |
enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | bool | true | no |
enable_karpenter | Enable Karpenter controller add-on | bool | false | no |
enable_kube_prometheus_stack | Enable Kube Prometheus Stack | bool | false | no |
enable_metrics_server | Enable metrics server add-on | bool | false | no |
enable_secrets_store_csi_driver | Enable CSI Secrets Store Provider | bool | false | no |
enable_secrets_store_csi_driver_provider_aws | Enable AWS CSI Secrets Store Provider | bool | false | no |
enable_velero | Enable Kubernetes Dashboard add-on | bool | false | no |
enable_vpa | Enable Vertical Pod Autoscaler add-on | bool | false | no |
external_dns | external-dns addon configuration values | any | {} | no |
external_dns_route53_zone_arns | List of Route53 zone ARNs which external-dns will have access to create/manage records in (if using Route53) | list(string) | [] | no |
external_secrets | External Secrets addon configuration values | any | {} | no |
external_secrets_kms_key_arns | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | list(string) | [ | no |
external_secrets_secrets_manager_arns | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | list(string) | [ | no |
external_secrets_ssm_parameter_arns | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | list(string) | [ | no |
fargate_fluentbit | Fargate Fluentbit add-on config | any | {} | no |
fargate_fluentbit_cw_log_group | AWS Fargate Fluentbit CloudWatch Log Group configurations | any | {} | no |
fargate_profiles | Fargate profile configuration | any | {} | no |
gatekeeper | Gatekeeper add-on configuration | any | {} | no |
iam_role_additional_policies | Additional policies to be added to the IAM role | list(string) | [] | no |
iam_role_arn | Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to false | string | null | no |
iam_role_description | Description of the role | string | null | no |
iam_role_name | Name to use on the IAM role created | string | null | no |
iam_role_path | Cluster IAM role path | string | null | no |
iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
ingress_nginx | Ingress Nginx add-on configurations | any | {} | no |
karpenter | Karpenter addon configuration values | any | {} | no |
karpenter_enable_spot_termination | Determines whether to enable native node termination handling | bool | true | no |
karpenter_node | Karpenter IAM role and IAM instance profile configuration values | any | {} | no |
karpenter_sqs | Karpenter SQS queue for native node termination handling configuration values | any | {} | no |
kube_prometheus_stack | Kube Prometheus Stack add-on configurations | any | {} | no |
managed_node_groups | Managed node groups configuration | any | {} | no |
metrics_server | Metrics Server add-on configurations | any | {} | no |
node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the cluster_security_group as source | any | {} | no |
node_security_group_description | Description of the node security group created | string | "EKS node shared security group" | no |
node_security_group_name | Name to use on the node security group created | string | null | no |
node_security_group_tags | A map of additional tags to add to the node security group created | map(string) | {} | no |
node_security_group_use_name_prefix | Determines whether the node security group name (`node_security_group_name`) is used as a prefix | bool | true | no |
openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | list(string) | [] | no |
private_subnet_ids | List of private subnet IDs for the cluster and worker nodes | list(string) | [] | no |
secrets_store_csi_driver | CSI Secrets Store Provider add-on configurations | any | {} | no |
secrets_store_csi_driver_provider_aws | AWS CSI Secrets Store Provider add-on configurations | any | {} | no |
self_managed_node_groups | Self-managed node groups configuration | any | {} | no |
tags | Additional tags (e.g. `map('BusinessUnit','XYZ')`) | map(string) | {} | no |
velero | Velero addon configuration values | any | {} | no |
vpa | Vertical Pod Autoscaler addon configuration values | any | {} | no |
vpc_id | VPC Id | string | n/a | yes |
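The `cloudwatch_log_group_kms_key_id` input above only works if the key's policy lets the CloudWatch Logs service use it; a key with the default policy makes log delivery fail rather than silently encrypting with the wrong key. The following is an added example of such a key, not code from the project. The statement shape (service principal `logs.<region>.amazonaws.com`, the `kms:EncryptionContext:aws:logs:arn` condition) follows the AWS documentation linked in the table; the alias name, the cluster name, the VPC ID and the module source URL and tag are assumptions.

```hcl
# Added example, not code from the project: a customer-managed KMS key whose
# policy lets CloudWatch Logs encrypt the cluster's control-plane log group,
# which is what the cloudwatch_log_group_kms_key_id input requires.
# Assumed: the alias name, the cluster name, the VPC ID, the module URL/tag.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "eks_logs_kms" {
  # The account root keeps administrative control of the key.
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Logs may use the key, but only on behalf of log groups in this
  # account and region: the encryption-context condition blocks reuse of the
  # grant for log groups elsewhere.
  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "eks_logs" {
  description             = "CMK for EKS control-plane log group"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.eks_logs_kms.json
}

resource "aws_kms_alias" "eks_logs" {
  name          = "alias/eks-control-plane-logs" # assumed alias
  target_key_id = aws_kms_key.eks_logs.key_id
}

# Only the inputs relevant to log encryption are shown besides the required
# vpc_id; the module source URL is an assumption and the tag a placeholder.
module "eks_addon" {
  source = "git::https://github.com/sourcefuse/terraform-aws-arc-eks-addon.git?ref=vX.Y.Z"

  cluster_name = "arc-eks-example"       # constructed
  vpc_id       = "vpc-0a1b2c3d4e5f67890" # constructed

  cluster_enabled_log_types       = ["api", "audit", "authenticator"]
  create_cloudwatch_log_group     = true
  cloudwatch_log_group_kms_key_id = aws_kms_key.eks_logs.arn
}
```

Keep `create_cloudwatch_log_group = true` when passing a key: if the module does not create the group, EKS creates an unencrypted one on first use and the key ARN has nothing to apply to.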
## Outputs
Name | Description |
---|---|
cluster_endpoint | The endpoint of the EKS cluster |
cluster_id | The name/id of the EKS cluster |
cluster_version | The version of the EKS cluster |
oidc_provider_arn | The OIDC provider ARN of the EKS cluster |
## Versioning

This project uses a `.version` file at the root of the repo which the pipeline reads from and does a git tag. When you intend to commit to `main`, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.
## Development

### Prerequisites

### Configurations
- Configure pre-commit hooks
## Authors

This project is authored by the people below:
- SourceFuse ARC Team