terraform-aws-arc-eks-addon

Overview

EKS Blueprints helps you compose complete EKS clusters that are fully bootstrapped with the operational software that is needed to deploy and operate workloads. With EKS Blueprints, you describe the configuration for the desired state of your EKS environment, such as the control plane, worker nodes, and Kubernetes add-ons, as an IaC blueprint. Once a blueprint is configured, you can use it to stamp out consistent environments across multiple AWS accounts and Regions using continuous deployment automation.

You can use EKS Blueprints to easily bootstrap an EKS cluster with Amazon EKS add-ons as well as a wide range of popular open-source add-ons, including Prometheus, Karpenter, Nginx, Traefik, AWS Load Balancer Controller, Fluent Bit, Keda, ArgoCD, and more. EKS Blueprints also helps you implement relevant security controls needed to operate workloads from multiple teams in the same cluster.

Architecture

The module assumes that upstream dependencies, namely networking dependencies (VPC and subnets), are created separately and that their values are passed into this module via mechanisms such as Terraform data source queries. Similarly, bastions and related load balancers are shown as per best practices and have to be deployed separately from this module. The add-ons shown are examples and may or may not fit your architecture; enable them accordingly.

Usage

Note: the version in the example below is only illustrative. Be sure to pin the module version with the ref parameter on source. Refer to the example folder for a working, versioned example.

To check out the full example, please visit the example folder.

module "eks" {
  source                             = "git::https://github.com/sourcefuse/terraform-aws-arc-eks-addon?ref=v1.0.0"
  tags                               = module.tags.tags
  vpc_id                             = data.aws_vpc.vpc.id
  private_subnet_ids                 = data.aws_subnets.private.ids
  public_subnet_ids                  = data.aws_subnets.public.ids
  control_plane_subnet_ids           = concat(data.aws_subnets.private.ids, data.aws_subnets.public.ids)
  create_eks                         = var.create_eks
  cluster_timeouts                   = var.cluster_timeouts
  cluster_name                       = var.cluster_name
  cluster_version                    = var.cluster_version
  create_cluster_security_group      = var.create_cluster_security_group
  cluster_security_group_name        = var.cluster_security_group_name
  cluster_kms_key_arn                = var.cluster_kms_key_arn

  .............................................................
}

Requirements

Name Version
terraform >= 1.0
aws >= 4.47
bcrypt >= 0.1.2
helm >= 2.8
kubernetes >= 2.17
random 3.3.2

Providers

Name Version
aws 5.4.0

Modules

Name Source Version
eks ./modules/eks n/a
eks_blueprints_addons ./modules/eks-addons n/a

Resources

Name Type
aws_eks_cluster.cluster data source
aws_eks_cluster_auth.cluster data source

Inputs

Name Description Type Default Required
argo_rollouts Argo Rollouts addon configuration values any {} no
argo_workflows Argo Workflows addon configuration values any {} no
argocd ArgoCD addon configuration values any {} no
aws_cloudwatch_metrics Cloudwatch Metrics addon configuration values any {} no
aws_efs_csi_driver EFS CSI Driver addon configuration values any {} no
aws_for_fluentbit AWS Fluentbit add-on configurations any {} no
aws_for_fluentbit_cw_log_group AWS Fluentbit CloudWatch Log Group configurations any {} no
aws_fsx_csi_driver FSX CSI Driver addon configuration values any {} no
aws_load_balancer_controller AWS Load Balancer Controller addon configuration values any {} no
aws_node_termination_handler AWS Node Termination Handler addon configuration values any {} no
aws_node_termination_handler_asg_arns List of Auto Scaling group ARNs that AWS Node Termination Handler will monitor for EC2 events list(string) [] no
aws_node_termination_handler_sqs AWS Node Termination Handler SQS queue configuration values any {} no
aws_privateca_issuer AWS PCA Issuer add-on configurations any {} no
cert_manager cert-manager addon configuration values any {} no
cert_manager_route53_hosted_zone_arns List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records list(string) ["arn:aws:route53:::hostedzone/*"] no
cloudwatch_log_group_kms_key_id If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) string null no
cloudwatch_log_group_retention_in_days Number of days to retain log events. Default retention - 90 days number 90 no
cluster_additional_security_group_ids List of additional, externally created security group IDs to attach to the cluster control plane list(string) [] no
cluster_autoscaler Cluster Autoscaler addon configuration values any {} no
cluster_enabled_log_types A list of the desired control plane logging to enable list(string) ["api", "audit", "authenticator", "controllerManager", "scheduler"] no
cluster_encryption_config Configuration block with encryption configuration for the cluster list(object({ provider_key_arn = string, resources = list(string) })) [] no
cluster_endpoint_private_access Indicates whether the EKS private API server endpoint is enabled. Defaults to false, matching the EKS resource default bool false no
cluster_endpoint_public_access Indicates whether the EKS public API server endpoint is enabled. Defaults to true, matching the EKS resource default bool true no
cluster_endpoint_public_access_cidrs List of CIDR blocks which can access the Amazon EKS public API server endpoint list(string) ["0.0.0.0/0"] no
cluster_identity_providers Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA any {} no
cluster_ip_family The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created string "ipv4" no
cluster_name EKS Cluster Name string "" no
cluster_proportional_autoscaler Cluster Proportional Autoscaler add-on configurations any {} no
cluster_security_group_additional_rules List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source any {} no
cluster_security_group_description Description of the cluster security group created string "EKS cluster security group" no
cluster_security_group_id Security group to be used if creation of cluster security group is turned off string "" no
cluster_security_group_name Name to use on cluster security group created string null no
cluster_security_group_tags A map of additional tags to add to the cluster security group created map(string) {} no
cluster_security_group_use_name_prefix Determines whether cluster security group name (cluster_security_group_name) is used as a prefix bool true no
cluster_service_ipv4_cidr The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks string null no
cluster_timeouts Create, update, and delete timeout configurations for the cluster map(string) {} no
cluster_version Kubernetes <major>.<minor> version to use for the EKS cluster (e.g. 1.24) string "1.24" no
control_plane_subnet_ids A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane list(string) [] no
create_cloudwatch_log_group Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled bool false no
create_cluster_primary_security_group_tags Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation bool true no
create_cluster_security_group Toggle to create or assign cluster security group bool true no
create_eks Create EKS cluster bool true no
create_iam_role Determines whether an IAM role is created or an existing IAM role is used bool true no
create_node_security_group Determines whether to create a security group for the node groups or use the existing node_security_group_id bool true no
custom_oidc_thumbprints Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) list(string) [] no
eks_addons_timeouts Create, update, and delete timeout configurations for the EKS addons map(string) {} no
enable_argo_rollouts Enable Argo Rollouts add-on bool false no
enable_argo_workflows Enable Argo workflows add-on bool false no
enable_argocd Enable Argo CD Kubernetes add-on bool false no
enable_aws_cloudwatch_metrics Enable AWS Cloudwatch Metrics add-on for Container Insights bool false no
enable_aws_efs_csi_driver Enable AWS EFS CSI Driver add-on bool false no
enable_aws_for_fluentbit Enable AWS for FluentBit add-on bool false no
enable_aws_fsx_csi_driver Enable AWS FSX CSI Driver add-on bool false no
enable_aws_load_balancer_controller Enable AWS Load Balancer Controller add-on bool false no
enable_aws_node_termination_handler Enable AWS Node Termination Handler add-on bool false no
enable_aws_privateca_issuer Enable AWS PCA Issuer bool false no
enable_cert_manager Enable cert-manager add-on bool false no
enable_cluster_autoscaler Enable Cluster autoscaler add-on bool false no
enable_cluster_encryption Determines whether cluster encryption is enabled bool true no
enable_cluster_proportional_autoscaler Enable Cluster Proportional Autoscaler bool false no
enable_external_dns Enable external-dns operator add-on bool false no
enable_external_secrets Enable External Secrets operator add-on bool false no
enable_fargate_fluentbit Enable Fargate FluentBit add-on bool false no
enable_gatekeeper Enable Gatekeeper add-on bool false no
enable_ingress_nginx Enable Ingress Nginx bool false no
enable_irsa Determines whether to create an OpenID Connect Provider for EKS to enable IRSA bool true no
enable_karpenter Enable Karpenter controller add-on bool false no
enable_kube_prometheus_stack Enable Kube Prometheus Stack bool false no
enable_metrics_server Enable metrics server add-on bool false no
enable_secrets_store_csi_driver Enable CSI Secrets Store Provider bool false no
enable_secrets_store_csi_driver_provider_aws Enable AWS CSI Secrets Store Provider bool false no
enable_velero Enable Velero add-on bool false no
enable_vpa Enable Vertical Pod Autoscaler add-on bool false no
external_dns external-dns addon configuration values any {} no
external_dns_route53_zone_arns List of Route53 zones ARNs which external-dns will have access to create/manage records (if using Route53) list(string) [] no
external_secrets External Secrets addon configuration values any {} no
external_secrets_kms_key_arns List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets list(string) ["arn:aws:kms:::key/*"] no
external_secrets_secrets_manager_arns List of Secrets Manager ARNs that contain secrets to mount using External Secrets list(string) ["arn:aws:secretsmanager:::secret:*"] no
external_secrets_ssm_parameter_arns List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets list(string) ["arn:aws:ssm:::parameter/*"] no
fargate_fluentbit Fargate fluentbit add-on config any {} no
fargate_fluentbit_cw_log_group AWS Fargate Fluentbit CloudWatch Log Group configurations any {} no
fargate_profiles Fargate profile configuration any {} no
gatekeeper Gatekeeper add-on configuration any {} no
iam_role_additional_policies Additional policies to be added to the IAM role list(string) [] no
iam_role_arn Existing IAM role ARN for the cluster. Required if create_iam_role is set to false string null no
iam_role_description Description of the role string null no
iam_role_name Name to use on IAM role created string null no
iam_role_path Cluster IAM role path string null no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
ingress_nginx Ingress Nginx add-on configurations any {} no
karpenter Karpenter addon configuration values any {} no
karpenter_enable_spot_termination Determines whether to enable native node termination handling bool true no
karpenter_node Karpenter IAM role and IAM instance profile configuration values any {} no
karpenter_sqs Karpenter SQS queue for native node termination handling configuration values any {} no
kube_prometheus_stack Kube Prometheus Stack add-on configurations any {} no
managed_node_groups Managed node groups configuration any {} no
metrics_server Metrics Server add-on configurations any {} no
node_security_group_additional_rules List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source any {} no
node_security_group_description Description of the node security group created string "EKS node shared security group" no
node_security_group_name Name to use on node security group created string null no
node_security_group_tags A map of additional tags to add to the node security group created map(string) {} no
node_security_group_use_name_prefix Determines whether node security group name (node_security_group_name) is used as a prefix bool true no
openid_connect_audiences List of OpenID Connect audience client IDs to add to the IRSA provider list(string) [] no
private_subnet_ids List of private subnets Ids for the cluster and worker nodes list(string) [] no
secrets_store_csi_driver CSI Secrets Store Provider add-on configurations any {} no
secrets_store_csi_driver_provider_aws CSI Secrets Store Provider add-on configurations any {} no
self_managed_node_groups Self-managed node groups configuration any {} no
tags Additional tags (e.g. map("BusinessUnit", "XYZ")) map(string) {} no
velero Velero addon configuration values any {} no
vpa Vertical Pod Autoscaler addon configuration values any {} no
vpc_id VPC Id string n/a yes
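
Several of the defaults listed above are permissive: the public API endpoint is enabled and open to 0.0.0.0/0, the private endpoint is off, cluster_encryption_config is empty, and the External Secrets, cert-manager and external-dns IRSA inputs default to wildcard ARNs. The following is an added example, not part of this module's README or example folder, showing one invocation that overrides each of those inputs. It reuses the data.aws_vpc.vpc, data.aws_subnets.* and module.tags objects from the Usage section; aws_kms_key.eks, aws_kms_key.secrets, the account ID 123456789012, the hosted zone ID Z0123456789EXAMPLE and the admin_cidrs variable are hypothetical placeholders.

```hcl
# Added example (not the module's own code). Hardened invocation of
# terraform-aws-arc-eks-addon that replaces the permissive defaults.
# Placeholders: aws_kms_key.eks, aws_kms_key.secrets, account 123456789012,
# hosted zone Z0123456789EXAMPLE, and the admin_cidrs variable.

variable "admin_cidrs" {
  description = "CIDRs allowed to reach the public API endpoint, if it is ever enabled"
  type        = list(string)
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range; replace with your egress CIDR

  # Guard rail: a later edit that re-enables public access cannot reopen
  # the endpoint to the whole internet without failing terraform plan.
  validation {
    condition     = !contains(var.admin_cidrs, "0.0.0.0/0")
    error_message = "admin_cidrs must not contain 0.0.0.0/0; restrict the public endpoint or keep it disabled."
  }
}

module "eks" {
  source = "git::https://github.com/sourcefuse/terraform-aws-arc-eks-addon?ref=v1.0.0"

  tags                     = module.tags.tags
  vpc_id                   = data.aws_vpc.vpc.id
  private_subnet_ids       = data.aws_subnets.private.ids
  public_subnet_ids        = data.aws_subnets.public.ids
  control_plane_subnet_ids = data.aws_subnets.private.ids # control-plane ENIs in private subnets only

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  # API endpoint exposure. Defaults: public=true, private=false, CIDRs=["0.0.0.0/0"].
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = false
  cluster_endpoint_public_access_cidrs = var.admin_cidrs # only consulted if public access is re-enabled

  # Secrets encryption. enable_cluster_encryption defaults to true but
  # cluster_encryption_config defaults to []; pin the key to one you manage.
  enable_cluster_encryption = true
  cluster_encryption_config = [{
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }]

  # Control-plane audit trail: keep all five log types and own the log group
  # so that retention and KMS encryption are managed by Terraform, not by EKS.
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_retention_in_days = 365
  cloudwatch_log_group_kms_key_id        = aws_kms_key.eks.arn

  # Cluster IAM role: a permissions boundary caps any policy attached later.
  iam_role_permissions_boundary = "arn:aws:iam::123456789012:policy/EksRoleBoundary"

  # IRSA-backed add-ons: narrow the wildcard defaults to the exact resources
  # each controller needs. Every ARN below is a placeholder.
  enable_irsa = true

  enable_cert_manager                   = true
  cert_manager_route53_hosted_zone_arns = ["arn:aws:route53:::hostedzone/Z0123456789EXAMPLE"]

  enable_external_dns            = true
  external_dns_route53_zone_arns = ["arn:aws:route53:::hostedzone/Z0123456789EXAMPLE"]

  enable_external_secrets               = true
  external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:us-east-1:123456789012:secret:arc-eks/*"]
  external_secrets_ssm_parameter_arns   = ["arn:aws:ssm:us-east-1:123456789012:parameter/arc-eks/*"]
  external_secrets_kms_key_arns         = [aws_kms_key.secrets.arn]
}
```

With public access disabled, kubectl and the Terraform kubernetes/helm providers must reach the cluster from inside the VPC (for example through the bastion shown in the architecture diagram); run terraform plan after changing endpoint or encryption settings on an existing cluster and review whether the provider reports an in-place update or a replacement before applying.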

Outputs

Name Description
cluster_endpoint The endpoint of the EKS cluster
cluster_id The name/id of the EKS cluster
cluster_version The version of the EKS cluster
oidc_provider_arn The ARN of the OIDC provider of the EKS cluster

Versioning

This project uses a .version file at the root of the repo, which the pipeline reads and uses to create a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Authors

This project is authored by the people below

  • SourceFuse ARC Team