# terraform-aws-arc-eks
## Overview
The SourceFuse AWS Reference Architecture (ARC) Terraform module provisions an EKS (Elastic Kubernetes Service) cluster with support for multiple operational modes and integrations:
- EKS Cluster Creation: Automates the setup of the EKS control plane and associated IAM roles, VPC configurations, and security groups.
- EKS Auto Mode Support: Enables simplified node management with AWS-managed node groups and automatic provisioning.
- Karpenter Installation: Optionally installs and configures Karpenter, a flexible autoscaler that dynamically launches compute based on pod requirements.
- Fargate Support: Allows deployment of serverless workloads on AWS Fargate by creating the required Fargate profiles and IAM roles.
This module helps streamline EKS provisioning while offering flexibility in compute options, making it suitable for both production and cost-optimized environments.
For more information about this repository and its usage, please see Terraform AWS ARC EKS Module Usage Guide.
## Usage
See the examples directory for usage examples, including configurations for auto-mode, fargate-profile, karpenter, and nodegroup. Below is the example for a simple EKS cluster creation.
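As an added illustration (not the module's own documented example), here is a minimal cluster declaration using the inputs described in the Inputs table below, with the API endpoint reachable privately and only from a named public CIDR, API-mode authentication, and control-plane audit logging enabled. The registry source path (modelled on the `sourcefuse/arc-kms/aws` naming), the version placeholder, the subnet and CIDR values, and the `scaling_config` attribute names (taken from the AWS provider's `aws_eks_node_group` resource) are assumptions; object attributes the Inputs table does not name are omitted on the assumption that the module declares them optional.

```hcl
module "eks" {
  source  = "sourcefuse/arc-eks/aws" # assumed registry path, following the arc-kms naming
  version = "x.y.z"                  # placeholder: pin to a released module version

  name               = "arc-example-eks"
  namespace          = "arc"
  environment        = "dev"
  kubernetes_version = "1.31" # constructed value: pick a version EKS currently supports

  vpc_config = {
    security_group_ids      = []
    subnet_ids              = ["subnet-0123", "subnet-4567"] # placeholders: private subnets
    endpoint_private_access = true                            # in-VPC clients reach the API privately
    endpoint_public_access  = true
    public_access_cidrs     = ["203.0.113.0/24"]              # constructed: admin egress range, not 0.0.0.0/0
  }

  access_config = {
    authentication_mode                         = "API" # IAM access entries only, no aws-auth ConfigMap
    bootstrap_cluster_creator_admin_permissions = true
  }

  # Audit and authenticator logs are what an incident responder needs from the control plane.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  kubernetes_network_config = {
    service_ipv4_cidr = "172.20.0.0/16" # inside 172.16.0.0/12 with a /16 mask, as the input requires
    ip_family         = "ipv4"
  }

  upgrade_policy = "STANDARD"

  node_group_config = {
    enable = true
    config = {
      general = {
        subnet_ids     = ["subnet-0123", "subnet-4567"] # same placeholder private subnets
        instance_types = ["t3.medium"]
        capacity_type  = "ON_DEMAND"
        # attribute names assumed from aws_eks_node_group's scaling_config block
        scaling_config = { desired_size = 2, min_size = 1, max_size = 3 }
        labels         = { "workload" = "general" }
      }
    }
  }

  tags = { "Project" = "arc-eks-example" }
}
```

Run `terraform validate` against the module version you pin to confirm the object attribute names before applying; the module's variable definitions are the authority on which attributes are required.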
## Requirements
Name | Version |
---|---|
terraform | >= 1.6.0 |
aws | >= 5.0.0 |
helm | 2.12.1 |
kubernetes | = 2.24.0 |
null | >= 2.0 |
tls | >= 3.1.0, != 4.0.0 |
## Providers
Name | Version |
---|---|
aws | 5.94.1 |
helm | 2.12.1 |
kubernetes | 2.24.0 |
tls | 4.0.6 |
## Modules
Name | Source | Version |
---|---|---|
kms | sourcefuse/arc-kms/aws | 1.0.9 |
## Resources
## Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_config | Access configuration for the cluster: `authentication_mode` (one of "API" or "API_AND_CONFIG_MAP"); `bootstrap_cluster_creator_admin_permissions` (grant the cluster creator admin access); `aws_auth_config_map` (optional, config for the aws-auth ConfigMap); `eks_access_entries` (optional, list of principals and their policy associations) | object({…}) | {…} | no |
additional_cluster_security_group_rules | List of ingress security group rules to apply to the EKS cluster security group | list(object({…})) | [] | no |
additional_node_group_policy_arns | Optional additional policies to attach to the node group role | list(string) | [] | no |
auto_mode_config | (optional) EKS automates routine cluster tasks for compute, storage, and networking. When a new pod can't fit onto existing nodes, EKS creates a new node. EKS combines cluster infrastructure managed by AWS with integrated Kubernetes capabilities to meet application compute needs. | object({…}) | {…} | no |
bootstrap_self_managed_addons_enabled | (optional) Install default unmanaged add-ons, such as aws-cni, kube-proxy, and CoreDNS, during cluster creation. If false, you must install the desired add-ons manually. Changing this value forces a new cluster to be created. | bool | true | no |
eks_additional_policy_arns | Optional additional policy ARNs to attach | list(string) | [] | no |
eks_addons | Map of EKS add-ons to create | map(object({…})) | {} | no |
eks_policy_arns | List of IAM policy ARNs to attach to the EKS role | list(string) | […] | no |
enable_arc_zonal_shift | (optional) Whether to enable ARC Zonal Shift, which shifts application traffic away from an impaired Availability Zone (AZ) in your EKS cluster. | bool | false | no |
enable_oidc_provider | Whether to enable the OIDC provider | bool | true | no |
enabled_cluster_log_types | A list of the control plane log types to enable. Valid values: api, audit, authenticator, controllerManager, scheduler | list(string) | [] | no |
envelope_encryption | Whether to enable envelope encryption | object({…}) | {…} | no |
environment | ID element. Usually used for region, e.g. 'uw2', 'us-west-2', or role, e.g. 'prod', 'staging', 'dev', 'UAT' | string | n/a | yes |
fargate_profile_config | Combined configuration for the EKS Fargate profile, including IAM policies. | object({…}) | {…} | no |
karpenter_config | Configuration for Karpenter | object({…}) | {…} | no |
kubernetes_network_config | Configuration block for Kubernetes networking: `service_ipv4_cidr` (optional custom CIDR block for Kubernetes service IPs; must be within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 and have a netmask between /12 and /24); `ip_family` (the IP family to assign, ipv4 or ipv6; default is ipv4) | object({…}) | {…} | no |
kubernetes_version | Desired Kubernetes master version | string | n/a | yes |
name | EKS cluster name | string | n/a | yes |
namespace | Namespace your resource belongs to. Usually an abbreviation of your organization name, e.g. 'example' or 'arc', to help ensure generated IDs are globally unique | string | n/a | yes |
node_group_config | Configuration for EKS managed node groups. `enable`: controls whether EKS node groups should be created. `config`: a map of node group configurations, where each key is an identifier for a node group. Each node group object may include: `node_group_name` (optional custom name; a default is used if not specified); `node_role_arn` (optional ARN of the IAM role for the node group); `release_version` (optional AMI version); `scaling_config` (required settings for desired, minimum, and maximum node counts); `taints` (optional list of taints, each with a key, optional value, and effect); `update_config` (optional rolling update settings such as max unavailable nodes); `remote_access` (optional SSH access configuration, including key name and allowed source security group IDs); `launch_template` (optional launch template ID, name, and version); `node_repair_config` (optional node auto-repair / self-healing configuration); `instance_types` (optional list of EC2 instance types, default ["t3.medium"]); `ami_type` (optional AMI type, e.g. "AL2_x86_64", "BOTTLEROCKET_x86_64"); `disk_size` (optional root EBS volume size in GiB); `capacity_type` (optional, "ON_DEMAND" or "SPOT", default "ON_DEMAND"); `labels` (optional key-value map of Kubernetes labels for the nodes); `ignore_desired_size` (optional; if true, desired size is ignored during updates, default false); `subnet_ids` (required list of subnet IDs where the node group is deployed); `kubernetes_version` (optional Kubernetes version for the node group) | object({…}) | {…} | no |
node_group_policy_arns | Default policies for the EKS node group | list(string) | […] | no |
tags | Tags for EKS resources | map(string) | {} | no |
upgrade_policy | (optional) Support type to use for the cluster. If the cluster is set to EXTENDED, it enters extended support at the end of standard support; if set to STANDARD, it is automatically upgraded at the end of standard support. Valid values are EXTENDED and STANDARD. STANDARD supports the Kubernetes version for 14 months after the release date at no additional cost; when standard support ends, the cluster is auto-upgraded to the next version. EXTENDED supports the Kubernetes version for 26 months after the release date; the extended support period has an additional hourly cost that begins after the standard support period ends, and when extended support ends the cluster is auto-upgraded to the next version. | string | "STANDARD" | no |
vpc_config | Configuration block for VPC settings: `security_group_ids` (list of security group IDs associated with the VPC); `subnet_ids` (list of subnet IDs where resources will be deployed); `endpoint_private_access` (enable or disable private access to the cluster endpoint); `endpoint_public_access` (enable or disable public access to the cluster endpoint); `public_access_cidrs` (CIDR blocks that can access the public endpoint, if enabled) | object({…}) | n/a | yes |
## Outputs
Name | Description |
---|---|
arn | The Amazon Resource Name (ARN) of the EKS cluster |
certificate_authority_data | The base64-encoded certificate data required to communicate with the EKS cluster |
eks_cluster_id | The unique identifier of the EKS cluster |
eks_cluster_security_group_id | The ID of the security group associated with the EKS cluster's control plane |
endpoint | The endpoint for the EKS cluster API server |
name | The name of the EKS cluster |
oidc_provider_url | The OIDC identity provider URL for the EKS cluster (without the https:// prefix) |
## Kubernetes dashboard
To view the dashboard, run the following commands:
Then navigate to:
and use the copied token to log in.
## Development
### Prerequisites
### Configurations
- Configure pre-commit hooks
- Configure Go dependencies for tests
### Git commits
While contributing or making a git commit, please specify the breaking change in your commit message, whether it is major, minor or patch.
For example:
### Tests
- Tests are available in the test directory
- In the test directory, run the below command
## Authors
This project is authored by the people below:
- SourceFuse ARC Team
## Contributors
Thanks goes to these wonderful people (emoji key):
- vijay-stephen
- Shubham Sinha
- Travis Saucier
- Mayank Sharma
This project follows the all-contributors specification. Contributions of any kind welcome!