terraform-aws-eks

Requirements

Name	Version
terraform	~> 1.6
aws	~> 5.0
helm	~> 2.9.0
kubectl	~> 1.14.0
kubernetes	~> 2.10.0

Providers

Name	Version
aws	~> 5.0
aws.us-east-1	~> 5.0
helm	~> 2.9.0
kubectl	~> 1.14.0
kubernetes	~> 2.10.0

Modules

Name	Source	Version
cert_manager	truemark/eks-certmanager/aws	0.0.4
ebs_csi_irsa_role	terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks	n/a
eks	terraform-aws-modules/eks/aws	~> 19.0
external_secrets_irsa	terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks	n/a
ingress_istio	truemark/istio/kubernetes	~> 0.0.4
ingress_traefik	truemark/traefik/kubernetes	~> 0.0.1
karpenter	terraform-aws-modules/eks/aws//modules/karpenter	~> 19.0
monitoring	truemark/eks-monitoring/aws	~> 0.0.15
vpc_cni_irsa	terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks	n/a

Resources

Name	Type
aws_iam_policy.aws_load_balancer_controller	resource
aws_iam_role.aws_load_balancer_controller	resource
aws_iam_role_policy_attachment.aws_load_balancer_controller	resource
helm_release.aws_load_balancer_controller	resource
helm_release.external_secrets	resource
helm_release.karpenter	resource
helm_release.metrics_server	resource
kubectl_manifest.gp2	resource
kubectl_manifest.karpenter_node_class	resource
kubectl_manifest.karpenter_node_pool	resource
kubernetes_namespace.external_secrets	resource
kubernetes_storage_class.gp3	resource
kubernetes_storage_class.gp3_xfs_encrypted	resource
aws_caller_identity.current	data source
aws_ecrpublic_authorization_token.token	data source
aws_eks_cluster_auth.cluster	data source
aws_iam_policy_document.aws_load_balancer_controller_full	data source
aws_iam_roles.iam_role	data source
aws_iam_roles.support_role	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
alerts_sns_topics_arn	The ARN of the SNS topic to send alerts to	string	null	no
amp_alerting_rules_exclude_namespace	Namespaces to exclude from alerting	string	""	no
amp_arn	The AMP workspace arn	string	null	no
amp_custom_alerting_rules	Prometheus K8s custom alerting rules	string	""	no
amp_id	The AMP workspace id	string	null	no
cluster_additional_security_group_ids	List of additional, externally created security group IDs to attach to the cluster control plane	list(string)	[]	no
cluster_endpoint_private_access	Indicates whether or not the Amazon EKS private API server endpoint is enabled.	bool	true	no
cluster_endpoint_public_access	Indicates whether or not the Amazon EKS public API server endpoint is enabled.	bool	false	no
cluster_name	Name of the EKS cluster.	string	""	no
cluster_security_group_additional_rules	List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source	any	{}	no
cluster_version	Kubernetes <major>.<minor> version to use for the EKS cluster (i.e.: 1.24)	string	"1.26"	no
eks_managed_node_group_defaults	Map of EKS managed node group default configurations.	any	{}	no
eks_managed_node_groups	Map of EKS managed node group definitions to create.	any	{}	no
enable_cert_manager	Enables cert-manager deployment.	bool	false	no
enable_istio	Enables istio deployment	bool	false	no
enable_karpenter	Add karpenter to the cluster	bool	true	no
enable_monitoring	Enable monitoring	bool	false	no
enable_traefik	Enables traefik deployment.	bool	false	no
external_secrets_kms_key_arns	List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets	list(string)	[ "arn:aws:kms:::key/*" ]	no
external_secrets_secrets_manager_arns	List of Secrets Manager ARNs that contain secrets to mount using External Secrets	list(string)	[ "arn:aws:secretsmanager:::secret:*" ]	no
external_secrets_ssm_parameter_arns	List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets	list(string)	[ "arn:aws:ssm:::parameter/*" ]	no
iam_roles	AWS IAM roles that will be mapped to RBAC roles.	list(any)	[]	no
istio_enable_external_gateway	Determines whether to enable an external gateway for Istio, allowing external traffic to reach Istio services.	bool	true	no
istio_enable_internal_gateway	Controls the enabling of an internal gateway for Istio, which manages traffic within the Kubernetes cluster.	bool	false	no
istio_external_gateway_lb_certs	The certificates for the Istio external gateway load balancer.	list(string)	[]	no
istio_external_gateway_scaling_max_replicas	The maximum number of replicas for scaling the Istio external gateway.	number	5	no
istio_external_gateway_scaling_target_cpu_utilization	The target CPU utilization percentage for scaling the external gateway.	number	80	no
istio_external_gateway_service_kind	The type of service for the Istio external gateway.	string	"NodePort"	no
istio_internal_gateway_lb_certs	The certificates for the Istio internal gateway load balancer.	list(string)	[]	no
istio_internal_gateway_scaling_max_replicas	The maximum number of replicas for scaling the Istio internal gateway.	number	5	no
istio_internal_gateway_scaling_target_cpu_utilization	The target CPU utilization percentage for scaling the internal gateway.	number	80	no
istio_internal_gateway_service_kind	The type of service for the Istio internal gateway.	string	"NodePort"	no
karpenter_node_template_default	Config for default node template for karpenter	map(any)	{ "subnetSelector": { "network": "private" } }	no
karpenter_nodepool_default_expireAfter	The amount of time a Node can live on the cluster before being removed	string	"720h"	no
karpenter_provisioner_default_ami_family	Specifies the default Amazon Machine Image (AMI) family to be used by the Karpenter provisioner.	string	"Bottlerocket"	no
karpenter_provisioner_default_block_device_mappings	Specifies the default size and characteristics of the volumes used by the Karpenter provisioner. It defines the volume size, type, and encryption settings.	map(any)	{ "specs": [ { "deviceName": "/dev/xvda", "ebs": { "encrypted": true, "volumeSize": "30Gi", "volumeType": "gp3" } }, { "deviceName": "/dev/xvdb", "ebs": { "encrypted": true, "volumeSize": "100Gi", "volumeType": "gp3" } } ] }	no
karpenter_provisioner_default_cpu_limits	Defines the default CPU limits for the Karpenter default provisioner, ensuring resource allocation and utilization.	number	300	no
karpenter_provisioner_default_requirements	Specifies the default requirements for the Karpenter provisioner template, including instance category, CPU, hypervisor, architecture, and capacity type.	map(any)	{ "requirements": [ { "key": "karpenter.k8s.aws/instance-category", "operator": "In", "values": [ "m" ] }, { "key": "karpenter.k8s.aws/instance-cpu", "operator": "In", "values": [ "4", "8", "16" ] }, { "key": "karpenter.k8s.aws/instance-hypervisor", "operator": "In", "values": [ "nitro" ] }, { "key": "kubernetes.io/arch", "operator": "In", "values": [ "amd64" ] }, { "key": "karpenter.sh/capacity-type", "operator": "In", "values": [ "on-demand" ] } ] }	no
karpenter_provisioner_default_ttl_after_empty	Sets the default Time to Live (TTL) for provisioned resources by the Karpenter default provisioner after they become empty or idle.	number	300	no
karpenter_provisioner_default_ttl_until_expired	Specifies the default Time to Live (TTL) for provisioned resources by the Karpenter default provisioner until they expire or are reclaimed.	number	2592000	no
karpenter_settings_featureGates_drift	Enable or disable drift feature of karpenter	bool	true	no
node_security_group_additional_rules	List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source	any	{}	no
prometheus_server_data_volume_size	Volume size for prometheus data	string	"150Gi"	no
sso_roles	AWS SSO roles that will be mapped to RBAC roles.	list(object({ role_name = string, groups = list(string), }))	[]	no
subnets_ids	A list of subnet IDs where the nodes/node groups will be provisioned.	list(string)	[]	no
tags	A map of tags to add to all resources.	map(string)	{}	no
vpc_id	ID of the VPC where the cluster and its nodes will be provisioned.	string	null	no

Outputs

Name	Description
amp_workspace_id	The ID of the AMP workspace
cluster_arn	The Amazon Resource Name (ARN) of the cluster
cluster_certificate_authority_data	Base64 encoded certificate data required to communicate with the cluster
cluster_endpoint	Endpoint of the Kubernetes API server
cluster_iam_role_arn	IAM role ARN of the EKS cluster
cluster_id	The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready
cluster_identity_providers	Map of attribute maps for all EKS identity providers enabled
cluster_oidc_issuer_url	The URL on the EKS cluster for the OpenID Connect identity provider
cluster_security_group_arn	Amazon Resource Name (ARN) of the cluster security group
cluster_security_group_id	ID of the cluster security group
cluster_tls_certificate_sha1_fingerprint	The SHA1 fingerprint of the public key of the cluster's certificate
custer_name	The name of the EKS cluster
eks_managed_node_groups	Map of attribute maps for all EKS managed node groups created
eks_managed_node_groups_autoscaling_group_names	List of the autoscaling group names created by EKS managed node groups
fargate_profiles	Map of attribute maps for all EKS Fargate Profiles created
node_security_group_arn	Amazon Resource Name (ARN) of the node shared security group
node_security_group_id	ID of the node shared security group
oidc_provider	The OpenID Connect identity provider (issuer URL without leading https://)
oidc_provider_arn	The ARN of the OIDC Provider if enable_irsa = true
self_managed_node_groups	Map of attribute maps for all self managed node groups created
self_managed_node_groups_autoscaling_group_names	List of the autoscaling group names created by self-managed node groups