feat: Add encryption_config capabilities, default to EKS v1.15

README.md

@@ -78,6 +78,8 @@ No provider.
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
 | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
 | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
+| cluster\_encryption\_key\_arn | KMS Key ARN to encrypt EKS secrets with. | `string` | `""` | no |
+| cluster\_encryption\_resources | A list of the EKS resources to encrypt. | `list(string)` | <pre>[<br>  "secrets"<br>]</pre> | no |
 | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
 | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no |
 | cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
@@ -86,7 +88,7 @@ No provider.
 | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no |
 | cluster\_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | n/a | yes |
 | cluster\_security\_group\_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no |
-| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.14"` | no |
+| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.15"` | no |
 | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no |
 | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
 | eks\_oidc\_root\_ca\_thumbprint | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no |

main.tf

@@ -5,6 +5,8 @@ module "control_plane" {
   cluster_create_timeout                       = var.cluster_create_timeout
   cluster_delete_timeout                       = var.cluster_delete_timeout
   cluster_enabled_log_types                    = var.cluster_enabled_log_types
+  cluster_encryption_key_arn                   = var.cluster_encryption_key_arn
+  cluster_encryption_resources                 = var.cluster_encryption_resources
   cluster_endpoint_private_access              = var.cluster_endpoint_private_access
   cluster_endpoint_public_access               = var.cluster_endpoint_public_access
   cluster_endpoint_public_access_cidrs         = var.cluster_endpoint_public_access_cidrs

modules/aws_auth/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12.9"
 
   required_providers {
-    aws        = ">= 2.44.0"
+    aws        = ">= 2.52.0"
     null       = ">= 2.1"
     template   = ">= 2.1"
     kubernetes = ">= 1.6.2"

modules/control_plane/README.md

@@ -7,7 +7,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 
 | Name | Version |
 |------|---------|
-| aws | >= 2.44.0 |
+| aws | >= 2.52.0 |
 | local | >= 1.2 |
 | template | >= 2.1 |
 
@@ -19,6 +19,8 @@ This submodule is designed for use by both the parent `eks` module and by the us
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
 | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
 | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
+| cluster\_encryption\_key\_arn | KMS Key ARN to encrypt EKS resources with. | `string` | `""` | no |
+| cluster\_encryption\_resources | A list of the EKS resources to encrypt. | `list(string)` | <pre>[<br>  "secrets"<br>]</pre> | no |
 | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
 | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no |
 | cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
@@ -27,7 +29,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no |
 | cluster\_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | n/a | yes |
 | cluster\_security\_group\_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no |
-| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.14"` | no |
+| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.15"` | no |
 | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no |
 | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
 | eks\_oidc\_root\_ca\_thumbprint | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no |

modules/control_plane/cluster.tf

@@ -22,6 +22,17 @@ resource "aws_eks_cluster" "this" {
     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs
   }
 
+  dynamic encryption_config {
+    for_each = toset(var.cluster_encryption_key_arn != "" ? ["encryption_enabled"] : [])
+
+    content {
+      provider {
+        key_arn = var.cluster_encryption_key_arn
+      }
+      resources = var.cluster_encryption_resources
+    }
+  }
+
   timeouts {
     create = var.cluster_create_timeout
     delete = var.cluster_delete_timeout

modules/control_plane/variables.tf

@@ -7,7 +7,7 @@ variable "create_eks" {
 variable "cluster_version" {
   description = "Kubernetes version to use for the EKS cluster."
   type        = string
-  default     = "1.14"
+  default     = "1.15"
 }
 
 variable "cluster_enabled_log_types" {
@@ -166,3 +166,15 @@ variable "eks_oidc_root_ca_thumbprint" {
   description = "Thumbprint of Root CA for EKS OIDC, Valid until 2037"
   default     = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
 }
+
+variable "cluster_encryption_key_arn" {
+  type        = string
+  description = "KMS Key ARN to encrypt EKS resources with."
+  default     = ""
+}
+
+variable "cluster_encryption_resources" {
+  type        = list(string)
+  description = "A list of the EKS resources to encrypt."
+  default     = ["secrets"]
+}

modules/control_plane/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12.9"
 
   required_providers {
-    aws      = ">= 2.44.0"
+    aws      = ">= 2.52.0"
     local    = ">= 1.2"
     template = ">= 2.1"
   }

modules/node_groups/README.md

@@ -28,7 +28,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 
 | Name | Version |
 |------|---------|
-| aws | >= 2.44.0 |
+| aws | >= 2.52.0 |
 | random | >= 2.1 |
 
 ## Inputs

modules/node_groups/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12.9"
 
   required_providers {
-    aws    = ">= 2.44.0"
+    aws    = ">= 2.52.0"
     random = ">= 2.1"
   }
 }

modules/worker_groups/README.md

@@ -11,7 +11,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 
 | Name | Version |
 |------|---------|
-| aws | >= 2.44.0 |
+| aws | >= 2.52.0 |
 | random | >= 2.1 |
 | template | >= 2.1 |
 

modules/worker_groups/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12.9"
 
   required_providers {
-    aws      = ">= 2.44.0"
+    aws      = ">= 2.52.0"
     template = ">= 2.1"
     random   = ">= 2.1"
   }

variables.tf

@@ -28,7 +28,7 @@ variable "cluster_security_group_id" {
 variable "cluster_version" {
   description = "Kubernetes version to use for the EKS cluster."
   type        = string
-  default     = "1.14"
+  default     = "1.15"
 }
 
 variable "config_output_path" {
@@ -335,3 +335,15 @@ variable "eks_oidc_root_ca_thumbprint" {
   description = "Thumbprint of Root CA for EKS OIDC, Valid until 2037"
   default     = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
 }
+
+variable "cluster_encryption_key_arn" {
+  type        = string
+  description = "KMS Key ARN to encrypt EKS secrets with."
+  default     = ""
+}
+
+variable "cluster_encryption_resources" {
+  type        = list(string)
+  description = "A list of the EKS resources to encrypt."
+  default     = ["secrets"]
+}

versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12.9"
 
   required_providers {
-    aws        = ">= 2.44.0"
+    aws        = ">= 2.52.0"
     local      = ">= 1.2"
     null       = ">= 2.1"
     template   = ">= 2.1"