+
+
+
[| no | -| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | -| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
"0.0.0.0/0"
]
list(object({
provider_key_arn = string
resources = list(string)
})) | `[]` | no |
-| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
-| [cluster\_endpoint\_private\_access\_cidrs](#input\_cluster\_endpoint\_private\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS private API server endpoint. To use this `cluster_endpoint_private_access` and `cluster_create_endpoint_private_access_sg_rule` must be set to `true`. | `list(string)` | `null` | no |
-| [cluster\_endpoint\_private\_access\_sg](#input\_cluster\_endpoint\_private\_access\_sg) | List of security group IDs which can access the Amazon EKS private API server endpoint. To use this `cluster_endpoint_private_access` and `cluster_create_endpoint_private_access_sg_rule` must be set to `true`. | `list(string)` | `null` | no |
-| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. When it's set to `false` ensure to have a proper private access with `cluster_endpoint_private_access = true`. | `bool` | `true` | no |
-| [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | [| no | -| [cluster\_iam\_role\_name](#input\_cluster\_iam\_role\_name) | IAM role name for the cluster. If manage\_cluster\_iam\_resources is set to false, set this to reuse an existing IAM role. If manage\_cluster\_iam\_resources is set to true, set this to force the created role name. | `string` | `""` | no | -| [cluster\_log\_kms\_key\_id](#input\_cluster\_log\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `""` | no | -| [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | -| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | `""` | no | -| [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no | -| [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | service ipv4 cidr for the kubernetes cluster | `string` | `null` | no | -| [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to just the eks resource. | `map(string)` | `{}` | no | -| [cluster\_update\_timeout](#input\_cluster\_update\_timeout) | Timeout value when updating the EKS cluster. | `string` | `"60m"` | no | -| [cluster\_version](#input\_cluster\_version) | Kubernetes minor version to use for the EKS cluster (for example 1.21). | `string` | `null` | no | -| [create\_eks](#input\_create\_eks) | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no | -| [create\_fargate\_pod\_execution\_role](#input\_create\_fargate\_pod\_execution\_role) | Controls if the EKS Fargate pod execution IAM role should be created. | `bool` | `true` | no | -| [default\_platform](#input\_default\_platform) | Default platform name. Valid options are `linux` and `windows`. | `string` | `"linux"` | no | -| [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no | -| [enable\_irsa](#input\_enable\_irsa) | Whether to create OpenID Connect Provider for EKS to enable IRSA | `bool` | `false` | no | -| [fargate\_pod\_execution\_role\_name](#input\_fargate\_pod\_execution\_role\_name) | The IAM Role that provides permissions for the EKS Fargate Profile. | `string` | `null` | no | -| [fargate\_profiles](#input\_fargate\_profiles) | Fargate profiles to create. See `fargate_profile` keys section in fargate submodule's README.md for more details | `any` | `{}` | no | -| [fargate\_subnets](#input\_fargate\_subnets) | A list of subnets to place fargate workers within (if different from subnets). | `list(string)` | `[]` | no | -| [iam\_path](#input\_iam\_path) | If provided, all IAM roles will be created on this path. | `string` | `"/"` | no | -| [kubeconfig\_api\_version](#input\_kubeconfig\_api\_version) | KubeConfig API version. Defaults to client.authentication.k8s.io/v1alpha1 | `string` | `"client.authentication.k8s.io/v1alpha1"` | no | -| [kubeconfig\_aws\_authenticator\_additional\_args](#input\_kubeconfig\_aws\_authenticator\_additional\_args) | Any additional arguments to pass to the authenticator such as the role to assume. e.g. ["-r", "MyEksRole"]. | `list(string)` | `[]` | no | -| [kubeconfig\_aws\_authenticator\_command](#input\_kubeconfig\_aws\_authenticator\_command) | Command to use to fetch AWS EKS credentials. | `string` | `"aws-iam-authenticator"` | no | -| [kubeconfig\_aws\_authenticator\_command\_args](#input\_kubeconfig\_aws\_authenticator\_command\_args) | Default arguments passed to the authenticator command. Defaults to [token -i $cluster\_name]. | `list(string)` | `[]` | no | -| [kubeconfig\_aws\_authenticator\_env\_variables](#input\_kubeconfig\_aws\_authenticator\_env\_variables) | Environment variables that should be used when executing the authenticator. e.g. { AWS\_PROFILE = "eks"}. | `map(string)` | `{}` | no | -| [kubeconfig\_file\_permission](#input\_kubeconfig\_file\_permission) | File permission of the Kubectl config file containing cluster configuration saved to `kubeconfig_output_path.` | `string` | `"0600"` | no | -| [kubeconfig\_name](#input\_kubeconfig\_name) | Override the default name used for items kubeconfig. | `string` | `""` | no | -| [kubeconfig\_output\_path](#input\_kubeconfig\_output\_path) | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no | -| [manage\_aws\_auth](#input\_manage\_aws\_auth) | Whether to apply the aws-auth configmap file. | `bool` | `true` | no | -| [manage\_cluster\_iam\_resources](#input\_manage\_cluster\_iam\_resources) | Whether to let the module manage cluster IAM resources. If set to false, cluster\_iam\_role\_name must be specified. | `bool` | `true` | no | -| [manage\_worker\_iam\_resources](#input\_manage\_worker\_iam\_resources) | Whether to let the module manage worker IAM resources. If set to false, iam\_instance\_profile\_name must be specified for workers. | `bool` | `true` | no | -| [map\_accounts](#input\_map\_accounts) | Additional AWS account numbers to add to the aws-auth configmap. | `list(string)` | `[]` | no | -| [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
"0.0.0.0/0"
]
list(object({
rolearn = string
username = string
groups = list(string)
})) | `[]` | no |
-| [map\_users](#input\_map\_users) | Additional IAM users to add to the aws-auth configmap. | list(object({
userarn = string
username = string
groups = list(string)
})) | `[]` | no |
-| [node\_groups](#input\_node\_groups) | Map of map of node groups to create. See `node_groups` module's documentation for more details | `any` | `{}` | no |
-| [node\_groups\_defaults](#input\_node\_groups\_defaults) | Map of values to be applied to all node groups. See `node_groups` module's documentation for more details | `any` | `{}` | no |
-| [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider. | `list(string)` | `[]` | no |
-| [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
-| [subnets](#input\_subnets) | A list of subnets to place the EKS cluster and workers within. | `list(string)` | `[]` | no |
-| [tags](#input\_tags) | A map of tags to add to all resources. Tags added to launch configuration or templates override these values for ASG Tags only. | `map(string)` | `{}` | no |
-| [vpc\_id](#input\_vpc\_id) | VPC where the cluster and workers will be deployed. | `string` | `null` | no |
-| [wait\_for\_cluster\_timeout](#input\_wait\_for\_cluster\_timeout) | A timeout (in seconds) to wait for cluster to be available. | `number` | `300` | no |
-| [worker\_additional\_security\_group\_ids](#input\_worker\_additional\_security\_group\_ids) | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no |
-| [worker\_ami\_name\_filter](#input\_worker\_ami\_name\_filter) | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
-| [worker\_ami\_name\_filter\_windows](#input\_worker\_ami\_name\_filter\_windows) | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
-| [worker\_ami\_owner\_id](#input\_worker\_ami\_owner\_id) | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"amazon"` | no |
-| [worker\_ami\_owner\_id\_windows](#input\_worker\_ami\_owner\_id\_windows) | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"amazon"` | no |
-| [worker\_create\_cluster\_primary\_security\_group\_rules](#input\_worker\_create\_cluster\_primary\_security\_group\_rules) | Whether to create security group rules to allow communication between pods on workers and pods using the primary cluster security group. | `bool` | `false` | no |
-| [worker\_create\_initial\_lifecycle\_hooks](#input\_worker\_create\_initial\_lifecycle\_hooks) | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
-| [worker\_create\_security\_group](#input\_worker\_create\_security\_group) | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no |
-| [worker\_groups](#input\_worker\_groups) | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers\_group\_defaults for valid keys. | `any` | `[]` | no |
-| [worker\_groups\_launch\_template](#input\_worker\_groups\_launch\_template) | A list of maps defining worker group configurations to be defined using AWS Launch Templates. See workers\_group\_defaults for valid keys. | `any` | `[]` | no |
-| [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no |
-| [worker\_sg\_ingress\_from\_port](#input\_worker\_sg\_ingress\_from\_port) | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | `number` | `1025` | no |
-| [workers\_additional\_policies](#input\_workers\_additional\_policies) | Additional policies to be added to workers | `list(string)` | `[]` | no |
-| [workers\_egress\_cidrs](#input\_workers\_egress\_cidrs) | List of CIDR blocks that are permitted for workers egress traffic. | `list(string)` | [| no | -| [workers\_group\_defaults](#input\_workers\_group\_defaults) | Override default values for target groups. See workers\_group\_defaults\_defaults in local.tf for valid keys. | `any` | `{}` | no | -| [workers\_role\_name](#input\_workers\_role\_name) | User defined workers role name. | `string` | `""` | no | -| [write\_kubeconfig](#input\_write\_kubeconfig) | Whether to write a Kubectl config file containing the cluster configuration. Saved to `kubeconfig_output_path`. | `bool` | `true` | no | +| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no | +| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days | `number` | `90` | no | +| [cluster\_additional\_security\_group\_ids](#input\_cluster\_additional\_security\_group\_ids) | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no | +| [cluster\_addons](#input\_cluster\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no | +| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster |
"audit",
"api",
"authenticator"
]
list(object({
provider_key_arn = string
resources = list(string)
})) | `[]` | no |
+| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
+| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
+| [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | [| no | +| [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no | +| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no | +| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created | `map(any)` | `{}` | no | +| [cluster\_security\_group\_description](#input\_cluster\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no | +| [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false` | `string` | `""` | no | +| [cluster\_security\_group\_name](#input\_cluster\_security\_group\_name) | Name to use on cluster security group created | `string` | `null` | no | +| [cluster\_security\_group\_tags](#input\_cluster\_security\_group\_tags) | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no | +| [cluster\_security\_group\_use\_name\_prefix](#input\_cluster\_security\_group\_use\_name\_prefix) | Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix | `string` | `true` | no | +| [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no | +| [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no | +| [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no | +| [cluster\_version](#input\_cluster\_version) | Kubernetes `
"0.0.0.0/0"
]
[| no | -| [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
"777777777777",
"888888888888"
]
list(object({
rolearn = string
username = string
groups = list(string)
})) | [| no | -| [map\_users](#input\_map\_users) | Additional IAM users to add to the aws-auth configmap. |
{
"groups": [
"system:masters"
],
"rolearn": "arn:aws:iam::66666666666:role/role1",
"username": "role1"
}
]
list(object({
userarn = string
username = string
groups = list(string)
})) | [| no | - -## Outputs - -| Name | Description | -|------|-------------| -| [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. | -| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | -| [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. | -| [kubectl\_config](#output\_kubectl\_config) | kubectl config as generated by the module. | -| [node\_groups](#output\_node\_groups) | Outputs from node groups | - diff --git a/examples/managed_node_groups/main.tf b/examples/managed_node_groups/main.tf deleted file mode 100644 index 56a2b05346..0000000000 --- a/examples/managed_node_groups/main.tf +++ /dev/null @@ -1,148 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "managed_node_groups-${random_string.suffix.result}" - cluster_version = "1.20" - region = "eu-west-1" -} - -################################################################################ -# EKS Module -################################################################################ - -module "eks" { - source = "../.." - - cluster_name = local.name - cluster_version = local.cluster_version - - vpc_id = module.vpc.vpc_id - subnets = module.vpc.private_subnets - - cluster_endpoint_private_access = true - cluster_endpoint_public_access = true - - node_groups_defaults = { - ami_type = "AL2_x86_64" - disk_size = 50 - } - - node_groups = { - example = { - desired_capacity = 1 - max_capacity = 10 - min_capacity = 1 - - instance_types = ["t3.large"] - capacity_type = "SPOT" - k8s_labels = { - Example = "managed_node_groups" - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } - additional_tags = { - ExtraTag = "example" - } - taints = [ - { - key = "dedicated" - value = "gpuGroup" - effect = "NO_SCHEDULE" - } - ] - update_config = { - max_unavailable_percentage = 50 # or set `max_unavailable` - } - } - example2 = { - desired_capacity = 1 - max_capacity = 10 - min_capacity = 1 - - instance_types = ["t3.medium"] - k8s_labels = { - Example = "managed_node_groups" - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } - additional_tags = { - ExtraTag = "example2" - } - update_config = { - max_unavailable_percentage = 50 # or set `max_unavailable` - } - } - } - - map_roles = var.map_roles - map_users = var.map_users - map_accounts = var.map_accounts - - tags = { - Example = local.name - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } -} - -################################################################################ -# Kubernetes provider configuration -################################################################################ - -data "aws_eks_cluster" "cluster" { - name = module.eks.cluster_id -} - -data "aws_eks_cluster_auth" "cluster" { - name = module.eks.cluster_id -} - -provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) - token = data.aws_eks_cluster_auth.cluster.token -} - -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_availability_zones" "available" { -} - -resource "random_string" "suffix" { - length = 8 - special = false -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "~> 3.0" - - name = local.name - cidr = "10.0.0.0/16" - azs = data.aws_availability_zones.available.names - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] - enable_nat_gateway = true - single_nat_gateway = true - enable_dns_hostnames = true - - public_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/elb" = "1" - } - - private_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/internal-elb" = "1" - } - - tags = { - Example = local.name - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } -} diff --git a/examples/managed_node_groups/outputs.tf b/examples/managed_node_groups/outputs.tf deleted file mode 100644 index 10a3a96604..0000000000 --- a/examples/managed_node_groups/outputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "cluster_endpoint" { - description = "Endpoint for EKS control plane." - value = module.eks.cluster_endpoint -} - -output "cluster_security_group_id" { - description = "Security group ids attached to the cluster control plane." - value = module.eks.cluster_security_group_id -} - -output "kubectl_config" { - description = "kubectl config as generated by the module." - value = module.eks.kubeconfig -} - -output "config_map_aws_auth" { - description = "A kubernetes configuration to authenticate to this EKS cluster." - value = module.eks.config_map_aws_auth -} - -output "node_groups" { - description = "Outputs from node groups" - value = module.eks.node_groups -} diff --git a/examples/managed_node_groups/variables.tf b/examples/managed_node_groups/variables.tf deleted file mode 100644 index 57853d8b4d..0000000000 --- a/examples/managed_node_groups/variables.tf +++ /dev/null @@ -1,48 +0,0 @@ -variable "map_accounts" { - description = "Additional AWS account numbers to add to the aws-auth configmap." - type = list(string) - - default = [ - "777777777777", - "888888888888", - ] -} - -variable "map_roles" { - description = "Additional IAM roles to add to the aws-auth configmap." - type = list(object({ - rolearn = string - username = string - groups = list(string) - })) - - default = [ - { - rolearn = "arn:aws:iam::66666666666:role/role1" - username = "role1" - groups = ["system:masters"] - }, - ] -} - -variable "map_users" { - description = "Additional IAM users to add to the aws-auth configmap." - type = list(object({ - userarn = string - username = string - groups = list(string) - })) - - default = [ - { - userarn = "arn:aws:iam::66666666666:user/user1" - username = "user1" - groups = ["system:masters"] - }, - { - userarn = "arn:aws:iam::66666666666:user/user2" - username = "user2" - groups = ["system:masters"] - }, - ] -} diff --git a/examples/managed_node_groups/versions.tf b/examples/managed_node_groups/versions.tf deleted file mode 100644 index 8e2b837984..0000000000 --- a/examples/managed_node_groups/versions.tf +++ /dev/null @@ -1,22 +0,0 @@ -terraform { - required_version = ">= 0.13.1" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.56" - } - local = { - source = "hashicorp/local" - version = ">= 1.4" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 1.11.1" - } - random = { - source = "hashicorp/random" - version = ">= 2.1" - } - } -} diff --git a/examples/secrets_encryption/README.md b/examples/secrets_encryption/README.md deleted file mode 100644 index f5f38b0498..0000000000 --- a/examples/secrets_encryption/README.md +++ /dev/null @@ -1,66 +0,0 @@ -# Managed groups example - -This is EKS using [secrets encryption](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) feature. - -See [the official blog](https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/) for more details. - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.56 | -| [kubernetes](#requirement\_kubernetes) | >= 1.11.1 | -| [local](#requirement\_local) | >= 1.4 | -| [random](#requirement\_random) | >= 2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.56 | -| [random](#provider\_random) | >= 2.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [eks](#module\_eks) | ../.. | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | -| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | - -## Inputs - -No inputs. - -## Outputs - -| Name | Description | -|------|-------------| -| [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. | -| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | -| [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. | -| [kubectl\_config](#output\_kubectl\_config) | kubectl config as generated by the module. | - diff --git a/examples/secrets_encryption/main.tf b/examples/secrets_encryption/main.tf deleted file mode 100644 index 49d9a7b029..0000000000 --- a/examples/secrets_encryption/main.tf +++ /dev/null @@ -1,126 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "secrets_encryption-${random_string.suffix.result}" - cluster_version = "1.20" - region = "eu-west-1" -} - -################################################################################ -# EKS Module -################################################################################ - -module "eks" { - source = "../.." - - cluster_name = local.name - cluster_version = local.cluster_version - - vpc_id = module.vpc.vpc_id - subnets = module.vpc.private_subnets - - cluster_endpoint_private_access = true - cluster_endpoint_public_access = true - - - cluster_encryption_config = [ - { - provider_key_arn = aws_kms_key.eks.arn - resources = ["secrets"] - } - ] - - worker_groups = [ - { - name = "worker-group-1" - instance_type = "t3.small" - additional_userdata = "echo foo bar" - asg_desired_capacity = 2 - }, - ] - - tags = { - Example = local.name - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } -} - -################################################################################ -# Kubernetes provider configuration -################################################################################ - -data "aws_eks_cluster" "cluster" { - name = module.eks.cluster_id -} - -data "aws_eks_cluster_auth" "cluster" { - name = module.eks.cluster_id -} - -provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) - token = data.aws_eks_cluster_auth.cluster.token -} - -################################################################################ -# KMS for encrypting secrets -################################################################################ - -resource "aws_kms_key" "eks" { - description = "EKS Secret Encryption Key" - deletion_window_in_days = 7 - enable_key_rotation = true - - tags = { - Example = local.name - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } -} - - -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_availability_zones" "available" { -} - -resource "random_string" "suffix" { - length = 8 - special = false -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "~> 3.0" - - name = local.name - cidr = "10.0.0.0/16" - azs = data.aws_availability_zones.available.names - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] - enable_nat_gateway = true - single_nat_gateway = true - enable_dns_hostnames = true - - public_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/elb" = "1" - } - - private_subnet_tags = { - "kubernetes.io/cluster/${local.name}" = "shared" - "kubernetes.io/role/internal-elb" = "1" - } - - tags = { - Example = local.name - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } -} diff --git a/examples/secrets_encryption/outputs.tf b/examples/secrets_encryption/outputs.tf deleted file mode 100644 index 359db3a481..0000000000 --- a/examples/secrets_encryption/outputs.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "cluster_endpoint" { - description = "Endpoint for EKS control plane." - value = module.eks.cluster_endpoint -} - -output "cluster_security_group_id" { - description = "Security group ids attached to the cluster control plane." - value = module.eks.cluster_security_group_id -} - -output "kubectl_config" { - description = "kubectl config as generated by the module." - value = module.eks.kubeconfig -} - -output "config_map_aws_auth" { - description = "A kubernetes configuration to authenticate to this EKS cluster." - value = module.eks.config_map_aws_auth -} diff --git a/examples/secrets_encryption/variables.tf b/examples/secrets_encryption/variables.tf deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/examples/secrets_encryption/versions.tf b/examples/secrets_encryption/versions.tf deleted file mode 100644 index 8e2b837984..0000000000 --- a/examples/secrets_encryption/versions.tf +++ /dev/null @@ -1,22 +0,0 @@ -terraform { - required_version = ">= 0.13.1" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.56" - } - local = { - source = "hashicorp/local" - version = ">= 1.4" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 1.11.1" - } - random = { - source = "hashicorp/random" - version = ">= 2.1" - } - } -} diff --git a/examples/self_managed_node_group/README.md b/examples/self_managed_node_group/README.md new file mode 100644 index 0000000000..ff13d8148a --- /dev/null +++ b/examples/self_managed_node_group/README.md @@ -0,0 +1,95 @@ +# Self Managed Node Groups Example + +Configuration in this directory creates an AWS EKS cluster with various Self Managed Node Groups (AutoScaling Groups) demonstrating the various methods of configuring/customizing: + +- A default, "out of the box" self managed node group as supplied by the `self-managed-node-group` sub-module +- A Bottlerocket self managed node group that demonstrates many of the configuration/customizations offered by the `self-manged-node-group` sub-module for the Bottlerocket OS +- A self managed node group that demonstrates nearly all of the configurations/customizations offered by the `self-managed-node-group` sub-module + +See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) for further details. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.64 | +| [null](#requirement\_null) | >= 3.0 | +| [tls](#requirement\_tls) | >= 2.2 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.64 | +| [null](#provider\_null) | >= 3.0 | +| [tls](#provider\_tls) | >= 2.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eks](#module\_eks) | ../.. | n/a | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_key_pair.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource | +| [aws_kms_key.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [null_resource.apply](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.bottlerocket_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_policy_document.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_auth\_configmap\_yaml](#output\_aws\_auth\_configmap\_yaml) | Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles | +| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created | +| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created | +| [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | +| [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | +| [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | +| [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | +| [cluster\_iam\_role\_arn](#output\_cluster\_iam\_role\_arn) | IAM role ARN of the EKS cluster | +| [cluster\_iam\_role\_name](#output\_cluster\_iam\_role\_name) | IAM role name of the EKS cluster | +| [cluster\_iam\_role\_unique\_id](#output\_cluster\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | +| [cluster\_id](#output\_cluster\_id) | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready | +| [cluster\_identity\_providers](#output\_cluster\_identity\_providers) | Map of attribute maps for all EKS identity providers enabled | +| [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider | +| [cluster\_platform\_version](#output\_cluster\_platform\_version) | Platform version for the cluster | +| [cluster\_primary\_security\_group\_id](#output\_cluster\_primary\_security\_group\_id) | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console | +| [cluster\_security\_group\_arn](#output\_cluster\_security\_group\_arn) | Amazon Resource Name (ARN) of the cluster security group | +| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | ID of the cluster security group | +| [cluster\_status](#output\_cluster\_status) | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` | +| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created | +| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created | +| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group | +| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group | +| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` | +| [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created | + diff --git a/examples/self_managed_node_group/main.tf b/examples/self_managed_node_group/main.tf new file mode 100644 index 0000000000..73b502520c --- /dev/null +++ b/examples/self_managed_node_group/main.tf @@ -0,0 +1,392 @@ +provider "aws" { + region = local.region +} + +locals { + name = "ex-${replace(basename(path.cwd), "_", "-")}" + cluster_version = "1.21" + region = "eu-west-1" + + tags = { + Example = local.name + GithubRepo = "terraform-aws-eks" + GithubOrg = "terraform-aws-modules" + } +} + +data "aws_caller_identity" "current" {} + +################################################################################ +# EKS Module +################################################################################ + +module "eks" { + source = "../.." + + cluster_name = local.name + cluster_version = local.cluster_version + cluster_endpoint_private_access = true + cluster_endpoint_public_access = true + + cluster_addons = { + coredns = { + resolve_conflicts = "OVERWRITE" + } + kube-proxy = {} + vpc-cni = { + resolve_conflicts = "OVERWRITE" + } + } + + cluster_encryption_config = [{ + provider_key_arn = aws_kms_key.eks.arn + resources = ["secrets"] + }] + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + enable_irsa = true + + self_managed_node_group_defaults = { + disk_size = 50 + } + + self_managed_node_groups = { + # Default node group - as provisioned by the module defaults + default_node_group = {} + + # Bottlerocket node group + bottlerocket = { + name = "bottlerocket-self-mng" + + platform = "bottlerocket" + ami_id = data.aws_ami.bottlerocket_ami.id + instance_type = "m5.large" + desired_size = 2 + key_name = aws_key_pair.this.key_name + + iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] + + bootstrap_extra_args = <<-EOT + # The admin host container provides SSH access and runs with "superpowers". + # It is disabled by default, but can be disabled explicitly. + [settings.host-containers.admin] + enabled = false + + # The control host container provides out-of-band access via SSM. + # It is enabled by default, and can be disabled if you do not expect to use SSM. + # This could leave you with no way to access the API and change settings on an existing node! + [settings.host-containers.control] + enabled = true + + [settings.kubernetes.node-labels] + ingress = "allowed" + EOT + } + + # Complete + complete = { + name = "complete-self-mng" + use_name_prefix = false + + subnet_ids = module.vpc.public_subnets + + min_size = 1 + max_size = 7 + desired_size = 1 + + ami_id = "ami-0caf35bc73450c396" + bootstrap_extra_args = "--kubelet-extra-args '--max-pods=110'" + + pre_bootstrap_user_data = <<-EOT + export CONTAINER_RUNTIME="containerd" + export USE_MAX_PODS=false + EOT + + post_bootstrap_user_data = <<-EOT + echo "you are free little kubelet!" + EOT + + disk_size = 256 + instance_type = "m6i.large" + + launch_template_name = "self-managed-ex" + launch_template_use_name_prefix = true + launch_template_description = "Self managed node group example launch template" + + ebs_optimized = true + vpc_security_group_ids = [aws_security_group.additional.id] + enable_monitoring = true + + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 75 + volume_type = "gp3" + iops = 3000 + throughput = 150 + encrypted = true + kms_key_id = aws_kms_key.ebs.arn + delete_on_termination = true + } + } + } + + metadata_options = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 2 + } + + create_iam_role = true + iam_role_name = "self-managed-node-group-complete-example" + iam_role_use_name_prefix = false + iam_role_description = "Self managed node group complete example role" + iam_role_tags = { + Purpose = "Protector of the kubelet" + } + iam_role_additional_policies = [ + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + ] + + create_security_group = true + security_group_name = "self-managed-node-group-complete-example" + security_group_use_name_prefix = false + security_group_description = "Self managed node group complete example security group" + security_group_rules = { + phoneOut = { + description = "Hello CloudFlare" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "egress" + cidr_blocks = ["1.1.1.1/32"] + } + phoneHome = { + description = "Hello cluster" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "egress" + source_cluster_security_group = true # bit of reflection lookup + } + } + security_group_tags = { + Purpose = "Protector of the kubelet" + } + + timeouts = { + create = "80m" + update = "80m" + delete = "80m" + } + + tags = { + ExtraTag = "Self managed node group complete example" + } + } + } + + tags = local.tags +} + +################################################################################ +# aws-auth configmap +# Only EKS managed node groups automatically add roles to aws-auth configmap +# so we need to ensure fargate profiles and self-managed node roles are added +################################################################################ + +data "aws_eks_cluster_auth" "this" { + name = module.eks.cluster_id +} + +locals { + kubeconfig = yamlencode({ + apiVersion = "v1" + kind = "Config" + current-context = "terraform" + clusters = [{ + name = module.eks.cluster_id + cluster = { + certificate-authority-data = module.eks.cluster_certificate_authority_data + server = module.eks.cluster_endpoint + } + }] + contexts = [{ + name = "terraform" + context = { + cluster = module.eks.cluster_id + user = "terraform" + } + }] + users = [{ + name = "terraform" + user = { + token = data.aws_eks_cluster_auth.this.token + } + }] + }) +} + +resource "null_resource" "apply" { + triggers = { + kubeconfig = base64encode(local.kubeconfig) + cmd_patch = <<-EOT + kubectl create configmap aws-auth -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode) + kubectl patch configmap/aws-auth --patch "${module.eks.aws_auth_configmap_yaml}" -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode) + EOT + } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + environment = { + KUBECONFIG = self.triggers.kubeconfig + } + command = self.triggers.cmd_patch + } +} + +################################################################################ +# Supporting Resources +################################################################################ + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 3.0" + + name = local.name + cidr = "10.0.0.0/16" + + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + enable_flow_log = true + create_flow_log_cloudwatch_iam_role = true + create_flow_log_cloudwatch_log_group = true + + public_subnet_tags = { + "kubernetes.io/cluster/${local.name}" = "shared" + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +resource "aws_security_group" "additional" { + name_prefix = "${local.name}-additional" + vpc_id = module.vpc.vpc_id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [ + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16", + ] + } + + tags = local.tags +} + +resource "aws_kms_key" "eks" { + description = "EKS Secret Encryption Key" + deletion_window_in_days = 7 + enable_key_rotation = true + + tags = local.tags +} + +data "aws_ami" "bottlerocket_ami" { + most_recent = true + owners = ["amazon"] + + filter { + name = "name" + values = ["bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*"] + } +} + +resource "tls_private_key" "this" { + algorithm = "RSA" +} + +resource "aws_key_pair" "this" { + key_name = local.name + public_key = tls_private_key.this.public_key_openssh +} + +resource "aws_kms_key" "ebs" { + description = "Customer managed key to encrypt self managed node group volumes" + deletion_window_in_days = 7 + policy = data.aws_iam_policy_document.ebs.json +} + +# This policy is required for the KMS key used for EKS root volumes, so the cluster is allowed to enc/dec/attach encrypted EBS volumes +data "aws_iam_policy_document" "ebs" { + # Copy of default KMS policy that lets you manage it + statement { + sid = "Enable IAM User Permissions" + actions = ["kms:*"] + resources = ["*"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } + + # Required for EKS + statement { + sid = "Allow service-linked role use of the CMK" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes + module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs + ] + } + } + + statement { + sid = "Allow attachment of persistent resources" + actions = ["kms:CreateGrant"] + resources = ["*"] + + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes + module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs + ] + } + + condition { + test = "Bool" + variable = "kms:GrantIsForAWSResource" + values = ["true"] + } + } +} diff --git a/examples/self_managed_node_group/outputs.tf b/examples/self_managed_node_group/outputs.tf new file mode 100644 index 0000000000..3e9620157b --- /dev/null +++ b/examples/self_managed_node_group/outputs.tf @@ -0,0 +1,167 @@ +################################################################################ +# Cluster +################################################################################ + +output "cluster_arn" { + description = "The Amazon Resource Name (ARN) of the cluster" + value = module.eks.cluster_arn +} + +output "cluster_certificate_authority_data" { + description = "Base64 encoded certificate data required to communicate with the cluster" + value = module.eks.cluster_certificate_authority_data +} + +output "cluster_endpoint" { + description = "Endpoint for your Kubernetes API server" + value = module.eks.cluster_endpoint +} + +output "cluster_id" { + description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready" + value = module.eks.cluster_id +} + +output "cluster_oidc_issuer_url" { + description = "The URL on the EKS cluster for the OpenID Connect identity provider" + value = module.eks.cluster_oidc_issuer_url +} + +output "cluster_platform_version" { + description = "Platform version for the cluster" + value = module.eks.cluster_platform_version +} + +output "cluster_status" { + description = "Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`" + value = module.eks.cluster_status +} + +output "cluster_primary_security_group_id" { + description = "Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console" + value = module.eks.cluster_primary_security_group_id +} + +################################################################################ +# Security Group +################################################################################ + +output "cluster_security_group_arn" { + description = "Amazon Resource Name (ARN) of the cluster security group" + value = module.eks.cluster_security_group_arn +} + +output "cluster_security_group_id" { + description = "ID of the cluster security group" + value = module.eks.cluster_security_group_id +} + +################################################################################ +# Node Security Group +################################################################################ + +output "node_security_group_arn" { + description = "Amazon Resource Name (ARN) of the node shared security group" + value = module.eks.node_security_group_arn +} + +output "node_security_group_id" { + description = "ID of the node shared security group" + value = module.eks.node_security_group_id +} + +################################################################################ +# IRSA +################################################################################ + +output "oidc_provider_arn" { + description = "The ARN of the OIDC Provider if `enable_irsa = true`" + value = module.eks.oidc_provider_arn +} + +################################################################################ +# IAM Role +################################################################################ + +output "cluster_iam_role_name" { + description = "IAM role name of the EKS cluster" + value = module.eks.cluster_iam_role_name +} + +output "cluster_iam_role_arn" { + description = "IAM role ARN of the EKS cluster" + value = module.eks.cluster_iam_role_arn +} + +output "cluster_iam_role_unique_id" { + description = "Stable and unique string identifying the IAM role" + value = module.eks.cluster_iam_role_unique_id +} + +################################################################################ +# EKS Addons +################################################################################ + +output "cluster_addons" { + description = "Map of attribute maps for all EKS cluster addons enabled" + value = module.eks.cluster_addons +} + +################################################################################ +# EKS Identity Provider +################################################################################ + +output "cluster_identity_providers" { + description = "Map of attribute maps for all EKS identity providers enabled" + value = module.eks.cluster_identity_providers +} + +################################################################################ +# CloudWatch Log Group +################################################################################ + +output "cloudwatch_log_group_name" { + description = "Name of cloudwatch log group created" + value = module.eks.cloudwatch_log_group_name +} + +output "cloudwatch_log_group_arn" { + description = "Arn of cloudwatch log group created" + value = module.eks.cloudwatch_log_group_arn +} + +################################################################################ +# Fargate Profile +################################################################################ + +output "fargate_profiles" { + description = "Map of attribute maps for all EKS Fargate Profiles created" + value = module.eks.fargate_profiles +} + +################################################################################ +# EKS Managed Node Group +################################################################################ + +output "eks_managed_node_groups" { + description = "Map of attribute maps for all EKS managed node groups created" + value = module.eks.eks_managed_node_groups +} + +################################################################################ +# Self Managed Node Group +################################################################################ + +output "self_managed_node_groups" { + description = "Map of attribute maps for all self managed node groups created" + value = module.eks.self_managed_node_groups +} + +################################################################################ +# Additional +################################################################################ + +output "aws_auth_configmap_yaml" { + description = "Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles" + value = module.eks.aws_auth_configmap_yaml +} diff --git a/examples/irsa/variables.tf b/examples/self_managed_node_group/variables.tf similarity index 100% rename from examples/irsa/variables.tf rename to examples/self_managed_node_group/variables.tf diff --git a/examples/self_managed_node_group/versions.tf b/examples/self_managed_node_group/versions.tf new file mode 100644 index 0000000000..883963f7b0 --- /dev/null +++ b/examples/self_managed_node_group/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 0.13.1" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.64" + } + null = { + source = "hashicorp/null" + version = ">= 3.0" + } + tls = { + source = "hashicorp/tls" + version = ">= 2.2" + } + } +} diff --git a/examples/user_data/README.md b/examples/user_data/README.md new file mode 100644 index 0000000000..57ba591944 --- /dev/null +++ b/examples/user_data/README.md @@ -0,0 +1,78 @@ +# Internal User Data Module + +Configuration in this directory render various user data outputs used for testing and validating the internal `_user-data` sub-module. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.64 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eks\_mng\_bottlerocket\_additional](#module\_eks\_mng\_bottlerocket\_additional) | ../../modules/_user_data | n/a | +| [eks\_mng\_bottlerocket\_custom\_ami](#module\_eks\_mng\_bottlerocket\_custom\_ami) | ../../modules/_user_data | n/a | +| [eks\_mng\_bottlerocket\_custom\_template](#module\_eks\_mng\_bottlerocket\_custom\_template) | ../../modules/_user_data | n/a | +| [eks\_mng\_bottlerocket\_no\_op](#module\_eks\_mng\_bottlerocket\_no\_op) | ../../modules/_user_data | n/a | +| [eks\_mng\_linux\_additional](#module\_eks\_mng\_linux\_additional) | ../../modules/_user_data | n/a | +| [eks\_mng\_linux\_custom\_ami](#module\_eks\_mng\_linux\_custom\_ami) | ../../modules/_user_data | n/a | +| [eks\_mng\_linux\_custom\_template](#module\_eks\_mng\_linux\_custom\_template) | ../../modules/_user_data | n/a | +| [eks\_mng\_linux\_no\_op](#module\_eks\_mng\_linux\_no\_op) | ../../modules/_user_data | n/a | +| [self\_mng\_bottlerocket\_bootstrap](#module\_self\_mng\_bottlerocket\_bootstrap) | ../../modules/_user_data | n/a | +| [self\_mng\_bottlerocket\_custom\_template](#module\_self\_mng\_bottlerocket\_custom\_template) | ../../modules/_user_data | n/a | +| [self\_mng\_bottlerocket\_no\_op](#module\_self\_mng\_bottlerocket\_no\_op) | ../../modules/_user_data | n/a | +| [self\_mng\_linux\_bootstrap](#module\_self\_mng\_linux\_bootstrap) | ../../modules/_user_data | n/a | +| [self\_mng\_linux\_custom\_template](#module\_self\_mng\_linux\_custom\_template) | ../../modules/_user_data | n/a | +| [self\_mng\_linux\_no\_op](#module\_self\_mng\_linux\_no\_op) | ../../modules/_user_data | n/a | +| [self\_mng\_windows\_bootstrap](#module\_self\_mng\_windows\_bootstrap) | ../../modules/_user_data | n/a | +| [self\_mng\_windows\_custom\_template](#module\_self\_mng\_windows\_custom\_template) | ../../modules/_user_data | n/a | +| [self\_mng\_windows\_no\_op](#module\_self\_mng\_windows\_no\_op) | ../../modules/_user_data | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [eks\_mng\_bottlerocket\_additional](#output\_eks\_mng\_bottlerocket\_additional) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_bottlerocket\_custom\_ami](#output\_eks\_mng\_bottlerocket\_custom\_ami) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_bottlerocket\_custom\_template](#output\_eks\_mng\_bottlerocket\_custom\_template) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_bottlerocket\_no\_op](#output\_eks\_mng\_bottlerocket\_no\_op) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_linux\_additional](#output\_eks\_mng\_linux\_additional) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_linux\_custom\_ami](#output\_eks\_mng\_linux\_custom\_ami) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_linux\_custom\_template](#output\_eks\_mng\_linux\_custom\_template) | Base64 decoded user data rendered for the provided inputs | +| [eks\_mng\_linux\_no\_op](#output\_eks\_mng\_linux\_no\_op) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_bottlerocket\_bootstrap](#output\_self\_mng\_bottlerocket\_bootstrap) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_bottlerocket\_custom\_template](#output\_self\_mng\_bottlerocket\_custom\_template) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_bottlerocket\_no\_op](#output\_self\_mng\_bottlerocket\_no\_op) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_linux\_bootstrap](#output\_self\_mng\_linux\_bootstrap) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_linux\_custom\_template](#output\_self\_mng\_linux\_custom\_template) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_linux\_no\_op](#output\_self\_mng\_linux\_no\_op) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_windows\_bootstrap](#output\_self\_mng\_windows\_bootstrap) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_windows\_custom\_template](#output\_self\_mng\_windows\_custom\_template) | Base64 decoded user data rendered for the provided inputs | +| [self\_mng\_windows\_no\_op](#output\_self\_mng\_windows\_no\_op) | Base64 decoded user data rendered for the provided inputs | + diff --git a/examples/user_data/main.tf b/examples/user_data/main.tf new file mode 100644 index 0000000000..4e961a3947 --- /dev/null +++ b/examples/user_data/main.tf @@ -0,0 +1,289 @@ +locals { + name = "ex-${replace(basename(path.cwd), "_", "-")}" + + cluster_endpoint = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com" + cluster_auth_base64 = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==" + cluster_service_ipv4_cidr = "172.16.0.0/16" +} + +################################################################################ +# User Data Module +################################################################################ + +# EKS managed node group - linux +module "eks_mng_linux_no_op" { + source = "../../modules/_user_data" +} + +module "eks_mng_linux_additional" { + source = "../../modules/_user_data" + + pre_bootstrap_user_data = <<-EOT + echo "foo" + export FOO=bar + EOT + + bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" + + post_bootstrap_user_data = <<-EOT + echo "All done" + EOT +} + +module "eks_mng_linux_custom_ami" { + source = "../../modules/_user_data" + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr + + enable_bootstrap_user_data = true + + pre_bootstrap_user_data = <<-EOT + echo "foo" + export FOO=bar + EOT + + bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" + + post_bootstrap_user_data = <<-EOT + echo "All done" + EOT +} + + +module "eks_mng_linux_custom_template" { + source = "../../modules/_user_data" + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + user_data_template_path = "${path.module}/templates/linux_custom.tpl" + + pre_bootstrap_user_data = <<-EOT + echo "foo" + export FOO=bar + EOT + + bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" + + post_bootstrap_user_data = <<-EOT + echo "All done" + EOT +} + +# EKS managed node group - bottlerocket +module "eks_mng_bottlerocket_no_op" { + source = "../../modules/_user_data" + + platform = "bottlerocket" +} + +module "eks_mng_bottlerocket_additional" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT +} + +module "eks_mng_bottlerocket_custom_ami" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + enable_bootstrap_user_data = true + + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT +} + +module "eks_mng_bottlerocket_custom_template" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + user_data_template_path = "${path.module}/templates/bottlerocket_custom.tpl" + + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT +} + +# Self managed node group - linux +module "self_mng_linux_no_op" { + source = "../../modules/_user_data" + + is_eks_managed_node_group = false +} + +module "self_mng_linux_bootstrap" { + source = "../../modules/_user_data" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + pre_bootstrap_user_data = <<-EOT + echo "foo" + export FOO=bar + EOT + + bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" + + post_bootstrap_user_data = <<-EOT + echo "All done" + EOT +} + +module "self_mng_linux_custom_template" { + source = "../../modules/_user_data" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + user_data_template_path = "${path.module}/templates/linux_custom.tpl" + + pre_bootstrap_user_data = <<-EOT + echo "foo" + export FOO=bar + EOT + + bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" + + post_bootstrap_user_data = <<-EOT + echo "All done" + EOT +} + +# Self managed node group - bottlerocket +module "self_mng_bottlerocket_no_op" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + is_eks_managed_node_group = false +} + +module "self_mng_bottlerocket_bootstrap" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT +} + +module "self_mng_bottlerocket_custom_template" { + source = "../../modules/_user_data" + + platform = "bottlerocket" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + user_data_template_path = "${path.module}/templates/bottlerocket_custom.tpl" + + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT +} + +# Self managed node group - windows +module "self_mng_windows_no_op" { + source = "../../modules/_user_data" + + platform = "windows" + + is_eks_managed_node_group = false +} + +module "self_mng_windows_bootstrap" { + source = "../../modules/_user_data" + + platform = "windows" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + pre_bootstrap_user_data = <<-EOT + [string]$Something = 'IDoNotKnowAnyPowerShell ¯\_(ツ)_/¯' + EOT + # I don't know if this is the right way on WindowsOS, but its just a string check here anyways + bootstrap_extra_args = "-KubeletExtraArgs --node-labels=node.kubernetes.io/lifecycle=spot" + + post_bootstrap_user_data = <<-EOT + [string]$Something = 'IStillDoNotKnowAnyPowerShell ¯\_(ツ)_/¯' + EOT +} + +module "self_mng_windows_custom_template" { + source = "../../modules/_user_data" + + platform = "windows" + + enable_bootstrap_user_data = true + is_eks_managed_node_group = false + + cluster_name = local.name + cluster_endpoint = local.cluster_endpoint + cluster_auth_base64 = local.cluster_auth_base64 + + user_data_template_path = "${path.module}/templates/windows_custom.tpl" + + pre_bootstrap_user_data = <<-EOT + [string]$Something = 'IDoNotKnowAnyPowerShell ¯\_(ツ)_/¯' + EOT + # I don't know if this is the right way on WindowsOS, but its just a string check here anyways + bootstrap_extra_args = "-KubeletExtraArgs --node-labels=node.kubernetes.io/lifecycle=spot" + + post_bootstrap_user_data = <<-EOT + [string]$Something = 'IStillDoNotKnowAnyPowerShell ¯\_(ツ)_/¯' + EOT +} diff --git a/examples/user_data/outputs.tf b/examples/user_data/outputs.tf new file mode 100644 index 0000000000..dd2c3407e1 --- /dev/null +++ b/examples/user_data/outputs.tf @@ -0,0 +1,89 @@ +# EKS managed node group - linux +output "eks_mng_linux_no_op" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_linux_no_op.user_data) +} + +output "eks_mng_linux_additional" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_linux_additional.user_data) +} + +output "eks_mng_linux_custom_ami" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_linux_custom_ami.user_data) +} + +output "eks_mng_linux_custom_template" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_linux_custom_template.user_data) +} + +# EKS managed node group - bottlerocket +output "eks_mng_bottlerocket_no_op" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_bottlerocket_no_op.user_data) +} + +output "eks_mng_bottlerocket_additional" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_bottlerocket_additional.user_data) +} + +output "eks_mng_bottlerocket_custom_ami" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_bottlerocket_custom_ami.user_data) +} + +output "eks_mng_bottlerocket_custom_template" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.eks_mng_bottlerocket_custom_template.user_data) +} + +# Self managed node group - linux +output "self_mng_linux_no_op" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_linux_no_op.user_data) +} + +output "self_mng_linux_bootstrap" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_linux_bootstrap.user_data) +} + +output "self_mng_linux_custom_template" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_linux_custom_template.user_data) +} + +# Self managed node group - bottlerocket +output "self_mng_bottlerocket_no_op" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_bottlerocket_no_op.user_data) +} + +output "self_mng_bottlerocket_bootstrap" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_bottlerocket_bootstrap.user_data) +} + +output "self_mng_bottlerocket_custom_template" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_bottlerocket_custom_template.user_data) +} + +# Self managed node group - windows +output "self_mng_windows_no_op" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_windows_no_op.user_data) +} + +output "self_mng_windows_bootstrap" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_windows_bootstrap.user_data) +} + +output "self_mng_windows_custom_template" { + description = "Base64 decoded user data rendered for the provided inputs" + value = base64decode(module.self_mng_windows_custom_template.user_data) +} diff --git a/examples/user_data/templates/bottlerocket_custom.tpl b/examples/user_data/templates/bottlerocket_custom.tpl new file mode 100644 index 0000000000..6c4d9434a7 --- /dev/null +++ b/examples/user_data/templates/bottlerocket_custom.tpl @@ -0,0 +1,7 @@ +# Custom user data template provided for rendering +[settings.kubernetes] +"cluster-name" = "${cluster_name}" +"api-server" = "${cluster_endpoint}" +"cluster-certificate" = "${cluster_auth_base64}" + +${bootstrap_extra_args~} diff --git a/examples/user_data/templates/linux_custom.tpl b/examples/user_data/templates/linux_custom.tpl new file mode 100644 index 0000000000..bfe21f117a --- /dev/null +++ b/examples/user_data/templates/linux_custom.tpl @@ -0,0 +1,10 @@ +#!/bin/bash +set -ex + +${pre_bootstrap_user_data ~} + +# Custom user data template provided for rendering +B64_CLUSTER_CA=${cluster_auth_base64} +API_SERVER_URL=${cluster_endpoint} +/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL +${post_bootstrap_user_data ~} diff --git a/examples/user_data/templates/windows_custom.tpl b/examples/user_data/templates/windows_custom.tpl new file mode 100644 index 0000000000..3c1ca7014a --- /dev/null +++ b/examples/user_data/templates/windows_custom.tpl @@ -0,0 +1,10 @@ +# Custom user data template provided for rendering +
{
"groups": [
"system:masters"
],
"userarn": "arn:aws:iam::66666666666:user/user1",
"username": "user1"
},
{
"groups": [
"system:masters"
],
"userarn": "arn:aws:iam::66666666666:user/user2",
"username": "user2"
}
]
+ 
+
{
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required"
} | no |
+| [min\_size](#input\_min\_size) | Minimum number of instances/nodes | `number` | `0` | no |
+| [name](#input\_name) | Name of the EKS managed node group | `string` | `""` | no |
+| [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | `list(any)` | `[]` | no |
+| [placement](#input\_placement) | The placement of the instance | `map(string)` | `null` | no |
+| [platform](#input\_platform) | Identifies if the OS platform is `bottlerocket` or `linux` based; `windows` is not supported | `string` | `"linux"` | no |
+| [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
+| [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
+| [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
+| [remote\_access](#input\_remote\_access) | Configuration block with remote access settings | `map(string)` | `{}` | no |
+| [security\_group\_description](#input\_security\_group\_description) | Description for the security group created | `string` | `"EKS managed node group security group"` | no |
+| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
+| [security\_group\_rules](#input\_security\_group\_rules) | List of security group rules to add to the security group created | `any` | `{}` | no |
+| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
+| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `string` | `true` | no |
+| [subnet\_ids](#input\_subnet\_ids) | Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME` | `list(string)` | `null` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [taints](#input\_taints) | The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group | `any` | `{}` | no |
+| [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the node group | `map(string)` | `{}` | no |
+| [update\_config](#input\_update\_config) | Configuration block of settings for max unavailable resources during node group updates | `map(string)` | `{}` | no |
+| [update\_launch\_template\_default\_version](#input\_update\_launch\_template\_default\_version) | Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version` | `bool` | `true` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix | `bool` | `true` | no |
+| [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | ID of the VPC where the security group/nodes will be provisioned | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group IDs to associate | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
+| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
+| [launch\_template\_latest\_version](#output\_launch\_template\_latest\_version) | The latest version of the launch template |
+| [node\_group\_arn](#output\_node\_group\_arn) | Amazon Resource Name (ARN) of the EKS Node Group |
+| [node\_group\_id](#output\_node\_group\_id) | EKS Cluster name and EKS Node Group name separated by a colon (`:`) |
+| [node\_group\_resources](#output\_node\_group\_resources) | List of objects containing information about underlying resources |
+| [node\_group\_status](#output\_node\_group\_status) | Status of the EKS Node Group |
+| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
+
diff --git a/modules/eks-managed-node-group/main.tf b/modules/eks-managed-node-group/main.tf
new file mode 100644
index 0000000000..e70e93a239
--- /dev/null
+++ b/modules/eks-managed-node-group/main.tf
@@ -0,0 +1,435 @@
+data "aws_partition" "current" {}
+
+################################################################################
+# User Data
+################################################################################
+
+module "user_data" {
+ source = "../_user_data"
+
+ create = var.create
+ platform = var.platform
+
+ cluster_name = var.cluster_name
+ cluster_endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+
+ cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
+
+ enable_bootstrap_user_data = var.enable_bootstrap_user_data
+ pre_bootstrap_user_data = var.pre_bootstrap_user_data
+ post_bootstrap_user_data = var.post_bootstrap_user_data
+ bootstrap_extra_args = var.bootstrap_extra_args
+ user_data_template_path = var.user_data_template_path
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+locals {
+ use_custom_launch_template = var.launch_template_name != ""
+ launch_template_name_int = coalesce(var.launch_template_name, "${var.name}-eks-node-group")
+}
+
+resource "aws_launch_template" "this" {
+ count = var.create && var.create_launch_template ? 1 : 0
+
+ name = var.launch_template_use_name_prefix ? null : local.launch_template_name_int
+ name_prefix = var.launch_template_use_name_prefix ? "${local.launch_template_name_int}-" : null
+ description = var.launch_template_description
+
+ ebs_optimized = var.ebs_optimized
+ image_id = var.ami_id
+ # # Set on node group instead
+ # instance_type = var.launch_template_instance_type
+ key_name = var.key_name
+ user_data = module.user_data.user_data
+
+ vpc_security_group_ids = compact(concat([try(aws_security_group.this[0].id, "")], var.vpc_security_group_ids))
+
+ default_version = var.launch_template_default_version
+ update_default_version = var.update_launch_template_default_version
+ disable_api_termination = var.disable_api_termination
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
+ kernel_id = var.kernel_id
+ ram_disk_id = var.ram_disk_id
+
+ dynamic "block_device_mappings" {
+ for_each = var.block_device_mappings
+ content {
+ device_name = block_device_mappings.value.device_name
+ no_device = lookup(block_device_mappings.value, "no_device", null)
+ virtual_name = lookup(block_device_mappings.value, "virtual_name", null)
+
+ dynamic "ebs" {
+ for_each = flatten([lookup(block_device_mappings.value, "ebs", [])])
+ content {
+ delete_on_termination = lookup(ebs.value, "delete_on_termination", null)
+ encrypted = lookup(ebs.value, "encrypted", null)
+ kms_key_id = lookup(ebs.value, "kms_key_id", null)
+ iops = lookup(ebs.value, "iops", null)
+ throughput = lookup(ebs.value, "throughput", null)
+ snapshot_id = lookup(ebs.value, "snapshot_id", null)
+ volume_size = lookup(ebs.value, "volume_size", null)
+ volume_type = lookup(ebs.value, "volume_type", null)
+ }
+ }
+ }
+ }
+
+ dynamic "capacity_reservation_specification" {
+ for_each = var.capacity_reservation_specification != null ? [var.capacity_reservation_specification] : []
+ content {
+ capacity_reservation_preference = lookup(capacity_reservation_specification.value, "capacity_reservation_preference", null)
+
+ dynamic "capacity_reservation_target" {
+ for_each = lookup(capacity_reservation_specification.value, "capacity_reservation_target", [])
+ content {
+ capacity_reservation_id = lookup(capacity_reservation_target.value, "capacity_reservation_id", null)
+ }
+ }
+ }
+ }
+
+ dynamic "cpu_options" {
+ for_each = var.cpu_options != null ? [var.cpu_options] : []
+ content {
+ core_count = cpu_options.value.core_count
+ threads_per_core = cpu_options.value.threads_per_core
+ }
+ }
+
+ dynamic "credit_specification" {
+ for_each = var.credit_specification != null ? [var.credit_specification] : []
+ content {
+ cpu_credits = credit_specification.value.cpu_credits
+ }
+ }
+
+ dynamic "elastic_gpu_specifications" {
+ for_each = var.elastic_gpu_specifications != null ? [var.elastic_gpu_specifications] : []
+ content {
+ type = elastic_gpu_specifications.value.type
+ }
+ }
+
+ dynamic "elastic_inference_accelerator" {
+ for_each = var.elastic_inference_accelerator != null ? [var.elastic_inference_accelerator] : []
+ content {
+ type = elastic_inference_accelerator.value.type
+ }
+ }
+
+ dynamic "enclave_options" {
+ for_each = var.enclave_options != null ? [var.enclave_options] : []
+ content {
+ enabled = enclave_options.value.enabled
+ }
+ }
+
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # dynamic "hibernation_options" {
+ # for_each = var.hibernation_options != null ? [var.hibernation_options] : []
+ # content {
+ # configured = hibernation_options.value.configured
+ # }
+ # }
+
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # dynamic "iam_instance_profile" {
+ # for_each = [var.iam_instance_profile]
+ # content {
+ # name = lookup(var.iam_instance_profile, "name", null)
+ # arn = lookup(var.iam_instance_profile, "arn", null)
+ # }
+ # }
+
+ dynamic "instance_market_options" {
+ for_each = var.instance_market_options != null ? [var.instance_market_options] : []
+ content {
+ market_type = instance_market_options.value.market_type
+
+ dynamic "spot_options" {
+ for_each = lookup(instance_market_options.value, "spot_options", null) != null ? [instance_market_options.value.spot_options] : []
+ content {
+ block_duration_minutes = spot_options.value.block_duration_minutes
+ instance_interruption_behavior = lookup(spot_options.value, "instance_interruption_behavior", null)
+ max_price = lookup(spot_options.value, "max_price", null)
+ spot_instance_type = lookup(spot_options.value, "spot_instance_type", null)
+ valid_until = lookup(spot_options.value, "valid_until", null)
+ }
+ }
+ }
+ }
+
+ dynamic "license_specification" {
+ for_each = var.license_specifications != null ? [var.license_specifications] : []
+ content {
+ license_configuration_arn = license_specifications.value.license_configuration_arn
+ }
+ }
+
+ dynamic "metadata_options" {
+ for_each = var.metadata_options != null ? [var.metadata_options] : []
+ content {
+ http_endpoint = lookup(metadata_options.value, "http_endpoint", null)
+ http_tokens = lookup(metadata_options.value, "http_tokens", null)
+ http_put_response_hop_limit = lookup(metadata_options.value, "http_put_response_hop_limit", null)
+ http_protocol_ipv6 = lookup(metadata_options.value, "http_protocol_ipv6", null)
+ }
+ }
+
+ dynamic "monitoring" {
+ for_each = var.enable_monitoring != null ? [1] : []
+ content {
+ enabled = var.enable_monitoring
+ }
+ }
+
+ dynamic "network_interfaces" {
+ for_each = var.network_interfaces
+ content {
+ associate_carrier_ip_address = lookup(network_interfaces.value, "associate_carrier_ip_address", null)
+ associate_public_ip_address = lookup(network_interfaces.value, "associate_public_ip_address", null)
+ delete_on_termination = lookup(network_interfaces.value, "delete_on_termination", null)
+ description = lookup(network_interfaces.value, "description", null)
+ device_index = lookup(network_interfaces.value, "device_index", null)
+ ipv4_addresses = lookup(network_interfaces.value, "ipv4_addresses", null) != null ? network_interfaces.value.ipv4_addresses : []
+ ipv4_address_count = lookup(network_interfaces.value, "ipv4_address_count", null)
+ ipv6_addresses = lookup(network_interfaces.value, "ipv6_addresses", null) != null ? network_interfaces.value.ipv6_addresses : []
+ ipv6_address_count = lookup(network_interfaces.value, "ipv6_address_count", null)
+ network_interface_id = lookup(network_interfaces.value, "network_interface_id", null)
+ private_ip_address = lookup(network_interfaces.value, "private_ip_address", null)
+ security_groups = lookup(network_interfaces.value, "security_groups", null) != null ? network_interfaces.value.security_groups : []
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # subnet_id = lookup(network_interfaces.value, "subnet_id", null)
+ }
+ }
+
+ dynamic "placement" {
+ for_each = var.placement != null ? [var.placement] : []
+ content {
+ affinity = lookup(placement.value, "affinity", null)
+ availability_zone = lookup(placement.value, "availability_zone", null)
+ group_name = lookup(placement.value, "group_name", null)
+ host_id = lookup(placement.value, "host_id", null)
+ spread_domain = lookup(placement.value, "spread_domain", null)
+ tenancy = lookup(placement.value, "tenancy", null)
+ partition_number = lookup(placement.value, "partition_number", null)
+ }
+ }
+
+ dynamic "tag_specifications" {
+ for_each = toset(["instance", "volume", "network-interface"])
+ content {
+ resource_type = tag_specifications.key
+ tags = merge(var.tags, { Name = var.name })
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ # Prevent premature access of security group roles and policies by pods that
+ # require permissions on create/destroy that depend on nodes
+ depends_on = [
+ aws_security_group_rule.this,
+ aws_iam_role_policy_attachment.this,
+ ]
+
+ tags = var.tags
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+locals {
+ launch_template_name = try(aws_launch_template.this[0].name, var.launch_template_name, null)
+ # Change order to allow users to set version priority before using defaults
+ launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
+}
+
+resource "aws_eks_node_group" "this" {
+ count = var.create ? 1 : 0
+
+ # Required
+ cluster_name = var.cluster_name
+ node_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
+ subnet_ids = var.subnet_ids
+
+ scaling_config {
+ min_size = var.min_size
+ max_size = var.max_size
+ desired_size = var.desired_size
+ }
+
+ # Optional
+ node_group_name = var.use_name_prefix ? null : var.name
+ node_group_name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami
+ ami_type = var.ami_id != "" ? null : var.ami_type
+ release_version = var.ami_id != "" ? null : var.ami_release_version
+ version = var.ami_id != "" ? null : var.cluster_version
+
+ capacity_type = var.capacity_type
+ disk_size = local.use_custom_launch_template ? null : var.disk_size # if using LT, set disk size on LT or else it will error here
+ force_update_version = var.force_update_version
+ instance_types = var.instance_types
+ labels = var.labels
+
+ dynamic "launch_template" {
+ for_each = local.use_custom_launch_template ? [1] : []
+ content {
+ name = local.launch_template_name
+ version = local.launch_template_version
+ }
+ }
+
+ dynamic "remote_access" {
+ for_each = var.remote_access
+ content {
+ ec2_ssh_key = lookup(remote_access.value, "ec2_ssh_key", null)
+ source_security_group_ids = lookup(remote_access.value, "source_security_group_ids", [])
+ }
+ }
+
+ dynamic "taint" {
+ for_each = var.taints
+ content {
+ key = taint.value.key
+ value = lookup(taint.value, "value")
+ effect = taint.value.effect
+ }
+ }
+
+ dynamic "update_config" {
+ for_each = length(var.update_config) > 0 ? [var.update_config] : []
+ content {
+ max_unavailable_percentage = try(update_config.value.max_unavailable_percentage, null)
+ max_unavailable = try(update_config.value.max_unavailable, null)
+ }
+ }
+
+ timeouts {
+ create = lookup(var.timeouts, "create", null)
+ update = lookup(var.timeouts, "update", null)
+ delete = lookup(var.timeouts, "delete", null)
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [
+ scaling_config[0].desired_size,
+ ]
+ }
+
+ tags = merge(
+ var.tags,
+ { Name = var.name }
+ )
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+locals {
+ security_group_name = coalesce(var.security_group_name, "${var.name}-eks-node-group")
+ create_security_group = var.create && var.create_security_group
+}
+
+resource "aws_security_group" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ name = var.security_group_use_name_prefix ? null : local.security_group_name
+ name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
+ description = var.security_group_description
+ vpc_id = var.vpc_id
+
+ tags = merge(
+ var.tags,
+ { "Name" = local.security_group_name },
+ var.security_group_tags
+ )
+}
+
+resource "aws_security_group_rule" "this" {
+ for_each = { for k, v in var.security_group_rules : k => v if local.create_security_group }
+
+ # Required
+ security_group_id = aws_security_group.this[0].id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+
+ # Optional
+ description = try(each.value.description, null)
+ cidr_blocks = try(each.value.cidr_blocks, null)
+ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
+ prefix_list_ids = try(each.value.prefix_list_ids, [])
+ self = try(each.value.self, null)
+ source_security_group_id = try(
+ each.value.source_security_group_id,
+ try(each.value.source_cluster_security_group, false) ? var.cluster_security_group_id : null
+ )
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+locals {
+ iam_role_name = coalesce(var.iam_role_name, "${var.name}-eks-node-group")
+ policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = var.create && var.create_iam_role ? 1 : 0
+
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = var.create && var.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = var.create && var.create_iam_role ? toset(compact(distinct(concat([
+ "${local.policy_arn_prefix}/AmazonEKSWorkerNodePolicy",
+ "${local.policy_arn_prefix}/AmazonEC2ContainerRegistryReadOnly",
+ "${local.policy_arn_prefix}/AmazonEKS_CNI_Policy",
+ ], var.iam_role_additional_policies)))) : toset([])
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
diff --git a/modules/eks-managed-node-group/outputs.tf b/modules/eks-managed-node-group/outputs.tf
new file mode 100644
index 0000000000..476abc8420
--- /dev/null
+++ b/modules/eks-managed-node-group/outputs.tf
@@ -0,0 +1,75 @@
+################################################################################
+# Launch template
+################################################################################
+
+output "launch_template_id" {
+ description = "The ID of the launch template"
+ value = try(aws_launch_template.this[0].id, "")
+}
+
+output "launch_template_arn" {
+ description = "The ARN of the launch template"
+ value = try(aws_launch_template.this[0].arn, "")
+}
+
+output "launch_template_latest_version" {
+ description = "The latest version of the launch template"
+ value = try(aws_launch_template.this[0].latest_version, "")
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+output "node_group_arn" {
+ description = "Amazon Resource Name (ARN) of the EKS Node Group"
+ value = try(aws_eks_node_group.this[0].arn, "")
+}
+
+output "node_group_id" {
+ description = "EKS Cluster name and EKS Node Group name separated by a colon (`:`)"
+ value = try(aws_eks_node_group.this[0].id, "")
+}
+
+output "node_group_resources" {
+ description = "List of objects containing information about underlying resources"
+ value = try(aws_eks_node_group.this[0].resources, "")
+}
+
+output "node_group_status" {
+ description = "Status of the EKS Node Group"
+ value = try(aws_eks_node_group.this[0].arn, "")
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+output "security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the security group"
+ value = try(aws_security_group.this[0].arn, "")
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = try(aws_security_group.this[0].id, "")
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, "")
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, "")
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, "")
+}
diff --git a/modules/eks-managed-node-group/variables.tf b/modules/eks-managed-node-group/variables.tf
new file mode 100644
index 0000000000..38d126f269
--- /dev/null
+++ b/modules/eks-managed-node-group/variables.tf
@@ -0,0 +1,467 @@
+variable "create" {
+ description = "Determines whether to create EKS managed node group or not"
+ type = bool
+ default = true
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "platform" {
+ description = "Identifies if the OS platform is `bottlerocket` or `linux` based; `windows` is not supported"
+ type = string
+ default = "linux"
+}
+
+################################################################################
+# User Data
+################################################################################
+
+variable "enable_bootstrap_user_data" {
+ description = "Determines whether the bootstrap configurations are populated within the user data template"
+ type = bool
+ default = false
+}
+
+variable "cluster_name" {
+ description = "Name of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_endpoint" {
+ description = "Endpoint of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_auth_base64" {
+ description = "Base64 encoded CA of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_service_ipv4_cidr" {
+ description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
+ type = string
+ default = null
+}
+
+variable "pre_bootstrap_user_data" {
+ description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
+ type = string
+ default = ""
+}
+
+variable "post_bootstrap_user_data" {
+ description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
+ type = string
+ default = ""
+}
+
+variable "bootstrap_extra_args" {
+ description = "Additional arguments passed to the bootstrap script. When `platform` = `bottlerocket`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
+ type = string
+ default = ""
+}
+
+variable "user_data_template_path" {
+ description = "Path to a local, custom user data template file to use when rendering user data"
+ type = string
+ default = ""
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+variable "create_launch_template" {
+ description = "Determines whether to create a launch template or not. If set to `false`, EKS will use its own default launch template"
+ type = bool
+ default = true
+}
+
+variable "launch_template_name" {
+ description = "Launch template name - either to be created (`var.create_launch_template` = `true`) or existing (`var.create_launch_template` = `false`)"
+ type = string
+ default = ""
+}
+
+variable "launch_template_use_name_prefix" {
+ description = "Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix"
+ type = bool
+ default = true
+}
+
+variable "launch_template_description" {
+ description = "Description of the launch template"
+ type = string
+ default = null
+}
+
+variable "ebs_optimized" {
+ description = "If true, the launched EC2 instance(s) will be EBS-optimized"
+ type = bool
+ default = null
+}
+
+variable "ami_id" {
+ description = "The AMI from which to launch the instance. If not supplied, EKS will use its own default image"
+ type = string
+ default = ""
+}
+
+variable "key_name" {
+ description = "The key name that should be used for the instance(s)"
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "A list of security group IDs to associate"
+ type = list(string)
+ default = []
+}
+
+variable "launch_template_default_version" {
+ description = "Default version of the launch template"
+ type = string
+ default = null
+}
+
+variable "update_launch_template_default_version" {
+ description = "Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version`"
+ type = bool
+ default = true
+}
+
+variable "disable_api_termination" {
+ description = "If true, enables EC2 instance termination protection"
+ type = bool
+ default = null
+}
+
+variable "kernel_id" {
+ description = "The kernel ID"
+ type = string
+ default = null
+}
+
+variable "ram_disk_id" {
+ description = "The ID of the ram disk"
+ type = string
+ default = null
+}
+
+variable "block_device_mappings" {
+ description = "Specify volumes to attach to the instance besides the volumes specified by the AMI"
+ type = any
+ default = {}
+}
+
+variable "capacity_reservation_specification" {
+ description = "Targeting for EC2 capacity reservations"
+ type = any
+ default = null
+}
+
+variable "cpu_options" {
+ description = "The CPU options for the instance"
+ type = map(string)
+ default = null
+}
+
+variable "credit_specification" {
+ description = "Customize the credit specification of the instance"
+ type = map(string)
+ default = null
+}
+
+variable "elastic_gpu_specifications" {
+ description = "The elastic GPU to attach to the instance"
+ type = map(string)
+ default = null
+}
+
+variable "elastic_inference_accelerator" {
+ description = "Configuration block containing an Elastic Inference Accelerator to attach to the instance"
+ type = map(string)
+ default = null
+}
+
+variable "enclave_options" {
+ description = "Enable Nitro Enclaves on launched instances"
+ type = map(string)
+ default = null
+}
+
+variable "instance_market_options" {
+ description = "The market (purchasing) option for the instance"
+ type = any
+ default = null
+}
+
+variable "license_specifications" {
+ description = "A list of license specifications to associate with"
+ type = map(string)
+ default = null
+}
+
+variable "metadata_options" {
+ description = "Customize the metadata options for the instance"
+ type = map(string)
+ default = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ }
+}
+
+variable "enable_monitoring" {
+ description = "Enables/disables detailed monitoring"
+ type = bool
+ default = true
+}
+
+variable "network_interfaces" {
+ description = "Customize network interfaces to be attached at instance boot time"
+ type = list(any)
+ default = []
+}
+
+variable "placement" {
+ description = "The placement of the instance"
+ type = map(string)
+ default = null
+}
+
+################################################################################
+# EKS Managed Node Group
+################################################################################
+
+variable "subnet_ids" {
+ description = "Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME`"
+ type = list(string)
+ default = null
+}
+
+variable "min_size" {
+ description = "Minimum number of instances/nodes"
+ type = number
+ default = 0
+}
+
+variable "max_size" {
+ description = "Maximum number of instances/nodes"
+ type = number
+ default = 3
+}
+
+variable "desired_size" {
+ description = "Desired number of instances/nodes"
+ type = number
+ default = 1
+}
+
+variable "name" {
+ description = "Name of the EKS managed node group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix"
+ type = bool
+ default = true
+}
+
+variable "ami_type" {
+ description = "Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are `AL2_x86_64`, `AL2_x86_64_GPU`, `AL2_ARM_64`, `CUSTOM`, `BOTTLEROCKET_ARM_64`, `BOTTLEROCKET_x86_64`"
+ type = string
+ default = null
+}
+
+variable "ami_release_version" {
+ description = "AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version"
+ type = string
+ default = null
+}
+
+variable "capacity_type" {
+ description = "Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`"
+ type = string
+ default = "ON_DEMAND"
+}
+
+variable "disk_size" {
+ description = "Disk size in GiB for nodes. Defaults to `20`"
+ type = number
+ default = null
+}
+
+variable "force_update_version" {
+ description = "Force version update if existing pods are unable to be drained due to a pod disruption budget issue"
+ type = bool
+ default = null
+}
+
+variable "instance_types" {
+ description = "Set of instance types associated with the EKS Node Group. Defaults to `[\"t3.medium\"]`"
+ type = list(string)
+ default = null
+}
+
+variable "labels" {
+ description = "Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed"
+ type = map(string)
+ default = null
+}
+
+variable "cluster_version" {
+ description = "Kubernetes version. Defaults to EKS Cluster Kubernetes version"
+ type = string
+ default = null
+}
+
+variable "launch_template_version" {
+ description = "Launch template version number. The default is `$Default`"
+ type = string
+ default = null
+}
+
+variable "remote_access" {
+ description = "Configuration block with remote access settings"
+ type = map(string)
+ default = {}
+}
+
+variable "taints" {
+ description = "The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group"
+ type = any
+ default = {}
+}
+
+variable "update_config" {
+ description = "Configuration block of settings for max unavailable resources during node group updates"
+ type = map(string)
+ default = {}
+}
+
+variable "timeouts" {
+ description = "Create, update, and delete timeout configurations for the node group"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+variable "create_security_group" {
+ description = "Determines whether to create a security group"
+ type = bool
+ default = true
+}
+
+variable "security_group_name" {
+ description = "Name to use on security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_use_name_prefix" {
+ description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "security_group_description" {
+ description = "Description for the security group created"
+ type = string
+ default = "EKS managed node group security group"
+}
+
+variable "vpc_id" {
+ description = "ID of the VPC where the security group/nodes will be provisioned"
+ type = string
+ default = null
+}
+
+variable "security_group_rules" {
+ description = "List of security group rules to add to the security group created"
+ type = any
+ default = {}
+}
+
+variable "cluster_security_group_id" {
+ description = "Cluster control plane security group ID"
+ type = string
+ default = null
+}
+
+variable "security_group_tags" {
+ description = "A map of additional tags to add to the security group created"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created or to use an existing IAM role"
+ type = bool
+ default = true
+}
+
+variable "iam_role_arn" {
+ description = "Existing IAM role ARN for the node group. Required if `create_iam_role` is set to `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = null
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/node_groups/versions.tf b/modules/eks-managed-node-group/versions.tf
similarity index 89%
rename from modules/node_groups/versions.tf
rename to modules/eks-managed-node-group/versions.tf
index f4d0036a86..48492037e2 100644
--- a/modules/node_groups/versions.tf
+++ b/modules/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 3.56"
+ version = ">= 3.64"
}
cloudinit = {
source = "hashicorp/cloudinit"
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md
new file mode 100644
index 0000000000..8a51f317a8
--- /dev/null
+++ b/modules/fargate-profile/README.md
@@ -0,0 +1,85 @@
+# EKS Fargate Profile Module
+
+Configuration in this directory creates a Fargate EKS Profile
+
+## Usage
+
+```hcl
+module "fargate_profile" {
+ source = "terraform-aws-modules/eks/aws//modules/fargate-profile"
+
+ name = "separate-fargate-profile"
+ cluster_name = "my-cluster"
+
+ subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+ selectors = [{
+ namespace = "kube-system"
+ }]
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.64 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.64 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_fargate_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `null` | no |
+| [create](#input\_create) | Determines whether to create Fargate profile or not | `bool` | `true` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the Fargate profile. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `""` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `string` | `true` | no |
+| [name](#input\_name) | Name of the EKS Fargate Profile | `string` | `""` | no |
+| [selectors](#input\_selectors) | Configuration block(s) for selecting Kubernetes Pods to execute with this Fargate Profile | `any` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs for the EKS Fargate Profile | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Create and delete timeout configurations for the Fargate Profile | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [fargate\_profile\_arn](#output\_fargate\_profile\_arn) | Amazon Resource Name (ARN) of the EKS Fargate Profile |
+| [fargate\_profile\_id](#output\_fargate\_profile\_id) | EKS Cluster name and EKS Fargate Profile name separated by a colon (`:`) |
+| [fargate\_profile\_status](#output\_fargate\_profile\_status) | Status of the EKS Fargate Profile |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+
diff --git a/modules/fargate-profile/main.tf b/modules/fargate-profile/main.tf
new file mode 100644
index 0000000000..b37fc45116
--- /dev/null
+++ b/modules/fargate-profile/main.tf
@@ -0,0 +1,80 @@
+data "aws_partition" "current" {}
+
+locals {
+ iam_role_name = coalesce(var.iam_role_name, var.name, "fargate-profile")
+ policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = var.create && var.create_iam_role ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks-fargate-pods.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = var.create && var.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = var.create && var.create_iam_role ? toset(compact(distinct(concat([
+ "${local.policy_arn_prefix}/AmazonEKSFargatePodExecutionRolePolicy",
+ ], var.iam_role_additional_policies)))) : toset([])
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+resource "aws_eks_fargate_profile" "this" {
+ count = var.create ? 1 : 0
+
+ cluster_name = var.cluster_name
+ fargate_profile_name = var.name
+ pod_execution_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
+ subnet_ids = var.subnet_ids
+
+ dynamic "selector" {
+ for_each = var.selectors
+
+ content {
+ namespace = selector.value.namespace
+ labels = lookup(selector.value, "labels", {})
+ }
+ }
+
+ dynamic "timeouts" {
+ for_each = [var.timeouts]
+ content {
+ create = lookup(var.timeouts, "create", null)
+ delete = lookup(var.timeouts, "delete", null)
+ }
+ }
+
+ tags = var.tags
+}
diff --git a/modules/fargate-profile/outputs.tf b/modules/fargate-profile/outputs.tf
new file mode 100644
index 0000000000..bb6e023248
--- /dev/null
+++ b/modules/fargate-profile/outputs.tf
@@ -0,0 +1,37 @@
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, "")
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, "")
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, "")
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+output "fargate_profile_arn" {
+ description = "Amazon Resource Name (ARN) of the EKS Fargate Profile"
+ value = try(aws_eks_fargate_profile.this[0].arn, "")
+}
+
+output "fargate_profile_id" {
+ description = "EKS Cluster name and EKS Fargate Profile name separated by a colon (`:`)"
+ value = try(aws_eks_fargate_profile.this[0].id, "")
+}
+
+output "fargate_profile_status" {
+ description = "Status of the EKS Fargate Profile"
+ value = try(aws_eks_fargate_profile.this[0].status, "")
+}
diff --git a/modules/fargate-profile/variables.tf b/modules/fargate-profile/variables.tf
new file mode 100644
index 0000000000..afad4809a6
--- /dev/null
+++ b/modules/fargate-profile/variables.tf
@@ -0,0 +1,103 @@
+variable "create" {
+ description = "Determines whether to create Fargate profile or not"
+ type = bool
+ default = true
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created or to use an existing IAM role"
+ type = bool
+ default = true
+}
+
+variable "iam_role_arn" {
+ description = "Existing IAM role ARN for the Fargate profile. Required if `create_iam_role` is set to `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = ""
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = null
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+variable "cluster_name" {
+ description = "Name of the EKS cluster"
+ type = string
+ default = null
+}
+
+variable "name" {
+ description = "Name of the EKS Fargate Profile"
+ type = string
+ default = ""
+}
+
+variable "subnet_ids" {
+ description = "A list of subnet IDs for the EKS Fargate Profile"
+ type = list(string)
+ default = []
+}
+
+variable "selectors" {
+ description = "Configuration block(s) for selecting Kubernetes Pods to execute with this Fargate Profile"
+ type = any
+ default = []
+}
+
+variable "timeouts" {
+ description = "Create and delete timeout configurations for the Fargate Profile"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/fargate-profile/versions.tf b/modules/fargate-profile/versions.tf
new file mode 100644
index 0000000000..bfce6ae345
--- /dev/null
+++ b/modules/fargate-profile/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.64"
+ }
+ }
+}
diff --git a/modules/fargate/README.md b/modules/fargate/README.md
deleted file mode 100644
index 7a20be175b..0000000000
--- a/modules/fargate/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# EKS `fargate` submodule
-
-Helper submodule to create and manage resources related to `aws_eks_fargate_profile`.
-
-## `fargate_profile` keys
-
-`fargate_profile` is a map of maps. Key of first level will be used as unique value for `for_each` resources and in the `aws_eks_fargate_profile` name. Inner map can take the below values.
-
-## Example
-
-See example code in `examples/fargate`.
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| name | Fargate profile name | `string` | Auto generated in the following format `[cluster_name]-fargate-[fargate_profile_map_key]`| no |
-| selectors | A list of Kubernetes selectors. See examples/fargate/main.tf for example format. | list(map({
namespace = string
labels = map(string)
}))| `[]` | no |
-| subnets | List of subnet IDs. Will replace the root module subnets. | `list(string)` | `var.subnets` | no |
-| timeouts | A map of timeouts for create/delete operations. | `map(string)` | Provider default behavior | no |
-| tags | Key-value map of resource tags. Will be merged with root module tags. | `map(string)` | `var.tags` | no |
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.1 |
-| [aws](#requirement\_aws) | >= 3.56 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 3.56 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_eks_fargate_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |
-| [aws_iam_role.eks_fargate_pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.eks_fargate_pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_policy_document.eks_fargate_pod_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_role.custom_fargate_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster. | `string` | `""` | no |
-| [create\_eks](#input\_create\_eks) | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
-| [create\_fargate\_pod\_execution\_role](#input\_create\_fargate\_pod\_execution\_role) | Controls if the the IAM Role that provides permissions for the EKS Fargate Profile should be created. | `bool` | `true` | no |
-| [fargate\_pod\_execution\_role\_name](#input\_fargate\_pod\_execution\_role\_name) | The IAM Role that provides permissions for the EKS Fargate Profile. | `string` | `null` | no |
-| [fargate\_profiles](#input\_fargate\_profiles) | Fargate profiles to create. See `fargate_profile` keys section in README.md for more details | `any` | `{}` | no |
-| [iam\_path](#input\_iam\_path) | IAM roles will be created on this path. | `string` | `"/"` | no |
-| [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
-| [subnets](#input\_subnets) | A list of subnets for the EKS Fargate profiles. | `list(string)` | `[]` | no |
-| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [aws\_auth\_roles](#output\_aws\_auth\_roles) | Roles for use in aws-auth ConfigMap |
-| [fargate\_profile\_arns](#output\_fargate\_profile\_arns) | Amazon Resource Name (ARN) of the EKS Fargate Profiles. |
-| [fargate\_profile\_ids](#output\_fargate\_profile\_ids) | EKS Cluster name and EKS Fargate Profile names separated by a colon (:). |
-| [iam\_role\_arn](#output\_iam\_role\_arn) | IAM role ARN for EKS Fargate pods |
-| [iam\_role\_name](#output\_iam\_role\_name) | IAM role name for EKS Fargate pods |
-
diff --git a/modules/fargate/main.tf b/modules/fargate/main.tf
deleted file mode 100644
index a4e4b0d80f..0000000000
--- a/modules/fargate/main.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-locals {
- create_eks = var.create_eks && length(var.fargate_profiles) > 0
-
- pod_execution_role_arn = coalescelist(aws_iam_role.eks_fargate_pod.*.arn, data.aws_iam_role.custom_fargate_iam_role.*.arn, [""])[0]
- pod_execution_role_name = coalescelist(aws_iam_role.eks_fargate_pod.*.name, data.aws_iam_role.custom_fargate_iam_role.*.name, [""])[0]
-
- fargate_profiles = { for k, v in var.fargate_profiles : k => v if var.create_eks }
-}
-
-data "aws_partition" "current" {}
-
-data "aws_iam_policy_document" "eks_fargate_pod_assume_role" {
- count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
-
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["eks-fargate-pods.amazonaws.com"]
- }
- }
-}
-
-data "aws_iam_role" "custom_fargate_iam_role" {
- count = local.create_eks && !var.create_fargate_pod_execution_role ? 1 : 0
-
- name = var.fargate_pod_execution_role_name
-}
-
-resource "aws_iam_role" "eks_fargate_pod" {
- count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
-
- name_prefix = format("%s-fargate", substr(var.cluster_name, 0, 24))
- assume_role_policy = data.aws_iam_policy_document.eks_fargate_pod_assume_role[0].json
- permissions_boundary = var.permissions_boundary
- tags = var.tags
- path = var.iam_path
-}
-
-resource "aws_iam_role_policy_attachment" "eks_fargate_pod" {
- count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
-
- policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
- role = aws_iam_role.eks_fargate_pod[0].name
-}
-
-resource "aws_eks_fargate_profile" "this" {
- for_each = local.fargate_profiles
-
- cluster_name = var.cluster_name
- fargate_profile_name = lookup(each.value, "name", format("%s-fargate-%s", var.cluster_name, replace(each.key, "_", "-")))
- pod_execution_role_arn = local.pod_execution_role_arn
- subnet_ids = lookup(each.value, "subnets", var.subnets)
-
- dynamic "selector" {
- for_each = each.value.selectors
-
- content {
- namespace = selector.value["namespace"]
- labels = lookup(selector.value, "labels", {})
- }
- }
-
- timeouts {
- create = try(each.value["timeouts"].create, null)
- delete = try(each.value["timeouts"].delete, null)
- }
-
- tags = merge(var.tags, lookup(each.value, "tags", {}))
-}
diff --git a/modules/fargate/outputs.tf b/modules/fargate/outputs.tf
deleted file mode 100644
index 126ba6e385..0000000000
--- a/modules/fargate/outputs.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-output "fargate_profile_ids" {
- description = "EKS Cluster name and EKS Fargate Profile names separated by a colon (:)."
- value = [for f in aws_eks_fargate_profile.this : f.id]
-}
-
-output "fargate_profile_arns" {
- description = "Amazon Resource Name (ARN) of the EKS Fargate Profiles."
- value = [for f in aws_eks_fargate_profile.this : f.arn]
-}
-
-output "iam_role_name" {
- description = "IAM role name for EKS Fargate pods"
- value = local.pod_execution_role_name
-}
-
-output "iam_role_arn" {
- description = "IAM role ARN for EKS Fargate pods"
- value = local.pod_execution_role_arn
-}
-
-output "aws_auth_roles" {
- description = "Roles for use in aws-auth ConfigMap"
- value = [
- for i in range(1) : {
- worker_role_arn = local.pod_execution_role_arn
- platform = "fargate"
- } if local.create_eks
- ]
-}
diff --git a/modules/fargate/variables.tf b/modules/fargate/variables.tf
deleted file mode 100644
index 39e2cc68b3..0000000000
--- a/modules/fargate/variables.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-variable "create_eks" {
- description = "Controls if EKS resources should be created (it affects almost all resources)"
- type = bool
- default = true
-}
-
-variable "create_fargate_pod_execution_role" {
- description = "Controls if the the IAM Role that provides permissions for the EKS Fargate Profile should be created."
- type = bool
- default = true
-}
-
-variable "cluster_name" {
- description = "Name of the EKS cluster."
- type = string
- default = ""
-}
-
-variable "iam_path" {
- description = "IAM roles will be created on this path."
- type = string
- default = "/"
-}
-
-variable "fargate_pod_execution_role_name" {
- description = "The IAM Role that provides permissions for the EKS Fargate Profile."
- type = string
- default = null
-}
-
-variable "fargate_profiles" {
- description = "Fargate profiles to create. See `fargate_profile` keys section in README.md for more details"
- type = any
- default = {}
-}
-
-variable "permissions_boundary" {
- description = "If provided, all IAM roles will be created with this permissions boundary attached."
- type = string
- default = null
-}
-
-variable "subnets" {
- description = "A list of subnets for the EKS Fargate profiles."
- type = list(string)
- default = []
-}
-
-variable "tags" {
- description = "A map of tags to add to all resources."
- type = map(string)
- default = {}
-}
diff --git a/modules/node_groups/README.md b/modules/node_groups/README.md
deleted file mode 100644
index f91ce04ae0..0000000000
--- a/modules/node_groups/README.md
+++ /dev/null
@@ -1,113 +0,0 @@
-# EKS `node_groups` submodule
-
-Helper submodule to create and manage resources related to `eks_node_groups`.
-
-## Node Groups' IAM Role
-
-The role ARN specified in `var.default_iam_role_arn` will be used by default. In a simple configuration this will be the worker role created by the parent module.
-
-`iam_role_arn` must be specified in either `var.node_groups_defaults` or `var.node_groups` if the default parent IAM role is not being created for whatever reason, for example if `manage_worker_iam_resources` is set to false in the parent.
-
-## `node_groups` and `node_groups_defaults` keys
-`node_groups_defaults` is a map that can take the below keys. Values will be used if not specified in individual node groups.
-
-`node_groups` is a map of maps. Key of first level will be used as unique value for `for_each` resources and in the `aws_eks_node_group` name. Inner map can take the below values.
-
-| Name | Description | Type | If unset |
-|------|-------------|:----:|:-----:|
-| additional\_tags | Additional tags to apply to node group | map(string) | Only `var.tags` applied |
-| ami\_release\_version | AMI version of workers | string | Provider default behavior |
-| ami\_type | AMI Type. See Terraform or AWS docs | string | Provider default behavior |
-| ami\_id | ID of custom AMI. If you use a custom AMI, you need to set `ami_is_eks_optimized` | string | Provider default behavior |
-| ami\_is\_eks\_optimized | If the custom AMI is an EKS optimised image, ignored if `ami_id` is not set. If this is `true` then `bootstrap.sh` is called automatically (max pod logic needs to be manually set), if this is `false` you need to provide all the node configuration in `pre_userdata` | bool | `true` |
-| capacity\_type | Type of instance capacity to provision. Options are `ON_DEMAND` and `SPOT` | string | Provider default behavior |
-| create_launch_template | Create and use a default launch template | bool | `false` |
-| desired\_capacity | Desired number of workers | number | `var.workers_group_defaults[asg_desired_capacity]` |
-| disk\_encrypted | Whether the root disk will be encrypyted. Requires `create_launch_template` to be `true` and `disk_kms_key_id` to be set | bool | false |
-| disk\_kms\_key\_id | KMS Key used to encrypt the root disk. Requires both `create_launch_template` and `disk_encrypted` to be `true` | string | "" |
-| disk\_size | Workers' disk size | number | Provider default behavior |
-| disk\_type | Workers' disk type. Require `create_launch_template` to be `true`| string | Provider default behavior |
-| disk\_throughput | Workers' disk throughput. Require `create_launch_template` to be `true` and `disk_type` to be `gp3`| number | Provider default behavior |
-| disk\_iops | Workers' disk IOPS. Require `create_launch_template` to be `true` and `disk_type` to be `gp3`| number | Provider default behavior |
-| ebs\_optimized | Enables/disables EBS optimization. Require `create_launch_template` to be `true` | bool | `true` if defined `instance\_types` are not present in `var.ebs\_optimized\_not\_supported` |
-| enable_monitoring | Enables/disables detailed monitoring. Require `create_launch_template` to be `true`| bool | `true` |
-| eni_delete | Delete the Elastic Network Interface (ENI) on termination (if set to false you will have to manually delete before destroying) | bool | `true` |
-| force\_update\_version | Force version update if existing pods are unable to be drained due to a pod disruption budget issue. | bool | Provider default behavior |
-| iam\_role\_arn | IAM role ARN for workers | string | `var.default_iam_role_arn` |
-| instance\_types | Node group's instance type(s). Multiple types can be specified when `capacity_type="SPOT"`. | list | `[var.workers_group_defaults[instance_type]]` |
-| k8s\_labels | Kubernetes labels | map(string) | No labels applied |
-| key\_name | Key name for workers. Set to empty string to disable remote access | string | `var.workers_group_defaults[key_name]` |
-| bootstrap_env | Provide environment variables to customise [bootstrap.sh](https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh). Require `create_launch_template` to be `true` | map(string) | `{}` |
-| kubelet_extra_args | Extra arguments for kubelet, this is automatically merged with `labels`. Require `create_launch_template` to be `true` | string | "" |
-| launch_template_id | The id of a aws_launch_template to use | string | No LT used |
-| launch\_template_version | The version of the LT to use | string | none |
-| max\_capacity | Max number of workers | number | `var.workers_group_defaults[asg_max_size]` |
-| min\_capacity | Min number of workers | number | `var.workers_group_defaults[asg_min_size]` |
-| update_config.max\_unavailable\_percentage | Max percentage of unavailable nodes during update. (e.g. 25, 50, etc) | number | `null` if `update_config.max_unavailable` is set |
-| update_config.max\_unavailable | Max number of unavailable nodes during update | number | `null` if `update_config.max_unavailable_percentage` is set |
-| name | Name of the node group. If you don't really need this, we recommend you to use `name_prefix` instead. | string | Will use the autogenerate name prefix |
-| name_prefix | Name prefix of the node group | string | Auto generated |
-| pre_userdata | userdata to pre-append to the default userdata. Require `create_launch_template` to be `true`| string | "" |
-| public_ip | Associate a public ip address with a worker. Require `create_launch_template` to be `true`| string | `false`
-| source\_security\_group\_ids | Source security groups for remote access to workers | list(string) | If key\_name is specified: THE REMOTE ACCESS WILL BE OPENED TO THE WORLD |
-| subnets | Subnets to contain workers | list(string) | `var.workers_group_defaults[subnets]` |
-| version | Kubernetes version | string | Provider default behavior |
-| taints | Kubernetes node taints | list(map) | empty |
-| timeouts | A map of timeouts for create/update/delete operations. | `map(string)` | Provider default behavior |
-| update_default_version | Whether or not to set the new launch template version the Default | bool | `true` |
-| metadata_http_endpoint | The state of the instance metadata service. Requires `create_launch_template` to be `true` | string | `var.workers_group_defaults[metadata_http_endpoint]` |
-| metadata_http_tokens | If session tokens are required. Requires `create_launch_template` to be `true` | string | `var.workers_group_defaults[metadata_http_tokens]` |
-| metadata_http_put_response_hop_limit | The desired HTTP PUT response hop limit for instance metadata requests. Requires `create_launch_template` to be `true` | number | `var.workers_group_defaults[metadata_http_put_response_hop_limit]` |
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.1 |
-| [aws](#requirement\_aws) | >= 3.56 |
-| [cloudinit](#requirement\_cloudinit) | >= 2.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 3.56 |
-| [cloudinit](#provider\_cloudinit) | >= 2.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_eks_node_group.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
-| [aws_launch_template.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
-| [cloudinit_config.workers_userdata](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of parent cluster | `string` | `""` | no |
-| [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of parent cluster | `string` | `""` | no |
-| [cluster\_name](#input\_cluster\_name) | Name of parent cluster | `string` | `""` | no |
-| [create\_eks](#input\_create\_eks) | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
-| [default\_iam\_role\_arn](#input\_default\_iam\_role\_arn) | ARN of the default IAM worker role to use if one is not specified in `var.node_groups` or `var.node_groups_defaults` | `string` | `""` | no |
-| [ebs\_optimized\_not\_supported](#input\_ebs\_optimized\_not\_supported) | List of instance types that do not support EBS optimization | `list(string)` | `[]` | no |
-| [node\_groups](#input\_node\_groups) | Map of maps of `eks_node_groups` to create. See "`node_groups` and `node_groups_defaults` keys" section in README.md for more details | `any` | `{}` | no |
-| [node\_groups\_defaults](#input\_node\_groups\_defaults) | map of maps of node groups to create. See "`node_groups` and `node_groups_defaults` keys" section in README.md for more details | `any` | `{}` | no |
-| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
-| [worker\_additional\_security\_group\_ids](#input\_worker\_additional\_security\_group\_ids) | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no |
-| [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no |
-| [workers\_group\_defaults](#input\_workers\_group\_defaults) | Workers group defaults from parent | `any` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [aws\_auth\_roles](#output\_aws\_auth\_roles) | Roles for use in aws-auth ConfigMap |
-| [node\_groups](#output\_node\_groups) | Outputs from EKS node groups. Map of maps, keyed by `var.node_groups` keys. See `aws_eks_node_group` Terraform documentation for values |
-
diff --git a/modules/node_groups/launch_template.tf b/modules/node_groups/launch_template.tf
deleted file mode 100644
index 6abe358d5a..0000000000
--- a/modules/node_groups/launch_template.tf
+++ /dev/null
@@ -1,146 +0,0 @@
-data "cloudinit_config" "workers_userdata" {
- for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] }
-
- gzip = false
- base64_encode = true
- boundary = "//"
-
- part {
- content_type = "text/x-shellscript"
- content = templatefile("${path.module}/templates/userdata.sh.tpl",
- {
- cluster_name = var.cluster_name
- cluster_endpoint = var.cluster_endpoint
- cluster_auth_base64 = var.cluster_auth_base64
- ami_id = lookup(each.value, "ami_id", "")
- ami_is_eks_optimized = each.value["ami_is_eks_optimized"]
- bootstrap_env = each.value["bootstrap_env"]
- kubelet_extra_args = each.value["kubelet_extra_args"]
- pre_userdata = each.value["pre_userdata"]
- capacity_type = lookup(each.value, "capacity_type", "ON_DEMAND")
- append_labels = length(lookup(each.value, "k8s_labels", {})) > 0 ? ",${join(",", [for k, v in lookup(each.value, "k8s_labels", {}) : "${k}=${v}"])}" : ""
- }
- )
- }
-}
-
-# This is based on the LT that EKS would create if no custom one is specified (aws ec2 describe-launch-template-versions --launch-template-id xxx)
-# there are several more options one could set but you probably dont need to modify them
-# you can take the default and add your custom AMI and/or custom tags
-#
-# Trivia: AWS transparently creates a copy of your LaunchTemplate and actually uses that copy then for the node group. If you DONT use a custom AMI,
-# then the default user-data for bootstrapping a cluster is merged in the copy.
-resource "aws_launch_template" "workers" {
- for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] }
-
- name_prefix = local.node_groups_names[each.key]
- description = format("EKS Managed Node Group custom LT for %s", local.node_groups_names[each.key])
- update_default_version = lookup(each.value, "update_default_version", true)
-
- block_device_mappings {
- device_name = "/dev/xvda"
-
- ebs {
- volume_size = lookup(each.value, "disk_size", null)
- volume_type = lookup(each.value, "disk_type", null)
- iops = lookup(each.value, "disk_iops", null)
- throughput = lookup(each.value, "disk_throughput", null)
- encrypted = lookup(each.value, "disk_encrypted", null)
- kms_key_id = lookup(each.value, "disk_kms_key_id", null)
- delete_on_termination = true
- }
- }
-
- ebs_optimized = lookup(each.value, "ebs_optimized", !contains(var.ebs_optimized_not_supported, element(each.value.instance_types, 0)))
-
- instance_type = each.value["set_instance_types_on_lt"] ? element(each.value.instance_types, 0) : null
-
- monitoring {
- enabled = lookup(each.value, "enable_monitoring", null)
- }
-
- network_interfaces {
- associate_public_ip_address = lookup(each.value, "public_ip", null)
- delete_on_termination = lookup(each.value, "eni_delete", null)
- security_groups = compact(flatten([
- var.worker_security_group_id,
- var.worker_additional_security_group_ids,
- lookup(
- each.value,
- "additional_security_group_ids",
- null,
- ),
- ]))
- }
-
- # if you want to use a custom AMI
- image_id = lookup(each.value, "ami_id", null)
-
- # If you use a custom AMI, you need to supply via user-data, the bootstrap script as EKS DOESNT merge its managed user-data then
- # you can add more than the minimum code you see in the template, e.g. install SSM agent, see https://github.com/aws/containers-roadmap/issues/593#issuecomment-577181345
- #
- # (optionally you can use https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/cloudinit_config to render the script, example: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/997#issuecomment-705286151)
-
- user_data = data.cloudinit_config.workers_userdata[each.key].rendered
-
- key_name = lookup(each.value, "key_name", null)
-
- metadata_options {
- http_endpoint = lookup(each.value, "metadata_http_endpoint", null)
- http_tokens = lookup(each.value, "metadata_http_tokens", null)
- http_put_response_hop_limit = lookup(each.value, "metadata_http_put_response_hop_limit", null)
- }
-
- # Supplying custom tags to EKS instances is another use-case for LaunchTemplates
- tag_specifications {
- resource_type = "instance"
-
- tags = merge(
- var.tags,
- {
- Name = local.node_groups_names[each.key]
- },
- lookup(var.node_groups_defaults, "additional_tags", {}),
- lookup(var.node_groups[each.key], "additional_tags", {})
- )
- }
-
- # Supplying custom tags to EKS instances root volumes is another use-case for LaunchTemplates. (doesnt add tags to dynamically provisioned volumes via PVC tho)
- tag_specifications {
- resource_type = "volume"
-
- tags = merge(
- var.tags,
- {
- Name = local.node_groups_names[each.key]
- },
- lookup(var.node_groups_defaults, "additional_tags", {}),
- lookup(var.node_groups[each.key], "additional_tags", {})
- )
- }
-
- # Supplying custom tags to EKS instances ENI's is another use-case for LaunchTemplates
- tag_specifications {
- resource_type = "network-interface"
-
- tags = merge(
- var.tags,
- {
- Name = local.node_groups_names[each.key]
- },
- lookup(var.node_groups_defaults, "additional_tags", {}),
- lookup(var.node_groups[each.key], "additional_tags", {})
- )
- }
-
- # Tag the LT itself
- tags = merge(
- var.tags,
- lookup(var.node_groups_defaults, "additional_tags", {}),
- lookup(var.node_groups[each.key], "additional_tags", {}),
- )
-
- lifecycle {
- create_before_destroy = true
- }
-}
diff --git a/modules/node_groups/locals.tf b/modules/node_groups/locals.tf
deleted file mode 100644
index 0a6c7cbffb..0000000000
--- a/modules/node_groups/locals.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-locals {
- # Merge defaults and per-group values to make code cleaner
- node_groups_expanded = { for k, v in var.node_groups : k => merge(
- {
- desired_capacity = var.workers_group_defaults["asg_desired_capacity"]
- iam_role_arn = var.default_iam_role_arn
- instance_types = [var.workers_group_defaults["instance_type"]]
- key_name = var.workers_group_defaults["key_name"]
- launch_template_id = var.workers_group_defaults["launch_template_id"]
- launch_template_version = var.workers_group_defaults["launch_template_version"]
- set_instance_types_on_lt = false
- max_capacity = var.workers_group_defaults["asg_max_size"]
- min_capacity = var.workers_group_defaults["asg_min_size"]
- subnets = var.workers_group_defaults["subnets"]
- create_launch_template = false
- bootstrap_env = {}
- kubelet_extra_args = var.workers_group_defaults["kubelet_extra_args"]
- disk_size = var.workers_group_defaults["root_volume_size"]
- disk_type = var.workers_group_defaults["root_volume_type"]
- disk_iops = var.workers_group_defaults["root_iops"]
- disk_throughput = var.workers_group_defaults["root_volume_throughput"]
- disk_encrypted = var.workers_group_defaults["root_encrypted"]
- disk_kms_key_id = var.workers_group_defaults["root_kms_key_id"]
- enable_monitoring = var.workers_group_defaults["enable_monitoring"]
- eni_delete = var.workers_group_defaults["eni_delete"]
- public_ip = var.workers_group_defaults["public_ip"]
- pre_userdata = var.workers_group_defaults["pre_userdata"]
- additional_security_group_ids = var.workers_group_defaults["additional_security_group_ids"]
- taints = []
- timeouts = var.workers_group_defaults["timeouts"]
- update_default_version = true
- ebs_optimized = null
- metadata_http_endpoint = var.workers_group_defaults["metadata_http_endpoint"]
- metadata_http_tokens = var.workers_group_defaults["metadata_http_tokens"]
- metadata_http_put_response_hop_limit = var.workers_group_defaults["metadata_http_put_response_hop_limit"]
- ami_is_eks_optimized = true
- },
- var.node_groups_defaults,
- v,
- ) if var.create_eks }
-
- node_groups_names = { for k, v in local.node_groups_expanded : k => lookup(
- v,
- "name",
- lookup(
- v,
- "name_prefix",
- join("-", [var.cluster_name, k])
- )
- ) }
-}
diff --git a/modules/node_groups/main.tf b/modules/node_groups/main.tf
deleted file mode 100644
index 75e6209730..0000000000
--- a/modules/node_groups/main.tf
+++ /dev/null
@@ -1,105 +0,0 @@
-resource "aws_eks_node_group" "workers" {
- for_each = local.node_groups_expanded
-
- node_group_name_prefix = lookup(each.value, "name", null) == null ? local.node_groups_names[each.key] : null
- node_group_name = lookup(each.value, "name", null)
-
- cluster_name = var.cluster_name
- node_role_arn = each.value["iam_role_arn"]
- subnet_ids = each.value["subnets"]
-
- scaling_config {
- desired_size = each.value["desired_capacity"]
- max_size = each.value["max_capacity"]
- min_size = each.value["min_capacity"]
- }
-
- ami_type = lookup(each.value, "ami_type", null)
- disk_size = each.value["launch_template_id"] != null || each.value["create_launch_template"] ? null : lookup(each.value, "disk_size", null)
- instance_types = !each.value["set_instance_types_on_lt"] ? each.value["instance_types"] : null
- release_version = lookup(each.value, "ami_release_version", null)
- capacity_type = lookup(each.value, "capacity_type", null)
- force_update_version = lookup(each.value, "force_update_version", null)
-
- dynamic "remote_access" {
- for_each = each.value["key_name"] != "" && each.value["launch_template_id"] == null && !each.value["create_launch_template"] ? [{
- ec2_ssh_key = each.value["key_name"]
- source_security_group_ids = lookup(each.value, "source_security_group_ids", [])
- }] : []
-
- content {
- ec2_ssh_key = remote_access.value["ec2_ssh_key"]
- source_security_group_ids = remote_access.value["source_security_group_ids"]
- }
- }
-
- dynamic "launch_template" {
- for_each = each.value["launch_template_id"] != null ? [{
- id = each.value["launch_template_id"]
- version = each.value["launch_template_version"]
- }] : []
-
- content {
- id = launch_template.value["id"]
- version = launch_template.value["version"]
- }
- }
-
- dynamic "launch_template" {
- for_each = each.value["launch_template_id"] == null && each.value["create_launch_template"] ? [{
- id = aws_launch_template.workers[each.key].id
- version = each.value["launch_template_version"] == "$Latest" ? aws_launch_template.workers[each.key].latest_version : (
- each.value["launch_template_version"] == "$Default" ? aws_launch_template.workers[each.key].default_version : each.value["launch_template_version"]
- )
- }] : []
-
- content {
- id = launch_template.value["id"]
- version = launch_template.value["version"]
- }
- }
-
- dynamic "taint" {
- for_each = each.value["taints"]
-
- content {
- key = taint.value["key"]
- value = taint.value["value"]
- effect = taint.value["effect"]
- }
- }
-
- dynamic "update_config" {
- for_each = try(each.value.update_config.max_unavailable_percentage > 0, each.value.update_config.max_unavailable > 0, false) ? [true] : []
-
- content {
- max_unavailable_percentage = try(each.value.update_config.max_unavailable_percentage, null)
- max_unavailable = try(each.value.update_config.max_unavailable, null)
- }
- }
-
- timeouts {
- create = lookup(each.value["timeouts"], "create", null)
- update = lookup(each.value["timeouts"], "update", null)
- delete = lookup(each.value["timeouts"], "delete", null)
- }
-
- version = lookup(each.value, "version", null)
-
- labels = merge(
- lookup(var.node_groups_defaults, "k8s_labels", {}),
- lookup(var.node_groups[each.key], "k8s_labels", {})
- )
-
- tags = merge(
- var.tags,
- lookup(var.node_groups_defaults, "additional_tags", {}),
- lookup(var.node_groups[each.key], "additional_tags", {}),
- )
-
- lifecycle {
- create_before_destroy = true
- ignore_changes = [scaling_config[0].desired_size]
- }
-
-}
diff --git a/modules/node_groups/outputs.tf b/modules/node_groups/outputs.tf
deleted file mode 100644
index ad148ea514..0000000000
--- a/modules/node_groups/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "node_groups" {
- description = "Outputs from EKS node groups. Map of maps, keyed by `var.node_groups` keys. See `aws_eks_node_group` Terraform documentation for values"
- value = aws_eks_node_group.workers
-}
-
-output "aws_auth_roles" {
- description = "Roles for use in aws-auth ConfigMap"
- value = [
- for k, v in local.node_groups_expanded : {
- worker_role_arn = lookup(v, "iam_role_arn", var.default_iam_role_arn)
- platform = "linux"
- }
- ]
-}
diff --git a/modules/node_groups/templates/userdata.sh.tpl b/modules/node_groups/templates/userdata.sh.tpl
deleted file mode 100644
index 321c17b427..0000000000
--- a/modules/node_groups/templates/userdata.sh.tpl
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash -e
-%{ if length(ami_id) == 0 ~}
-
-# Set bootstrap env
-printf '#!/bin/bash
-%{ for k, v in bootstrap_env ~}
-export ${k}="${v}"
-%{ endfor ~}
-export ADDITIONAL_KUBELET_EXTRA_ARGS="${kubelet_extra_args}"
-' > /etc/profile.d/eks-bootstrap-env.sh
-
-# Source extra environment variables in bootstrap script
-sed -i '/^set -o errexit/a\\nsource /etc/profile.d/eks-bootstrap-env.sh' /etc/eks/bootstrap.sh
-
-# Merge ADDITIONAL_KUBELET_EXTRA_ARGS into KUBELET_EXTRA_ARGS
-sed -i 's/^KUBELET_EXTRA_ARGS="$${KUBELET_EXTRA_ARGS:-}/KUBELET_EXTRA_ARGS="$${KUBELET_EXTRA_ARGS:-} $${ADDITIONAL_KUBELET_EXTRA_ARGS}/' /etc/eks/bootstrap.sh
-%{else ~}
-
-# Set variables for custom AMI
-API_SERVER_URL=${cluster_endpoint}
-B64_CLUSTER_CA=${cluster_auth_base64}
-%{ for k, v in bootstrap_env ~}
-${k}="${v}"
-%{ endfor ~}
-KUBELET_EXTRA_ARGS='--node-labels=eks.amazonaws.com/nodegroup-image=${ami_id},eks.amazonaws.com/capacityType=${capacity_type}${append_labels} ${kubelet_extra_args}'
-%{endif ~}
-
-# User supplied pre userdata
-${pre_userdata}
-%{ if length(ami_id) > 0 && ami_is_eks_optimized ~}
-
-# Call bootstrap for EKS optimised custom AMI
-/etc/eks/bootstrap.sh ${cluster_name} --apiserver-endpoint "$${API_SERVER_URL}" --b64-cluster-ca "$${B64_CLUSTER_CA}" --kubelet-extra-args "$${KUBELET_EXTRA_ARGS}"
-%{ endif ~}
diff --git a/modules/node_groups/variables.tf b/modules/node_groups/variables.tf
deleted file mode 100644
index 1aa8cfe26d..0000000000
--- a/modules/node_groups/variables.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-variable "create_eks" {
- description = "Controls if EKS resources should be created (it affects almost all resources)"
- type = bool
- default = true
-}
-
-variable "cluster_name" {
- description = "Name of parent cluster"
- type = string
- default = ""
-}
-
-variable "cluster_endpoint" {
- description = "Endpoint of parent cluster"
- type = string
- default = ""
-}
-
-variable "cluster_auth_base64" {
- description = "Base64 encoded CA of parent cluster"
- type = string
- default = ""
-}
-
-variable "default_iam_role_arn" {
- description = "ARN of the default IAM worker role to use if one is not specified in `var.node_groups` or `var.node_groups_defaults`"
- type = string
- default = ""
-}
-
-variable "workers_group_defaults" {
- description = "Workers group defaults from parent"
- type = any
- default = {}
-}
-
-variable "worker_security_group_id" {
- description = "If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster."
- type = string
- default = ""
-}
-
-variable "worker_additional_security_group_ids" {
- description = "A list of additional security group ids to attach to worker instances"
- type = list(string)
- default = []
-}
-
-variable "tags" {
- description = "A map of tags to add to all resources"
- type = map(string)
- default = {}
-}
-
-variable "node_groups_defaults" {
- description = "map of maps of node groups to create. See \"`node_groups` and `node_groups_defaults` keys\" section in README.md for more details"
- type = any
- default = {}
-}
-
-variable "node_groups" {
- description = "Map of maps of `eks_node_groups` to create. See \"`node_groups` and `node_groups_defaults` keys\" section in README.md for more details"
- type = any
- default = {}
-}
-
-variable "ebs_optimized_not_supported" {
- description = "List of instance types that do not support EBS optimization"
- type = list(string)
- default = []
-}
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
new file mode 100644
index 0000000000..10a3068825
--- /dev/null
+++ b/modules/self-managed-node-group/README.md
@@ -0,0 +1,199 @@
+# Self Managed Node Group Module
+
+Configuration in this directory creates a Self Managed Node Group (AutoScaling Group) along with an IAM role, security group, and launch template
+
+## Usage
+
+```hcl
+module "self_managed_node_group" {
+ source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
+
+ name = "separate-self-mng"
+ cluster_name = "my-cluster"
+ cluster_version = "1.21"
+ cluster_endpoint = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com"
+ cluster_auth_base64 = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
+
+ vpc_id = "vpc-1234556abcdef"
+ subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+ vpc_security_group_ids = [
+ # cluster_security_group_id,
+ ]
+
+ min_size = 1
+ max_size = 10
+ desired_size = 1
+
+ launch_template_name = "separate-self-mng"
+ instance_type = "m5.large"
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.64 |
+| [cloudinit](#requirement\_cloudinit) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.64 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [user\_data](#module\_user\_data) | ../_user_data | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
+| [aws_autoscaling_schedule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_schedule) | resource |
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [ami\_id](#input\_ami\_id) | The AMI from which to launch the instance | `string` | `""` | no |
+| [availability\_zones](#input\_availability\_zones) | A list of one or more availability zones for the group. Used for EC2-Classic and default subnets when not specified with `subnet_ids` argument. Conflicts with `subnet_ids` | `list(string)` | `null` | no |
+| [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI | `any` | `{}` | no |
+| [bootstrap\_extra\_args](#input\_bootstrap\_extra\_args) | Additional arguments passed to the bootstrap script. When `platform` = `bottlerocket`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data | `string` | `""` | no |
+| [capacity\_rebalance](#input\_capacity\_rebalance) | Indicates whether capacity rebalance is enabled | `bool` | `null` | no |
+| [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | `any` | `null` | no |
+| [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
+| [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no |
+| [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Cluster control plane security group ID | `string` | `null` | no |
+| [cluster\_version](#input\_cluster\_version) | Kubernetes cluster version - used to lookup default AMI ID if one is not provided | `string` | `null` | no |
+| [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | `map(string)` | `null` | no |
+| [create](#input\_create) | Determines whether to create self managed node group or not | `bool` | `true` | no |
+| [create\_iam\_instance\_profile](#input\_create\_iam\_instance\_profile) | Determines whether an IAM instance profile is created or to use an existing IAM instance profile | `bool` | `true` | no |
+| [create\_launch\_template](#input\_create\_launch\_template) | Determines whether to create launch template or not | `bool` | `true` | no |
+| [create\_schedule](#input\_create\_schedule) | Determines whether to create autoscaling group schedule or not | `bool` | `true` | no |
+| [create\_security\_group](#input\_create\_security\_group) | Determines whether to create a security group | `bool` | `true` | no |
+| [credit\_specification](#input\_credit\_specification) | Customize the credit specification of the instance | `map(string)` | `null` | no |
+| [default\_cooldown](#input\_default\_cooldown) | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start | `number` | `null` | no |
+| [delete\_timeout](#input\_delete\_timeout) | Delete timeout to wait for destroying autoscaling group | `string` | `null` | no |
+| [desired\_size](#input\_desired\_size) | The number of Amazon EC2 instances that should be running in the autoscaling group | `number` | `1` | no |
+| [disable\_api\_termination](#input\_disable\_api\_termination) | If true, enables EC2 instance termination protection | `bool` | `null` | no |
+| [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `null` | no |
+| [elastic\_gpu\_specifications](#input\_elastic\_gpu\_specifications) | The elastic GPU to attach to the instance | `map(string)` | `null` | no |
+| [elastic\_inference\_accelerator](#input\_elastic\_inference\_accelerator) | Configuration block containing an Elastic Inference Accelerator to attach to the instance | `map(string)` | `null` | no |
+| [enable\_monitoring](#input\_enable\_monitoring) | Enables/disables detailed monitoring | `bool` | `true` | no |
+| [enabled\_metrics](#input\_enabled\_metrics) | A list of metrics to collect. The allowed values are `GroupDesiredCapacity`, `GroupInServiceCapacity`, `GroupPendingCapacity`, `GroupMinSize`, `GroupMaxSize`, `GroupInServiceInstances`, `GroupPendingInstances`, `GroupStandbyInstances`, `GroupStandbyCapacity`, `GroupTerminatingCapacity`, `GroupTerminatingInstances`, `GroupTotalCapacity`, `GroupTotalInstances` | `list(string)` | `null` | no |
+| [enclave\_options](#input\_enclave\_options) | Enable Nitro Enclaves on launched instances | `map(string)` | `null` | no |
+| [force\_delete](#input\_force\_delete) | Allows deleting the Auto Scaling Group without waiting for all instances in the pool to terminate. You can force an Auto Scaling Group to delete even if it's in the process of scaling a resource. Normally, Terraform drains all the instances before deleting the group. This bypasses that behavior and potentially leaves resources dangling | `bool` | `null` | no |
+| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time (in seconds) after instance comes into service before checking health | `number` | `null` | no |
+| [health\_check\_type](#input\_health\_check\_type) | `EC2` or `ELB`. Controls how health checking is done | `string` | `null` | no |
+| [hibernation\_options](#input\_hibernation\_options) | The hibernation options for the instance | `map(string)` | `null` | no |
+| [iam\_instance\_profile\_arn](#input\_iam\_instance\_profile\_arn) | Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false` | `string` | `null` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_attach\_cni\_policy](#input\_iam\_role\_attach\_cni\_policy) | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether cluster IAM role name (`iam_role_name`) is used as a prefix | `string` | `true` | no |
+| [initial\_lifecycle\_hooks](#input\_initial\_lifecycle\_hooks) | One or more Lifecycle Hooks to attach to the Auto Scaling Group before instances are launched. The syntax is exactly the same as the separate `aws_autoscaling_lifecycle_hook` resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource | `list(map(string))` | `[]` | no |
+| [instance\_initiated\_shutdown\_behavior](#input\_instance\_initiated\_shutdown\_behavior) | Shutdown behavior for the instance. Can be `stop` or `terminate`. (Default: `stop`) | `string` | `null` | no |
+| [instance\_market\_options](#input\_instance\_market\_options) | The market (purchasing) option for the instance | `any` | `null` | no |
+| [instance\_refresh](#input\_instance\_refresh) | If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated | `any` | `null` | no |
+| [instance\_type](#input\_instance\_type) | The type of the instance to launch | `string` | `""` | no |
+| [kernel\_id](#input\_kernel\_id) | The kernel ID | `string` | `null` | no |
+| [key\_name](#input\_key\_name) | The key name that should be used for the instance | `string` | `null` | no |
+| [launch\_template\_default\_version](#input\_launch\_template\_default\_version) | Default Version of the launch template | `string` | `null` | no |
+| [launch\_template\_description](#input\_launch\_template\_description) | Description of the launch template | `string` | `null` | no |
+| [launch\_template\_name](#input\_launch\_template\_name) | Launch template name - either to be created (`var.create_launch_template` = `true`) or existing (`var.create_launch_template` = `false`) | `string` | `null` | no |
+| [launch\_template\_use\_name\_prefix](#input\_launch\_template\_use\_name\_prefix) | Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix | `bool` | `true` | no |
+| [launch\_template\_version](#input\_launch\_template\_version) | Launch template version. Can be version number, `$Latest`, or `$Default` | `string` | `null` | no |
+| [license\_specifications](#input\_license\_specifications) | A list of license specifications to associate with | `map(string)` | `null` | no |
+| [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
+| [max\_size](#input\_max\_size) | The maximum size of the autoscaling group | `number` | `3` | no |
+| [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | `map(string)` | {
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required"
} | no |
+| [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is `1Minute` | `string` | `null` | no |
+| [min\_elb\_capacity](#input\_min\_elb\_capacity) | Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes | `number` | `null` | no |
+| [min\_size](#input\_min\_size) | The minimum size of the autoscaling group | `number` | `0` | no |
+| [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | Configuration block containing settings to define launch targets for Auto Scaling groups | `any` | `null` | no |
+| [name](#input\_name) | Name of the Self managed Node Group | `string` | `""` | no |
+| [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | `list(any)` | `[]` | no |
+| [placement](#input\_placement) | The placement of the instance | `map(string)` | `null` | no |
+| [placement\_group](#input\_placement\_group) | The name of the placement group into which you'll launch your instances, if any | `string` | `null` | no |
+| [platform](#input\_platform) | Identifies if the OS platform is `bottlerocket`, `linux`, or `windows` based | `string` | `"linux"` | no |
+| [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
+| [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
+| [propagate\_tags](#input\_propagate\_tags) | A list of tag blocks. Each element should have keys named `key`, `value`, and `propagate_at_launch` | `list(map(string))` | `[]` | no |
+| [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events. | `bool` | `false` | no |
+| [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
+| [schedules](#input\_schedules) | Map of autoscaling group schedule to create | `map(any)` | `{}` | no |
+| [security\_group\_description](#input\_security\_group\_description) | Description for the security group created | `string` | `"EKS self-managed node group security group"` | no |
+| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
+| [security\_group\_rules](#input\_security\_group\_rules) | List of security group rules to add to the security group created | `any` | `{}` | no |
+| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
+| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `string` | `true` | no |
+| [service\_linked\_role\_arn](#input\_service\_linked\_role\_arn) | The ARN of the service-linked role that the ASG will use to call other AWS services | `string` | `null` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with `availability_zones` | `list(string)` | `null` | no |
+| [suspended\_processes](#input\_suspended\_processes) | A list of processes to suspend for the Auto Scaling Group. The allowed values are `Launch`, `Terminate`, `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, `ScheduledActions`, `AddToLoadBalancer`. Note that if you suspend either the `Launch` or `Terminate` process types, it can prevent your Auto Scaling Group from functioning properly | `list(string)` | `null` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [target\_group\_arns](#input\_target\_group\_arns) | A set of `aws_alb_target_group` ARNs, for use with Application or Network Load Balancing | `list(string)` | `[]` | no |
+| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `OldestLaunchTemplate`, `AllocationStrategy`, `Default` | `list(string)` | `null` | no |
+| [update\_launch\_template\_default\_version](#input\_update\_launch\_template\_default\_version) | Whether to update Default Version each update. Conflicts with `launch_template_default_version` | `bool` | `true` | no |
+| [use\_mixed\_instances\_policy](#input\_use\_mixed\_instances\_policy) | Determines whether to use a mixed instances policy in the autoscaling group or not | `bool` | `false` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix | `bool` | `true` | no |
+| [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | ID of the VPC where the security group/nodes will be provisioned | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group IDs to associate | `list(string)` | `[]` | no |
+| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior. | `string` | `null` | no |
+| [wait\_for\_elb\_capacity](#input\_wait\_for\_elb\_capacity) | Setting this will cause Terraform to wait for exactly this number of healthy instances in all attached load balancers on both create and update operations. Takes precedence over `min_elb_capacity` behavior. | `number` | `null` | no |
+| [warm\_pool](#input\_warm\_pool) | If this block is configured, add a Warm Pool to the specified Auto Scaling group | `any` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [autoscaling\_group\_arn](#output\_autoscaling\_group\_arn) | The ARN for this autoscaling group |
+| [autoscaling\_group\_availability\_zones](#output\_autoscaling\_group\_availability\_zones) | The availability zones of the autoscaling group |
+| [autoscaling\_group\_default\_cooldown](#output\_autoscaling\_group\_default\_cooldown) | Time between a scaling activity and the succeeding scaling activity |
+| [autoscaling\_group\_desired\_capacity](#output\_autoscaling\_group\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the group |
+| [autoscaling\_group\_health\_check\_grace\_period](#output\_autoscaling\_group\_health\_check\_grace\_period) | Time after instance comes into service before checking health |
+| [autoscaling\_group\_health\_check\_type](#output\_autoscaling\_group\_health\_check\_type) | EC2 or ELB. Controls how health checking is done |
+| [autoscaling\_group\_id](#output\_autoscaling\_group\_id) | The autoscaling group id |
+| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscaling group |
+| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscaling group |
+| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The autoscaling group name |
+| [autoscaling\_group\_schedule\_arns](#output\_autoscaling\_group\_schedule\_arns) | ARNs of autoscaling group schedules |
+| [autoscaling\_group\_vpc\_zone\_identifier](#output\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
+| [iam\_instance\_profile\_arn](#output\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [iam\_instance\_profile\_id](#output\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [iam\_instance\_profile\_unique](#output\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
+| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
+| [launch\_template\_latest\_version](#output\_launch\_template\_latest\_version) | The latest version of the launch template |
+| [platform](#output\_platform) | Identifies if the OS platform is `bottlerocket`, `linux`, or `windows` based |
+| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
+
diff --git a/modules/self-managed-node-group/main.tf b/modules/self-managed-node-group/main.tf
new file mode 100644
index 0000000000..2acaa3d199
--- /dev/null
+++ b/modules/self-managed-node-group/main.tf
@@ -0,0 +1,554 @@
+data "aws_partition" "current" {}
+
+data "aws_ami" "eks_default" {
+ count = var.create ? 1 : 0
+
+ filter {
+ name = "name"
+ values = ["amazon-eks-node-${var.cluster_version}-v*"]
+ }
+
+ most_recent = true
+ owners = ["amazon"]
+}
+
+################################################################################
+# User Data
+################################################################################
+
+module "user_data" {
+ source = "../_user_data"
+
+ create = var.create
+ platform = var.platform
+ is_eks_managed_node_group = false
+
+ cluster_name = var.cluster_name
+ cluster_endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+
+ enable_bootstrap_user_data = true
+ pre_bootstrap_user_data = var.pre_bootstrap_user_data
+ post_bootstrap_user_data = var.post_bootstrap_user_data
+ bootstrap_extra_args = var.bootstrap_extra_args
+ user_data_template_path = var.user_data_template_path
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+locals {
+ launch_template_name_int = coalesce(var.launch_template_name, "${var.name}-node-group")
+}
+
+resource "aws_launch_template" "this" {
+ count = var.create && var.create_launch_template ? 1 : 0
+
+ name = var.launch_template_use_name_prefix ? null : local.launch_template_name_int
+ name_prefix = var.launch_template_use_name_prefix ? "${local.launch_template_name_int}-" : null
+ description = var.launch_template_description
+
+ ebs_optimized = var.ebs_optimized
+ image_id = coalesce(var.ami_id, data.aws_ami.eks_default[0].image_id)
+ instance_type = var.instance_type
+ key_name = var.key_name
+ user_data = module.user_data.user_data
+
+ vpc_security_group_ids = compact(concat([try(aws_security_group.this[0].id, "")], var.vpc_security_group_ids))
+
+ default_version = var.launch_template_default_version
+ update_default_version = var.update_launch_template_default_version
+ disable_api_termination = var.disable_api_termination
+ instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
+ kernel_id = var.kernel_id
+ ram_disk_id = var.ram_disk_id
+
+ dynamic "block_device_mappings" {
+ for_each = var.block_device_mappings
+ content {
+ device_name = block_device_mappings.value.device_name
+ no_device = lookup(block_device_mappings.value, "no_device", null)
+ virtual_name = lookup(block_device_mappings.value, "virtual_name", null)
+
+ dynamic "ebs" {
+ for_each = flatten([lookup(block_device_mappings.value, "ebs", [])])
+ content {
+ delete_on_termination = lookup(ebs.value, "delete_on_termination", null)
+ encrypted = lookup(ebs.value, "encrypted", null)
+ kms_key_id = lookup(ebs.value, "kms_key_id", null)
+ iops = lookup(ebs.value, "iops", null)
+ throughput = lookup(ebs.value, "throughput", null)
+ snapshot_id = lookup(ebs.value, "snapshot_id", null)
+ volume_size = lookup(ebs.value, "volume_size", null)
+ volume_type = lookup(ebs.value, "volume_type", null)
+ }
+ }
+ }
+ }
+
+ dynamic "capacity_reservation_specification" {
+ for_each = var.capacity_reservation_specification != null ? [var.capacity_reservation_specification] : []
+ content {
+ capacity_reservation_preference = lookup(capacity_reservation_specification.value, "capacity_reservation_preference", null)
+
+ dynamic "capacity_reservation_target" {
+ for_each = lookup(capacity_reservation_specification.value, "capacity_reservation_target", [])
+ content {
+ capacity_reservation_id = lookup(capacity_reservation_target.value, "capacity_reservation_id", null)
+ }
+ }
+ }
+ }
+
+ dynamic "cpu_options" {
+ for_each = var.cpu_options != null ? [var.cpu_options] : []
+ content {
+ core_count = cpu_options.value.core_count
+ threads_per_core = cpu_options.value.threads_per_core
+ }
+ }
+
+ dynamic "credit_specification" {
+ for_each = var.credit_specification != null ? [var.credit_specification] : []
+ content {
+ cpu_credits = credit_specification.value.cpu_credits
+ }
+ }
+
+ dynamic "elastic_gpu_specifications" {
+ for_each = var.elastic_gpu_specifications != null ? [var.elastic_gpu_specifications] : []
+ content {
+ type = elastic_gpu_specifications.value.type
+ }
+ }
+
+ dynamic "elastic_inference_accelerator" {
+ for_each = var.elastic_inference_accelerator != null ? [var.elastic_inference_accelerator] : []
+ content {
+ type = elastic_inference_accelerator.value.type
+ }
+ }
+
+ dynamic "enclave_options" {
+ for_each = var.enclave_options != null ? [var.enclave_options] : []
+ content {
+ enabled = enclave_options.value.enabled
+ }
+ }
+
+ dynamic "hibernation_options" {
+ for_each = var.hibernation_options != null ? [var.hibernation_options] : []
+ content {
+ configured = hibernation_options.value.configured
+ }
+ }
+
+ iam_instance_profile {
+ arn = var.create_iam_instance_profile ? aws_iam_instance_profile.this[0].arn : var.iam_instance_profile_arn
+ }
+
+ dynamic "instance_market_options" {
+ for_each = var.instance_market_options != null ? [var.instance_market_options] : []
+ content {
+ market_type = instance_market_options.value.market_type
+
+ dynamic "spot_options" {
+ for_each = lookup(instance_market_options.value, "spot_options", null) != null ? [instance_market_options.value.spot_options] : []
+ content {
+ block_duration_minutes = spot_options.value.block_duration_minutes
+ instance_interruption_behavior = lookup(spot_options.value, "instance_interruption_behavior", null)
+ max_price = lookup(spot_options.value, "max_price", null)
+ spot_instance_type = lookup(spot_options.value, "spot_instance_type", null)
+ valid_until = lookup(spot_options.value, "valid_until", null)
+ }
+ }
+ }
+ }
+
+ dynamic "license_specification" {
+ for_each = var.license_specifications != null ? [var.license_specifications] : []
+ content {
+ license_configuration_arn = license_specifications.value.license_configuration_arn
+ }
+ }
+
+ dynamic "metadata_options" {
+ for_each = var.metadata_options != null ? [var.metadata_options] : []
+ content {
+ http_endpoint = lookup(metadata_options.value, "http_endpoint", null)
+ http_tokens = lookup(metadata_options.value, "http_tokens", null)
+ http_put_response_hop_limit = lookup(metadata_options.value, "http_put_response_hop_limit", null)
+ http_protocol_ipv6 = lookup(metadata_options.value, "http_protocol_ipv6", null)
+ }
+ }
+
+ dynamic "monitoring" {
+ for_each = var.enable_monitoring != null ? [1] : []
+ content {
+ enabled = var.enable_monitoring
+ }
+ }
+
+ dynamic "network_interfaces" {
+ for_each = var.network_interfaces
+ content {
+ associate_carrier_ip_address = lookup(network_interfaces.value, "associate_carrier_ip_address", null)
+ associate_public_ip_address = lookup(network_interfaces.value, "associate_public_ip_address", null)
+ delete_on_termination = lookup(network_interfaces.value, "delete_on_termination", null)
+ description = lookup(network_interfaces.value, "description", null)
+ device_index = lookup(network_interfaces.value, "device_index", null)
+ ipv4_addresses = lookup(network_interfaces.value, "ipv4_addresses", null) != null ? network_interfaces.value.ipv4_addresses : []
+ ipv4_address_count = lookup(network_interfaces.value, "ipv4_address_count", null)
+ ipv6_addresses = lookup(network_interfaces.value, "ipv6_addresses", null) != null ? network_interfaces.value.ipv6_addresses : []
+ ipv6_address_count = lookup(network_interfaces.value, "ipv6_address_count", null)
+ network_interface_id = lookup(network_interfaces.value, "network_interface_id", null)
+ private_ip_address = lookup(network_interfaces.value, "private_ip_address", null)
+ security_groups = lookup(network_interfaces.value, "security_groups", null) != null ? network_interfaces.value.security_groups : []
+ subnet_id = lookup(network_interfaces.value, "subnet_id", null)
+ }
+ }
+
+ dynamic "placement" {
+ for_each = var.placement != null ? [var.placement] : []
+ content {
+ affinity = lookup(placement.value, "affinity", null)
+ availability_zone = lookup(placement.value, "availability_zone", null)
+ group_name = lookup(placement.value, "group_name", null)
+ host_id = lookup(placement.value, "host_id", null)
+ spread_domain = lookup(placement.value, "spread_domain", null)
+ tenancy = lookup(placement.value, "tenancy", null)
+ partition_number = lookup(placement.value, "partition_number", null)
+ }
+ }
+
+ dynamic "tag_specifications" {
+ for_each = toset(["instance", "volume", "network-interface"])
+ content {
+ resource_type = tag_specifications.key
+ tags = merge(var.tags, { Name = var.name })
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ # Prevent premature access of security group roles and policies by pods that
+ # require permissions on create/destroy that depend on nodes
+ depends_on = [
+ aws_security_group_rule.this,
+ aws_iam_role_policy_attachment.this,
+ ]
+
+ tags = var.tags
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+locals {
+ launch_template_name = try(aws_launch_template.this[0].name, var.launch_template_name)
+ # Change order to allow users to set version priority before using defaults
+ launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
+}
+
+resource "aws_autoscaling_group" "this" {
+ count = var.create ? 1 : 0
+
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ dynamic "launch_template" {
+ for_each = var.use_mixed_instances_policy ? [] : [1]
+
+ content {
+ name = local.launch_template_name
+ version = local.launch_template_version
+ }
+ }
+
+ availability_zones = var.availability_zones
+ vpc_zone_identifier = var.subnet_ids
+
+ min_size = var.min_size
+ max_size = var.max_size
+ desired_capacity = var.desired_size
+ capacity_rebalance = var.capacity_rebalance
+ min_elb_capacity = var.min_elb_capacity
+ wait_for_elb_capacity = var.wait_for_elb_capacity
+ wait_for_capacity_timeout = var.wait_for_capacity_timeout
+ default_cooldown = var.default_cooldown
+ protect_from_scale_in = var.protect_from_scale_in
+
+ target_group_arns = var.target_group_arns
+ placement_group = var.placement_group
+ health_check_type = var.health_check_type
+ health_check_grace_period = var.health_check_grace_period
+
+ force_delete = var.force_delete
+ termination_policies = var.termination_policies
+ suspended_processes = var.suspended_processes
+ max_instance_lifetime = var.max_instance_lifetime
+
+ enabled_metrics = var.enabled_metrics
+ metrics_granularity = var.metrics_granularity
+ service_linked_role_arn = var.service_linked_role_arn
+
+ dynamic "initial_lifecycle_hook" {
+ for_each = var.initial_lifecycle_hooks
+ content {
+ name = initial_lifecycle_hook.value.name
+ default_result = lookup(initial_lifecycle_hook.value, "default_result", null)
+ heartbeat_timeout = lookup(initial_lifecycle_hook.value, "heartbeat_timeout", null)
+ lifecycle_transition = initial_lifecycle_hook.value.lifecycle_transition
+ notification_metadata = lookup(initial_lifecycle_hook.value, "notification_metadata", null)
+ notification_target_arn = lookup(initial_lifecycle_hook.value, "notification_target_arn", null)
+ role_arn = lookup(initial_lifecycle_hook.value, "role_arn", null)
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = var.instance_refresh != null ? [var.instance_refresh] : []
+ content {
+ strategy = instance_refresh.value.strategy
+ triggers = lookup(instance_refresh.value, "triggers", null)
+
+ dynamic "preferences" {
+ for_each = lookup(instance_refresh.value, "preferences", null) != null ? [instance_refresh.value.preferences] : []
+ content {
+ instance_warmup = lookup(preferences.value, "instance_warmup", null)
+ min_healthy_percentage = lookup(preferences.value, "min_healthy_percentage", null)
+ checkpoint_delay = lookup(preferences.value, "checkpoint_delay", null)
+ checkpoint_percentages = lookup(preferences.value, "checkpoint_percentages", null)
+ }
+ }
+ }
+ }
+
+ dynamic "mixed_instances_policy" {
+ for_each = var.use_mixed_instances_policy ? [var.mixed_instances_policy] : []
+ content {
+ dynamic "instances_distribution" {
+ for_each = try([mixed_instances_policy.value.instances_distribution], [])
+ content {
+ on_demand_allocation_strategy = lookup(instances_distribution.value, "on_demand_allocation_strategy", null)
+ on_demand_base_capacity = lookup(instances_distribution.value, "on_demand_base_capacity", null)
+ on_demand_percentage_above_base_capacity = lookup(instances_distribution.value, "on_demand_percentage_above_base_capacity", null)
+ spot_allocation_strategy = lookup(instances_distribution.value, "spot_allocation_strategy", null)
+ spot_instance_pools = lookup(instances_distribution.value, "spot_instance_pools", null)
+ spot_max_price = lookup(instances_distribution.value, "spot_max_price", null)
+ }
+ }
+
+ launch_template {
+ launch_template_specification {
+ launch_template_name = local.launch_template_name
+ version = local.launch_template_version
+ }
+
+ dynamic "override" {
+ for_each = try(mixed_instances_policy.value.override, [])
+ content {
+ instance_type = lookup(override.value, "instance_type", null)
+ weighted_capacity = lookup(override.value, "weighted_capacity", null)
+
+ dynamic "launch_template_specification" {
+ for_each = lookup(override.value, "launch_template_specification", null) != null ? override.value.launch_template_specification : []
+ content {
+ launch_template_id = lookup(launch_template_specification.value, "launch_template_id", null)
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "warm_pool" {
+ for_each = var.warm_pool != null ? [var.warm_pool] : []
+ content {
+ pool_state = lookup(warm_pool.value, "pool_state", null)
+ min_size = lookup(warm_pool.value, "min_size", null)
+ max_group_prepared_capacity = lookup(warm_pool.value, "max_group_prepared_capacity", null)
+ }
+ }
+
+ timeouts {
+ delete = var.delete_timeout
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [
+ desired_capacity
+ ]
+ }
+
+ tags = concat(
+ [
+ {
+ key = "Name"
+ value = var.name
+ propagate_at_launch = true
+ },
+ {
+ key = "kubernetes.io/cluster/${var.cluster_name}"
+ value = "owned"
+ propagate_at_launch = true
+ },
+ {
+ key = "k8s.io/cluster/${var.cluster_name}"
+ value = "owned"
+ propagate_at_launch = true
+ },
+ ],
+ var.propagate_tags,
+ [for k, v in var.tags :
+ {
+ key = k
+ value = v
+ propagate_at_launch = true
+ }
+ ]
+ )
+}
+
+################################################################################
+# Autoscaling group schedule
+################################################################################
+
+resource "aws_autoscaling_schedule" "this" {
+ for_each = var.create && var.create_schedule ? var.schedules : {}
+
+ scheduled_action_name = each.key
+ autoscaling_group_name = aws_autoscaling_group.this[0].name
+
+ min_size = lookup(each.value, "min_size", null)
+ max_size = lookup(each.value, "max_size", null)
+ desired_capacity = lookup(each.value, "desired_size", null)
+ start_time = lookup(each.value, "start_time", null)
+ end_time = lookup(each.value, "end_time", null)
+ time_zone = lookup(each.value, "time_zone", null)
+
+ # [Minute] [Hour] [Day_of_Month] [Month_of_Year] [Day_of_Week]
+ # Cron examples: https://crontab.guru/examples.html
+ recurrence = lookup(each.value, "recurrence", null)
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+locals {
+ security_group_name = coalesce(var.security_group_name, "${var.name}-node-group")
+ create_security_group = var.create && var.create_security_group
+}
+
+resource "aws_security_group" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ name = var.security_group_use_name_prefix ? null : local.security_group_name
+ name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
+ description = var.security_group_description
+ vpc_id = var.vpc_id
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = local.security_group_name
+ "kubernetes.io/cluster/${var.cluster_name}" = "owned"
+ },
+ var.security_group_tags
+ )
+}
+
+resource "aws_security_group_rule" "this" {
+ for_each = { for k, v in var.security_group_rules : k => v if local.create_security_group }
+
+ # Required
+ security_group_id = aws_security_group.this[0].id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+
+ # Optional
+ description = try(each.value.description, null)
+ cidr_blocks = try(each.value.cidr_blocks, null)
+ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
+ prefix_list_ids = try(each.value.prefix_list_ids, [])
+ self = try(each.value.self, null)
+ source_security_group_id = try(
+ each.value.source_security_group_id,
+ try(each.value.source_cluster_security_group, false) ? var.cluster_security_group_id : null
+ )
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+locals {
+ iam_role_name = coalesce(var.iam_role_name, "${var.name}-node-group")
+
+ iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = var.create && var.create_iam_instance_profile ? 1 : 0
+
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = var.create && var.create_iam_instance_profile ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = var.create && var.create_iam_instance_profile ? toset(compact(distinct(concat([
+ "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy",
+ "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly",
+ var.iam_role_attach_cni_policy ? "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy" : "",
+ ], var.iam_role_additional_policies)))) : toset([])
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+# Only self-managed node group requires instance profile
+resource "aws_iam_instance_profile" "this" {
+ count = var.create && var.create_iam_instance_profile ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
diff --git a/modules/self-managed-node-group/outputs.tf b/modules/self-managed-node-group/outputs.tf
new file mode 100644
index 0000000000..983c92a80c
--- /dev/null
+++ b/modules/self-managed-node-group/outputs.tf
@@ -0,0 +1,147 @@
+################################################################################
+# Launch template
+################################################################################
+
+output "launch_template_id" {
+ description = "The ID of the launch template"
+ value = try(aws_launch_template.this[0].id, "")
+}
+
+output "launch_template_arn" {
+ description = "The ARN of the launch template"
+ value = try(aws_launch_template.this[0].arn, "")
+}
+
+output "launch_template_latest_version" {
+ description = "The latest version of the launch template"
+ value = try(aws_launch_template.this[0].latest_version, "")
+}
+
+################################################################################
+# autoscaling group
+################################################################################
+
+output "autoscaling_group_arn" {
+ description = "The ARN for this autoscaling group"
+ value = try(aws_autoscaling_group.this[0].arn, "")
+}
+
+output "autoscaling_group_id" {
+ description = "The autoscaling group id"
+ value = try(aws_autoscaling_group.this[0].id, "")
+}
+
+output "autoscaling_group_name" {
+ description = "The autoscaling group name"
+ value = try(aws_autoscaling_group.this[0].name, "")
+}
+
+output "autoscaling_group_min_size" {
+ description = "The minimum size of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].min_size, "")
+}
+
+output "autoscaling_group_max_size" {
+ description = "The maximum size of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].max_size, "")
+}
+
+output "autoscaling_group_desired_capacity" {
+ description = "The number of Amazon EC2 instances that should be running in the group"
+ value = try(aws_autoscaling_group.this[0].desired_capacity, "")
+}
+
+output "autoscaling_group_default_cooldown" {
+ description = "Time between a scaling activity and the succeeding scaling activity"
+ value = try(aws_autoscaling_group.this[0].default_cooldown, "")
+}
+
+output "autoscaling_group_health_check_grace_period" {
+ description = "Time after instance comes into service before checking health"
+ value = try(aws_autoscaling_group.this[0].health_check_grace_period, "")
+}
+
+output "autoscaling_group_health_check_type" {
+ description = "EC2 or ELB. Controls how health checking is done"
+ value = try(aws_autoscaling_group.this[0].health_check_type, "")
+}
+
+output "autoscaling_group_availability_zones" {
+ description = "The availability zones of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].availability_zones, "")
+}
+
+output "autoscaling_group_vpc_zone_identifier" {
+ description = "The VPC zone identifier"
+ value = try(aws_autoscaling_group.this[0].vpc_zone_identifier, "")
+}
+
+################################################################################
+# autoscaling group schedule
+################################################################################
+
+output "autoscaling_group_schedule_arns" {
+ description = "ARNs of autoscaling group schedules"
+ value = { for k, v in aws_autoscaling_schedule.this : k => v.arn }
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+output "security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the security group"
+ value = try(aws_security_group.this[0].arn, "")
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = try(aws_security_group.this[0].id, "")
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, "")
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, "")
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, "")
+}
+
+################################################################################
+# IAM Instance Profile
+################################################################################
+
+output "iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = try(aws_iam_instance_profile.this[0].arn, "")
+}
+
+output "iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = try(aws_iam_instance_profile.this[0].id, "")
+}
+
+output "iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = try(aws_iam_instance_profile.this[0].unique_id, "")
+}
+
+################################################################################
+# Additional
+################################################################################
+
+output "platform" {
+ description = "Identifies if the OS platform is `bottlerocket`, `linux`, or `windows` based"
+ value = var.platform
+}
diff --git a/modules/self-managed-node-group/variables.tf b/modules/self-managed-node-group/variables.tf
new file mode 100644
index 0000000000..d5fe48dec5
--- /dev/null
+++ b/modules/self-managed-node-group/variables.tf
@@ -0,0 +1,579 @@
+variable "create" {
+ description = "Determines whether to create self managed node group or not"
+ type = bool
+ default = true
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "platform" {
+ description = "Identifies if the OS platform is `bottlerocket`, `linux`, or `windows` based"
+ type = string
+ default = "linux"
+}
+
+################################################################################
+# User Data
+################################################################################
+
+variable "cluster_name" {
+ description = "Name of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_endpoint" {
+ description = "Endpoint of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_auth_base64" {
+ description = "Base64 encoded CA of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "pre_bootstrap_user_data" {
+ description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
+ type = string
+ default = ""
+}
+
+variable "post_bootstrap_user_data" {
+ description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
+ type = string
+ default = ""
+}
+
+variable "bootstrap_extra_args" {
+ description = "Additional arguments passed to the bootstrap script. When `platform` = `bottlerocket`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
+ type = string
+ default = ""
+}
+
+variable "user_data_template_path" {
+ description = "Path to a local, custom user data template file to use when rendering user data"
+ type = string
+ default = ""
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+variable "create_launch_template" {
+ description = "Determines whether to create launch template or not"
+ type = bool
+ default = true
+}
+
+variable "launch_template_name" {
+ description = "Launch template name - either to be created (`var.create_launch_template` = `true`) or existing (`var.create_launch_template` = `false`)"
+ type = string
+ default = null
+}
+
+variable "launch_template_use_name_prefix" {
+ description = "Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix"
+ type = bool
+ default = true
+}
+
+variable "launch_template_description" {
+ description = "Description of the launch template"
+ type = string
+ default = null
+}
+
+variable "launch_template_default_version" {
+ description = "Default Version of the launch template"
+ type = string
+ default = null
+}
+
+variable "update_launch_template_default_version" {
+ description = "Whether to update Default Version each update. Conflicts with `launch_template_default_version`"
+ type = bool
+ default = true
+}
+
+variable "disable_api_termination" {
+ description = "If true, enables EC2 instance termination protection"
+ type = bool
+ default = null
+}
+
+variable "instance_initiated_shutdown_behavior" {
+ description = "Shutdown behavior for the instance. Can be `stop` or `terminate`. (Default: `stop`)"
+ type = string
+ default = null
+}
+
+variable "kernel_id" {
+ description = "The kernel ID"
+ type = string
+ default = null
+}
+
+variable "ram_disk_id" {
+ description = "The ID of the ram disk"
+ type = string
+ default = null
+}
+
+variable "block_device_mappings" {
+ description = "Specify volumes to attach to the instance besides the volumes specified by the AMI"
+ type = any
+ default = {}
+}
+
+variable "capacity_reservation_specification" {
+ description = "Targeting for EC2 capacity reservations"
+ type = any
+ default = null
+}
+
+variable "cpu_options" {
+ description = "The CPU options for the instance"
+ type = map(string)
+ default = null
+}
+
+variable "credit_specification" {
+ description = "Customize the credit specification of the instance"
+ type = map(string)
+ default = null
+}
+
+variable "elastic_gpu_specifications" {
+ description = "The elastic GPU to attach to the instance"
+ type = map(string)
+ default = null
+}
+
+variable "elastic_inference_accelerator" {
+ description = "Configuration block containing an Elastic Inference Accelerator to attach to the instance"
+ type = map(string)
+ default = null
+}
+
+variable "enclave_options" {
+ description = "Enable Nitro Enclaves on launched instances"
+ type = map(string)
+ default = null
+}
+
+variable "hibernation_options" {
+ description = "The hibernation options for the instance"
+ type = map(string)
+ default = null
+}
+
+variable "instance_market_options" {
+ description = "The market (purchasing) option for the instance"
+ type = any
+ default = null
+}
+
+variable "license_specifications" {
+ description = "A list of license specifications to associate with"
+ type = map(string)
+ default = null
+}
+
+variable "network_interfaces" {
+ description = "Customize network interfaces to be attached at instance boot time"
+ type = list(any)
+ default = []
+}
+
+variable "placement" {
+ description = "The placement of the instance"
+ type = map(string)
+ default = null
+}
+
+variable "ebs_optimized" {
+ description = "If true, the launched EC2 instance will be EBS-optimized"
+ type = bool
+ default = null
+}
+
+variable "ami_id" {
+ description = "The AMI from which to launch the instance"
+ type = string
+ default = ""
+}
+
+variable "cluster_version" {
+ description = "Kubernetes cluster version - used to lookup default AMI ID if one is not provided"
+ type = string
+ default = null
+}
+
+variable "instance_type" {
+ description = "The type of the instance to launch"
+ type = string
+ default = ""
+}
+
+variable "key_name" {
+ description = "The key name that should be used for the instance"
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "A list of security group IDs to associate"
+ type = list(string)
+ default = []
+}
+
+variable "enable_monitoring" {
+ description = "Enables/disables detailed monitoring"
+ type = bool
+ default = true
+}
+
+variable "metadata_options" {
+ description = "Customize the metadata options for the instance"
+ type = map(string)
+ default = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ }
+}
+
+################################################################################
+# Autoscaling group
+################################################################################
+
+variable "name" {
+ description = "Name of the Self managed Node Group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix"
+ type = bool
+ default = true
+}
+
+variable "launch_template_version" {
+ description = "Launch template version. Can be version number, `$Latest`, or `$Default`"
+ type = string
+ default = null
+}
+
+variable "availability_zones" {
+ description = "A list of one or more availability zones for the group. Used for EC2-Classic and default subnets when not specified with `subnet_ids` argument. Conflicts with `subnet_ids`"
+ type = list(string)
+ default = null
+}
+
+variable "subnet_ids" {
+ description = "A list of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with `availability_zones`"
+ type = list(string)
+ default = null
+}
+
+variable "min_size" {
+ description = "The minimum size of the autoscaling group"
+ type = number
+ default = 0
+}
+
+variable "max_size" {
+ description = "The maximum size of the autoscaling group"
+ type = number
+ default = 3
+}
+
+variable "desired_size" {
+ description = "The number of Amazon EC2 instances that should be running in the autoscaling group"
+ type = number
+ default = 1
+}
+
+variable "capacity_rebalance" {
+ description = "Indicates whether capacity rebalance is enabled"
+ type = bool
+ default = null
+}
+
+variable "min_elb_capacity" {
+ description = "Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes"
+ type = number
+ default = null
+}
+
+variable "wait_for_elb_capacity" {
+ description = "Setting this will cause Terraform to wait for exactly this number of healthy instances in all attached load balancers on both create and update operations. Takes precedence over `min_elb_capacity` behavior."
+ type = number
+ default = null
+}
+
+variable "wait_for_capacity_timeout" {
+ description = "A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior."
+ type = string
+ default = null
+}
+
+variable "default_cooldown" {
+ description = "The amount of time, in seconds, after a scaling activity completes before another scaling activity can start"
+ type = number
+ default = null
+}
+
+variable "protect_from_scale_in" {
+ description = "Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events."
+ type = bool
+ default = false
+}
+
+variable "target_group_arns" {
+ description = "A set of `aws_alb_target_group` ARNs, for use with Application or Network Load Balancing"
+ type = list(string)
+ default = []
+}
+
+variable "placement_group" {
+ description = "The name of the placement group into which you'll launch your instances, if any"
+ type = string
+ default = null
+}
+
+variable "health_check_type" {
+ description = "`EC2` or `ELB`. Controls how health checking is done"
+ type = string
+ default = null
+}
+
+variable "health_check_grace_period" {
+ description = "Time (in seconds) after instance comes into service before checking health"
+ type = number
+ default = null
+}
+
+variable "force_delete" {
+ description = "Allows deleting the Auto Scaling Group without waiting for all instances in the pool to terminate. You can force an Auto Scaling Group to delete even if it's in the process of scaling a resource. Normally, Terraform drains all the instances before deleting the group. This bypasses that behavior and potentially leaves resources dangling"
+ type = bool
+ default = null
+}
+
+variable "termination_policies" {
+ description = "A list of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `OldestLaunchTemplate`, `AllocationStrategy`, `Default`"
+ type = list(string)
+ default = null
+}
+
+variable "suspended_processes" {
+ description = "A list of processes to suspend for the Auto Scaling Group. The allowed values are `Launch`, `Terminate`, `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, `ScheduledActions`, `AddToLoadBalancer`. Note that if you suspend either the `Launch` or `Terminate` process types, it can prevent your Auto Scaling Group from functioning properly"
+ type = list(string)
+ default = null
+}
+
+variable "max_instance_lifetime" {
+ description = "The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds"
+ type = number
+ default = null
+}
+
+variable "enabled_metrics" {
+ description = "A list of metrics to collect. The allowed values are `GroupDesiredCapacity`, `GroupInServiceCapacity`, `GroupPendingCapacity`, `GroupMinSize`, `GroupMaxSize`, `GroupInServiceInstances`, `GroupPendingInstances`, `GroupStandbyInstances`, `GroupStandbyCapacity`, `GroupTerminatingCapacity`, `GroupTerminatingInstances`, `GroupTotalCapacity`, `GroupTotalInstances`"
+ type = list(string)
+ default = null
+}
+
+variable "metrics_granularity" {
+ description = "The granularity to associate with the metrics to collect. The only valid value is `1Minute`"
+ type = string
+ default = null
+}
+
+variable "service_linked_role_arn" {
+ description = "The ARN of the service-linked role that the ASG will use to call other AWS services"
+ type = string
+ default = null
+}
+
+variable "initial_lifecycle_hooks" {
+ description = "One or more Lifecycle Hooks to attach to the Auto Scaling Group before instances are launched. The syntax is exactly the same as the separate `aws_autoscaling_lifecycle_hook` resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource"
+ type = list(map(string))
+ default = []
+}
+
+variable "instance_refresh" {
+ description = "If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated"
+ type = any
+ default = null
+}
+
+variable "use_mixed_instances_policy" {
+ description = "Determines whether to use a mixed instances policy in the autoscaling group or not"
+ type = bool
+ default = false
+}
+
+variable "mixed_instances_policy" {
+ description = "Configuration block containing settings to define launch targets for Auto Scaling groups"
+ type = any
+ default = null
+}
+
+variable "warm_pool" {
+ description = "If this block is configured, add a Warm Pool to the specified Auto Scaling group"
+ type = any
+ default = null
+}
+
+variable "delete_timeout" {
+ description = "Delete timeout to wait for destroying autoscaling group"
+ type = string
+ default = null
+}
+
+variable "propagate_tags" {
+ description = "A list of tag blocks. Each element should have keys named `key`, `value`, and `propagate_at_launch`"
+ type = list(map(string))
+ default = []
+}
+
+################################################################################
+# Autoscaling group schedule
+################################################################################
+
+variable "create_schedule" {
+ description = "Determines whether to create autoscaling group schedule or not"
+ type = bool
+ default = true
+}
+
+variable "schedules" {
+ description = "Map of autoscaling group schedule to create"
+ type = map(any)
+ default = {}
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+variable "create_security_group" {
+ description = "Determines whether to create a security group"
+ type = bool
+ default = true
+}
+
+variable "security_group_name" {
+ description = "Name to use on security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_use_name_prefix" {
+ description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "security_group_description" {
+ description = "Description for the security group created"
+ type = string
+ default = "EKS self-managed node group security group"
+}
+
+variable "vpc_id" {
+ description = "ID of the VPC where the security group/nodes will be provisioned"
+ type = string
+ default = null
+}
+
+variable "security_group_rules" {
+ description = "List of security group rules to add to the security group created"
+ type = any
+ default = {}
+}
+
+variable "cluster_security_group_id" {
+ description = "Cluster control plane security group ID"
+ type = string
+ default = null
+}
+
+variable "security_group_tags" {
+ description = "A map of additional tags to add to the security group created"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_instance_profile" {
+ description = "Determines whether an IAM instance profile is created or to use an existing IAM instance profile"
+ type = bool
+ default = true
+}
+
+variable "iam_instance_profile_arn" {
+ description = "Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether cluster IAM role name (`iam_role_name`) is used as a prefix"
+ type = string
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = null
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_attach_cni_policy" {
+ description = "Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
+ type = bool
+ default = true
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/self-managed-node-group/versions.tf b/modules/self-managed-node-group/versions.tf
new file mode 100644
index 0000000000..48492037e2
--- /dev/null
+++ b/modules/self-managed-node-group/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.64"
+ }
+ cloudinit = {
+ source = "hashicorp/cloudinit"
+ version = ">= 2.0"
+ }
+ }
+}
diff --git a/node_groups.tf b/node_groups.tf
index 531a3df480..771fa60bf8 100644
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -1,27 +1,397 @@
-module "node_groups" {
- source = "./modules/node_groups"
+locals {
+ metadata_options = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ }
+}
+
+################################################################################
+# Node Security Group
+# Defaults follow https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
+# Plus NTP/HTTPS (otherwise nodes fail to launch)
+################################################################################
+
+locals {
+ node_sg_name = coalesce(var.node_security_group_name, "${var.cluster_name}-node")
+ create_node_sg = var.create && var.create_node_security_group
+
+ node_security_group_id = local.create_node_sg ? aws_security_group.node[0].id : var.node_security_group_id
+
+ node_security_group_rules = {
+ egress_cluster_443 = {
+ description = "Node groups to cluster API"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ type = "egress"
+ source_cluster_security_group = true
+ }
+ ingress_cluster_443 = {
+ description = "Cluster API to node groups"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ ingress_cluster_kubelet = {
+ description = "Cluster API to node kubelets"
+ protocol = "tcp"
+ from_port = 10250
+ to_port = 10250
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ ingress_self_coredns_tcp = {
+ description = "Node to node CoreDNS"
+ protocol = "tcp"
+ from_port = 53
+ to_port = 53
+ type = "ingress"
+ self = true
+ }
+ egress_self_coredns_tcp = {
+ description = "Node to node CoreDNS"
+ protocol = "tcp"
+ from_port = 53
+ to_port = 53
+ type = "egress"
+ self = true
+ }
+ ingress_self_coredns_udp = {
+ description = "Node to node CoreDNS"
+ protocol = "udp"
+ from_port = 53
+ to_port = 53
+ type = "ingress"
+ self = true
+ }
+ egress_self_coredns_udp = {
+ description = "Node to node CoreDNS"
+ protocol = "udp"
+ from_port = 53
+ to_port = 53
+ type = "egress"
+ self = true
+ }
+ egress_https = {
+ description = "Egress all HTTPS to internet"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress_ntp_tcp = {
+ description = "Egress NTP/TCP to internet"
+ protocol = "tcp"
+ from_port = 123
+ to_port = 123
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress_ntp_udp = {
+ description = "Egress NTP/UDP to internet"
+ protocol = "udp"
+ from_port = 123
+ to_port = 123
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ }
+}
+
+resource "aws_security_group" "node" {
+ count = local.create_node_sg ? 1 : 0
+
+ name = var.node_security_group_use_name_prefix ? null : local.node_sg_name
+ name_prefix = var.node_security_group_use_name_prefix ? "${local.node_sg_name}-" : null
+ description = var.node_security_group_description
+ vpc_id = var.vpc_id
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = local.node_sg_name
+ "kubernetes.io/cluster/${var.cluster_name}" = "owned"
+ },
+ var.node_security_group_tags
+ )
+}
+
+resource "aws_security_group_rule" "node" {
+ for_each = { for k, v in merge(local.node_security_group_rules, var.node_security_group_additional_rules) : k => v if local.create_node_sg }
+
+ # Required
+ security_group_id = aws_security_group.node[0].id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+
+ # Optional
+ description = try(each.value.description, null)
+ cidr_blocks = try(each.value.cidr_blocks, null)
+ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
+ prefix_list_ids = try(each.value.prefix_list_ids, [])
+ self = try(each.value.self, null)
+ source_security_group_id = try(
+ each.value.source_security_group_id,
+ try(each.value.source_cluster_security_group, false) ? local.cluster_security_group_id : null
+ )
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+module "fargate_profile" {
+ source = "./modules/fargate-profile"
+
+ for_each = { for k, v in var.fargate_profiles : k => v if var.create }
+
+ # Fargate Profile
+ cluster_name = aws_eks_cluster.this[0].name
+ name = try(each.value.name, each.key)
+ subnet_ids = try(each.value.subnet_ids, var.fargate_profile_defaults.subnet_ids, var.subnet_ids)
+ selectors = try(each.value.selectors, var.fargate_profile_defaults.selectors, [])
+ timeouts = try(each.value.timeouts, var.fargate_profile_defaults.timeouts, {})
+
+ # IAM role
+ create_iam_role = try(each.value.create_iam_role, var.fargate_profile_defaults.create_iam_role, true)
+ iam_role_arn = try(each.value.iam_role_arn, var.fargate_profile_defaults.iam_role_arn, null)
+ iam_role_name = try(each.value.iam_role_name, var.fargate_profile_defaults.iam_role_name, null)
+ iam_role_use_name_prefix = try(each.value.iam_role_use_name_prefix, var.fargate_profile_defaults.iam_role_use_name_prefix, true)
+ iam_role_path = try(each.value.iam_role_path, var.fargate_profile_defaults.iam_role_path, null)
+ iam_role_description = try(each.value.iam_role_description, var.fargate_profile_defaults.iam_role_description, "Fargate profile IAM role")
+ iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.fargate_profile_defaults.iam_role_permissions_boundary, null)
+ iam_role_tags = try(each.value.iam_role_tags, var.fargate_profile_defaults.iam_role_tags, {})
+ iam_role_additional_policies = try(each.value.iam_role_additional_policies, var.fargate_profile_defaults.iam_role_additional_policies, [])
+
+ tags = merge(var.tags, try(each.value.tags, var.fargate_profile_defaults.tags, {}))
+}
+
+################################################################################
+# EKS Managed Node Group
+################################################################################
+
+module "eks_managed_node_group" {
+ source = "./modules/eks-managed-node-group"
+
+ for_each = { for k, v in var.eks_managed_node_groups : k => v if var.create }
+
+ cluster_name = aws_eks_cluster.this[0].name
+ cluster_version = try(each.value.cluster_version, var.eks_managed_node_group_defaults.cluster_version, var.cluster_version)
+ cluster_security_group_id = local.cluster_security_group_id
+
+ # EKS Managed Node Group
+ name = try(each.value.name, each.key)
+ use_name_prefix = try(each.value.use_name_prefix, var.eks_managed_node_group_defaults.use_name_prefix, true)
+
+ subnet_ids = try(each.value.subnet_ids, var.eks_managed_node_group_defaults.subnet_ids, var.subnet_ids)
+
+ min_size = try(each.value.min_size, var.eks_managed_node_group_defaults.min_size, 1)
+ max_size = try(each.value.max_size, var.eks_managed_node_group_defaults.max_size, 3)
+ desired_size = try(each.value.desired_size, var.eks_managed_node_group_defaults.desired_size, 1)
+
+ ami_id = try(each.value.ami_id, var.eks_managed_node_group_defaults.ami_id, "")
+ ami_type = try(each.value.ami_type, var.eks_managed_node_group_defaults.ami_type, null)
+ ami_release_version = try(each.value.ami_release_version, var.eks_managed_node_group_defaults.ami_release_version, null)
+
+ capacity_type = try(each.value.capacity_type, var.eks_managed_node_group_defaults.capacity_type, null)
+ disk_size = try(each.value.disk_size, var.eks_managed_node_group_defaults.disk_size, null)
+ force_update_version = try(each.value.force_update_version, var.eks_managed_node_group_defaults.force_update_version, null)
+ instance_types = try(each.value.instance_types, var.eks_managed_node_group_defaults.instance_types, null)
+ labels = try(each.value.labels, var.eks_managed_node_group_defaults.labels, null)
+
+ remote_access = try(each.value.remote_access, var.eks_managed_node_group_defaults.remote_access, {})
+ taints = try(each.value.taints, var.eks_managed_node_group_defaults.taints, {})
+ update_config = try(each.value.update_config, var.eks_managed_node_group_defaults.update_config, {})
+ timeouts = try(each.value.timeouts, var.eks_managed_node_group_defaults.timeouts, {})
+
+ # User data
+ platform = try(each.value.platform, var.eks_managed_node_group_defaults.platform, "linux")
+ cluster_endpoint = try(aws_eks_cluster.this[0].endpoint, "")
+ cluster_auth_base64 = try(aws_eks_cluster.this[0].certificate_authority[0].data, "")
+ cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
+ enable_bootstrap_user_data = try(each.value.enable_bootstrap_user_data, var.eks_managed_node_group_defaults.enable_bootstrap_user_data, false)
+ pre_bootstrap_user_data = try(each.value.pre_bootstrap_user_data, var.eks_managed_node_group_defaults.pre_bootstrap_user_data, "")
+ post_bootstrap_user_data = try(each.value.post_bootstrap_user_data, var.eks_managed_node_group_defaults.post_bootstrap_user_data, "")
+ bootstrap_extra_args = try(each.value.bootstrap_extra_args, var.eks_managed_node_group_defaults.bootstrap_extra_args, "")
+ user_data_template_path = try(each.value.user_data_template_path, var.eks_managed_node_group_defaults.user_data_template_path, "")
+
+ # Launch Template
+ create_launch_template = try(each.value.create_launch_template, var.eks_managed_node_group_defaults.create_launch_template, true)
+ launch_template_name = try(each.value.launch_template_name, each.key)
+ launch_template_use_name_prefix = try(each.value.launch_template_use_name_prefix, var.eks_managed_node_group_defaults.launch_template_use_name_prefix, true)
+ launch_template_version = try(each.value.launch_template_version, var.eks_managed_node_group_defaults.launch_template_version, null)
+ launch_template_description = try(each.value.launch_template_description, var.eks_managed_node_group_defaults.launch_template_description, "Custom launch template for ${try(each.value.name, each.key)} EKS managed node group")
+
+ ebs_optimized = try(each.value.ebs_optimized, var.eks_managed_node_group_defaults.ebs_optimized, null)
+ key_name = try(each.value.key_name, var.eks_managed_node_group_defaults.key_name, null)
+ vpc_security_group_ids = compact(concat([try(aws_security_group.node[0].id, "")], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
+ launch_template_default_version = try(each.value.launch_template_default_version, var.eks_managed_node_group_defaults.launch_template_default_version, null)
+ update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.eks_managed_node_group_defaults.update_launch_template_default_version, true)
+ disable_api_termination = try(each.value.disable_api_termination, var.eks_managed_node_group_defaults.disable_api_termination, null)
+ kernel_id = try(each.value.kernel_id, var.eks_managed_node_group_defaults.kernel_id, null)
+ ram_disk_id = try(each.value.ram_disk_id, var.eks_managed_node_group_defaults.ram_disk_id, null)
+
+ block_device_mappings = try(each.value.block_device_mappings, var.eks_managed_node_group_defaults.block_device_mappings, {})
+ capacity_reservation_specification = try(each.value.capacity_reservation_specification, var.eks_managed_node_group_defaults.capacity_reservation_specification, null)
+ cpu_options = try(each.value.cpu_options, var.eks_managed_node_group_defaults.cpu_options, null)
+ credit_specification = try(each.value.credit_specification, var.eks_managed_node_group_defaults.credit_specification, null)
+ elastic_gpu_specifications = try(each.value.elastic_gpu_specifications, var.eks_managed_node_group_defaults.elastic_gpu_specifications, null)
+ elastic_inference_accelerator = try(each.value.elastic_inference_accelerator, var.eks_managed_node_group_defaults.elastic_inference_accelerator, null)
+ enclave_options = try(each.value.enclave_options, var.eks_managed_node_group_defaults.enclave_options, null)
+ instance_market_options = try(each.value.instance_market_options, var.eks_managed_node_group_defaults.instance_market_options, null)
+ license_specifications = try(each.value.license_specifications, var.eks_managed_node_group_defaults.license_specifications, null)
+ metadata_options = try(each.value.metadata_options, var.eks_managed_node_group_defaults.metadata_options, local.metadata_options)
+ enable_monitoring = try(each.value.enable_monitoring, var.eks_managed_node_group_defaults.enable_monitoring, true)
+ network_interfaces = try(each.value.network_interfaces, var.eks_managed_node_group_defaults.network_interfaces, [])
+ placement = try(each.value.placement, var.eks_managed_node_group_defaults.placement, null)
+
+ # IAM role
+ create_iam_role = try(each.value.create_iam_role, var.eks_managed_node_group_defaults.create_iam_role, true)
+ iam_role_arn = try(each.value.iam_role_arn, var.eks_managed_node_group_defaults.iam_role_arn, null)
+ iam_role_name = try(each.value.iam_role_name, var.eks_managed_node_group_defaults.iam_role_name, null)
+ iam_role_use_name_prefix = try(each.value.iam_role_use_name_prefix, var.eks_managed_node_group_defaults.iam_role_use_name_prefix, true)
+ iam_role_path = try(each.value.iam_role_path, var.eks_managed_node_group_defaults.iam_role_path, null)
+ iam_role_description = try(each.value.iam_role_description, var.eks_managed_node_group_defaults.iam_role_description, "EKS managed node group IAM role")
+ iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.eks_managed_node_group_defaults.iam_role_permissions_boundary, null)
+ iam_role_tags = try(each.value.iam_role_tags, var.eks_managed_node_group_defaults.iam_role_tags, {})
+ iam_role_additional_policies = try(each.value.iam_role_additional_policies, var.eks_managed_node_group_defaults.iam_role_additional_policies, [])
+
+ # Security group
+ create_security_group = try(each.value.create_security_group, var.eks_managed_node_group_defaults.create_security_group, true)
+ security_group_name = try(each.value.security_group_name, var.eks_managed_node_group_defaults.security_group_name, null)
+ security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.eks_managed_node_group_defaults.security_group_use_name_prefix, true)
+ security_group_description = try(each.value.security_group_description, var.eks_managed_node_group_defaults.security_group_description, "EKS managed node group security group")
+ vpc_id = try(each.value.vpc_id, var.eks_managed_node_group_defaults.vpc_id, var.vpc_id)
+ security_group_rules = try(each.value.security_group_rules, var.eks_managed_node_group_defaults.security_group_rules, {})
+ security_group_tags = try(each.value.security_group_tags, var.eks_managed_node_group_defaults.security_group_tags, {})
+
+ tags = merge(var.tags, try(each.value.tags, var.eks_managed_node_group_defaults.tags, {}))
+}
+
+################################################################################
+# Self Managed Node Group
+################################################################################
+
+module "self_managed_node_group" {
+ source = "./modules/self-managed-node-group"
+
+ for_each = { for k, v in var.self_managed_node_groups : k => v if var.create }
+
+ cluster_name = aws_eks_cluster.this[0].name
+
+ # Autoscaling Group
+ name = try(each.value.name, each.key)
+ use_name_prefix = try(each.value.use_name_prefix, var.self_managed_node_group_defaults.use_name_prefix, true)
+
+ availability_zones = try(each.value.availability_zones, var.self_managed_node_group_defaults.availability_zones, null)
+ subnet_ids = try(each.value.subnet_ids, var.self_managed_node_group_defaults.subnet_ids, var.subnet_ids)
+
+ min_size = try(each.value.min_size, var.self_managed_node_group_defaults.min_size, 0)
+ max_size = try(each.value.max_size, var.self_managed_node_group_defaults.max_size, 3)
+ desired_size = try(each.value.desired_size, var.self_managed_node_group_defaults.desired_size, 1)
+ capacity_rebalance = try(each.value.capacity_rebalance, var.self_managed_node_group_defaults.capacity_rebalance, null)
+ min_elb_capacity = try(each.value.min_elb_capacity, var.self_managed_node_group_defaults.min_elb_capacity, null)
+ wait_for_elb_capacity = try(each.value.wait_for_elb_capacity, var.self_managed_node_group_defaults.wait_for_elb_capacity, null)
+ wait_for_capacity_timeout = try(each.value.wait_for_capacity_timeout, var.self_managed_node_group_defaults.wait_for_capacity_timeout, null)
+ default_cooldown = try(each.value.default_cooldown, var.self_managed_node_group_defaults.default_cooldown, null)
+ protect_from_scale_in = try(each.value.protect_from_scale_in, var.self_managed_node_group_defaults.protect_from_scale_in, null)
+
+ target_group_arns = try(each.value.target_group_arns, var.self_managed_node_group_defaults.target_group_arns, null)
+ placement_group = try(each.value.placement_group, var.self_managed_node_group_defaults.placement_group, null)
+ health_check_type = try(each.value.health_check_type, var.self_managed_node_group_defaults.health_check_type, null)
+ health_check_grace_period = try(each.value.health_check_grace_period, var.self_managed_node_group_defaults.health_check_grace_period, null)
+
+ force_delete = try(each.value.force_delete, var.self_managed_node_group_defaults.force_delete, null)
+ termination_policies = try(each.value.termination_policies, var.self_managed_node_group_defaults.termination_policies, null)
+ suspended_processes = try(each.value.suspended_processes, var.self_managed_node_group_defaults.suspended_processes, null)
+ max_instance_lifetime = try(each.value.max_instance_lifetime, var.self_managed_node_group_defaults.max_instance_lifetime, null)
+
+ enabled_metrics = try(each.value.enabled_metrics, var.self_managed_node_group_defaults.enabled_metrics, null)
+ metrics_granularity = try(each.value.metrics_granularity, var.self_managed_node_group_defaults.metrics_granularity, null)
+ service_linked_role_arn = try(each.value.service_linked_role_arn, var.self_managed_node_group_defaults.service_linked_role_arn, null)
+
+ initial_lifecycle_hooks = try(each.value.initial_lifecycle_hooks, var.self_managed_node_group_defaults.initial_lifecycle_hooks, [])
+ instance_refresh = try(each.value.instance_refresh, var.self_managed_node_group_defaults.instance_refresh, null)
+ use_mixed_instances_policy = try(each.value.use_mixed_instances_policy, var.self_managed_node_group_defaults.use_mixed_instances_policy, false)
+ warm_pool = try(each.value.warm_pool, var.self_managed_node_group_defaults.warm_pool, null)
+
+ create_schedule = try(each.value.create_schedule, var.self_managed_node_group_defaults.create_schedule, false)
+ schedules = try(each.value.schedules, var.self_managed_node_group_defaults.schedules, null)
+
+ delete_timeout = try(each.value.delete_timeout, var.self_managed_node_group_defaults.delete_timeout, null)
+
+ # User data
+ platform = try(each.value.platform, var.self_managed_node_group_defaults.platform, "linux")
+ cluster_endpoint = try(aws_eks_cluster.this[0].endpoint, "")
+ cluster_auth_base64 = try(aws_eks_cluster.this[0].certificate_authority[0].data, "")
+ pre_bootstrap_user_data = try(each.value.pre_bootstrap_user_data, var.self_managed_node_group_defaults.pre_bootstrap_user_data, "")
+ post_bootstrap_user_data = try(each.value.post_bootstrap_user_data, var.self_managed_node_group_defaults.post_bootstrap_user_data, "")
+ bootstrap_extra_args = try(each.value.bootstrap_extra_args, var.self_managed_node_group_defaults.bootstrap_extra_args, "")
+ user_data_template_path = try(each.value.user_data_template_path, var.self_managed_node_group_defaults.user_data_template_path, "")
+
+ # Launch Template
+ create_launch_template = try(each.value.create_launch_template, var.self_managed_node_group_defaults.create_launch_template, true)
+ launch_template_name = try(each.value.launch_template_name, each.key)
+ launch_template_version = try(each.value.launch_template_version, var.self_managed_node_group_defaults.launch_template_version, null)
+ launch_template_description = try(each.value.launch_template_description, var.self_managed_node_group_defaults.launch_template_description, "Custom launch template for ${try(each.value.name, each.key)} self managed node group")
- create_eks = var.create_eks
+ ebs_optimized = try(each.value.ebs_optimized, var.self_managed_node_group_defaults.ebs_optimized, null)
+ ami_id = try(each.value.ami_id, var.self_managed_node_group_defaults.ami_id, "")
+ cluster_version = try(each.value.cluster_version, var.self_managed_node_group_defaults.cluster_version, var.cluster_version)
+ instance_type = try(each.value.instance_type, var.self_managed_node_group_defaults.instance_type, "m6i.large")
+ key_name = try(each.value.key_name, var.self_managed_node_group_defaults.key_name, null)
- cluster_name = local.cluster_name
- cluster_endpoint = local.cluster_endpoint
- cluster_auth_base64 = local.cluster_auth_base64
+ vpc_security_group_ids = compact(concat([try(aws_security_group.node[0].id, "")], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
+ cluster_security_group_id = local.cluster_security_group_id
+ launch_template_default_version = try(each.value.launch_template_default_version, var.self_managed_node_group_defaults.launch_template_default_version, null)
+ update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.self_managed_node_group_defaults.update_launch_template_default_version, true)
+ disable_api_termination = try(each.value.disable_api_termination, var.self_managed_node_group_defaults.disable_api_termination, null)
+ instance_initiated_shutdown_behavior = try(each.value.instance_initiated_shutdown_behavior, var.self_managed_node_group_defaults.instance_initiated_shutdown_behavior, null)
+ kernel_id = try(each.value.kernel_id, var.self_managed_node_group_defaults.kernel_id, null)
+ ram_disk_id = try(each.value.ram_disk_id, var.self_managed_node_group_defaults.ram_disk_id, null)
- default_iam_role_arn = coalescelist(aws_iam_role.workers[*].arn, [""])[0]
- ebs_optimized_not_supported = local.ebs_optimized_not_supported
- workers_group_defaults = local.workers_group_defaults
- worker_security_group_id = local.worker_security_group_id
- worker_additional_security_group_ids = var.worker_additional_security_group_ids
+ block_device_mappings = try(each.value.block_device_mappings, var.self_managed_node_group_defaults.block_device_mappings, [])
+ capacity_reservation_specification = try(each.value.capacity_reservation_specification, var.self_managed_node_group_defaults.capacity_reservation_specification, null)
+ cpu_options = try(each.value.cpu_options, var.self_managed_node_group_defaults.cpu_options, null)
+ credit_specification = try(each.value.credit_specification, var.self_managed_node_group_defaults.credit_specification, null)
+ elastic_gpu_specifications = try(each.value.elastic_gpu_specifications, var.self_managed_node_group_defaults.elastic_gpu_specifications, null)
+ elastic_inference_accelerator = try(each.value.elastic_inference_accelerator, var.self_managed_node_group_defaults.elastic_inference_accelerator, null)
+ enclave_options = try(each.value.enclave_options, var.self_managed_node_group_defaults.enclave_options, null)
+ hibernation_options = try(each.value.hibernation_options, var.self_managed_node_group_defaults.hibernation_options, null)
+ instance_market_options = try(each.value.instance_market_options, var.self_managed_node_group_defaults.instance_market_options, null)
+ license_specifications = try(each.value.license_specifications, var.self_managed_node_group_defaults.license_specifications, null)
+ metadata_options = try(each.value.metadata_options, var.self_managed_node_group_defaults.metadata_options, local.metadata_options)
+ enable_monitoring = try(each.value.enable_monitoring, var.self_managed_node_group_defaults.enable_monitoring, true)
+ network_interfaces = try(each.value.network_interfaces, var.self_managed_node_group_defaults.network_interfaces, [])
+ placement = try(each.value.placement, var.self_managed_node_group_defaults.placement, null)
- node_groups_defaults = var.node_groups_defaults
- node_groups = var.node_groups
+ # IAM role
+ create_iam_instance_profile = try(each.value.create_iam_instance_profile, var.self_managed_node_group_defaults.create_iam_instance_profile, true)
+ iam_instance_profile_arn = try(each.value.iam_instance_profile_arn, var.self_managed_node_group_defaults.iam_instance_profile_arn, null)
+ iam_role_name = try(each.value.iam_role_name, var.self_managed_node_group_defaults.iam_role_name, null)
+ iam_role_use_name_prefix = try(each.value.iam_role_use_name_prefix, var.self_managed_node_group_defaults.iam_role_use_name_prefix, true)
+ iam_role_path = try(each.value.iam_role_path, var.self_managed_node_group_defaults.iam_role_path, null)
+ iam_role_description = try(each.value.iam_role_description, var.self_managed_node_group_defaults.iam_role_description, "Self managed node group IAM role")
+ iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.self_managed_node_group_defaults.iam_role_permissions_boundary, null)
+ iam_role_tags = try(each.value.iam_role_tags, var.self_managed_node_group_defaults.iam_role_tags, {})
+ iam_role_attach_cni_policy = try(each.value.iam_role_attach_cni_policy, var.self_managed_node_group_defaults.iam_role_attach_cni_policy, true)
+ iam_role_additional_policies = try(each.value.iam_role_additional_policies, var.self_managed_node_group_defaults.iam_role_additional_policies, [])
- tags = var.tags
+ # Security group
+ create_security_group = try(each.value.create_security_group, var.self_managed_node_group_defaults.create_security_group, true)
+ security_group_name = try(each.value.security_group_name, var.self_managed_node_group_defaults.security_group_name, null)
+ security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.self_managed_node_group_defaults.security_group_use_name_prefix, true)
+ security_group_description = try(each.value.security_group_description, var.self_managed_node_group_defaults.security_group_description, "Self managed node group security group")
+ vpc_id = try(each.value.vpc_id, var.self_managed_node_group_defaults.vpc_id, var.vpc_id)
+ security_group_rules = try(each.value.security_group_rules, var.self_managed_node_group_defaults.security_group_rules, {})
+ security_group_tags = try(each.value.security_group_tags, var.self_managed_node_group_defaults.security_group_tags, {})
- depends_on = [
- aws_eks_cluster.this,
- aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy,
- aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy,
- aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly
- ]
+ tags = merge(var.tags, try(each.value.tags, var.self_managed_node_group_defaults.tags, {}))
+ propagate_tags = try(each.value.propagate_tags, var.self_managed_node_group_defaults.propagate_tags, [])
}
diff --git a/outputs.tf b/outputs.tf
index 8676285368..72ba73d676 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,211 +1,174 @@
-output "cluster_id" {
- description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready."
- value = local.cluster_id
-
- # So that calling plans wait for the cluster to be available before attempting to use it.
- # There is no need to duplicate this datasource
- depends_on = [data.http.wait_for_cluster]
-}
+################################################################################
+# Cluster
+################################################################################
output "cluster_arn" {
- description = "The Amazon Resource Name (ARN) of the cluster."
- value = local.cluster_arn
+ description = "The Amazon Resource Name (ARN) of the cluster"
+ value = try(aws_eks_cluster.this[0].arn, "")
}
output "cluster_certificate_authority_data" {
- description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster."
- value = local.cluster_auth_base64
+ description = "Base64 encoded certificate data required to communicate with the cluster"
+ value = try(aws_eks_cluster.this[0].certificate_authority[0].data, "")
}
output "cluster_endpoint" {
- description = "The endpoint for your EKS Kubernetes API."
- value = local.cluster_endpoint
+ description = "Endpoint for your Kubernetes API server"
+ value = try(aws_eks_cluster.this[0].endpoint, "")
}
-output "cluster_version" {
- description = "The Kubernetes server version for the EKS cluster."
- value = element(concat(aws_eks_cluster.this[*].version, [""]), 0)
-}
-
-output "cluster_security_group_id" {
- description = "Security group ID attached to the EKS cluster. On 1.14 or later, this is the 'Additional security groups' in the EKS console."
- value = local.cluster_security_group_id
+output "cluster_id" {
+ description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+ value = try(aws_eks_cluster.this[0].id, "")
}
-output "config_map_aws_auth" {
- description = "A kubernetes configuration to authenticate to this EKS cluster."
- value = kubernetes_config_map.aws_auth.*
+output "cluster_oidc_issuer_url" {
+ description = "The URL on the EKS cluster for the OpenID Connect identity provider"
+ value = try(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "")
}
-output "cluster_iam_role_name" {
- description = "IAM role name of the EKS cluster."
- value = local.cluster_iam_role_name
+output "cluster_platform_version" {
+ description = "Platform version for the cluster"
+ value = try(aws_eks_cluster.this[0].platform_version, "")
}
-output "cluster_iam_role_arn" {
- description = "IAM role ARN of the EKS cluster."
- value = local.cluster_iam_role_arn
-}
-
-output "cluster_oidc_issuer_url" {
- description = "The URL on the EKS cluster OIDC Issuer"
- value = local.cluster_oidc_issuer_url
+output "cluster_status" {
+ description = "Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`"
+ value = try(aws_eks_cluster.this[0].status, "")
}
output "cluster_primary_security_group_id" {
- description = "The cluster primary security group ID created by the EKS cluster on 1.14 or later. Referred to as 'Cluster security group' in the EKS console."
- value = local.cluster_primary_security_group_id
+ description = "Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console"
+ value = try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, "")
}
-output "cloudwatch_log_group_name" {
- description = "Name of cloudwatch log group created"
- value = element(concat(aws_cloudwatch_log_group.this[*].name, [""]), 0)
+################################################################################
+# Cluster Security Group
+################################################################################
+
+output "cluster_security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the cluster security group"
+ value = try(aws_security_group.cluster[0].arn, "")
}
-output "cloudwatch_log_group_arn" {
- description = "Arn of cloudwatch log group created"
- value = element(concat(aws_cloudwatch_log_group.this[*].arn, [""]), 0)
+output "cluster_security_group_id" {
+ description = "ID of the cluster security group"
+ value = try(aws_security_group.cluster[0].id, "")
}
-output "kubeconfig" {
- description = "kubectl config file contents for this EKS cluster. Will block on cluster creation until the cluster is really ready."
- value = local.kubeconfig
+################################################################################
+# Node Security Group
+################################################################################
- # So that calling plans wait for the cluster to be available before attempting to use it.
- # There is no need to duplicate this datasource
- depends_on = [data.http.wait_for_cluster]
+output "node_security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the node shared security group"
+ value = try(aws_security_group.node[0].arn, "")
}
-output "kubeconfig_filename" {
- description = "The filename of the generated kubectl config. Will block on cluster creation until the cluster is really ready."
- value = concat(local_file.kubeconfig.*.filename, [""])[0]
-
- # So that calling plans wait for the cluster to be available before attempting to use it.
- # There is no need to duplicate this datasource
- depends_on = [data.http.wait_for_cluster]
+output "node_security_group_id" {
+ description = "ID of the node shared security group"
+ value = try(aws_security_group.node[0].id, "")
}
+################################################################################
+# IRSA
+################################################################################
+
output "oidc_provider_arn" {
- description = "The ARN of the OIDC Provider if `enable_irsa = true`."
- value = var.enable_irsa ? concat(aws_iam_openid_connect_provider.oidc_provider[*].arn, [""])[0] : null
+ description = "The ARN of the OIDC Provider if `enable_irsa = true`"
+ value = try(aws_iam_openid_connect_provider.oidc_provider[0].arn, "")
}
-output "workers_asg_arns" {
- description = "IDs of the autoscaling groups containing workers."
- value = concat(
- aws_autoscaling_group.workers.*.arn,
- aws_autoscaling_group.workers_launch_template.*.arn,
- )
-}
+################################################################################
+# IAM Role
+################################################################################
-output "workers_asg_names" {
- description = "Names of the autoscaling groups containing workers."
- value = concat(
- aws_autoscaling_group.workers.*.id,
- aws_autoscaling_group.workers_launch_template.*.id,
- )
+output "cluster_iam_role_name" {
+ description = "IAM role name of the EKS cluster"
+ value = try(aws_iam_role.this[0].name, "")
}
-output "workers_user_data" {
- description = "User data of worker groups"
- value = concat(
- local.launch_configuration_userdata_rendered,
- local.launch_template_userdata_rendered,
- )
+output "cluster_iam_role_arn" {
+ description = "IAM role ARN of the EKS cluster"
+ value = try(aws_iam_role.this[0].arn, "")
}
-output "workers_default_ami_id" {
- description = "ID of the default worker group AMI"
- value = local.default_ami_id_linux
+output "cluster_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, "")
}
-output "workers_default_ami_id_windows" {
- description = "ID of the default Windows worker group AMI"
- value = local.default_ami_id_windows
-}
+################################################################################
+# EKS Addons
+################################################################################
-output "workers_launch_template_ids" {
- description = "IDs of the worker launch templates."
- value = aws_launch_template.workers_launch_template.*.id
+output "cluster_addons" {
+ description = "Map of attribute maps for all EKS cluster addons enabled"
+ value = aws_eks_addon.this
}
-output "workers_launch_template_arns" {
- description = "ARNs of the worker launch templates."
- value = aws_launch_template.workers_launch_template.*.arn
-}
+################################################################################
+# EKS Identity Provider
+################################################################################
-output "workers_launch_template_latest_versions" {
- description = "Latest versions of the worker launch templates."
- value = aws_launch_template.workers_launch_template.*.latest_version
+output "cluster_identity_providers" {
+ description = "Map of attribute maps for all EKS identity providers enabled"
+ value = aws_eks_identity_provider_config.this
}
-output "worker_security_group_id" {
- description = "Security group ID attached to the EKS workers."
- value = local.worker_security_group_id
-}
+################################################################################
+# CloudWatch Log Group
+################################################################################
-output "worker_iam_instance_profile_arns" {
- description = "default IAM instance profile ARN for EKS worker groups"
- value = concat(
- aws_iam_instance_profile.workers.*.arn,
- aws_iam_instance_profile.workers_launch_template.*.arn
- )
+output "cloudwatch_log_group_name" {
+ description = "Name of cloudwatch log group created"
+ value = try(aws_cloudwatch_log_group.this[0].name, "")
}
-output "worker_iam_instance_profile_names" {
- description = "default IAM instance profile name for EKS worker groups"
- value = concat(
- aws_iam_instance_profile.workers.*.name,
- aws_iam_instance_profile.workers_launch_template.*.name
- )
+output "cloudwatch_log_group_arn" {
+ description = "Arn of cloudwatch log group created"
+ value = try(aws_cloudwatch_log_group.this[0].arn, "")
}
-output "worker_iam_role_name" {
- description = "default IAM role name for EKS worker groups"
- value = coalescelist(
- aws_iam_role.workers.*.name,
- data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
- data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
- [""]
- )[0]
-}
+################################################################################
+# Fargate Profile
+################################################################################
-output "worker_iam_role_arn" {
- description = "default IAM role ARN for EKS worker groups"
- value = coalescelist(
- aws_iam_role.workers.*.arn,
- data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_arn,
- data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_arn,
- [""]
- )[0]
+output "fargate_profiles" {
+ description = "Map of attribute maps for all EKS Fargate Profiles created"
+ value = module.fargate_profile
}
-output "fargate_profile_ids" {
- description = "EKS Cluster name and EKS Fargate Profile names separated by a colon (:)."
- value = module.fargate.fargate_profile_ids
-}
+################################################################################
+# EKS Managed Node Group
+################################################################################
-output "fargate_profile_arns" {
- description = "Amazon Resource Name (ARN) of the EKS Fargate Profiles."
- value = module.fargate.fargate_profile_arns
+output "eks_managed_node_groups" {
+ description = "Map of attribute maps for all EKS managed node groups created"
+ value = module.eks_managed_node_group
}
-output "fargate_iam_role_name" {
- description = "IAM role name for EKS Fargate pods"
- value = module.fargate.iam_role_name
-}
+################################################################################
+# Self Managed Node Group
+################################################################################
-output "fargate_iam_role_arn" {
- description = "IAM role ARN for EKS Fargate pods"
- value = module.fargate.iam_role_arn
+output "self_managed_node_groups" {
+ description = "Map of attribute maps for all self managed node groups created"
+ value = module.self_managed_node_group
}
-output "node_groups" {
- description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys"
- value = module.node_groups.node_groups
-}
+################################################################################
+# Additional
+################################################################################
-output "security_group_rule_cluster_https_worker_ingress" {
- description = "Security group rule responsible for allowing pods to communicate with the EKS cluster API."
- value = aws_security_group_rule.cluster_https_worker_ingress
+output "aws_auth_configmap_yaml" {
+ description = "Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles"
+ value = templatefile("${path.module}/templates/aws_auth_cm.tpl",
+ {
+ eks_managed_role_arns = [for group in module.eks_managed_node_group : group.iam_role_arn]
+ self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows"]
+ win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform == "windows"]
+ fargate_profile_arns = [for group in module.fargate_profile : group.fargate_profile_arn]
+ }
+ )
}
diff --git a/templates/aws_auth_cm.tpl b/templates/aws_auth_cm.tpl
new file mode 100644
index 0000000000..abf2102a54
--- /dev/null
+++ b/templates/aws_auth_cm.tpl
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: aws-auth
+ namespace: kube-system
+data:
+ mapRoles: |
+%{ for role in eks_managed_role_arns ~}
+ - rolearn: ${role}
+ username: system:node:{{EC2PrivateDNSName}}
+ groups:
+ - system:bootstrappers
+ - system:nodes
+%{ endfor ~}
+%{ for role in self_managed_role_arns ~}
+ - rolearn: ${role}
+ username: system:node:{{EC2PrivateDNSName}}
+ groups:
+ - system:bootstrappers
+ - system:nodes
+%{ endfor ~}
+%{ for role in win32_self_managed_role_arns ~}
+ - rolearn: ${role}
+ username: system:node:{{EC2PrivateDNSName}}
+ groups:
+ - eks:kube-proxy-windows
+ - system:bootstrappers
+ - system:nodes
+%{ endfor ~}
+%{ for role in fargate_profile_arns ~}
+ - rolearn: ${role}
+ username: system:node:{{SessionName}}
+ groups:
+ - system:bootstrappers
+ - system:nodes
+ - system:node-proxier
+%{ endfor ~}
diff --git a/templates/bottlerocket_user_data.tpl b/templates/bottlerocket_user_data.tpl
new file mode 100644
index 0000000000..640c801438
--- /dev/null
+++ b/templates/bottlerocket_user_data.tpl
@@ -0,0 +1,7 @@
+%{ if enable_bootstrap_user_data ~}
+[settings.kubernetes]
+"cluster-name" = "${cluster_name}"
+"api-server" = "${cluster_endpoint}"
+"cluster-certificate" = "${cluster_auth_base64}"
+%{ endif ~}
+${bootstrap_extra_args ~}
diff --git a/templates/kubeconfig.tpl b/templates/kubeconfig.tpl
deleted file mode 100644
index 5004243bec..0000000000
--- a/templates/kubeconfig.tpl
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-preferences: {}
-kind: Config
-
-clusters:
-- cluster:
- server: ${endpoint}
- certificate-authority-data: ${cluster_auth_base64}
- name: ${kubeconfig_name}
-
-contexts:
-- context:
- cluster: ${kubeconfig_name}
- user: ${kubeconfig_name}
- name: ${kubeconfig_name}
-
-current-context: ${kubeconfig_name}
-
-users:
-- name: ${kubeconfig_name}
- user:
- exec:
- apiVersion: ${aws_authenticator_kubeconfig_apiversion}
- command: ${aws_authenticator_command}
- args:
-%{~ for i in aws_authenticator_command_args }
- - "${i}"
-%{~ endfor ~}
-%{ for i in aws_authenticator_additional_args }
- - ${i}
-%{~ endfor ~}
-%{ if length(aws_authenticator_env_variables) > 0 }
- env:
- %{~ for k, v in aws_authenticator_env_variables ~}
- - name: ${k}
- value: ${v}
- %{~ endfor ~}
-%{ endif }
diff --git a/templates/linux_user_data.tpl b/templates/linux_user_data.tpl
new file mode 100644
index 0000000000..14acbd2aff
--- /dev/null
+++ b/templates/linux_user_data.tpl
@@ -0,0 +1,14 @@
+%{ if enable_bootstrap_user_data ~}
+#!/bin/bash
+set -e
+%{ endif ~}
+${pre_bootstrap_user_data ~}
+%{ if length(cluster_service_ipv4_cidr) > 0 ~}
+export SERVICE_IPV4_CIDR=${cluster_service_ipv4_cidr}
+%{ endif ~}
+%{ if enable_bootstrap_user_data ~}
+B64_CLUSTER_CA=${cluster_auth_base64}
+API_SERVER_URL=${cluster_endpoint}
+/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+${post_bootstrap_user_data ~}
+%{ endif ~}
diff --git a/templates/userdata.sh.tpl b/templates/userdata.sh.tpl
deleted file mode 100644
index cf314b8800..0000000000
--- a/templates/userdata.sh.tpl
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -e
-
-# Allow user supplied pre userdata code
-${pre_userdata}
-
-# Bootstrap and join the cluster
-/etc/eks/bootstrap.sh --b64-cluster-ca '${cluster_auth_base64}' --apiserver-endpoint '${endpoint}' ${bootstrap_extra_args} --kubelet-extra-args "${kubelet_extra_args}" '${cluster_name}'
-
-# Allow user supplied userdata code
-${additional_userdata}
diff --git a/templates/userdata_windows.tpl b/templates/windows_user_data.tpl
similarity index 53%
rename from templates/userdata_windows.tpl
rename to templates/windows_user_data.tpl
index e8856838f1..5000850604 100644
--- a/templates/userdata_windows.tpl
+++ b/templates/windows_user_data.tpl
@@ -1,11 +1,9 @@