refactor: Refactoring to match the rest of terraform-aws-modules (#1583)

This commit is contained in:
Anton Babenko
2021-09-16 11:35:44 +02:00
committed by GitHub
parent 619b4a0d48
commit 2bdf7d7dd6
76 changed files with 1350 additions and 1037 deletions


@@ -1,11 +0,0 @@
# Examples
These serve a few purposes:
1. Shows developers how to use the module in a straightforward way as integrated with other terraform community supported modules.
2. Serves as the test infrastructure for CI on the project.
3. Provides a simple way to play with the Kubernetes cluster you create.
## IAM Permissions
You can see the minimum IAM Permissions required [here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/iam-permissions.md).


@@ -0,0 +1,60 @@
# Various bootstrap resources required for other EKS examples
Configuration in this directory creates some resources required in other EKS examples (such as VPC).
The resources created here are free (no NAT gateways here) and they can reside in test AWS account.
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.22.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 1.11 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.22.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
## Resources
| Name | Type |
|------|------|
| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Name of EKS Cluster used in tags for subnets |
| <a name="output_region"></a> [region](#output\_region) | AWS region |
| <a name="output_vpc"></a> [vpc](#output\_vpc) | Complete output of VPC module |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->


@@ -0,0 +1,50 @@
provider "aws" {
region = local.region
}
locals {
region = "eu-west-1"
name = "bootstrap-example"
vpc_cidr = "10.0.0.0/16"
cluster_name = "test-eks-${random_string.suffix.result}"
}
data "aws_availability_zones" "available" {}
resource "random_string" "suffix" {
length = 8
special = false
}
################################################################################
# Supporting Resources
################################################################################
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
name = local.name
cidr = "10.0.0.0/16"
azs = data.aws_availability_zones.available.names
public_subnets = [for k, v in data.aws_availability_zones.available.names : cidrsubnet(local.vpc_cidr, 8, k)]
private_subnets = [for k, v in data.aws_availability_zones.available.names : cidrsubnet(local.vpc_cidr, 8, k + 10)]
# NAT Gateway is disabled in the examples primarily to save costs and be able to recreate VPC faster.
enable_nat_gateway = false
single_nat_gateway = false
enable_dns_hostnames = true
public_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
private_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/internal-elb" = "1"
}
}
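Review bot: `cidr = "10.0.0.0/16"` in the `vpc` module call repeats the literal that `local.vpc_cidr` already holds, while the `public_subnets` and `private_subnets` lists on the next two lines are derived from `local.vpc_cidr`; change it to `cidr = local.vpc_cidr` so the VPC and its subnets cannot drift apart when one of them is edited. The `aws_availability_zones` data source is unfiltered, so a zone that is not in the `available` state would still receive a subnet; `state = "available"` makes it match the resource's name. Both subnet tag maps reference `local.cluster_name`, which nothing in this directory consumes, so a comment such as `# cluster_name is exported as an output; other examples must create their cluster under exactly this name` would explain why it exists here.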


@@ -0,0 +1,14 @@
output "region" {
description = "AWS region"
value = local.region
}
output "cluster_name" {
description = "Name of EKS Cluster used in tags for subnets"
value = local.cluster_name
}
output "vpc" {
description = "Complete output of VPC module"
value = module.vpc
}
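Review bot: These three outputs are the interface other examples read through `terraform_remote_state` with a local backend (see the `bootstrap` data source in `examples/complete/main.tf`), so renaming or removing one of them breaks those examples at plan time; the descriptions should say so, e.g. `description = "Complete output of VPC module (read by other examples via terraform_remote_state)"`. The `vpc` output exposes the whole module object, including every subnet and route-table id, which is fine for a test account but worth stating in the description.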


@@ -3,8 +3,7 @@ terraform {
required_providers {
aws = ">= 3.22.0"
local = ">= 1.4"
random = ">= 2.1"
kubernetes = "~> 1.11"
kubernetes = ">= 1.11"
}
}
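Review bot: `kubernetes = ">= 1.11"` still admits the 1.x provider, but the `provider "kubernetes"` blocks this commit rewrites (for example in `examples/complete/main.tf`) no longer set `load_config_file = false`; on 1.x that attribute defaults to true, so the provider additionally loads `~/.kube/config` and, depending on the 1.x release, can fail when that file is missing or pick up settings from its current context instead of the EKS cluster named by the data sources. The attribute was removed in provider 2.0, so the constraint that matches the new provider blocks is `kubernetes = ">= 2.0"`. The same `kubernetes = ">= 1.11"` constraint appears in the later versions.tf hunk on this page and should be changed together with this one.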


@@ -1,138 +0,0 @@
provider "aws" {
region = var.region
}
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {
}
locals {
cluster_name = "test-eks-${random_string.suffix.result}"
}
resource "random_string" "suffix" {
length = 8
special = false
}
resource "aws_security_group" "worker_group_mgmt_one" {
name_prefix = "worker_group_mgmt_one"
vpc_id = module.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
]
}
}
resource "aws_security_group" "worker_group_mgmt_two" {
name_prefix = "worker_group_mgmt_two"
vpc_id = module.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"192.168.0.0/16",
]
}
}
resource "aws_security_group" "all_worker_mgmt" {
name_prefix = "all_worker_management"
vpc_id = module.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2.47"
name = "test-vpc"
cidr = "10.0.0.0/16"
azs = data.aws_availability_zones.available.names
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true
public_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
private_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/internal-elb" = "1"
}
}
module "eks" {
source = "../.."
cluster_name = local.cluster_name
cluster_version = "1.20"
subnets = module.vpc.private_subnets
tags = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
vpc_id = module.vpc.vpc_id
worker_groups = [
{
name = "worker-group-1"
instance_type = "t3.small"
additional_userdata = "echo foo bar"
asg_desired_capacity = 2
additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
},
{
name = "worker-group-2"
instance_type = "t3.medium"
additional_userdata = "echo foo bar"
additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id]
asg_desired_capacity = 1
},
]
worker_additional_security_group_ids = [aws_security_group.all_worker_mgmt.id]
map_roles = var.map_roles
map_users = var.map_users
map_accounts = var.map_accounts
}


@@ -1,52 +0,0 @@
variable "region" {
default = "us-west-2"
}
variable "map_accounts" {
description = "Additional AWS account numbers to add to the aws-auth configmap."
type = list(string)
default = [
"777777777777",
"888888888888",
]
}
variable "map_roles" {
description = "Additional IAM roles to add to the aws-auth configmap."
type = list(object({
rolearn = string
username = string
groups = list(string)
}))
default = [
{
rolearn = "arn:aws:iam::66666666666:role/role1"
username = "role1"
groups = ["system:masters"]
},
]
}
variable "map_users" {
description = "Additional IAM users to add to the aws-auth configmap."
type = list(object({
userarn = string
username = string
groups = list(string)
}))
default = [
{
userarn = "arn:aws:iam::66666666666:user/user1"
username = "user1"
groups = ["system:masters"]
},
{
userarn = "arn:aws:iam::66666666666:user/user2"
username = "user2"
groups = ["system:masters"]
},
]
}


@@ -1,7 +1,71 @@
# AWS Bottlerocket based nodes
# AWS EKS cluster running Bottlerocket AMI
This is a minimalistic example that shows how to use functionality of this module to deploy
nodes based on [AWS Bottlerocket container OS](https://github.com/bottlerocket-os/bottlerocket)
Configuration in this directory creates EKS cluster with nodes running [AWS Bottlerocket OS](https://github.com/bottlerocket-os/bottlerocket)
Example is minimalistic by purpose - it shows what knobs to turn to make Bottlerocket work.
Do not use default VPC for your workloads deployment.
This is a minimalistic example which shows what knobs to turn to make Bottlerocket work.
See [the official documentation](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html) for more details.
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.22.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.22.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 2.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | |
## Resources
| Name | Type |
|------|------|
| [aws_iam_role_policy_attachment.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_key_pair.nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [tls_private_key.nodes](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [aws_ami.bottlerocket_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_subnet_ids.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
| <a name="output_config_map_aws_auth"></a> [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. |
| <a name="output_kubectl_config"></a> [kubectl\_config](#output\_kubectl\_config) | kubectl config as generated by the module. |
| <a name="output_node_groups"></a> [node\_groups](#output\_node\_groups) | Outputs from node groups |
| <a name="output_region"></a> [region](#output\_region) | AWS region. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->


@@ -1,22 +0,0 @@
data "aws_ami" "bottlerocket_ami" {
most_recent = true
owners = ["amazon"]
filter {
name = "name"
values = ["bottlerocket-aws-k8s-${var.k8s_version}-x86_64-*"]
}
}
data "aws_region" "current" {}
data "aws_vpc" "default" {
default = true
}
data "aws_subnet_ids" "default" {
vpc_id = data.aws_vpc.default.id
}
data "aws_iam_policy" "ssm" {
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}


@@ -1,31 +1,27 @@
terraform {
required_version = ">= 0.13.0"
provider "aws" {
region = local.region
}
resource "tls_private_key" "nodes" {
algorithm = "RSA"
}
resource "aws_key_pair" "nodes" {
key_name = "bottlerocket-nodes"
public_key = tls_private_key.nodes.public_key_openssh
locals {
region = "eu-west-1"
k8s_version = "1.21"
}
module "eks" {
source = "../.."
cluster_name = "bottlerocket"
cluster_version = var.k8s_version
subnets = data.aws_subnet_ids.default.ids
source = "../.."
vpc_id = data.aws_vpc.default.id
cluster_name = "bottlerocket-${random_string.suffix.result}"
cluster_version = local.k8s_version
vpc_id = data.aws_vpc.default.id
subnets = data.aws_subnet_ids.default.ids
write_kubeconfig = false
manage_aws_auth = false
worker_groups_launch_template = [
{
name = "bottlerocket-nodes"
# passing bottlerocket ami id
name = "bottlerocket-nodes"
ami_id = data.aws_ami.bottlerocket_ami.id
instance_type = "t3a.small"
asg_desired_capacity = 2
@@ -42,9 +38,9 @@ module "eks" {
# we are using this section to pass additional arguments for
# userdata template rendering
userdata_template_extra_args = {
enable_admin_container = var.enable_admin_container
enable_control_container = var.enable_control_container
aws_region = data.aws_region.current.name
enable_admin_container = false
enable_control_container = true
aws_region = local.region
}
# example of k8s/kubelet configuration via additional_userdata
additional_userdata = <<EOT
@@ -59,5 +55,41 @@ EOT
# https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-EKS.md#enabling-ssm
resource "aws_iam_role_policy_attachment" "ssm" {
role = module.eks.worker_iam_role_name
policy_arn = data.aws_iam_policy.ssm.arn
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
################################################################################
# Supporting Resources
################################################################################
data "aws_vpc" "default" {
default = true
}
data "aws_subnet_ids" "default" {
vpc_id = data.aws_vpc.default.id
}
data "aws_ami" "bottlerocket_ami" {
most_recent = true
owners = ["amazon"]
filter {
name = "name"
values = ["bottlerocket-aws-k8s-${local.k8s_version}-x86_64-*"]
}
}
resource "random_string" "suffix" {
length = 8
special = false
}
resource "tls_private_key" "nodes" {
algorithm = "RSA"
}
resource "aws_key_pair" "nodes" {
key_name = "bottlerocket-nodes-${random_string.suffix.result}"
public_key = tls_private_key.nodes.public_key_openssh
}
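Review bot: `tls_private_key.nodes` generates the node SSH key inside Terraform, so the private key is written unencrypted to the state file and shows up in plan output; the example should say so, e.g. `# The generated private key is stored in Terraform state; outside a throwaway example, pass an existing key name instead.` `algorithm = "RSA"` relies on the provider's default key size, and `rsa_bits = 4096` spares a reader from having to look that default up. `aws_iam_role_policy_attachment.ssm` attaches `AmazonSSMManagedInstanceCore` to the shared worker role, which makes every node in the cluster reachable through Session Manager; the link comment above it explains the Bottlerocket motivation, but a one-line note that this grants interactive shell access to all nodes would make the trade-off explicit. The `module "eks"` block is split across the earlier hunks of this file, so the worker-group settings between them were not reviewed here.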


@@ -1,3 +1,8 @@
output "region" {
description = "AWS region."
value = local.region
}
output "cluster_endpoint" {
description = "Endpoint for EKS control plane."
value = module.eks.cluster_endpoint
@@ -18,8 +23,7 @@ output "config_map_aws_auth" {
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
output "node_groups" {
description = "Outputs from node groups"
value = module.eks.node_groups
}
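Review bot: `output "node_groups"` is added to an example whose visible main.tf hunks configure only `worker_groups_launch_template` and no `node_groups`, so `module.eks.node_groups` will presumably be an empty map here; either drop the output or add a comment that it is intentionally empty to keep the output set uniform across examples. The `output "region"` block that follows `config_map_aws_auth` in the old text is removed in favour of the one at the top of the file, which is fine, but the new `region` output reads `local.region` and therefore depends on the `locals` block introduced in main.tf by the same commit.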


@@ -1,17 +0,0 @@
variable "k8s_version" {
description = "k8s cluster version"
default = "1.20"
type = string
}
variable "enable_admin_container" {
description = "Enable/disable admin container"
default = false
type = bool
}
variable "enable_control_container" {
description = "Enable/disable control container"
default = true
type = bool
}


@@ -2,7 +2,8 @@ terraform {
required_version = ">= 0.13.1"
required_providers {
aws = ">= 3.22.0"
kubernetes = "~> 1.11"
aws = ">= 3.22.0"
random = ">= 2.1"
tls = ">= 2.0"
}
}


@@ -0,0 +1,73 @@
# Complete AWS EKS Cluster
Configuration in this directory creates EKS cluster with different features shown all-in-one cluster (e.g. Managed Node Groups, Worker Groups, Fargate, Spot instances, AWS Auth enabled).
This example can be used to do smoke test.
See configurations in other `examples` directories for more specific cases.
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.22.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 1.11 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.4 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.22.0 |
| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_disabled_eks"></a> [disabled\_eks](#module\_disabled\_eks) | ../.. | |
| <a name="module_disabled_fargate"></a> [disabled\_fargate](#module\_disabled\_fargate) | ../../modules/fargate | |
| <a name="module_disabled_node_groups"></a> [disabled\_node\_groups](#module\_disabled\_node\_groups) | ../../modules/node_groups | |
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | |
## Resources
| Name | Type |
|------|------|
| [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.worker_group_mgmt_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.worker_group_mgmt_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
| [terraform_remote_state.bootstrap](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
| <a name="output_config_map_aws_auth"></a> [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. |
| <a name="output_kubectl_config"></a> [kubectl\_config](#output\_kubectl\_config) | kubectl config as generated by the module. |
| <a name="output_node_groups"></a> [node\_groups](#output\_node\_groups) | Outputs from node groups |
| <a name="output_region"></a> [region](#output\_region) | AWS region. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

247
examples/complete/main.tf Normal file

@@ -0,0 +1,247 @@
provider "aws" {
region = local.region
}
module "eks" {
source = "../.."
cluster_name = local.cluster_name
cluster_version = "1.21"
vpc_id = local.vpc.vpc_id
subnets = [local.vpc.private_subnets[0], local.vpc.public_subnets[1]]
fargate_subnets = [local.vpc.private_subnets[2]]
worker_additional_security_group_ids = [aws_security_group.all_worker_mgmt.id]
# Worker groups (using Launch Configurations)
worker_groups = [
{
name = "worker-group-1"
instance_type = "t3.small"
additional_userdata = "echo foo bar"
asg_desired_capacity = 2
additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
},
{
name = "worker-group-2"
instance_type = "t3.medium"
additional_userdata = "echo foo bar"
additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id]
asg_desired_capacity = 1
},
]
# Worker groups (using Launch Templates)
worker_groups_launch_template = [
{
name = "spot-1"
override_instance_types = ["m5.large", "m5a.large", "m5d.large", "m5ad.large"]
spot_instance_pools = 4
asg_max_size = 5
asg_desired_capacity = 5
kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
public_ip = true
},
]
# Managed Node Groups
node_groups_defaults = {
ami_type = "AL2_x86_64"
disk_size = 50
}
node_groups = {
example = {
desired_capacity = 1
max_capacity = 10
min_capacity = 1
instance_types = ["t3.large"]
capacity_type = "SPOT"
k8s_labels = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
additional_tags = {
ExtraTag = "example"
}
taints = [
{
key = "dedicated"
value = "gpuGroup"
effect = "NO_SCHEDULE"
}
]
update_config = {
max_unavailable_percentage = 50 # or set `max_unavailable`
}
}
}
# Fargate
fargate_profiles = {
default = {
name = "default"
selectors = [
{
namespace = "kube-system"
labels = {
k8s-app = "kube-dns"
}
},
{
namespace = "default"
}
]
tags = {
Owner = "test"
}
}
}
# AWS Auth (kubernetes_config_map)
map_roles = [
{
rolearn = "arn:aws:iam::66666666666:role/role1"
username = "role1"
groups = ["system:masters"]
},
]
map_users = [
{
userarn = "arn:aws:iam::66666666666:user/user1"
username = "user1"
groups = ["system:masters"]
},
{
userarn = "arn:aws:iam::66666666666:user/user2"
username = "user2"
groups = ["system:masters"]
},
]
map_accounts = [
"777777777777",
"888888888888",
]
tags = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
}
####################
# Disabled creation
####################
module "disabled_eks" {
source = "../.."
create_eks = false
}
module "disabled_fargate" {
source = "../../modules/fargate"
create_fargate_pod_execution_role = false
}
module "disabled_node_groups" {
source = "../../modules/node_groups"
create_eks = false
}
#############
# Kubernetes
#############
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
}
################################################################################
# Supporting resources
################################################################################
resource "aws_security_group" "worker_group_mgmt_one" {
name_prefix = "worker_group_mgmt_one"
vpc_id = local.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
]
}
}
resource "aws_security_group" "worker_group_mgmt_two" {
name_prefix = "worker_group_mgmt_two"
vpc_id = local.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"192.168.0.0/16",
]
}
}
resource "aws_security_group" "all_worker_mgmt" {
name_prefix = "all_worker_management"
vpc_id = local.vpc.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
################################################################################
# Supporting resources (managed in "_bootstrap" directory)
################################################################################
data "terraform_remote_state" "bootstrap" {
backend = "local"
config = {
path = "../_bootstrap/terraform.tfstate"
}
}
locals {
region = data.terraform_remote_state.bootstrap.outputs.region
cluster_name = data.terraform_remote_state.bootstrap.outputs.cluster_name
vpc = data.terraform_remote_state.bootstrap.outputs.vpc
}
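Review bot: `data "terraform_remote_state" "bootstrap"` makes this example depend on `examples/_bootstrap` having been applied first from the same checkout, and neither this file nor the new README states that; add `# Requires a prior "terraform apply" in ../_bootstrap; its local state file is read here.` above the data source. The `map_roles` and `map_users` entries grant `system:masters` (unrestricted cluster admin) to placeholder ARNs whose account id has only 11 digits, so a comment such as `# Placeholder principals - replace before reuse; system:masters is full cluster admin` would keep them from being copied as-is. The `_bootstrap` VPC is created with `enable_nat_gateway = false`, while `subnets`, `fargate_subnets` and the `example` node group place nodes and pods in its private subnets; without NAT or VPC endpoints those instances presumably cannot reach the EKS endpoint or ECR to join the cluster, so it is worth confirming the example actually converges, and the same question applies to the `module "eks"` hunk of the `fargate` example further down the page. The `spot-1` launch-template group sets `public_ip = true` and the shared `subnets` list includes `local.vpc.public_subnets[1]`, so those nodes get internet-reachable addresses with only the SSH-from-RFC1918 security groups in front of them; if that is deliberate, say so in the comment on that group.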


@@ -0,0 +1,29 @@
output "region" {
description = "AWS region."
value = local.region
}
output "cluster_endpoint" {
description = "Endpoint for EKS control plane."
value = module.eks.cluster_endpoint
}
output "cluster_security_group_id" {
description = "Security group ids attached to the cluster control plane."
value = module.eks.cluster_security_group_id
}
output "kubectl_config" {
description = "kubectl config as generated by the module."
value = module.eks.kubeconfig
}
output "config_map_aws_auth" {
description = "A kubernetes configuration to authenticate to this EKS cluster."
value = module.eks.config_map_aws_auth
}
output "node_groups" {
description = "Outputs from node groups"
value = module.eks.node_groups
}


@@ -0,0 +1 @@


@@ -5,6 +5,6 @@ terraform {
aws = ">= 3.22.0"
local = ">= 1.4"
random = ">= 2.1"
kubernetes = "~> 1.11"
kubernetes = ">= 1.11"
}
}


@@ -1,30 +0,0 @@
provider "aws" {
region = var.region
}
data "aws_eks_cluster" "cluster" {
count = 0
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
count = 0
name = module.eks.cluster_id
}
provider "kubernetes" {
host = element(concat(data.aws_eks_cluster.cluster[*].endpoint, [""]), 0)
cluster_ca_certificate = base64decode(element(concat(data.aws_eks_cluster.cluster[*].certificate_authority.0.data, [""]), 0))
token = element(concat(data.aws_eks_cluster_auth.cluster[*].token, [""]), 0)
load_config_file = false
}
module "eks" {
source = "../.."
create_eks = false
cluster_version = ""
vpc_id = ""
cluster_name = ""
subnets = []
}


@@ -1,3 +0,0 @@
variable "region" {
default = "us-west-2"
}


@@ -0,0 +1,68 @@
# AWS EKS Cluster with Fargate profiles
Configuration in this directory creates EKS cluster with Fargate profiles in two different ways:
- Using a root module, where EKS Cluster and Fargate profiles should be created at once. This is the default behaviour for most users.
- Using `modules/fargate` submodule where Fargate profiles should be attached to the barebone EKS Cluster.
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.22.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 1.11 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.4 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.22.0 |
| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_barebone_eks"></a> [barebone\_eks](#module\_barebone\_eks) | ../.. | |
| <a name="module_eks"></a> [eks](#module\_eks) | ../.. | |
| <a name="module_fargate_profile_existing_cluster"></a> [fargate\_profile\_existing\_cluster](#module\_fargate\_profile\_existing\_cluster) | ../../modules/fargate | |
## Resources
| Name | Type |
|------|------|
| [aws_eks_cluster.barebone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
| [aws_eks_cluster_auth.barebone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
| [terraform_remote_state.bootstrap](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
| <a name="output_config_map_aws_auth"></a> [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. |
| <a name="output_fargate_profile_arns"></a> [fargate\_profile\_arns](#output\_fargate\_profile\_arns) | Outputs from node groups |
| <a name="output_kubectl_config"></a> [kubectl\_config](#output\_kubectl\_config) | kubectl config as generated by the module. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->


@@ -1,76 +1,16 @@
terraform {
required_version = ">= 0.12.6"
}
provider "aws" {
region = var.region
}
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {
}
locals {
cluster_name = "test-eks-${random_string.suffix.result}"
}
resource "random_string" "suffix" {
length = 8
special = false
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2.47"
name = "test-vpc"
cidr = "172.16.0.0/16"
azs = data.aws_availability_zones.available.names
private_subnets = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
public_subnets = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"]
enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true
public_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
private_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/internal-elb" = "1"
}
region = local.region
}
module "eks" {
source = "../.."
source = "../.."
cluster_name = local.cluster_name
cluster_version = "1.20"
subnets = [module.vpc.private_subnets[0], module.vpc.public_subnets[1]]
fargate_subnets = [module.vpc.private_subnets[2]]
cluster_version = "1.21"
tags = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
vpc_id = module.vpc.vpc_id
vpc_id = local.vpc.vpc_id
subnets = [local.vpc.private_subnets[0], local.vpc.public_subnets[1]]
fargate_subnets = [local.vpc.private_subnets[2]]
fargate_profiles = {
default = {
@@ -84,25 +24,178 @@ module "eks" {
},
{
namespace = "default"
# Kubernetes labels for selection
# labels = {
# Environment = "test"
# GithubRepo = "terraform-aws-eks"
# GithubOrg = "terraform-aws-modules"
# }
labels = {
WorkerType = "fargate"
}
}
]
# using specific subnets instead of all the ones configured in eks
# subnets = ["subnet-0ca3e3d1234a56c78"]
tags = {
Owner = "default"
}
}
secondary = {
name = "secondary"
selectors = [
{
namespace = "default"
labels = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
}
]
# Using specific subnets instead of the ones configured in EKS (`subnets` and `fargate_subnets`)
subnets = [local.vpc.private_subnets[1]]
tags = {
Owner = "test"
Owner = "secondary"
}
}
}
map_roles = var.map_roles
map_users = var.map_users
map_accounts = var.map_accounts
manage_aws_auth = false
tags = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
}
##############################################
# Calling submodule with existing EKS cluster
##############################################
module "fargate_profile_existing_cluster" {
source = "../../modules/fargate"
cluster_name = module.barebone_eks.cluster_id
subnets = [local.vpc.private_subnets[0], local.vpc.private_subnets[1]]
fargate_profiles = {
profile1 = {
name = "profile1"
selectors = [
{
namespace = "kube-system"
labels = {
k8s-app = "kube-dns"
}
},
{
namespace = "profile"
labels = {
WorkerType = "fargate"
}
}
]
tags = {
Owner = "profile1"
}
}
profile2 = {
name = "profile2"
selectors = [
{
namespace = "default"
labels = {
Fargate = "profile2"
}
}
]
# Using specific subnets instead of the ones configured in EKS (`subnets` and `fargate_subnets`)
subnets = [local.vpc.private_subnets[1]]
tags = {
Owner = "profile2"
}
}
}
tags = {
DoYouLoveFargate = "Yes"
}
}
#############
# Kubernetes
#############
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
}
############################################################
# Barebone EKS Cluster where submodules can add extra stuff
############################################################
module "barebone_eks" {
source = "../.."
cluster_name = "barebone-${local.cluster_name}"
cluster_version = "1.21"
vpc_id = local.vpc.vpc_id
subnets = local.vpc.private_subnets
tags = {
Environment = "test"
Barebone = "yes_please"
}
}
#############
# Kubernetes
#############
data "aws_eks_cluster" "barebone" {
name = module.barebone_eks.cluster_id
}
data "aws_eks_cluster_auth" "barebone" {
name = module.barebone_eks.cluster_id
}
provider "kubernetes" {
alias = "barebone"
host = data.aws_eks_cluster.barebone.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.barebone.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.barebone.token
}
################################################################################
# Supporting resources (managed in "_bootstrap" directory)
################################################################################
data "terraform_remote_state" "bootstrap" {
backend = "local"
config = {
path = "../_bootstrap/terraform.tfstate"
}
}
locals {
region = data.terraform_remote_state.bootstrap.outputs.region
cluster_name = data.terraform_remote_state.bootstrap.outputs.cluster_name
vpc = data.terraform_remote_state.bootstrap.outputs.vpc
}


@@ -18,11 +18,6 @@ output "config_map_aws_auth" {
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}
output "fargate_profile_arns" {
description = "Outputs from node groups"
value = module.eks.fargate_profile_arns


@@ -1,52 +0,0 @@
variable "region" {
default = "us-west-2"
}
variable "map_accounts" {
description = "Additional AWS account numbers to add to the aws-auth configmap."
type = list(string)
default = [
"777777777777",
"888888888888",
]
}
variable "map_roles" {
description = "Additional IAM roles to add to the aws-auth configmap."
type = list(object({
rolearn = string
username = string
groups = list(string)
}))
default = [
{
rolearn = "arn:aws:iam::66666666666:role/role1"
username = "role1"
groups = ["system:masters"]
},
]
}
variable "map_users" {
description = "Additional IAM users to add to the aws-auth configmap."
type = list(object({
userarn = string
username = string
groups = list(string)
}))
default = [
{
userarn = "arn:aws:iam::66666666666:user/user1"
username = "user1"
groups = ["system:masters"]
},
{
userarn = "arn:aws:iam::66666666666:user/user2"
username = "user2"
groups = ["system:masters"]
},
]
}


@@ -5,6 +5,6 @@ terraform {
aws = ">= 3.22.0"
local = ">= 1.4"
random = ">= 2.1"
kubernetes = "~> 1.11"
kubernetes = ">= 1.11"
}
}


@@ -1,7 +1,7 @@
# Based on the official aws-node-termination-handler setup guide at https://github.com/aws/aws-node-termination-handler#infrastructure-setup
provider "aws" {
region = var.region
region = local.region
}
data "aws_caller_identity" "current" {}
@@ -16,15 +16,14 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
provider "helm" {
kubernetes {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
}
}
@@ -34,6 +33,7 @@ data "aws_availability_zones" "available" {
locals {
cluster_name = "test-refresh-${random_string.suffix.result}"
region = "eu-west-1"
}
resource "random_string" "suffix" {
@@ -102,7 +102,7 @@ data "aws_iam_policy_document" "aws_node_termination_handler_events" {
"sqs:SendMessage",
]
resources = [
"arn:aws:sqs:${var.region}:${data.aws_caller_identity.current.account_id}:${local.cluster_name}",
"arn:aws:sqs:${local.region}:${data.aws_caller_identity.current.account_id}:${local.cluster_name}",
]
}
}
@@ -184,7 +184,7 @@ resource "helm_release" "aws_node_termination_handler" {
set {
name = "awsRegion"
value = var.region
value = local.region
}
set {
name = "serviceAccount.name"
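Review bot: Dropping `load_config_file = false` from the kubernetes provider block (second hunk of this file) is only safe if the example pins the kubernetes provider to 2.x, where that attribute no longer exists; the versions.tf hunks visible in this commit relax the constraint to `kubernetes = ">= 1.11"`, which still admits 1.x, where `load_config_file` defaults to true and the provider also reads the operator's local kubeconfig alongside the explicit `host`/`token`/`cluster_ca_certificate`. Either keep the attribute or tighten the examples' constraint to `kubernetes = ">= 2.0"` so the provider block and the version range agree. The same removal appears in the provider hunks of the later example main.tf sections (the ones beginning `@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster"`) and is not repeated there. Separately, `region = "eu-west-1"` in `locals` is now duplicated by `awsRegion: eu-west-1` in the chart values file while the `set { name = "awsRegion" value = local.region }` block already overrides it, so the values-file entry is dead and can drift; consider removing it and adding `# region is passed to the chart via the awsRegion set block below` next to the local.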


@@ -18,11 +18,6 @@ output "config_map_aws_auth" {
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}
output "sqs_queue_asg_notification_arn" {
description = "SQS queue ASG notification ARN"
value = module.aws_node_termination_handler_sqs.sqs_queue_arn


@@ -1,18 +1,17 @@
variable "region" {
default = "us-west-2"
}
variable "aws_node_termination_handler_chart_version" {
description = "Version of the aws-node-termination-handler Helm chart to install."
type = string
default = "0.15.0"
}
variable "namespace" {
description = "Namespace for the aws-node-termination-handler."
type = string
default = "kube-system"
}
variable "serviceaccount" {
description = "Serviceaccount for the aws-node-termination-handler."
type = string
default = "aws-node-termination-handler"
}


@@ -1,4 +1,4 @@
awsRegion: us-west-2
awsRegion: eu-west-1
rbac:
create: true


@@ -1,6 +1,7 @@
module "iam_assumable_role_admin" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "3.6.0"
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "3.6.0"
create_role = true
role_name = "cluster-autoscaler"
provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")


@@ -1,5 +1,5 @@
provider "aws" {
region = var.region
region = "eu-west-1"
}
data "aws_eks_cluster" "cluster" {
@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {}


@@ -1,3 +1,4 @@
output "aws_account_id" {
value = data.aws_caller_identity.current.account_id
description = "IAM AWS account id"
value = data.aws_caller_identity.current.account_id
}


@@ -1,3 +0,0 @@
variable "region" {
default = "us-west-2"
}


@@ -1,5 +1,5 @@
provider "aws" {
region = var.region
region = "eu-west-1"
}
data "aws_eks_cluster" "cluster" {
@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {


@@ -17,9 +17,3 @@ output "config_map_aws_auth" {
description = "A kubernetes configuration to authenticate to this EKS cluster."
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}


@@ -1,4 +0,0 @@
variable "region" {
default = "us-west-2"
}


@@ -4,74 +4,74 @@ resource "aws_iam_service_linked_role" "autoscaling" {
description = "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling"
}
data "aws_caller_identity" "current" {}
# This policy is required for the KMS key used for EKS root volumes, so the cluster is allowed to enc/dec/attach encrypted EBS volumes
data "aws_iam_policy_document" "ebs_decryption" {
# Copy of default KMS policy that lets you manage it
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = [
"kms:*"
]
resources = ["*"]
}
# Required for EKS
statement {
sid = "Allow service-linked role use of the CMK"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes
module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = ["*"]
}
statement {
sid = "Allow attachment of persistent resources"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes
module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
]
}
actions = [
"kms:CreateGrant"
]
resources = ["*"]
condition {
test = "Bool"
variable = "kms:GrantIsForAWSResource"
values = ["true"]
}
}
}
#data "aws_caller_identity" "current" {}
#
## This policy is required for the KMS key used for EKS root volumes, so the cluster is allowed to enc/dec/attach encrypted EBS volumes
#data "aws_iam_policy_document" "ebs_decryption" {
# # Copy of default KMS policy that lets you manage it
# statement {
# sid = "Enable IAM User Permissions"
# effect = "Allow"
#
# principals {
# type = "AWS"
# identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
# }
#
# actions = [
# "kms:*"
# ]
#
# resources = ["*"]
# }
#
# # Required for EKS
# statement {
# sid = "Allow service-linked role use of the CMK"
# effect = "Allow"
#
# principals {
# type = "AWS"
# identifiers = [
# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes
# module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
# ]
# }
#
# actions = [
# "kms:Encrypt",
# "kms:Decrypt",
# "kms:ReEncrypt*",
# "kms:GenerateDataKey*",
# "kms:DescribeKey"
# ]
#
# resources = ["*"]
# }
#
# statement {
# sid = "Allow attachment of persistent resources"
# effect = "Allow"
#
# principals {
# type = "AWS"
# identifiers = [
# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", # required for the ASG to manage encrypted volumes for nodes
# module.eks.cluster_iam_role_arn, # required for the cluster / persistentvolume-controller to create encrypted PVCs
# ]
# }
#
# actions = [
# "kms:CreateGrant"
# ]
#
# resources = ["*"]
#
# condition {
# test = "Bool"
# variable = "kms:GrantIsForAWSResource"
# values = ["true"]
# }
#
# }
#}
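Review bot: The whole `ebs_decryption` policy document is kept as roughly seventy lines of commented-out HCL instead of being deleted; commented-out code is not formatted or validated, so it rots, and version control already preserves the original if it is wanted later. If the intent is to drop root-volume encryption from this example, delete the file and say so in the example README; if the intent is to keep it, leave the data source live, since it is the part of the example that shows the narrow `kms:Encrypt`/`kms:Decrypt`/`kms:CreateGrant` grant to `AWSServiceRoleForAutoScaling` and the cluster role that encrypted EBS volumes need. Any remaining reference to `data.aws_iam_policy_document.ebs_decryption` or `var.kms_key_arn` elsewhere in the example (the variable is removed in this commit's variables.tf hunk) would now fail at plan time — worth a `terraform validate` run on the example. The launch_template.tf hunk that comments out `data "template_file" "launch_template_userdata"` has the same issue and is not repeated there.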


@@ -1,15 +1,15 @@
data "template_file" "launch_template_userdata" {
template = file("${path.module}/templates/userdata.sh.tpl")
vars = {
cluster_name = local.cluster_name
endpoint = module.eks.cluster_endpoint
cluster_auth_base64 = module.eks.cluster_certificate_authority_data
bootstrap_extra_args = ""
kubelet_extra_args = ""
}
}
#data "template_file" "launch_template_userdata" {
# template = file("${path.module}/templates/userdata.sh.tpl")
#
# vars = {
# cluster_name = local.cluster_name
# endpoint = module.eks.cluster_endpoint
# cluster_auth_base64 = module.eks.cluster_certificate_authority_data
#
# bootstrap_extra_args = ""
# kubelet_extra_args = ""
# }
#}
# This is based on the LT that EKS would create if no custom one is specified (aws ec2 describe-launch-template-versions --launch-template-id xxx)
# there are several more options one could set but you probably dont need to modify them


@@ -1,5 +1,5 @@
provider "aws" {
region = var.region
region = "eu-west-1"
}
data "aws_eks_cluster" "cluster" {
@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {


@@ -17,9 +17,3 @@ output "config_map_aws_auth" {
description = "A kubernetes configuration to authenticate to this EKS cluster."
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}


@@ -1,15 +1,6 @@
variable "region" {
default = "eu-central-1"
}
variable "instance_type" {
description = "Instance type"
# Smallest recommended, where ~1.1Gb of 2Gb memory is available for the Kubernetes pods after warming up Docker, Kubelet, and OS
default = "t3.small"
type = string
}
variable "kms_key_arn" {
default = ""
description = "KMS key ARN to use if you want to encrypt EKS node root volumes"
type = string
default = "t3.small"
}
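Review bot: The rationale comment for the `t3.small` default is dropped while the default itself is kept; the sizing note is the only thing telling a reader why the example does not use a smaller type. Restore it above the `default` line as `# Smallest recommended, where ~1.1Gb of 2Gb memory is available for the Kubernetes pods after warming up Docker, Kubelet, and OS`. Removing `variable "kms_key_arn"` is fine only if no remaining file in this example still reads `var.kms_key_arn`; that cannot be confirmed from this section alone.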


@@ -1,5 +1,5 @@
provider "aws" {
region = var.region
region = "eu-west-1"
}
data "aws_eks_cluster" "cluster" {
@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {


@@ -18,11 +18,6 @@ output "config_map_aws_auth" {
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}
output "node_groups" {
description = "Outputs from node groups"
value = module.eks.node_groups


@@ -1,7 +1,3 @@
variable "region" {
default = "us-west-2"
}
variable "map_accounts" {
description = "Additional AWS account numbers to add to the aws-auth configmap."
type = list(string)


@@ -1,5 +1,5 @@
provider "aws" {
region = var.region
region = "eu-west-1"
}
data "aws_eks_cluster" "cluster" {
@@ -12,9 +12,8 @@ data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {


@@ -17,8 +17,3 @@ output "config_map_aws_auth" {
description = "A kubernetes configuration to authenticate to this EKS cluster."
value = module.eks.config_map_aws_auth
}
output "region" {
description = "AWS region."
value = var.region
}


@@ -1,7 +1,3 @@
variable "region" {
default = "us-west-2"
}
variable "map_accounts" {
description = "Additional AWS account numbers to add to the aws-auth configmap."
type = list(string)


@@ -5,6 +5,6 @@ terraform {
aws = ">= 3.22.0"
local = ">= 1.4"
random = ">= 2.1"
kubernetes = "~> 1.11"
kubernetes = ">= 1.11"
}
}


@@ -1,61 +0,0 @@
provider "aws" {
region = var.region
}
data "aws_eks_cluster" "cluster" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.cluster.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
token = data.aws_eks_cluster_auth.cluster.token
load_config_file = false
}
data "aws_availability_zones" "available" {
}
locals {
cluster_name = "test-eks-spot-${random_string.suffix.result}"
}
resource "random_string" "suffix" {
length = 8
special = false
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2.47"
name = "test-vpc-spot"
cidr = "10.0.0.0/16"
azs = data.aws_availability_zones.available.names
public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
enable_dns_hostnames = true
}
module "eks" {
source = "../.."
cluster_name = local.cluster_name
cluster_version = "1.20"
subnets = module.vpc.public_subnets
vpc_id = module.vpc.vpc_id
worker_groups_launch_template = [
{
name = "spot-1"
override_instance_types = ["m5.large", "m5a.large", "m5d.large", "m5ad.large"]
spot_instance_pools = 4
asg_max_size = 5
asg_desired_capacity = 5
kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
public_ip = true
},
]
}


@@ -1,4 +0,0 @@
variable "region" {
default = "us-west-2"
}