feat!: Replace the use of aws-auth configmap with EKS cluster access entry (#2858)

* feat: Replace `resolve_conflicts` with `resolve_conflicts_on_create`/`delete`; raise MSV of AWS provider to `v5.0` to support * fix: Replace dynamic DNS suffix for `sts:AssumeRole` API calls for static suffix * feat: Add module tag * feat: Align Karpenter permissions with Karpenter v1beta1/v0.32 permissions from upstream * refactor: Move `aws-auth` ConfigMap functionality to its own sub-module * chore: Update examples * feat: Add state `moved` block for Karpenter Pod Identity role re-name * fix: Correct variable `create` description * feat: Add support for cluster access entries * chore: Bump MSV of Terraform to `1.3` * fix: Replace defunct kubectl provider with an updated forked equivalent * chore: Update and validate examples for access entry; clean up provider usage * docs: Correct double redundant variable descriptions * feat: Add support for Cloudwatch log group class argument * fix: Update usage tag placement, fix Karpenter event spelling, add upcoming changes section to upgrade guide * feat: Update Karpenter module to generalize naming used and align policy with the upstream Karpenter policy * feat: Add native support for Windows based managed nodegroups similar to AL2 and Bottlerocket * feat: Update self-managed nodegroup module to use latest features of ASG * docs: Update and simplify docs * fix: Correct variable description for AMI types * fix: Update upgrade guide with changes; rename Karpenter controller resource names to support migrating for users * docs: Complete upgrade guide docs for migration and changes applied * Update examples/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update examples/outposts/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update modules/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> --------- Co-authored-by: Anton Babenko <anton@antonbabenko.com>
2026-03-17 23:13:46 +01:00 · 2024-02-02 09:36:25 -05:00
parent 2cb1fac31b
commit 6b40bdbb1d
71 changed files with 1809 additions and 2136 deletions
--- a/examples/outposts/main.tf
+++ b/examples/outposts/main.tf
@@ -2,21 +2,9 @@ provider "aws" {
  region = var.region
 }

-provider "kubernetes" {
-  host                   = module.eks.cluster_endpoint
-  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-
-  exec {
-    api_version = "client.authentication.k8s.io/v1beta1"
-    command     = "aws"
-    #                           Note: `cluster_id` is used with Outposts for auth
-    args = ["eks", "get-token", "--cluster-id", module.eks.cluster_id, "--region", var.region]
-  }
-}
-
 locals {
  name            = "ex-${basename(path.cwd)}"
-  cluster_version = "1.27" # Required by EKS on Outposts
+  cluster_version = "1.29"

  outpost_arn   = element(tolist(data.aws_outposts_outposts.this.arns), 0)
  instance_type = element(tolist(data.aws_outposts_outpost_instance_types.this.instance_types), 0)
@@ -41,6 +29,10 @@ module "eks" {
  cluster_endpoint_public_access  = false # Not available on Outpost
  cluster_endpoint_private_access = true

+  # Gives Terraform identity admin access to cluster which will
+  # allow deploying resources (EBS storage class) into the cluster
+  enable_cluster_creator_admin_permissions = true
+
  vpc_id     = data.aws_vpc.this.id
  subnet_ids = data.aws_subnets.this.ids

@@ -49,9 +41,6 @@ module "eks" {
    outpost_arns                = [local.outpost_arn]
  }

-  # Local clusters will automatically add the node group IAM role to the aws-auth configmap
-  manage_aws_auth_configmap = true
-
  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    ingress_vpc_https = {