feat!: Replace the use of aws-auth configmap with EKS cluster access entry (#2858)

* feat: Replace `resolve_conflicts` with `resolve_conflicts_on_create`/`delete`; raise MSV of AWS provider to `v5.0` to support * fix: Replace dynamic DNS suffix for `sts:AssumeRole` API calls for static suffix * feat: Add module tag * feat: Align Karpenter permissions with Karpenter v1beta1/v0.32 permissions from upstream * refactor: Move `aws-auth` ConfigMap functionality to its own sub-module * chore: Update examples * feat: Add state `moved` block for Karpenter Pod Identity role re-name * fix: Correct variable `create` description * feat: Add support for cluster access entries * chore: Bump MSV of Terraform to `1.3` * fix: Replace defunct kubectl provider with an updated forked equivalent * chore: Update and validate examples for access entry; clean up provider usage * docs: Correct double redundant variable descriptions * feat: Add support for Cloudwatch log group class argument * fix: Update usage tag placement, fix Karpenter event spelling, add upcoming changes section to upgrade guide * feat: Update Karpenter module to generalize naming used and align policy with the upstream Karpenter policy * feat: Add native support for Windows based managed nodegroups similar to AL2 and Bottlerocket * feat: Update self-managed nodegroup module to use latest features of ASG * docs: Update and simplify docs * fix: Correct variable description for AMI types * fix: Update upgrade guide with changes; rename Karpenter controller resource names to support migrating for users * docs: Complete upgrade guide docs for migration and changes applied * Update examples/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update examples/outposts/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update modules/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> --------- Co-authored-by: Anton Babenko <anton@antonbabenko.com>
2026-05-02 05:14:32 +02:00 · 2024-02-02 09:36:25 -05:00
parent 2cb1fac31b
commit 6b40bdbb1d
71 changed files with 1809 additions and 2136 deletions
--- a/modules/self-managed-node-group/main.tf
+++ b/modules/self-managed-node-group/main.tf
@@ -438,6 +438,15 @@ resource "aws_autoscaling_group" "this" {
    }
  }

+  dynamic "instance_maintenance_policy" {
+    for_each = length(var.instance_maintenance_policy) > 0 ? [var.instance_maintenance_policy] : []
+
+    content {
+      min_healthy_percentage = instance_maintenance_policy.value.min_healthy_percentage
+      max_healthy_percentage = instance_maintenance_policy.value.max_healthy_percentage
+    }
+  }
+
  dynamic "instance_refresh" {
    for_each = length(var.instance_refresh) > 0 ? [var.instance_refresh] : []

@@ -446,11 +455,14 @@ resource "aws_autoscaling_group" "this" {
        for_each = try([instance_refresh.value.preferences], [])

        content {
-          checkpoint_delay       = try(preferences.value.checkpoint_delay, null)
-          checkpoint_percentages = try(preferences.value.checkpoint_percentages, null)
-          instance_warmup        = try(preferences.value.instance_warmup, null)
-          min_healthy_percentage = try(preferences.value.min_healthy_percentage, null)
-          skip_matching          = try(preferences.value.skip_matching, null)
+          checkpoint_delay             = try(preferences.value.checkpoint_delay, null)
+          checkpoint_percentages       = try(preferences.value.checkpoint_percentages, null)
+          instance_warmup              = try(preferences.value.instance_warmup, null)
+          max_healthy_percentage       = try(preferences.value.max_healthy_percentage, null)
+          min_healthy_percentage       = try(preferences.value.min_healthy_percentage, null)
+          scale_in_protected_instances = try(preferences.value.scale_in_protected_instances, null)
+          skip_matching                = try(preferences.value.skip_matching, null)
+          standby_instances            = try(preferences.value.standby_instances, null)
        }
      }

@@ -686,28 +698,6 @@ resource "aws_autoscaling_group" "this" {
  }
 }

-################################################################################
-# Autoscaling group schedule
-################################################################################
-
-resource "aws_autoscaling_schedule" "this" {
-  for_each = { for k, v in var.schedules : k => v if var.create && var.create_schedule }
-
-  scheduled_action_name  = each.key
-  autoscaling_group_name = aws_autoscaling_group.this[0].name
-
-  min_size         = try(each.value.min_size, null)
-  max_size         = try(each.value.max_size, null)
-  desired_capacity = try(each.value.desired_size, null)
-  start_time       = try(each.value.start_time, null)
-  end_time         = try(each.value.end_time, null)
-  time_zone        = try(each.value.time_zone, null)
-
-  # [Minute] [Hour] [Day_of_Month] [Month_of_Year] [Day_of_Week]
-  # Cron examples: https://crontab.guru/examples.html
-  recurrence = try(each.value.recurrence, null)
-}
-
 ################################################################################
 # IAM Role
 ################################################################################
@@ -727,7 +717,7 @@ data "aws_iam_policy_document" "assume_role_policy" {

    principals {
      type        = "Service"
-      identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
+      identifiers = ["ec2.amazonaws.com"]
    }
  }
 }
@@ -780,3 +770,39 @@ resource "aws_iam_instance_profile" "this" {
    create_before_destroy = true
  }
 }
+
+################################################################################
+# Access Entry
+################################################################################
+
+resource "aws_eks_access_entry" "this" {
+  count = var.create && var.create_access_entry ? 1 : 0
+
+  cluster_name  = var.cluster_name
+  principal_arn = var.create_iam_instance_profile ? aws_iam_role.this[0].arn : var.iam_role_arn
+  type          = var.platform == "windows" ? "EC2_WINDOWS" : "EC2_LINUX"
+
+  tags = var.tags
+}
+
+################################################################################
+# Autoscaling group schedule
+################################################################################
+
+resource "aws_autoscaling_schedule" "this" {
+  for_each = { for k, v in var.schedules : k => v if var.create && var.create_schedule }
+
+  scheduled_action_name  = each.key
+  autoscaling_group_name = aws_autoscaling_group.this[0].name
+
+  min_size         = try(each.value.min_size, null)
+  max_size         = try(each.value.max_size, null)
+  desired_capacity = try(each.value.desired_size, null)
+  start_time       = try(each.value.start_time, null)
+  end_time         = try(each.value.end_time, null)
+  time_zone        = try(each.value.time_zone, null)
+
+  # [Minute] [Hour] [Day_of_Month] [Month_of_Year] [Day_of_Week]
+  # Cron examples: https://crontab.guru/examples.html
+  recurrence = try(each.value.recurrence, null)
+}