mirror of
https://github.com/ysoftdevs/terraform-aws-eks.git
synced 2026-03-17 23:13:46 +01:00
feat!: Replace the use of aws-auth configmap with EKS cluster access entry (#2858)
* feat: Replace `resolve_conflicts` with `resolve_conflicts_on_create`/`delete`; raise MSV of AWS provider to `v5.0` to support * fix: Replace dynamic DNS suffix for `sts:AssumeRole` API calls for static suffix * feat: Add module tag * feat: Align Karpenter permissions with Karpenter v1beta1/v0.32 permissions from upstream * refactor: Move `aws-auth` ConfigMap functionality to its own sub-module * chore: Update examples * feat: Add state `moved` block for Karpenter Pod Identity role re-name * fix: Correct variable `create` description * feat: Add support for cluster access entries * chore: Bump MSV of Terraform to `1.3` * fix: Replace defunct kubectl provider with an updated forked equivalent * chore: Update and validate examples for access entry; clean up provider usage * docs: Correct double redundant variable descriptions * feat: Add support for Cloudwatch log group class argument * fix: Update usage tag placement, fix Karpenter event spelling, add upcoming changes section to upgrade guide * feat: Update Karpenter module to generalize naming used and align policy with the upstream Karpenter policy * feat: Add native support for Windows based managed nodegroups similar to AL2 and Bottlerocket * feat: Update self-managed nodegroup module to use latest features of ASG * docs: Update and simplify docs * fix: Correct variable description for AMI types * fix: Update upgrade guide with changes; rename Karpenter controller resource names to support migrating for users * docs: Complete upgrade guide docs for migration and changes applied * Update examples/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update examples/outposts/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> * Update modules/karpenter/README.md Co-authored-by: Anton Babenko <anton@antonbabenko.com> --------- Co-authored-by: Anton Babenko <anton@antonbabenko.com>
This commit is contained in:
Bryant Biggs
96
variables.tf
96
variables.tf
@@ -1,5 +1,5 @@
|
||||
variable "create" {
|
||||
description = "Controls if EKS resources should be created (affects nearly all resources)"
|
||||
description = "Controls if resources should be created (affects nearly all resources)"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
@@ -38,6 +38,12 @@ variable "cluster_enabled_log_types" {
|
||||
default = ["audit", "api", "authenticator"]
|
||||
}
|
||||
|
||||
variable "authentication_mode" {
|
||||
description = "The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"
|
||||
type = string
|
||||
default = "API_AND_CONFIG_MAP"
|
||||
}
|
||||
|
||||
variable "cluster_additional_security_group_ids" {
|
||||
description = "List of additional, externally created security group IDs to attach to the cluster control plane"
|
||||
type = list(string)
|
||||
@@ -130,6 +136,22 @@ variable "cluster_timeouts" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Access Entry
|
||||
################################################################################
|
||||
|
||||
variable "access_entries" {
|
||||
description = "Map of access entries to add to the cluster"
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "enable_cluster_creator_admin_permissions" {
|
||||
description = "Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# KMS Key
|
||||
################################################################################
|
||||
@@ -153,15 +175,15 @@ variable "kms_key_deletion_window_in_days" {
|
||||
}
|
||||
|
||||
variable "enable_kms_key_rotation" {
|
||||
description = "Specifies whether key rotation is enabled. Defaults to `true`"
|
||||
description = "Specifies whether key rotation is enabled"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "kms_key_enable_default_policy" {
|
||||
description = "Specifies whether to enable the default key policy. Defaults to `false`"
|
||||
description = "Specifies whether to enable the default key policy"
|
||||
type = bool
|
||||
default = false
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "kms_key_owners" {
|
||||
@@ -228,6 +250,12 @@ variable "cloudwatch_log_group_kms_key_id" {
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "cloudwatch_log_group_class" {
|
||||
description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "cloudwatch_log_group_tags" {
|
||||
description = "A map of additional tags to add to the cloudwatch log group created"
|
||||
type = map(string)
|
||||
@@ -428,14 +456,6 @@ variable "iam_role_additional_policies" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
# TODO - hopefully this can be removed once the AWS endpoint is named properly in China
|
||||
# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
|
||||
variable "cluster_iam_role_dns_suffix" {
|
||||
description = "Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam_role_tags" {
|
||||
description = "A map of additional tags to add to the IAM role created"
|
||||
type = map(string)
|
||||
@@ -557,55 +577,3 @@ variable "putin_khuylo" {
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# aws-auth configmap
|
||||
################################################################################
|
||||
|
||||
variable "manage_aws_auth_configmap" {
|
||||
description = "Determines whether to manage the aws-auth configmap"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "create_aws_auth_configmap" {
|
||||
description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "aws_auth_node_iam_role_arns_non_windows" {
|
||||
description = "List of non-Windows based node IAM role ARNs to add to the aws-auth configmap"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "aws_auth_node_iam_role_arns_windows" {
|
||||
description = "List of Windows based node IAM role ARNs to add to the aws-auth configmap"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "aws_auth_fargate_profile_pod_execution_role_arns" {
|
||||
description = "List of Fargate profile pod execution role ARNs to add to the aws-auth configmap"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "aws_auth_roles" {
|
||||
description = "List of role maps to add to the aws-auth configmap"
|
||||
type = list(any)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "aws_auth_users" {
|
||||
description = "List of user maps to add to the aws-auth configmap"
|
||||
type = list(any)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "aws_auth_accounts" {
|
||||
description = "List of account maps to add to the aws-auth configmap"
|
||||
type = list(any)
|
||||
default = []
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user