feat!: Add support for Outposts, remove node security group, add support for addon preserve and most_recent configurations (#2250)

Co-authored-by: Anton Babenko <anton@antonbabenko.com> Resolves undefined
2026-03-17 23:13:46 +01:00 · 2022-12-05 16:26:23 -05:00
parent efbe952632
commit b2e97ca3dc
66 changed files with 2749 additions and 1776 deletions
--- a/variables.tf
+++ b/variables.tf
@@ -59,13 +59,13 @@ variable "subnet_ids" {
 variable "cluster_endpoint_private_access" {
  description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
  type        = bool
-  default     = false
+  default     = true
 }

 variable "cluster_endpoint_public_access" {
  description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled"
  type        = bool
-  default     = true
+  default     = false
 }

 variable "cluster_endpoint_public_access_cidrs" {
@@ -86,10 +86,24 @@ variable "cluster_service_ipv4_cidr" {
  default     = null
 }

+variable "cluster_service_ipv6_cidr" {
+  description = "The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster"
+  type        = string
+  default     = null
+}
+
+variable "outpost_config" {
+  description = "Configuration for the AWS Outpost to provision the cluster on"
+  type        = any
+  default     = {}
+}
+
 variable "cluster_encryption_config" {
  description = "Configuration block with encryption configuration for the cluster"
-  type        = list(any)
-  default     = []
+  type        = any
+  default = {
+    resources = ["secrets"]
+  }
 }

 variable "attach_cluster_encryption_policy" {
@@ -123,7 +137,7 @@ variable "cluster_timeouts" {
 variable "create_kms_key" {
  description = "Controls if a KMS key for cluster encryption should be created"
  type        = bool
-  default     = false
+  default     = true
 }

 variable "kms_key_description" {
@@ -219,19 +233,19 @@ variable "cloudwatch_log_group_kms_key_id" {
 ################################################################################

 variable "create_cluster_security_group" {
-  description = "Determines if a security group is created for the cluster or use the existing `cluster_security_group_id`"
+  description = "Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default"
  type        = bool
  default     = true
 }

 variable "cluster_security_group_id" {
-  description = "Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false`"
+  description = "Existing security group ID to be attached to the cluster"
  type        = string
  default     = ""
 }

 variable "vpc_id" {
-  description = "ID of the VPC where the cluster and its nodes will be provisioned"
+  description = "ID of the VPC where the cluster security group will be provisioned"
  type        = string
  default     = null
 }
@@ -316,26 +330,18 @@ variable "node_security_group_additional_rules" {
  default     = {}
 }

+variable "node_security_group_enable_recommended_rules" {
+  description = "Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic"
+  type        = bool
+  default     = true
+}
+
 variable "node_security_group_tags" {
  description = "A map of additional tags to add to the node security group created"
  type        = map(string)
  default     = {}
 }

-# TODO - at next breaking change, make 169.254.169.123/32 the default
-variable "node_security_group_ntp_ipv4_cidr_block" {
-  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"169.254.169.123/32\"]`"
-  type        = list(string)
-  default     = ["0.0.0.0/0"]
-}
-
-# TODO - at next breaking change, make fd00:ec2::123/128 the default
-variable "node_security_group_ntp_ipv6_cidr_block" {
-  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"fd00:ec2::123/128\"]`"
-  type        = list(string)
-  default     = ["::/0"]
-}
-
 ################################################################################
 # IRSA
 ################################################################################
@@ -406,8 +412,8 @@ variable "iam_role_permissions_boundary" {

 variable "iam_role_additional_policies" {
  description = "Additional policies to be added to the IAM role"
-  type        = list(string)
-  default     = []
+  type        = map(string)
+  default     = {}
 }

 # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
@@ -464,6 +470,12 @@ variable "cluster_addons" {
  default     = {}
 }

+variable "cluster_addons_timeouts" {
+  description = "Create, update, and delete timeout configurations for the cluster addons"
+  type        = map(string)
+  default     = {}
+}
+
 ################################################################################
 # EKS Identity Provider
 ################################################################################