github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-05-01 04:44:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat!: Removed support for launch configuration and replace count with for_each (#1680)

Browse Source
This commit is contained in:
Bryant Biggs
2022-01-05 06:01:31 -06:00
committed by GitHub
parent d569aa3554
commit ee9f0c646a
138 changed files with 9118 additions and 6991 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
modules/eks-managed-node-group/README.md Normal file
View File

@@ -0,0 +1,175 @@
# EKS Managed Node Group Module
Configuration in this directory creates an EKS Managed Node Group along with an IAM role, security group, and launch template
## Usage
```hcl
module "eks_managed_node_group" {
source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
name = "separate-eks-mng"
cluster_name = "my-cluster"
cluster_version = "1.21"
vpc_id = "vpc-1234556abcdef"
subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
min_size = 1
max_size = 10
desired_size = 1
instance_types = ["t3.large"]
capacity_type = "SPOT"
labels = {
Environment = "test"
GithubRepo = "terraform-aws-eks"
GithubOrg = "terraform-aws-modules"
}
taints = {
dedicated = {
key = "dedicated"
value = "gpuGroup"
effect = "NO_SCHEDULE"
}
}
tags = {
Environment = "dev"
Terraform = "true"
}
}
```
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64 |
| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_user_data"></a> [user\_data](#module\_user\_data) | ../_user_data | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_eks_node_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | The AMI from which to launch the instance. If not supplied, EKS will use its own default image | `string` | `""` | no |
| <a name="input_ami_release_version"></a> [ami\_release\_version](#input\_ami\_release\_version) | AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version | `string` | `null` | no |
| <a name="input_ami_type"></a> [ami\_type](#input\_ami\_type) | Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are `AL2_x86_64`, `AL2_x86_64_GPU`, `AL2_ARM_64`, `CUSTOM`, `BOTTLEROCKET_ARM_64`, `BOTTLEROCKET_x86_64` | `string` | `null` | no |
| <a name="input_block_device_mappings"></a> [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI | `any` | `{}` | no |
| <a name="input_bootstrap_extra_args"></a> [bootstrap\_extra\_args](#input\_bootstrap\_extra\_args) | Additional arguments passed to the bootstrap script. When `platform` = `bottlerocket`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data | `string` | `""` | no |
| <a name="input_capacity_reservation_specification"></a> [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | `any` | `null` | no |
| <a name="input_capacity_type"></a> [capacity\_type](#input\_capacity\_type) | Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT` | `string` | `"ON_DEMAND"` | no |
| <a name="input_cluster_auth_base64"></a> [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
| <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no |
| <a name="input_cluster_security_group_id"></a> [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Cluster control plane security group ID | `string` | `null` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version. Defaults to EKS Cluster Kubernetes version | `string` | `null` | no |
| <a name="input_cpu_options"></a> [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | `map(string)` | `null` | no |
| <a name="input_create"></a> [create](#input\_create) | Determines whether to create EKS managed node group or not | `bool` | `true` | no |
| <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
| <a name="input_create_launch_template"></a> [create\_launch\_template](#input\_create\_launch\_template) | Determines whether to create a launch template or not. If set to `false`, EKS will use its own default launch template | `bool` | `true` | no |
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines whether to create a security group | `bool` | `true` | no |
| <a name="input_credit_specification"></a> [credit\_specification](#input\_credit\_specification) | Customize the credit specification of the instance | `map(string)` | `null` | no |
| <a name="input_desired_size"></a> [desired\_size](#input\_desired\_size) | Desired number of instances/nodes | `number` | `1` | no |
| <a name="input_disable_api_termination"></a> [disable\_api\_termination](#input\_disable\_api\_termination) | If true, enables EC2 instance termination protection | `bool` | `null` | no |
| <a name="input_disk_size"></a> [disk\_size](#input\_disk\_size) | Disk size in GiB for nodes. Defaults to `20` | `number` | `null` | no |
| <a name="input_ebs_optimized"></a> [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance(s) will be EBS-optimized | `bool` | `null` | no |
| <a name="input_elastic_gpu_specifications"></a> [elastic\_gpu\_specifications](#input\_elastic\_gpu\_specifications) | The elastic GPU to attach to the instance | `map(string)` | `null` | no |
| <a name="input_elastic_inference_accelerator"></a> [elastic\_inference\_accelerator](#input\_elastic\_inference\_accelerator) | Configuration block containing an Elastic Inference Accelerator to attach to the instance | `map(string)` | `null` | no |
| <a name="input_enable_bootstrap_user_data"></a> [enable\_bootstrap\_user\_data](#input\_enable\_bootstrap\_user\_data) | Determines whether the bootstrap configurations are populated within the user data template | `bool` | `false` | no |
| <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Enables/disables detailed monitoring | `bool` | `true` | no |
| <a name="input_enclave_options"></a> [enclave\_options](#input\_enclave\_options) | Enable Nitro Enclaves on launched instances | `map(string)` | `null` | no |
| <a name="input_force_update_version"></a> [force\_update\_version](#input\_force\_update\_version) | Force version update if existing pods are unable to be drained due to a pod disruption budget issue | `bool` | `null` | no |
| <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the node group. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `string` | `true` | no |
| <a name="input_instance_market_options"></a> [instance\_market\_options](#input\_instance\_market\_options) | The market (purchasing) option for the instance | `any` | `null` | no |
| <a name="input_instance_types"></a> [instance\_types](#input\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]` | `list(string)` | `null` | no |
| <a name="input_kernel_id"></a> [kernel\_id](#input\_kernel\_id) | The kernel ID | `string` | `null` | no |
| <a name="input_key_name"></a> [key\_name](#input\_key\_name) | The key name that should be used for the instance(s) | `string` | `null` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed | `map(string)` | `null` | no |
| <a name="input_launch_template_default_version"></a> [launch\_template\_default\_version](#input\_launch\_template\_default\_version) | Default version of the launch template | `string` | `null` | no |
| <a name="input_launch_template_description"></a> [launch\_template\_description](#input\_launch\_template\_description) | Description of the launch template | `string` | `null` | no |
| <a name="input_launch_template_name"></a> [launch\_template\_name](#input\_launch\_template\_name) | Launch template name - either to be created (`var.create_launch_template` = `true`) or existing (`var.create_launch_template` = `false`) | `string` | `""` | no |
| <a name="input_launch_template_use_name_prefix"></a> [launch\_template\_use\_name\_prefix](#input\_launch\_template\_use\_name\_prefix) | Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix | `bool` | `true` | no |
| <a name="input_launch_template_version"></a> [launch\_template\_version](#input\_launch\_template\_version) | Launch template version number. The default is `$Default` | `string` | `null` | no |
| <a name="input_license_specifications"></a> [license\_specifications](#input\_license\_specifications) | A list of license specifications to associate with | `map(string)` | `null` | no |
| <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maximum number of instances/nodes | `number` | `3` | no |
| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | `map(string)` | <pre>{<br> "http_endpoint": "enabled",<br> "http_put_response_hop_limit": 2,<br> "http_tokens": "required"<br>}</pre> | no |
| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum number of instances/nodes | `number` | `0` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of the EKS managed node group | `string` | `""` | no |
| <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | `list(any)` | `[]` | no |
| <a name="input_placement"></a> [placement](#input\_placement) | The placement of the instance | `map(string)` | `null` | no |
| <a name="input_platform"></a> [platform](#input\_platform) | Identifies if the OS platform is `bottlerocket` or `linux` based; `windows` is not supported | `string` | `"linux"` | no |
| <a name="input_post_bootstrap_user_data"></a> [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
| <a name="input_pre_bootstrap_user_data"></a> [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
| <a name="input_ram_disk_id"></a> [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
| <a name="input_remote_access"></a> [remote\_access](#input\_remote\_access) | Configuration block with remote access settings | `map(string)` | `{}` | no |
| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description for the security group created | `string` | `"EKS managed node group security group"` | no |
| <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | List of security group rules to add to the security group created | `any` | `{}` | no |
| <a name="input_security_group_tags"></a> [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `string` | `true` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME` | `list(string)` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_taints"></a> [taints](#input\_taints) | The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group | `any` | `{}` | no |
| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the node group | `map(string)` | `{}` | no |
| <a name="input_update_config"></a> [update\_config](#input\_update\_config) | Configuration block of settings for max unavailable resources during node group updates | `map(string)` | `{}` | no |
| <a name="input_update_launch_template_default_version"></a> [update\_launch\_template\_default\_version](#input\_update\_launch\_template\_default\_version) | Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version` | `bool` | `true` | no |
| <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix | `bool` | `true` | no |
| <a name="input_user_data_template_path"></a> [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `""` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where the security group/nodes will be provisioned | `string` | `null` | no |
| <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group IDs to associate | `list(string)` | `[]` | no |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| <a name="output_launch_template_arn"></a> [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
| <a name="output_launch_template_id"></a> [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
| <a name="output_launch_template_latest_version"></a> [launch\_template\_latest\_version](#output\_launch\_template\_latest\_version) | The latest version of the launch template |
| <a name="output_node_group_arn"></a> [node\_group\_arn](#output\_node\_group\_arn) | Amazon Resource Name (ARN) of the EKS Node Group |
| <a name="output_node_group_id"></a> [node\_group\_id](#output\_node\_group\_id) | EKS Cluster name and EKS Node Group name separated by a colon (`:`) |
| <a name="output_node_group_resources"></a> [node\_group\_resources](#output\_node\_group\_resources) | List of objects containing information about underlying resources |
| <a name="output_node_group_status"></a> [node\_group\_status](#output\_node\_group\_status) | Status of the EKS Node Group |
| <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

435
modules/eks-managed-node-group/main.tf Normal file
View File

@@ -0,0 +1,435 @@
data "aws_partition" "current" {}
################################################################################
# User Data
################################################################################
module "user_data" {
source = "../_user_data"
create = var.create
platform = var.platform
cluster_name = var.cluster_name
cluster_endpoint = var.cluster_endpoint
cluster_auth_base64 = var.cluster_auth_base64
cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
enable_bootstrap_user_data = var.enable_bootstrap_user_data
pre_bootstrap_user_data = var.pre_bootstrap_user_data
post_bootstrap_user_data = var.post_bootstrap_user_data
bootstrap_extra_args = var.bootstrap_extra_args
user_data_template_path = var.user_data_template_path
}
################################################################################
# Launch template
################################################################################
locals {
use_custom_launch_template = var.launch_template_name != ""
launch_template_name_int = coalesce(var.launch_template_name, "${var.name}-eks-node-group")
}
resource "aws_launch_template" "this" {
count = var.create && var.create_launch_template ? 1 : 0
name = var.launch_template_use_name_prefix ? null : local.launch_template_name_int
name_prefix = var.launch_template_use_name_prefix ? "${local.launch_template_name_int}-" : null
description = var.launch_template_description
ebs_optimized = var.ebs_optimized
image_id = var.ami_id
# # Set on node group instead
# instance_type = var.launch_template_instance_type
key_name = var.key_name
user_data = module.user_data.user_data
vpc_security_group_ids = compact(concat([try(aws_security_group.this[0].id, "")], var.vpc_security_group_ids))
default_version = var.launch_template_default_version
update_default_version = var.update_launch_template_default_version
disable_api_termination = var.disable_api_termination
# Set on EKS managed node group, will fail if set here
# https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
# instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
kernel_id = var.kernel_id
ram_disk_id = var.ram_disk_id
dynamic "block_device_mappings" {
for_each = var.block_device_mappings
content {
device_name = block_device_mappings.value.device_name
no_device = lookup(block_device_mappings.value, "no_device", null)
virtual_name = lookup(block_device_mappings.value, "virtual_name", null)
dynamic "ebs" {
for_each = flatten([lookup(block_device_mappings.value, "ebs", [])])
content {
delete_on_termination = lookup(ebs.value, "delete_on_termination", null)
encrypted = lookup(ebs.value, "encrypted", null)
kms_key_id = lookup(ebs.value, "kms_key_id", null)
iops = lookup(ebs.value, "iops", null)
throughput = lookup(ebs.value, "throughput", null)
snapshot_id = lookup(ebs.value, "snapshot_id", null)
volume_size = lookup(ebs.value, "volume_size", null)
volume_type = lookup(ebs.value, "volume_type", null)
}
}
}
}
dynamic "capacity_reservation_specification" {
for_each = var.capacity_reservation_specification != null ? [var.capacity_reservation_specification] : []
content {
capacity_reservation_preference = lookup(capacity_reservation_specification.value, "capacity_reservation_preference", null)
dynamic "capacity_reservation_target" {
for_each = lookup(capacity_reservation_specification.value, "capacity_reservation_target", [])
content {
capacity_reservation_id = lookup(capacity_reservation_target.value, "capacity_reservation_id", null)
}
}
}
}
dynamic "cpu_options" {
for_each = var.cpu_options != null ? [var.cpu_options] : []
content {
core_count = cpu_options.value.core_count
threads_per_core = cpu_options.value.threads_per_core
}
}
dynamic "credit_specification" {
for_each = var.credit_specification != null ? [var.credit_specification] : []
content {
cpu_credits = credit_specification.value.cpu_credits
}
}
dynamic "elastic_gpu_specifications" {
for_each = var.elastic_gpu_specifications != null ? [var.elastic_gpu_specifications] : []
content {
type = elastic_gpu_specifications.value.type
}
}
dynamic "elastic_inference_accelerator" {
for_each = var.elastic_inference_accelerator != null ? [var.elastic_inference_accelerator] : []
content {
type = elastic_inference_accelerator.value.type
}
}
dynamic "enclave_options" {
for_each = var.enclave_options != null ? [var.enclave_options] : []
content {
enabled = enclave_options.value.enabled
}
}
# Set on EKS managed node group, will fail if set here
# https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
# dynamic "hibernation_options" {
# for_each = var.hibernation_options != null ? [var.hibernation_options] : []
# content {
# configured = hibernation_options.value.configured
# }
# }
# Set on EKS managed node group, will fail if set here
# https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
# dynamic "iam_instance_profile" {
# for_each = [var.iam_instance_profile]
# content {
# name = lookup(var.iam_instance_profile, "name", null)
# arn = lookup(var.iam_instance_profile, "arn", null)
# }
# }
dynamic "instance_market_options" {
for_each = var.instance_market_options != null ? [var.instance_market_options] : []
content {
market_type = instance_market_options.value.market_type
dynamic "spot_options" {
for_each = lookup(instance_market_options.value, "spot_options", null) != null ? [instance_market_options.value.spot_options] : []
content {
block_duration_minutes = spot_options.value.block_duration_minutes
instance_interruption_behavior = lookup(spot_options.value, "instance_interruption_behavior", null)
max_price = lookup(spot_options.value, "max_price", null)
spot_instance_type = lookup(spot_options.value, "spot_instance_type", null)
valid_until = lookup(spot_options.value, "valid_until", null)
}
}
}
}
dynamic "license_specification" {
for_each = var.license_specifications != null ? [var.license_specifications] : []
content {
license_configuration_arn = license_specifications.value.license_configuration_arn
}
}
dynamic "metadata_options" {
for_each = var.metadata_options != null ? [var.metadata_options] : []
content {
http_endpoint = lookup(metadata_options.value, "http_endpoint", null)
http_tokens = lookup(metadata_options.value, "http_tokens", null)
http_put_response_hop_limit = lookup(metadata_options.value, "http_put_response_hop_limit", null)
http_protocol_ipv6 = lookup(metadata_options.value, "http_protocol_ipv6", null)
}
}
dynamic "monitoring" {
for_each = var.enable_monitoring != null ? [1] : []
content {
enabled = var.enable_monitoring
}
}
dynamic "network_interfaces" {
for_each = var.network_interfaces
content {
associate_carrier_ip_address = lookup(network_interfaces.value, "associate_carrier_ip_address", null)
associate_public_ip_address = lookup(network_interfaces.value, "associate_public_ip_address", null)
delete_on_termination = lookup(network_interfaces.value, "delete_on_termination", null)
description = lookup(network_interfaces.value, "description", null)
device_index = lookup(network_interfaces.value, "device_index", null)
ipv4_addresses = lookup(network_interfaces.value, "ipv4_addresses", null) != null ? network_interfaces.value.ipv4_addresses : []
ipv4_address_count = lookup(network_interfaces.value, "ipv4_address_count", null)
ipv6_addresses = lookup(network_interfaces.value, "ipv6_addresses", null) != null ? network_interfaces.value.ipv6_addresses : []
ipv6_address_count = lookup(network_interfaces.value, "ipv6_address_count", null)
network_interface_id = lookup(network_interfaces.value, "network_interface_id", null)
private_ip_address = lookup(network_interfaces.value, "private_ip_address", null)
security_groups = lookup(network_interfaces.value, "security_groups", null) != null ? network_interfaces.value.security_groups : []
# Set on EKS managed node group, will fail if set here
# https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
# subnet_id = lookup(network_interfaces.value, "subnet_id", null)
}
}
dynamic "placement" {
for_each = var.placement != null ? [var.placement] : []
content {
affinity = lookup(placement.value, "affinity", null)
availability_zone = lookup(placement.value, "availability_zone", null)
group_name = lookup(placement.value, "group_name", null)
host_id = lookup(placement.value, "host_id", null)
spread_domain = lookup(placement.value, "spread_domain", null)
tenancy = lookup(placement.value, "tenancy", null)
partition_number = lookup(placement.value, "partition_number", null)
}
}
dynamic "tag_specifications" {
for_each = toset(["instance", "volume", "network-interface"])
content {
resource_type = tag_specifications.key
tags = merge(var.tags, { Name = var.name })
}
}
lifecycle {
create_before_destroy = true
}
# Prevent premature access of security group roles and policies by pods that
# require permissions on create/destroy that depend on nodes
depends_on = [
aws_security_group_rule.this,
aws_iam_role_policy_attachment.this,
]
tags = var.tags
}
################################################################################
# Node Group
################################################################################
locals {
launch_template_name = try(aws_launch_template.this[0].name, var.launch_template_name, null)
# Change order to allow users to set version priority before using defaults
launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
}
resource "aws_eks_node_group" "this" {
count = var.create ? 1 : 0
# Required
cluster_name = var.cluster_name
node_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
subnet_ids = var.subnet_ids
scaling_config {
min_size = var.min_size
max_size = var.max_size
desired_size = var.desired_size
}
# Optional
node_group_name = var.use_name_prefix ? null : var.name
node_group_name_prefix = var.use_name_prefix ? "${var.name}-" : null
# https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami
ami_type = var.ami_id != "" ? null : var.ami_type
release_version = var.ami_id != "" ? null : var.ami_release_version
version = var.ami_id != "" ? null : var.cluster_version
capacity_type = var.capacity_type
disk_size = local.use_custom_launch_template ? null : var.disk_size # if using LT, set disk size on LT or else it will error here
force_update_version = var.force_update_version
instance_types = var.instance_types
labels = var.labels
dynamic "launch_template" {
for_each = local.use_custom_launch_template ? [1] : []
content {
name = local.launch_template_name
version = local.launch_template_version
}
}
dynamic "remote_access" {
for_each = var.remote_access
content {
ec2_ssh_key = lookup(remote_access.value, "ec2_ssh_key", null)
source_security_group_ids = lookup(remote_access.value, "source_security_group_ids", [])
}
}
dynamic "taint" {
for_each = var.taints
content {
key = taint.value.key
value = lookup(taint.value, "value")
effect = taint.value.effect
}
}
dynamic "update_config" {
for_each = length(var.update_config) > 0 ? [var.update_config] : []
content {
max_unavailable_percentage = try(update_config.value.max_unavailable_percentage, null)
max_unavailable = try(update_config.value.max_unavailable, null)
}
}
timeouts {
create = lookup(var.timeouts, "create", null)
update = lookup(var.timeouts, "update", null)
delete = lookup(var.timeouts, "delete", null)
}
lifecycle {
create_before_destroy = true
ignore_changes = [
scaling_config[0].desired_size,
]
}
tags = merge(
var.tags,
{ Name = var.name }
)
}
################################################################################
# Security Group
################################################################################
locals {
security_group_name = coalesce(var.security_group_name, "${var.name}-eks-node-group")
create_security_group = var.create && var.create_security_group
}
resource "aws_security_group" "this" {
count = local.create_security_group ? 1 : 0
name = var.security_group_use_name_prefix ? null : local.security_group_name
name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
description = var.security_group_description
vpc_id = var.vpc_id
tags = merge(
var.tags,
{ "Name" = local.security_group_name },
var.security_group_tags
)
}
resource "aws_security_group_rule" "this" {
for_each = { for k, v in var.security_group_rules : k => v if local.create_security_group }
# Required
security_group_id = aws_security_group.this[0].id
protocol = each.value.protocol
from_port = each.value.from_port
to_port = each.value.to_port
type = each.value.type
# Optional
description = try(each.value.description, null)
cidr_blocks = try(each.value.cidr_blocks, null)
ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
prefix_list_ids = try(each.value.prefix_list_ids, [])
self = try(each.value.self, null)
source_security_group_id = try(
each.value.source_security_group_id,
try(each.value.source_cluster_security_group, false) ? var.cluster_security_group_id : null
)
}
################################################################################
# IAM Role
################################################################################
locals {
iam_role_name = coalesce(var.iam_role_name, "${var.name}-eks-node-group")
policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
}
data "aws_iam_policy_document" "assume_role_policy" {
count = var.create && var.create_iam_role ? 1 : 0
statement {
sid = "EKSNodeAssumeRole"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
}
}
}
resource "aws_iam_role" "this" {
count = var.create && var.create_iam_role ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
path = var.iam_role_path
description = var.iam_role_description
assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
permissions_boundary = var.iam_role_permissions_boundary
force_detach_policies = true
tags = merge(var.tags, var.iam_role_tags)
}
# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
resource "aws_iam_role_policy_attachment" "this" {
for_each = var.create && var.create_iam_role ? toset(compact(distinct(concat([
"${local.policy_arn_prefix}/AmazonEKSWorkerNodePolicy",
"${local.policy_arn_prefix}/AmazonEC2ContainerRegistryReadOnly",
"${local.policy_arn_prefix}/AmazonEKS_CNI_Policy",
], var.iam_role_additional_policies)))) : toset([])
policy_arn = each.value
role = aws_iam_role.this[0].name
}

75
modules/eks-managed-node-group/outputs.tf Normal file
View File

@@ -0,0 +1,75 @@
################################################################################
# Launch template
################################################################################
output "launch_template_id" {
description = "The ID of the launch template"
value = try(aws_launch_template.this[0].id, "")
}
output "launch_template_arn" {
description = "The ARN of the launch template"
value = try(aws_launch_template.this[0].arn, "")
}
output "launch_template_latest_version" {
description = "The latest version of the launch template"
value = try(aws_launch_template.this[0].latest_version, "")
}
################################################################################
# Node Group
################################################################################
output "node_group_arn" {
description = "Amazon Resource Name (ARN) of the EKS Node Group"
value = try(aws_eks_node_group.this[0].arn, "")
}
output "node_group_id" {
description = "EKS Cluster name and EKS Node Group name separated by a colon (`:`)"
value = try(aws_eks_node_group.this[0].id, "")
}
output "node_group_resources" {
description = "List of objects containing information about underlying resources"
value = try(aws_eks_node_group.this[0].resources, "")
}
output "node_group_status" {
description = "Status of the EKS Node Group"
value = try(aws_eks_node_group.this[0].arn, "")
}
################################################################################
# Security Group
################################################################################
output "security_group_arn" {
description = "Amazon Resource Name (ARN) of the security group"
value = try(aws_security_group.this[0].arn, "")
}
output "security_group_id" {
description = "ID of the security group"
value = try(aws_security_group.this[0].id, "")
}
################################################################################
# IAM Role
################################################################################
output "iam_role_name" {
description = "The name of the IAM role"
value = try(aws_iam_role.this[0].name, "")
}
output "iam_role_arn" {
description = "The Amazon Resource Name (ARN) specifying the IAM role"
value = try(aws_iam_role.this[0].arn, "")
}
output "iam_role_unique_id" {
description = "Stable and unique string identifying the IAM role"
value = try(aws_iam_role.this[0].unique_id, "")
}

467
modules/eks-managed-node-group/variables.tf Normal file
View File

@@ -0,0 +1,467 @@
variable "create" {
description = "Determines whether to create EKS managed node group or not"
type = bool
default = true
}
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
default = {}
}
variable "platform" {
description = "Identifies if the OS platform is `bottlerocket` or `linux` based; `windows` is not supported"
type = string
default = "linux"
}
################################################################################
# User Data
################################################################################
variable "enable_bootstrap_user_data" {
description = "Determines whether the bootstrap configurations are populated within the user data template"
type = bool
default = false
}
variable "cluster_name" {
description = "Name of associated EKS cluster"
type = string
default = null
}
variable "cluster_endpoint" {
description = "Endpoint of associated EKS cluster"
type = string
default = ""
}
variable "cluster_auth_base64" {
description = "Base64 encoded CA of associated EKS cluster"
type = string
default = ""
}
variable "cluster_service_ipv4_cidr" {
description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
type = string
default = null
}
variable "pre_bootstrap_user_data" {
description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
type = string
default = ""
}
variable "post_bootstrap_user_data" {
description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
type = string
default = ""
}
variable "bootstrap_extra_args" {
description = "Additional arguments passed to the bootstrap script. When `platform` = `bottlerocket`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
type = string
default = ""
}
variable "user_data_template_path" {
description = "Path to a local, custom user data template file to use when rendering user data"
type = string
default = ""
}
################################################################################
# Launch template
################################################################################
variable "create_launch_template" {
description = "Determines whether to create a launch template or not. If set to `false`, EKS will use its own default launch template"
type = bool
default = true
}
variable "launch_template_name" {
description = "Launch template name - either to be created (`var.create_launch_template` = `true`) or existing (`var.create_launch_template` = `false`)"
type = string
default = ""
}
variable "launch_template_use_name_prefix" {
description = "Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix"
type = bool
default = true
}
variable "launch_template_description" {
description = "Description of the launch template"
type = string
default = null
}
variable "ebs_optimized" {
description = "If true, the launched EC2 instance(s) will be EBS-optimized"
type = bool
default = null
}
variable "ami_id" {
description = "The AMI from which to launch the instance. If not supplied, EKS will use its own default image"
type = string
default = ""
}
variable "key_name" {
description = "The key name that should be used for the instance(s)"
type = string
default = null
}
variable "vpc_security_group_ids" {
description = "A list of security group IDs to associate"
type = list(string)
default = []
}
variable "launch_template_default_version" {
description = "Default version of the launch template"
type = string
default = null
}
variable "update_launch_template_default_version" {
description = "Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version`"
type = bool
default = true
}
variable "disable_api_termination" {
description = "If true, enables EC2 instance termination protection"
type = bool
default = null
}
variable "kernel_id" {
description = "The kernel ID"
type = string
default = null
}
variable "ram_disk_id" {
description = "The ID of the ram disk"
type = string
default = null
}
variable "block_device_mappings" {
description = "Specify volumes to attach to the instance besides the volumes specified by the AMI"
type = any
default = {}
}
variable "capacity_reservation_specification" {
description = "Targeting for EC2 capacity reservations"
type = any
default = null
}
variable "cpu_options" {
description = "The CPU options for the instance"
type = map(string)
default = null
}
variable "credit_specification" {
description = "Customize the credit specification of the instance"
type = map(string)
default = null
}
variable "elastic_gpu_specifications" {
description = "The elastic GPU to attach to the instance"
type = map(string)
default = null
}
variable "elastic_inference_accelerator" {
description = "Configuration block containing an Elastic Inference Accelerator to attach to the instance"
type = map(string)
default = null
}
variable "enclave_options" {
description = "Enable Nitro Enclaves on launched instances"
type = map(string)
default = null
}
variable "instance_market_options" {
description = "The market (purchasing) option for the instance"
type = any
default = null
}
variable "license_specifications" {
description = "A list of license specifications to associate with"
type = map(string)
default = null
}
variable "metadata_options" {
description = "Customize the metadata options for the instance"
type = map(string)
default = {
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 2
}
}
variable "enable_monitoring" {
description = "Enables/disables detailed monitoring"
type = bool
default = true
}
variable "network_interfaces" {
description = "Customize network interfaces to be attached at instance boot time"
type = list(any)
default = []
}
variable "placement" {
description = "The placement of the instance"
type = map(string)
default = null
}
################################################################################
# EKS Managed Node Group
################################################################################
variable "subnet_ids" {
description = "Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME`"
type = list(string)
default = null
}
variable "min_size" {
description = "Minimum number of instances/nodes"
type = number
default = 0
}
variable "max_size" {
description = "Maximum number of instances/nodes"
type = number
default = 3
}
variable "desired_size" {
description = "Desired number of instances/nodes"
type = number
default = 1
}
variable "name" {
description = "Name of the EKS managed node group"
type = string
default = ""
}
variable "use_name_prefix" {
description = "Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix"
type = bool
default = true
}
variable "ami_type" {
description = "Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are `AL2_x86_64`, `AL2_x86_64_GPU`, `AL2_ARM_64`, `CUSTOM`, `BOTTLEROCKET_ARM_64`, `BOTTLEROCKET_x86_64`"
type = string
default = null
}
variable "ami_release_version" {
description = "AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version"
type = string
default = null
}
variable "capacity_type" {
description = "Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`"
type = string
default = "ON_DEMAND"
}
variable "disk_size" {
description = "Disk size in GiB for nodes. Defaults to `20`"
type = number
default = null
}
variable "force_update_version" {
description = "Force version update if existing pods are unable to be drained due to a pod disruption budget issue"
type = bool
default = null
}
variable "instance_types" {
description = "Set of instance types associated with the EKS Node Group. Defaults to `[\"t3.medium\"]`"
type = list(string)
default = null
}
variable "labels" {
description = "Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed"
type = map(string)
default = null
}
variable "cluster_version" {
description = "Kubernetes version. Defaults to EKS Cluster Kubernetes version"
type = string
default = null
}
variable "launch_template_version" {
description = "Launch template version number. The default is `$Default`"
type = string
default = null
}
variable "remote_access" {
description = "Configuration block with remote access settings"
type = map(string)
default = {}
}
variable "taints" {
description = "The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group"
type = any
default = {}
}
variable "update_config" {
description = "Configuration block of settings for max unavailable resources during node group updates"
type = map(string)
default = {}
}
variable "timeouts" {
description = "Create, update, and delete timeout configurations for the node group"
type = map(string)
default = {}
}
################################################################################
# Security Group
################################################################################
variable "create_security_group" {
description = "Determines whether to create a security group"
type = bool
default = true
}
variable "security_group_name" {
description = "Name to use on security group created"
type = string
default = null
}
variable "security_group_use_name_prefix" {
description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
type = string
default = true
}
variable "security_group_description" {
description = "Description for the security group created"
type = string
default = "EKS managed node group security group"
}
variable "vpc_id" {
description = "ID of the VPC where the security group/nodes will be provisioned"
type = string
default = null
}
variable "security_group_rules" {
description = "List of security group rules to add to the security group created"
type = any
default = {}
}
variable "cluster_security_group_id" {
description = "Cluster control plane security group ID"
type = string
default = null
}
variable "security_group_tags" {
description = "A map of additional tags to add to the security group created"
type = map(string)
default = {}
}
################################################################################
# IAM Role
################################################################################
variable "create_iam_role" {
description = "Determines whether an IAM role is created or to use an existing IAM role"
type = bool
default = true
}
variable "iam_role_arn" {
description = "Existing IAM role ARN for the node group. Required if `create_iam_role` is set to `false`"
type = string
default = null
}
variable "iam_role_name" {
description = "Name to use on IAM role created"
type = string
default = null
}
variable "iam_role_use_name_prefix" {
description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
type = string
default = true
}
variable "iam_role_path" {
description = "IAM role path"
type = string
default = null
}
variable "iam_role_description" {
description = "Description of the role"
type = string
default = null
}
variable "iam_role_permissions_boundary" {
description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
type = string
default = null
}
variable "iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
type = list(string)
default = []
}
variable "iam_role_tags" {
description = "A map of additional tags to add to the IAM role created"
type = map(string)
default = {}
}

14
modules/eks-managed-node-group/versions.tf Normal file
View File

@@ -0,0 +1,14 @@
terraform {
required_version = ">= 0.13.1"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.64"
}
cloudinit = {
source = "hashicorp/cloudinit"
version = ">= 2.0"
}
}
}