BREAKING CHANGES: We now decided to remove `random_pet` resources in Managed Node Groups (MNG). Those were used to recreate MNG if something change and also simulate the newly added argument `node_group_name_prefix`. But they were causing a lot of troubles. To upgrade the module without recreating your MNG, you will need to explicitly reuse their previous name and set them in your MNG `name` argument. Please see [upgrade docs](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/upgrades.md#upgrade-module-to-v1700-for-managed-node-groups) for more details.
NOTES: Using the [terraform-aws-modules/http](https://registry.terraform.io/providers/terraform-aws-modules/http/latest) provider is a more platform agnostic way to wait for the cluster availability than using a local-exec. With this change we're able to provision EKS clusters and manage the `aws_auth` configmap while still using the `hashicorp/tfc-agent` docker image.
* Add support for EC2 principal in assume worker role policy for China AWS
* Remove local partition according to requested change
Co-authored-by: Valeri GOLUBEV <vgolubev@kyriba.com>
* Configurable local exec command for waiting until cluster is healthy
* readme
* line feeds
* format
* fix readme
* fix readme
* Configurable local exec command for waiting until cluster is healthy (#1)
* Configurable local exec command for waiting until cluster is healthy
* readme
* line feeds
* format
* fix readme
* fix readme
* change log
* Configurable local exec wait 4 cluster op (#2)
* Configurable local exec command for waiting until cluster is healthy
* readme
* line feeds
* format
* fix readme
* fix readme
* change log
* changelog (#3)
* Changelog (#4)
* changelog
* changelog
* simplify wait_for_cluster command
* readme
* no op for manage auth false
* formatting
* docs? not sure
* linter
* specify dependency to wait for cluster more accurately
* WIP Move node_groups to a submodule
* Split the old node_groups file up
* Start moving locals
* Simplify IAM creation logic
* depends_on from the TF docs
* Wire in the variables
* Call module from parent
* Allow to customize the role name. As per workers
* aws_auth ConfigMap for node_groups
* Get the managed_node_groups example to plan
* Get the basic example to plan too
* create_eks = false works
"The true and false result expressions must have consistent types. The
given expressions are object and object, respectively."
Well, that's useful. But apparently set(string) and set() are ok. So
everything else is more complicated. Thanks.
* Update Changelog
* Update README
* Wire in node_groups_defaults
* Remove node_groups from workers_defaults_defaults
* Synchronize random and node_group defaults
* Error: "name_prefix" cannot be longer than 32
* Update READMEs again
* Fix double destroy
Was producing index errors when running destroy on an empty state.
* Remove duplicate iam_role in node_group
I think this logic works. Needs some testing with an externally created
role.
* Fix index fail if node group manually deleted
* Keep aws_auth template in top module
Downside: count causes issues as usual: can't use distinct() in the
child module so there's a template render for every node_group even if
only one role is really in use. Hopefully just output noise instead of
technical issue
* Hack to have node_groups depend on aws_auth etc
The AWS Node Groups create or edit the aws-auth ConfigMap so that nodes
can join the cluster. This breaks the kubernetes resource which cannot
do a force create. Remove the race condition with explicit depend.
Can't pull the IAM role out of the node_group any more.
* Pull variables via the random_pet to cut logic
No point having the same logic in two different places
* Pass all ForceNew variables through the pet
* Do a deep merge of NG labels and tags
* Update README.. again
* Additional managed node outputs #644
Add change from @TBeijin from PR #644
* Remove unused local
* Use more for_each
* Remove the change when create_eks = false
* Make documentation less confusing
* node_group version user configurable
* Pass through raw output from aws_eks_node_groups
* Merge workers defaults in the locals
This simplifies the random_pet and aws_eks_node_group logic. Which was
causing much consernation on the PR.
* Fix typo
Co-authored-by: Max Williams <max.williams@deliveryhero.com>
* wait for cluster to respond before creating auth config map
* adds changelog entry
* fixup tf format
* fixup kubernetes required version
* fixup missing local for kubeconfig_filename
* combine wait for cluster into provisioner on cluster; change status check to /healthz on endpoint
* fix: make kubernetes provider version more permissive
* Fix aws-auth config map for managed node groups
This change adds the IAM role used for each managed node group to the
aws-auth config map. This fixes an issue where managed nodes could not
access the EKS kubernetes API server.
* update changelog
* fix format
* add comment
Co-authored-by: Max Williams <max.williams@deliveryhero.com>
* Add destroy-time flag
* Update changelog
Fix cluster count
* Fix cluster count
* Fix docs
* Fix outputs
* Fix unsupported attribute on cluster_certificate_authority_data output
Co-Authored-By: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com>
* Remove unnecessary flatten from cluster_endpoint output
Co-Authored-By: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com>
* Improve description of var.enabled
* Fix errors manifesting when used on an existing-cluster
* Update README.md
* Renamed destroy-time flag
* Revert removal of changelog addition entry
* Update flag name in readme
* Update flag variable name
* Update cluster referencing for consistency
* Update flag name to `create_eks`
* Fixed incorrect count-based reference to aws_eks_cluster.this (there's only one)
* Replaced all incorrect aws_eks_cluster.this[count.index] references (there will be just one, so using '[0]').
* Changelog update, explicitly mentioning flag
* Fixed interpolation deprecation warning
* Fixed outputs to support conditional cluster
* Applied create_eks to aws_auth.tf
* Removed unused variable. Updated Changelog. Formatting.
* Fixed references to aws_eks_cluster.this[0] that would raise errors when setting create_eks to false whilst having launch templates or launch configurations configured.
* Readme and example updates.
* Revert "Readme and example updates."
This reverts commit 18a0746355e136010ad54858a1b518406f6a3638.
* Updated readme section of conditionally creation with provider example.
* Added conditions to node_groups.
* Fixed reversed map_roles check
* Update aws_auth.tf
Revert this due to https://github.com/terraform-aws-modules/terraform-aws-eks/pull/611
* remove empty [] to mapRoles object in aws-auth
Simply having ${yamlencode(var.map_roles)} in mapRoles for aws-auth
creates a empty [] at the end after adding the default roles.
Changing it to be added only when its not empty
* Update aws_auth.tf
This commit changes the way aws auth is managed. Before a local file
was used the generate the template and a null resource to apply it. This
is now switched to the terraform kubernetes provider.
* Add Windows support
* Assign eks:kube-proxy-windows group to worker nodes
* Add Instructions for adding Windows Workers at FAQ.md
* Remove unnecessary variables from userdata_windows.tpl
* Update CHANGELOG.md
* Create ASG tags via for - utility from terraform 12
* Updated support for mixed ASG in worker_groups_launch_template variable
* Updated launch_template example to include spot and mixed ASG with worker_groups_launch_template variable
* Removed old config
* Removed workers_launch_template_mixed.tf file, added support for mixed/spot in workers_launch_template variable
* Updated examples/spot_instances/main.tf with Mixed Spot and ondemand instances
* Removed launch_template_mixed from relevant files
* Updated README.md file
* Removed workers_launch_template.tf.bkp
* Fixed case with null on_demand_allocation_strategy and Spot allocation
* Fixed workers_launch_template.tf, covered spot instances via Launch Template
* Support map users and roles to multiple groups
* Simplify code by rename `user_arn` to `userarn`, `role_arn` to `rolearn`
* Next version should be 6.x because PR this is a breaking change.
* Update example variables.tf
* Change indent to 2
* Fix map-aws-auth.yaml maybe invalid yaml.
* run terraform upgrade tool
* fix post upgrade TODOs
* use strict typing for variables
* upgrade examples, point them at VPC module tf 0.12 PR
* remove unnecessary `coalesce()` calls
coalesce(lookup(map, key, ""), default) -> lookup(map, key, default)
* Fix autoscaling_enabled broken (#1)
* always set a value for tags, fix coalescelist calls
* always set a value for these tags
* fix tag value
* fix tag value
* default element available
* added default value
* added a general default
without this default - TF is throwing an error when running a destroy
* Fix CI
* Change vpc module back to `terraform-aws-modules/vpc/aws` in example
* Update CHANGELOG.md
* Change type of variable `cluster_log_retention_in_days` to number
* Remove `xx_count` variables
* Actual lists instead of strings with commas
* Remove `xx_count` variable from docs
* Replace element with list indexing
* Change variable `worker_group_tags` to a attribute of worker_group
* Fix workers_launch_template_mixed tags
* Change override_instance_type_x variables to list.
* Update CHANGELOG.md
* adding 3 examples
* removing old example
* updating PR template
* fix this typo
* update after renaming default example
* add missing launch_template_mixed stuff to aws_auth
* fix 2 examples with public subnets
* update changelog for new minor release
* Adding new mixed type of worker group with instance overrides and mixed instances policy
* moving all count and lifecycle rule parameters to top/bottom
* adding custom IAM parts
* updating doc with new options
* fixes for spot instances
* Added update aws auth configmap when manage_aws_auth set false case
and `write_aws_auth_config` variable for not create the aws_auth files option
* Add CHANGELOG
* Changed writing config file process for Windows compatibility.
* Apply terraform-docs and terraform fmt
* Fixed zsh-specific syntax
* Fixed CHANGELOG.md
If you are trying to recover a cluster that was deleted, the current
code will not re-apply the ConfigMap because it is already rendered so
kubectl command won't get triggered.
This change adds the cluster endpoint (which should be different when
spinning up a new cluster even with the same name) so we will force a
re-render and cause the kubectl command to run.
* Added map_roles_count and user_roles_count (#1)
* Update readme for new vars
* updated tests to include count
* fix syntax error
* updated changelog
* Added map_accounts_count variable for consistency
* Fix counts in example and user latest terraform-docs to generate readme
* Add wait_nodes_max_tries to wait for nodes to be available before applying the kubernetes configurations
* Format variables.tf and aws_auth.tf
* Fix template expansion for wait-nodes-ready.tpl
* Ensuring that kubeconfig is created before its use
* Cleanup wait-nodes-ready script
* Simplify logic to retry application of kubernetes config if failed
* Revert file permission change
* allow creating an IAM role for each worker group
* moved change from 'changed' to 'added'
* create multiple roles not just profiles
* fix config_map_aws_auth generation
* don't duplicate worker-role templating
* specify ARNs for worker groups individually
todo fix aws_auth configmap
* fixed AWS auth
* fix aws_iam_instance_profile.workers name
fix iam_instance_profile fallback
* fix outputs
* fix iam_instance_profile calculation
* hopefully fix aws auth configmap generation
* manually fill out remainder of arn
* remove depends_on in worker_role_arns template file
this was causing resources to be recreated every time
* fmt
* fix typo, move iam_role_id default to defaults map
