mirror of
https://github.com/ysoftdevs/terraform-aws-eks.git
synced 2026-01-11 14:30:55 +01:00
688 lines
23 KiB
HCL
688 lines
23 KiB
HCL
variable "create" {
|
|
description = "Controls if resources should be created (affects nearly all resources)"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "tags" {
|
|
description = "A map of tags to add to all resources"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "prefix_separator" {
|
|
description = "The separator to use between the prefix and the generated timestamp for resource names"
|
|
type = string
|
|
default = "-"
|
|
}
|
|
|
|
################################################################################
|
|
# Cluster
|
|
################################################################################
|
|
|
|
variable "cluster_name" {
|
|
description = "Name of the EKS cluster"
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
variable "cluster_version" {
|
|
description = "Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.27`)"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_enabled_log_types" {
|
|
description = "A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)"
|
|
type = list(string)
|
|
default = ["audit", "api", "authenticator"]
|
|
}
|
|
|
|
variable "cluster_force_update_version" {
|
|
description = "Force version update by overriding upgrade-blocking readiness checks when updating a cluster"
|
|
type = bool
|
|
default = null
|
|
}
|
|
|
|
variable "authentication_mode" {
|
|
description = "The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"
|
|
type = string
|
|
default = "API_AND_CONFIG_MAP"
|
|
}
|
|
|
|
variable "cluster_compute_config" {
|
|
description = "Configuration block for the cluster compute configuration"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_upgrade_policy" {
|
|
description = "Configuration block for the cluster upgrade policy"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_remote_network_config" {
|
|
description = "Configuration block for the cluster remote network configuration"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_zonal_shift_config" {
|
|
description = "Configuration block for the cluster zonal shift"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_additional_security_group_ids" {
|
|
description = "List of additional, externally created security group IDs to attach to the cluster control plane"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "control_plane_subnet_ids" {
|
|
description = "A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "subnet_ids" {
|
|
description = "A list of subnet IDs where the nodes/node groups will be provisioned. If `control_plane_subnet_ids` is not provided, the EKS cluster control plane (ENIs) will be provisioned in these subnets"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "cluster_endpoint_private_access" {
|
|
description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_endpoint_public_access" {
|
|
description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
variable "cluster_endpoint_public_access_cidrs" {
|
|
description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint"
|
|
type = list(string)
|
|
default = ["0.0.0.0/0"]
|
|
}
|
|
|
|
variable "cluster_ip_family" {
|
|
description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created"
|
|
type = string
|
|
default = "ipv4"
|
|
}
|
|
|
|
variable "cluster_service_ipv4_cidr" {
|
|
description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_service_ipv6_cidr" {
|
|
description = "The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "outpost_config" {
|
|
description = "Configuration for the AWS Outpost to provision the cluster on"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_encryption_config" {
|
|
description = "Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}`"
|
|
type = any
|
|
default = {
|
|
resources = ["secrets"]
|
|
}
|
|
}
|
|
|
|
variable "attach_cluster_encryption_policy" {
|
|
description = "Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_tags" {
|
|
description = "A map of additional tags to add to the cluster"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "create_cluster_primary_security_group_tags" {
|
|
description = "Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_timeouts" {
|
|
description = "Create, update, and delete timeout configurations for the cluster"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
# TODO - hard code to false on next breaking change
|
|
variable "bootstrap_self_managed_addons" {
|
|
description = "Indicates whether or not to bootstrap self-managed addons after the cluster has been created"
|
|
type = bool
|
|
default = null
|
|
}
|
|
|
|
################################################################################
|
|
# Access Entry
|
|
################################################################################
|
|
|
|
variable "access_entries" {
|
|
description = "Map of access entries to add to the cluster"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "enable_cluster_creator_admin_permissions" {
|
|
description = "Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
################################################################################
|
|
# KMS Key
|
|
################################################################################
|
|
|
|
variable "create_kms_key" {
|
|
description = "Controls if a KMS key for cluster encryption should be created"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "kms_key_description" {
|
|
description = "The description of the key as viewed in AWS console"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "kms_key_deletion_window_in_days" {
|
|
description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`"
|
|
type = number
|
|
default = null
|
|
}
|
|
|
|
variable "enable_kms_key_rotation" {
|
|
description = "Specifies whether key rotation is enabled"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "kms_key_enable_default_policy" {
|
|
description = "Specifies whether to enable the default key policy"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "kms_key_owners" {
|
|
description = "A list of IAM ARNs for those who will have full key permissions (`kms:*`)"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_administrators" {
|
|
description = "A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_users" {
|
|
description = "A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users)"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_service_users" {
|
|
description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_source_policy_documents" {
|
|
description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_override_policy_documents" {
|
|
description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "kms_key_aliases" {
|
|
description = "A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
################################################################################
|
|
# CloudWatch Log Group
|
|
################################################################################
|
|
|
|
variable "create_cloudwatch_log_group" {
|
|
description = "Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cloudwatch_log_group_retention_in_days" {
|
|
description = "Number of days to retain log events. Default retention - 90 days"
|
|
type = number
|
|
default = 90
|
|
}
|
|
|
|
variable "cloudwatch_log_group_kms_key_id" {
|
|
description = "If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cloudwatch_log_group_class" {
|
|
description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cloudwatch_log_group_tags" {
|
|
description = "A map of additional tags to add to the cloudwatch log group created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# Cluster Security Group
|
|
################################################################################
|
|
|
|
variable "create_cluster_security_group" {
|
|
description = "Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_security_group_id" {
|
|
description = "Existing security group ID to be attached to the cluster"
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
variable "vpc_id" {
|
|
description = "ID of the VPC where the cluster security group will be provisioned"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_security_group_name" {
|
|
description = "Name to use on cluster security group created"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_security_group_use_name_prefix" {
|
|
description = "Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_security_group_description" {
|
|
description = "Description of the cluster security group created"
|
|
type = string
|
|
default = "EKS cluster security group"
|
|
}
|
|
|
|
variable "cluster_security_group_additional_rules" {
|
|
description = "List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_security_group_tags" {
|
|
description = "A map of additional tags to add to the cluster security group created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# EKS IPV6 CNI Policy
|
|
################################################################################
|
|
|
|
variable "create_cni_ipv6_iam_policy" {
|
|
description = "Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy)"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
################################################################################
|
|
# Node Security Group
|
|
################################################################################
|
|
|
|
variable "create_node_security_group" {
|
|
description = "Determines whether to create a security group for the node groups or use the existing `node_security_group_id`"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "node_security_group_id" {
|
|
description = "ID of an existing security group to attach to the node groups created"
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
variable "node_security_group_name" {
|
|
description = "Name to use on node security group created"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "node_security_group_use_name_prefix" {
|
|
description = "Determines whether node security group name (`node_security_group_name`) is used as a prefix"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "node_security_group_description" {
|
|
description = "Description of the node security group created"
|
|
type = string
|
|
default = "EKS node shared security group"
|
|
}
|
|
|
|
variable "node_security_group_additional_rules" {
|
|
description = "List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "node_security_group_enable_recommended_rules" {
|
|
description = "Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "node_security_group_tags" {
|
|
description = "A map of additional tags to add to the node security group created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "enable_efa_support" {
|
|
description = "Determines whether to enable Elastic Fabric Adapter (EFA) support"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
################################################################################
|
|
# IRSA
|
|
################################################################################
|
|
|
|
variable "enable_irsa" {
|
|
description = "Determines whether to create an OpenID Connect Provider for EKS to enable IRSA"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "openid_connect_audiences" {
|
|
description = "List of OpenID Connect audience client IDs to add to the IRSA provider"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "include_oidc_root_ca_thumbprint" {
|
|
description = "Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s)"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "custom_oidc_thumbprints" {
|
|
description = "Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)"
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
################################################################################
|
|
# Cluster IAM Role
|
|
################################################################################
|
|
|
|
variable "create_iam_role" {
|
|
description = "Determines whether an IAM role is created for the cluster"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "iam_role_arn" {
|
|
description = "Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to `false`"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "iam_role_name" {
|
|
description = "Name to use on IAM role created"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "iam_role_use_name_prefix" {
|
|
description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "iam_role_path" {
|
|
description = "The IAM role path"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "iam_role_description" {
|
|
description = "Description of the role"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "iam_role_permissions_boundary" {
|
|
description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "iam_role_additional_policies" {
|
|
description = "Additional policies to be added to the IAM role"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
# TODO - will be removed in next breaking change; user can add the policy on their own when needed
|
|
variable "enable_security_groups_for_pods" {
|
|
description = "Determines whether to add the necessary IAM permission policy for security groups for pods"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "iam_role_tags" {
|
|
description = "A map of additional tags to add to the IAM role created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_encryption_policy_use_name_prefix" {
|
|
description = "Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "cluster_encryption_policy_name" {
|
|
description = "Name to use on cluster encryption policy created"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_encryption_policy_description" {
|
|
description = "Description of the cluster encryption policy created"
|
|
type = string
|
|
default = "Cluster encryption policy to allow cluster role to utilize CMK provided"
|
|
}
|
|
|
|
variable "cluster_encryption_policy_path" {
|
|
description = "Cluster encryption policy path"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "cluster_encryption_policy_tags" {
|
|
description = "A map of additional tags to add to the cluster encryption policy created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "dataplane_wait_duration" {
|
|
description = "Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed node group(s), self-managed node group(s), Fargate profile(s))"
|
|
type = string
|
|
default = "30s"
|
|
}
|
|
|
|
variable "enable_auto_mode_custom_tags" {
|
|
description = "Determines whether to enable permissions for custom tags resources created by EKS Auto Mode"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
################################################################################
|
|
# EKS Addons
|
|
################################################################################
|
|
|
|
variable "cluster_addons" {
|
|
description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "cluster_addons_timeouts" {
|
|
description = "Create, update, and delete timeout configurations for the cluster addons"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# EKS Identity Provider
|
|
################################################################################
|
|
|
|
variable "cluster_identity_providers" {
|
|
description = "Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# EKS Auto Node IAM Role
|
|
################################################################################
|
|
|
|
variable "create_node_iam_role" {
|
|
description = "Determines whether an EKS Auto node IAM role is created"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "node_iam_role_name" {
|
|
description = "Name to use on the EKS Auto node IAM role created"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "node_iam_role_use_name_prefix" {
|
|
description = "Determines whether the EKS Auto node IAM role name (`node_iam_role_name`) is used as a prefix"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "node_iam_role_path" {
|
|
description = "The EKS Auto node IAM role path"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "node_iam_role_description" {
|
|
description = "Description of the EKS Auto node IAM role"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "node_iam_role_permissions_boundary" {
|
|
description = "ARN of the policy that is used to set the permissions boundary for the EKS Auto node IAM role"
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "node_iam_role_additional_policies" {
|
|
description = "Additional policies to be added to the EKS Auto node IAM role"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "node_iam_role_tags" {
|
|
description = "A map of additional tags to add to the EKS Auto node IAM role created"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# Fargate
|
|
################################################################################
|
|
|
|
variable "fargate_profiles" {
|
|
description = "Map of Fargate Profile definitions to create"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "fargate_profile_defaults" {
|
|
description = "Map of Fargate Profile default configurations"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# Self Managed Node Group
|
|
################################################################################
|
|
|
|
variable "self_managed_node_groups" {
|
|
description = "Map of self-managed node group definitions to create"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "self_managed_node_group_defaults" {
|
|
description = "Map of self-managed node group default configurations"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
################################################################################
|
|
# EKS Managed Node Group
|
|
################################################################################
|
|
|
|
variable "eks_managed_node_groups" {
|
|
description = "Map of EKS managed node group definitions to create"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "eks_managed_node_group_defaults" {
|
|
description = "Map of EKS managed node group default configurations"
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "putin_khuylo" {
|
|
description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
|
|
type = bool
|
|
default = true
|
|
}
|