terraform-aws-eks/examples/eks_managed_node_group/README.md

EKS Managed Node Group Example

Configuration in this directory creates an AWS EKS cluster with various EKS Managed Node Groups demonstrating the various methods of configuring/customizing:

  • A default, "out of the box" EKS managed node group as supplied by AWS EKS
  • A default, "out of the box" Bottlerocket EKS managed node group as supplied by AWS EKS
  • A Bottlerocket EKS managed node group that supplies additional bootstrap settings
  • A Bottlerocket EKS managed node group that demonstrates many of the configuration/customizations offered by the eks-managed-node-group sub-module for the Bottlerocket OS
  • An EKS managed node group created from a launch template created outside of the module
  • An EKS managed node group that utilizes a custom AMI that is an EKS optimized AMI derivative
  • An EKS managed node group that demonstrates nearly all of the configurations/customizations offered by the eks-managed-node-group sub-module

See the AWS documentation for further details.

Container Runtime & User Data

When using the default AMI provided by the EKS Managed Node Group service (i.e. not specifying a value for ami_id), users should be aware of the limitations of configuring the node bootstrap process via user data. Because there is no direct access to the bootstrap.sh script invocation, and therefore to its configuration flags (the invocation is supplied by the EKS Managed Node Group service in the node user data), a workaround for ensuring the appropriate configuration settings is shown below. The following example shows how to inject configuration variables ahead of the merged user data provided by the EKS Managed Node Group service, as well as how to enable the containerd runtime using this approach. More details can be found here.

  ...
  # Demo of containerd usage when not specifying a custom AMI ID
  # (merged into user data before EKS MNG provided user data)
  containerd = {
    name = "containerd"

    # See issue https://github.com/awslabs/amazon-eks-ami/issues/844
    pre_bootstrap_user_data = <<-EOT
    #!/bin/bash
    set -ex
    cat <<-EOF > /etc/profile.d/bootstrap.sh
    export CONTAINER_RUNTIME="containerd"
    export USE_MAX_PODS=false
    export KUBELET_EXTRA_ARGS="--max-pods=110"
    EOF
    # Source extra environment variables in bootstrap script
    sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
    EOT
  }
  ...
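The snippet above only takes effect if the sed address matches a `set -o errexit` line in the AMI's bootstrap.sh; if it does not, sed does nothing and the node quietly bootstraps with the defaults. The following script is an added example, not code from the terraform-aws-eks project: it replays the two steps of the pre_bootstrap_user_data snippet against a local scratch copy and checks that the overrides actually reach the bootstrap script. It assumes GNU sed (as on the EKS-optimized Amazon Linux AMI); the bootstrap.sh stand-in and every path under $WORKDIR are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of terraform-aws-eks): replays the pre_bootstrap_user_data
# snippet against a scratch copy so its effect can be verified before a node group
# is rolled. Assumes GNU sed; everything under $WORKDIR is a constructed stand-in
# for the node's /etc.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/etc/profile.d" "$WORKDIR/etc/eks"
BOOTSTRAP="$WORKDIR/etc/eks/bootstrap.sh"      # stand-in for /etc/eks/bootstrap.sh
PROFILE="$WORKDIR/etc/profile.d/bootstrap.sh"  # stand-in for /etc/profile.d/bootstrap.sh

# Constructed minimal stand-in for the AMI's bootstrap.sh. It keeps the
# `set -o errexit` line the sed address anchors on, falls back to the values the
# script would use without overrides, and reports what it would act on.
cat > "$BOOTSTRAP" <<'EOF'
#!/usr/bin/env bash
set -o pipefail
set -o nounset
set -o errexit
CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-dockerd}"
USE_MAX_PODS="${USE_MAX_PODS:-true}"
KUBELET_EXTRA_ARGS="${KUBELET_EXTRA_ARGS:-}"
echo "runtime=$CONTAINER_RUNTIME use_max_pods=$USE_MAX_PODS kubelet_extra_args=$KUBELET_EXTRA_ARGS"
EOF

# What the snippet's pre_bootstrap_user_data does on the node: write the overrides
# to profile.d, then splice a `source` of that file in right after `set -o errexit`.
# The sed expression is the snippet's own, with the scratch path substituted.
apply_workaround() {
  cat > "$PROFILE" <<EOF
export CONTAINER_RUNTIME="containerd"
export USE_MAX_PODS=false
export KUBELET_EXTRA_ARGS="--max-pods=110"
EOF
  sed -i '/^set -o errexit/a\\nsource '"$PROFILE" "$BOOTSTRAP"
}

# The sed address is a silent no-op when the anchor line is absent (for example
# after a bootstrap.sh revision), so confirm the source line actually landed
# instead of assuming the node picked up the runtime override.
workaround_applied() {
  grep -qFx "source $PROFILE" "$BOOTSTRAP"
}

# Run the stand-in the way the node would and return the settings it saw.
observed_settings() {
  bash "$BOOTSTRAP"
}

apply_workaround
if workaround_applied; then
  observed_settings
else
  echo "anchor line not found; bootstrap.sh left unchanged" >&2
  exit 1
fi
```

Run as-is to see the settings the patched stand-in reports; on a real node the same `grep -Fx` against /etc/eks/bootstrap.sh is a cheap post-boot check that the override was spliced in, which is worth adding to any node validation since a missed anchor leaves the runtime and max-pods settings at their defaults with no error.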

Usage

To run this example you need to execute:

$ terraform init
$ terraform plan
$ terraform apply

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.

Requirements

Name Version
terraform >= 0.13.1
aws >= 3.72
kubernetes >= 2.10
tls >= 2.2

Providers

Name Version
aws >= 3.72
tls >= 2.2

Modules

Name Source Version
eks ../.. n/a
vpc terraform-aws-modules/vpc/aws ~> 3.0
vpc_cni_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 4.12

Resources

Name Type
aws_iam_policy.node_additional resource
aws_iam_role_policy_attachment.additional resource
aws_key_pair.this resource
aws_kms_key.ebs resource
aws_kms_key.eks resource
aws_launch_template.external resource
aws_security_group.additional resource
aws_security_group.remote_access resource
tls_private_key.this resource
aws_ami.eks_default data source
aws_ami.eks_default_arm data source
aws_ami.eks_default_bottlerocket data source
aws_caller_identity.current data source
aws_iam_policy_document.ebs data source

Inputs

No inputs.

Outputs

Name Description
aws_auth_configmap_yaml Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles
cloudwatch_log_group_arn Arn of cloudwatch log group created
cloudwatch_log_group_name Name of cloudwatch log group created
cluster_addons Map of attribute maps for all EKS cluster addons enabled
cluster_arn The Amazon Resource Name (ARN) of the cluster
cluster_certificate_authority_data Base64 encoded certificate data required to communicate with the cluster
cluster_endpoint Endpoint for your Kubernetes API server
cluster_iam_role_arn IAM role ARN of the EKS cluster
cluster_iam_role_name IAM role name of the EKS cluster
cluster_iam_role_unique_id Stable and unique string identifying the IAM role
cluster_id The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready
cluster_identity_providers Map of attribute maps for all EKS identity providers enabled
cluster_oidc_issuer_url The URL on the EKS cluster for the OpenID Connect identity provider
cluster_platform_version Platform version for the cluster
cluster_primary_security_group_id Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console
cluster_security_group_arn Amazon Resource Name (ARN) of the cluster security group
cluster_security_group_id ID of the cluster security group
cluster_status Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED
eks_managed_node_groups Map of attribute maps for all EKS managed node groups created
eks_managed_node_groups_autoscaling_group_names List of the autoscaling group names created by EKS managed node groups
fargate_profiles Map of attribute maps for all EKS Fargate Profiles created
node_security_group_arn Amazon Resource Name (ARN) of the node shared security group
node_security_group_id ID of the node shared security group
oidc_provider The OpenID Connect identity provider (issuer URL without leading https://)
oidc_provider_arn The ARN of the OIDC Provider if enable_irsa = true
self_managed_node_groups Map of attribute maps for all self managed node groups created
self_managed_node_groups_autoscaling_group_names List of the autoscaling group names created by self-managed node groups