# EKS Managed Node Group Example

Configuration in this directory creates an AWS EKS cluster with various EKS Managed Node Groups demonstrating the various methods of configuring/customizing:

- A default, "out of the box" EKS managed node group as supplied by AWS EKS
- A default, "out of the box" Bottlerocket EKS managed node group as supplied by AWS EKS
- A Bottlerocket EKS managed node group that supplies additional bootstrap settings
- A Bottlerocket EKS managed node group that demonstrates many of the configuration/customizations offered by the `eks-managed-node-group` sub-module for the Bottlerocket OS
- An EKS managed node group created from a launch template created outside of the module
- An EKS managed node group that utilizes a custom AMI that is an EKS optimized AMI derivative
- An EKS managed node group that demonstrates nearly all of the configurations/customizations offered by the `eks-managed-node-group` sub-module

See the AWS documentation for further details.
## Container Runtime & User Data

When using the default AMI provided by the EKS Managed Node Group service (i.e. not specifying a value for `ami_id`), users should be aware of the limitations of configuring the node bootstrap process via user data. The `bootstrap.sh` invocation, and therefore its configuration flags, is generated by the EKS Managed Node Group service in the user data it merges onto the node, so there is no direct way to pass flags to it. The workaround below injects configuration variables ahead of the merged user data provided by the EKS Managed Node Group service and uses this approach to enable the containerd runtime. It works by patching `/etc/eks/bootstrap.sh` in place before the service-provided user data runs it, so it depends on the script's contents (the `set -o errexit` line and the `KUBELET_EXTRA_ARGS=$2` assignment) staying as they are. More details can be found here.
```hcl
  ...
  # Demo of containerd usage when not specifying a custom AMI ID
  # (merged into user data before EKS MNG provided user data)
  containerd = {
    name = "containerd"

    # See issue https://github.com/awslabs/amazon-eks-ami/issues/844
    pre_bootstrap_user_data = <<-EOT
    #!/bin/bash
    set -ex
    cat <<-EOF > /etc/profile.d/bootstrap.sh
    export CONTAINER_RUNTIME="containerd"
    export USE_MAX_PODS=false
    export KUBELET_EXTRA_ARGS="--max-pods=110"
    EOF
    # Source extra environment variables in bootstrap script
    sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
    sed -i 's/KUBELET_EXTRA_ARGS=$2/KUBELET_EXTRA_ARGS="$2 $KUBELET_EXTRA_ARGS"/' /etc/eks/bootstrap.sh
    EOT
  }
  ...
```
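To check that the two `sed` edits in the snippet above actually land before baking them into a node group, the following script, an added example that is not part of the terraform-aws-eks module or the EKS AMI, replays them against a constructed stand-in for `/etc/eks/bootstrap.sh` under a temp directory and then runs the patched result. The stand-in file, the `demo-cluster` name and the `--node-labels` flag are constructed inputs; the script assumes GNU `sed` (what the EKS optimized Amazon Linux 2 AMI ships). It also adds a verification step the snippet lacks: `sed` exits 0 when a pattern matches nothing, so if a newer AMI changes the `set -o errexit` line or the `KUBELET_EXTRA_ARGS=$2` assignment the edits would silently not apply and the node would boot with the default runtime and pod limit.

```shell
#!/usr/bin/env bash
# Added example (not from the terraform-aws-eks module or the EKS AMI).
# Replays the pre_bootstrap_user_data sed edits against a constructed
# stand-in for /etc/eks/bootstrap.sh kept under a temp directory ($ROOT),
# verifies both edits applied, and runs the patched stand-in.
# Assumes GNU sed. Paths below are hypothetical copies of the node's paths.
set -o errexit
set -o nounset

ROOT="$(mktemp -d)"
BOOTSTRAP="$ROOT/etc/eks/bootstrap.sh"
PROFILE="$ROOT/etc/profile.d/bootstrap.sh"
mkdir -p "$ROOT/etc/eks" "$ROOT/etc/profile.d"

# Constructed, heavily simplified stand-in: only the lines the sed patterns
# anchor on, plus the real script's nounset/errexit options. The real script
# parses --kubelet-extra-args in a case loop; here $1 is the cluster name and
# $2 stands in for the kubelet flags the MNG service passes.
write_fake_bootstrap() {
  cat > "$BOOTSTRAP" <<'EOF'
#!/usr/bin/env bash
set -o pipefail
set -o nounset
set -o errexit
CLUSTER_NAME=$1
CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-dockerd}"
USE_MAX_PODS="${USE_MAX_PODS:-true}"
KUBELET_EXTRA_ARGS=$2
echo "cluster=$CLUSTER_NAME runtime=$CONTAINER_RUNTIME use_max_pods=$USE_MAX_PODS kubelet_extra_args=$KUBELET_EXTRA_ARGS"
EOF
}

# Same profile the snippet writes to /etc/profile.d/bootstrap.sh.
write_profile() {
  cat > "$PROFILE" <<'EOF'
export CONTAINER_RUNTIME="containerd"
export USE_MAX_PODS=false
export KUBELET_EXTRA_ARGS="--max-pods=110"
EOF
}

# The snippet's two sed edits, with only the profile path redirected under
# $ROOT. Single quotes keep '\\n' and '$2' literal for sed, exactly as the
# HCL heredoc delivers them to the node.
apply_bootstrap_edits() {
  sed -i '/^set -o errexit/a\\nsource '"$PROFILE" "$BOOTSTRAP"
  sed -i 's/KUBELET_EXTRA_ARGS=$2/KUBELET_EXTRA_ARGS="$2 $KUBELET_EXTRA_ARGS"/' "$BOOTSTRAP"
}

# sed does not fail when a pattern matches nothing, so confirm both rewritten
# lines are present (whole-line, fixed-string match). Non-zero means the AMI's
# bootstrap.sh no longer looks the way the snippet expects.
verify_bootstrap_edits() {
  grep -qxF "source $PROFILE" "$BOOTSTRAP" || return 1
  grep -qxF 'KUBELET_EXTRA_ARGS="$2 $KUBELET_EXTRA_ARGS"' "$BOOTSTRAP" || return 1
}

# Run the patched stand-in with a cluster name and the flags the MNG service
# would pass; prints the variables bootstrap.sh would hand to kubelet.
run_fake_bootstrap() {
  bash "$BOOTSTRAP" demo-cluster "$1"
}

# Full round trip; returns the final settings line on stdout.
demo() {
  write_fake_bootstrap
  write_profile
  apply_bootstrap_edits
  verify_bootstrap_edits
  run_fake_bootstrap "--node-labels=role=worker"
}

demo
```

The last line printed shows the MNG-supplied flags first and the injected `--max-pods=110` last, which is what makes the workaround effective: kubelet honours the last occurrence of a repeated flag. Note also that under the real script's `set -o nounset`, the profile must export `KUBELET_EXTRA_ARGS` (even if empty); otherwise the rewritten assignment aborts bootstrap.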
## Usage

To run this example you need to execute:

```bash
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 3.72 |
| kubernetes | >= 2.10 |
| tls | >= 3.0 |
## Providers

| Name | Version |
|---|---|
| aws | >= 3.72 |
| tls | >= 3.0 |
## Modules

| Name | Source | Version |
|---|---|---|
| eks | ../.. | n/a |
| vpc | terraform-aws-modules/vpc/aws | ~> 3.0 |
| vpc_cni_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.12 |
## Resources

| Name | Type |
|---|---|
| aws_autoscaling_group_tag.cluster_autoscaler_label_tags | resource |
| aws_iam_policy.node_additional | resource |
| aws_iam_role_policy_attachment.additional | resource |
| aws_key_pair.this | resource |
| aws_kms_key.ebs | resource |
| aws_kms_key.eks | resource |
| aws_launch_template.external | resource |
| aws_security_group.additional | resource |
| aws_security_group.remote_access | resource |
| tls_private_key.this | resource |
| aws_ami.eks_default | data source |
| aws_ami.eks_default_arm | data source |
| aws_ami.eks_default_bottlerocket | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.ebs | data source |
## Inputs

No inputs.

## Outputs

| Name | Description |
|---|---|
| aws_auth_configmap_yaml | Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles |
| cloudwatch_log_group_arn | Arn of cloudwatch log group created |
| cloudwatch_log_group_name | Name of cloudwatch log group created |
| cluster_addons | Map of attribute maps for all EKS cluster addons enabled |
| cluster_arn | The Amazon Resource Name (ARN) of the cluster |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| cluster_endpoint | Endpoint for your Kubernetes API server |
| cluster_iam_role_arn | IAM role ARN of the EKS cluster |
| cluster_iam_role_name | IAM role name of the EKS cluster |
| cluster_iam_role_unique_id | Stable and unique string identifying the IAM role |
| cluster_id | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready |
| cluster_identity_providers | Map of attribute maps for all EKS identity providers enabled |
| cluster_oidc_issuer_url | The URL on the EKS cluster for the OpenID Connect identity provider |
| cluster_platform_version | Platform version for the cluster |
| cluster_primary_security_group_id | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
| cluster_security_group_arn | Amazon Resource Name (ARN) of the cluster security group |
| cluster_security_group_id | ID of the cluster security group |
| cluster_status | Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED |
| cluster_tls_certificate_sha1_fingerprint | The SHA1 fingerprint of the public key of the cluster's certificate |
| eks_managed_node_groups | Map of attribute maps for all EKS managed node groups created |
| eks_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by EKS managed node groups |
| fargate_profiles | Map of attribute maps for all EKS Fargate Profiles created |
| kms_key_arn | The Amazon Resource Name (ARN) of the key |
| kms_key_id | The globally unique identifier for the key |
| kms_key_policy | The IAM resource policy set on the key |
| node_security_group_arn | Amazon Resource Name (ARN) of the node shared security group |
| node_security_group_id | ID of the node shared security group |
| oidc_provider | The OpenID Connect identity provider (issuer URL without leading https://) |
| oidc_provider_arn | The ARN of the OIDC Provider if enable_irsa = true |
| self_managed_node_groups | Map of attribute maps for all self managed node groups created |
| self_managed_node_groups_autoscaling_group_names | List of the autoscaling group names created by self-managed node groups |