Skip to content

oozou/terraform-aws-eks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

75 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS EKS Terraform Module

Terraform module with create EKS resources on AWS.

Design diagram

Increase Limit of tcp, web socket, config kubelet for allow sysctl,

default net.core.somaxconn = 4096, tcp_max_syn_backlog 512

pre_bootstrap_user_data = "sysctl -w net.core.somaxconn='32767' net.ipv4.tcp_max_syn_backlog='32767' && contents=\"$(jq '.allowedUnsafeSysctls=[\"net.*\"]' /etc/kubernetes/kubelet/kubelet-config.json)\" && echo -E \"$${contents}\" > /etc/kubernetes/kubelet/kubelet-config.json"

Addons

vpc-cni

prerequisites

If you are using vpc-cni addons you need to create them first create nodegroup and run below command

kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true #for enable interface /28

usage

additional_addons = {
  vpc-cni = {
    name = "vpc-cni",
  }
}

Amazon Elastic Block Store (EBS) CSI driver

prerequisites

iam role arn with policy below

  • arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
  • (optional) custom policy with (kms) see more

usage

additional_service_accounts = [{
  name                 = "ebs-csi-controller-sa"
  namespace            = "kube-system"
  existing_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", "<custom-policy-to-allow-kms>"]
  }
]
additional_addons = {
  aws-ebs-csi-driver = {
    name = "aws-ebs-csi-driver",
    service_account_role_arn = <iam_role_arn_from_service_account>
  }
}

AWS Distro for OpenTelemetry (ADOT)

prerequisites

  • cert-manager

usage

prepare RBAC
kubectl apply -f https://amazon-eks.s3.amazonaws.com/docs/addons-otel-permissions.yaml
config terraform variables
additional_service_accounts = [{
  name                 = "otel"
  namespace            = "opentelemetry-operator-system"
  existing_policy_arns = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}]

additional_addons = {
  adot = {
    name    = "adot",
    version = "v0.45.0-eksbuild.1"
    existing_policy_arns = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"]
  }
}

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.0.0
tls >= 3.2.1

Providers

Name Version
aws >= 4.0.0

Modules

Name Source Version
bootstrap ./modules/bootstrap n/a
eks_kms oozou/kms-key/aws 1.0.0
nodegroup ./modules/nodegroup n/a
openid_connect ./modules/openid_connect_provider n/a

Resources

Name Type
aws_cloudwatch_log_group.this resource
aws_eks_addon.this resource
aws_eks_cluster.this resource
aws_iam_policy.combined_policy resource
aws_iam_role.cluster_role resource
aws_iam_role.node_group_role resource
aws_iam_role_policy_attachment.amazon_ec2_container_registry_readonly resource
aws_iam_role_policy_attachment.amazon_ec2_ssm resource
aws_iam_role_policy_attachment.amazon_eks_cluster_policy resource
aws_iam_role_policy_attachment.amazon_eks_cni_policy resource
aws_iam_role_policy_attachment.amazon_eks_vpc_resource_controller resource
aws_iam_role_policy_attachment.amazon_eks_worker_node_combine_policy resource
aws_iam_role_policy_attachment.amazon_eks_worker_node_policy resource
aws_security_group.cluster resource
aws_security_group_rule.eks_egress_allow_all resource
aws_security_group_rule.eks_ingress_allow_tls resource
aws_iam_policy_document.cluster_role data source
aws_iam_policy_document.combined_policy data source
aws_iam_policy_document.node_group_role data source
aws_vpc.this data source

Inputs

Name Description Type Default Required
additional_addons additional addons for eks cluster map(any)
{
"vpc-cni": {
"name": "vpc-cni"
}
}
no
additional_allow_cidr cidr for allow connection to eks cluster list(string) [] no
additional_cluster_role Additional cluster role resource
additional_cluster_role = [
{
name = "cluster_role_name"
rules = [
{ # Workloads
apiGroups = [""]
resources = ["pods", "deployments", "replicasets"]
verbs = ["get", "list", "watch", "create", "update", "delete", "patch"]
},
{ # Config
apiGroups = ["
"]
resources = ["configmaps", "secrets", "horizontalpodautoscalers"]
verbs = ["get", "list", "watch", "create", "update", "delete", "patch"]
},
{ # Network
apiGroups = ["*"]
resources = ["services", "ingresses"]
verbs = ["get", "list", "watch", "create", "update", "delete", "patch"]
]
}
]
any [] no
additional_cluster_role_binding Additional cluster role resource
additional_cluster_role_binding = [
{
name = "bdd"
subjects = [
{
kind = "User"
name = "role"
apiGroup = "rbac.authorization.k8s.io"
},
{
kind = "User"
name = "role-x"
apiGroup = "rbac.authorization.k8s.io"
}
]
roleRef = {
apiGroup = "rbac.authorization.k8s.iox"
kind = "ClusterRole"
name = "devops-clusterrole"
}
}
]
any [] no
additional_map_roles Additional role to map ex.
additional_map_roles = [
{
role_arn = arn:aws:iam::502734123891:role/cicd-role
username = dev-cicd-role
}
]
any [] no
additional_service_accounts additional service account to access eks
list(object({
name = string
namespace = string
existing_policy_arns = list(string)
}))
[] no
additional_worker_polices Additional IAM policies block, input as data source or json. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document. Bucket Policy Statements can be overriden by the statement with the same sid from the latest policy. list(string) [] no
admin_iam_arns admin iam arns for grant permission to aws-auth list(string) [] no
admin_role_arns admin role arns for grant permission to aws-auth list(string) [] no
aws_account AWS Credentials to access AWS by bootstrap module require if is_config_aws_auth = trues
object({
region = string,
access_key = string,
secret_key = string
})
{
"access_key": "",
"region": "",
"secret_key": ""
}
no
bootstrap_ami AMI for ec2 bootstrap module string "" no
bootstrap_kms_key_id ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in bootstrap secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager string "" no
cloudwatch_log_kms_key_id The ARN for the KMS encryption key. string null no
cloudwatch_log_retention_in_days Specifies the number of days you want to retain log events Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire number 90 no
dev_role_arns dev role arns for grant permission to aws-auth list(string) [] no
eks_version Desired Kubernetes version. Downgrades are not supported by EKS. string null no
enabled_cluster_log_types List of the desired control plane logging to enable list(string) [] no
environment To manage a resources with tags string n/a yes
is_config_aws_auth require if create lb controler bool true no
is_create_argo_image_updater_sa is create default role with permission for argo-cd image updater (name : argo-cd-image-updater) bool true no
is_create_bootstrap if true will create bootstrap for config aws-auth bool true no
is_create_cluster_autoscaler_sa is create default role with permission for eks cluster autoscaler bool true no
is_create_loadbalancer_controller_sa is create default role with permission for aws loadbalancer controller (name : aws-load-balancer-controller) bool true no
is_create_open_id_connect if true will create oidc provider and iam role for service account bool true no
is_enabled_cluster_encryption if enable will create kms and config eks with kms key to encrpt secret bool true no
is_endpoint_private_access Whether the Amazon EKS private API server endpoint is enabled bool true no
is_endpoint_public_access Whether the Amazon EKS public API server endpoint is enabled bool false no
karpenter_node_role_arns Karpenter node role arns for grant permission to aws-auth list(string) [] no
name The Name of the EKS cluster string n/a yes
node_groups EKS Node Group for create EC2 as worker node map(any)
{
"default": {
"ami_type": "AL2_x86_64",
"desired_size": 1,
"disk_size": 20,
"instance_types": [
"t3.medium"
],
"is_spot_instances": false,
"labels": {
"default_nodegroup_labels": "default-nodegroup"
},
"max_size": 1,
"max_unavailable": 1,
"min_size": 1,
"taint": {}
}
}
no
prefix The prefix name of customer to be displayed in AWS console and resource string n/a yes
readonly_role_arns readonly role group arns for grant permission to aws-auth list(string) [] no
subnets_ids List of IDs of subnets for create EKS list(string) n/a yes
tags Tag for a resource that create by this component map(string) {} no
vpc_id The ID of the VPC for create security group string n/a yes

Outputs

Name Description
cloudwatch_log_group_arn arn of cluster cloudwatch log group
cluster_name Name of the cluster
cluster_security_group_id Cluster security group that was created by Amazon EKS for the cluster for control-plane-to-data-plane communication.
endpoint cluster endpoint for EKS
kms_key_arn EKS encryption KMS key arn
kms_key_id EKS encryption KMS key id
kubeconfig_certificate_authority_data kubeconfig certificate
openid_connect_provider_arn arn of oidc provider
service_account_role_arns created role arn for create service accounts in cluster