Panfactum LogoPanfactum
Infrastructure ModulesAWSaws_eks

Elastic Kubernetes Service (EKS)

aws_eks
Stable
Live
Source Code Link

This module provides our standard setup for a configurable AWS EKS Cluster. It includes:

  • An EKS Cluster. This cluster defines the Kubernetes control plane (managed by AWS) and provisions it to the specified set of availability zones.

  • A KMS key for encrypting the control plane data at-rest.

  • A set of controller node groups with a static size for running cluster-critical controllers. Nodes use the Bottlerocket distribution. Autoscaled nodes are deployed via our kube_karpenter module.

  • Security groups for both the cluster control plane and for the node groups.

    • The control plane accepts inbound traffic from the nodes and can make arbitrary outbound traffic.
    • The nodes accept inbound traffic from the control plane, from each other, and can make arbitrary outbound traffic.
  • Subnet tags that controllers in our other modules depend upon.

  • The requisite infrastructure for using IAM roles for service accounts (IRSA).

  • Logging for the control plane components via AWS Cloudwatch.

Additionally, we use the following EKS add-ons:

Providers

The following providers are needed by this module:

  • aws (5.39.1)

  • tls (4.0.5)

Required Inputs

The following input variables are required:

cluster_description

Description: The purpose of the EKS cluster.

Type: string

cluster_name

Description: The name of the EKS cluster resource.

Type: string

control_plane_subnets

Description: List of subnet names for the control plane. Must be in at least two different availability zones.

Type: set(string)

controller_node_count

Description: The number of controller nodes to use

Type: number

controller_node_instance_types

Description: The allowable instance types for the controller nodes

Type: list(string)

controller_node_subnets

Description: List of names for subnets that controller nodes should be deployed to

Type: list(string)

service_cidr

Description: CIDR block that kubernetes will use for assigning service and pod ID addresses.

Type: string

vpc_id

Description: The id for the VPC that the cluster should be deployed into

Type: string

Optional Inputs

The following input variables are optional (have default values):

admin_iam_arns

Description: List of IAM arns for encryption key admins.

Type: list(string)

Default: []

all_nodes_allowed_security_groups

Description: Names of security groups allowed to communicate directly with the cluster nodes.

Type: set(string)

Default: []

control_plane_logging

Description: Which log streams to turn on for the control plane (will be sent to Cloudwatch and forwarded to DataDog)

Type: set(string)

Default: []

control_plane_version

Description: Desired Kubernetes master version.

Type: string

Default: "1.29"

controller_node_kube_version

Description: The version of kubernetes to use on the nodes

Type: string

Default: "1.29"

coredns_version

Description: The version to use for the coredns EKS add-on.

Type: string

Default: "v1.11.1-eksbuild.6"

enable_public_access

Description: Whether the cluster control plane should be available from the public internet.

Type: bool

Default: true

public_access_cidrs

Description: IP address ranges that can access the public control plane API endpoint.

Type: set(string)

Default:

[
  "0.0.0.0/0"
]

reader_iam_arns

Description: List of IAM arns for users who can use the encryption key for encryption and decryption.

Type: list(string)

Default: []

restricted_reader_iam_arns

Description: List of IAM arns for users who can only view the encryption key.

Type: list(string)

Default: []

superuser_iam_arns

Description: List of IAM arns for encryption key superusers.

Type: list(string)

Default: []

Outputs

The following outputs are exported:

cluster_ca_data

Description: The CA certificate for the Kubernetes API server

cluster_name

Description: The name of the EKS cluster

cluster_region

Description: The AWS region to which the EKS cluster is deployed

cluster_url

Description: The URL for the Kubernetes API server

node_instance_profile

Description: The instance profile assigned to controller nodes

node_role_arn

Description: The ARN of the role assigned to controller nodes

node_security_group_id

Description: ID of the security group assigned to controller nodes

user_data

Description: The user data file provided to the controller nodes

Usage

No notes