Elastic Kubernetes Service (EKS)
This module provides our standard setup for a configurable AWS EKS Cluster. It includes:
- An EKS Cluster. This cluster defines the Kubernetes control plane (managed by AWS) and provisions it to the specified set of availability zones.
- A KMS key for encrypting the control plane data at rest.
- A set of controller node groups with a static size for running cluster-critical controllers. Nodes use the Bottlerocket distribution. Autoscaled nodes are deployed via our kube_karpenter module.
- Security groups for both the cluster control plane and for the node groups.
  - The control plane accepts inbound traffic from the nodes and can make arbitrary outbound traffic.
  - The nodes accept inbound traffic from the control plane and from each other, and can make arbitrary outbound traffic.
- Subnet tags that controllers in our other modules depend upon.
- The requisite infrastructure for using IAM roles for service accounts (IRSA).
- Logging for the control plane components via AWS CloudWatch.
Additionally, we use the following EKS add-ons:
Providers
The following providers are needed by this module:
Required Inputs
The following input variables are required:
cluster_description
Description: The purpose of the EKS cluster.
Type: string
cluster_name
Description: The name of the EKS cluster resource.
Type: string
control_plane_subnets
Description: List of subnet names for the control plane. Must be in at least two different availability zones.
Type: set(string)
controller_node_count
Description: The number of controller nodes to use
Type: number
controller_node_instance_types
Description: The allowable instance types for the controller nodes
Type: list(string)
controller_node_subnets
Description: List of names for subnets that controller nodes should be deployed to
Type: list(string)
service_cidr
Description: CIDR block that Kubernetes will use for assigning service and pod IP addresses. Should not overlap the VPC CIDR or any network peered or connected to it.
Type: string
vpc_id
Description: The id for the VPC that the cluster should be deployed into
Type: string
Optional Inputs
The following input variables are optional (have default values):
admin_iam_arns
Description: List of IAM ARNs for encryption key admins.
Type: list(string)
Default: []
all_nodes_allowed_security_groups
Description: Names of security groups allowed to communicate directly with the cluster nodes.
Type: set(string)
Default: []
control_plane_logging
Description: Which control plane log types to enable (api, audit, authenticator, controllerManager, scheduler). Logs are sent to CloudWatch and forwarded to Datadog. The default enables none, so no audit trail of API server requests is kept unless this is set.
Type: set(string)
Default: []
control_plane_version
Description: Desired Kubernetes version for the control plane.
Type: string
Default: "1.29"
controller_node_kube_version
Description: The version of kubernetes to use on the nodes
Type: string
Default: "1.29"
coredns_version
Description: The version to use for the coredns EKS add-on.
Type: string
Default: "v1.11.1-eksbuild.6"
enable_public_access
Description: Whether the control plane API endpoint should be reachable from the public internet.
Type: bool
Default: true
public_access_cidrs
Description: IP address ranges that can access the public control plane API endpoint. With the default of 0.0.0.0/0 and enable_public_access left at true, the API server is reachable from any IP address (IAM/Kubernetes authentication is still required). Restrict this to known egress ranges, or disable public access entirely.
Type: set(string)
Default:
[
"0.0.0.0/0"
]
reader_iam_arns
Description: List of IAM ARNs for users who can use the encryption key for encryption and decryption.
Type: list(string)
Default: []
restricted_reader_iam_arns
Description: List of IAM ARNs for users who can only view the encryption key.
Type: list(string)
Default: []
superuser_iam_arns
Description: List of IAM ARNs for encryption key superusers.
Type: list(string)
Default: []
Outputs
The following outputs are exported:
cluster_ca_data
Description: The CA certificate for the Kubernetes API server
cluster_name
Description: The name of the EKS cluster
cluster_region
Description: The AWS region to which the EKS cluster is deployed
cluster_url
Description: The URL for the Kubernetes API server
node_instance_profile
Description: The instance profile assigned to controller nodes
node_role_arn
Description: The ARN of the role assigned to controller nodes
node_security_group_id
Description: ID of the security group assigned to controller nodes
user_data
Description: The user data file provided to the controller nodes
Usage
No notes
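The following is an added usage example, not part of the module documentation or the project's own code. It calls the module with every required input and overrides the defaults that matter most from a security standpoint: the public endpoint is limited to a known CIDR instead of 0.0.0.0/0, all control plane log types are enabled, and the KMS key policy is given explicit principals. The module source path, subnet names, VPC ID, IAM role ARNs and the 198.51.100.0/24 egress range are placeholders. The trailing `check` block (Terraform 1.5 or later) is an added guardrail that reads the live cluster back through the `aws_eks_cluster` data source and warns during plan or apply if the endpoint ever ends up public and open to the world; check failures are reported as warnings, not hard errors.

```hcl
# Added example; placeholders are marked. Not the module's own code.

module "eks" {
  source = "../aws_eks" # assumed path to this module

  cluster_name        = "production-primary"
  cluster_description = "Primary production cluster"
  vpc_id              = "vpc-0123456789abcdef0" # placeholder

  # Control plane subnets must span at least two availability zones.
  control_plane_subnets = ["PRIVATE_A", "PRIVATE_B", "PRIVATE_C"] # placeholder subnet names

  controller_node_count          = 3
  controller_node_instance_types = ["t4g.medium", "m7g.large"]
  controller_node_subnets        = ["PRIVATE_A", "PRIVATE_B", "PRIVATE_C"]

  # Service/pod range; must not overlap the VPC or any peered network.
  service_cidr = "172.20.0.0/16"

  # Keep the public endpoint (needed here for runners outside the VPC) but
  # replace the default 0.0.0.0/0 with a known egress range.
  enable_public_access = true
  public_access_cidrs  = ["198.51.100.0/24"] # placeholder office / CI egress range

  # Default is [] (no logs). Enable every type so API requests are auditable.
  control_plane_logging = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # KMS key policy principals; all default to [] so nothing is granted unless set.
  superuser_iam_arns = ["arn:aws:iam::123456789012:role/platform-superuser"] # placeholder
  admin_iam_arns     = ["arn:aws:iam::123456789012:role/platform-admin"]     # placeholder
  reader_iam_arns    = ["arn:aws:iam::123456789012:role/platform-engineer"]  # placeholder
}

# Post-apply guardrail: warn if the live endpoint is public and allows 0.0.0.0/0.
check "eks_endpoint_not_world_reachable" {
  data "aws_eks_cluster" "this" {
    name = module.eks.cluster_name
  }

  assert {
    condition = !(
      data.aws_eks_cluster.this.vpc_config[0].endpoint_public_access &&
      contains(data.aws_eks_cluster.this.vpc_config[0].public_access_cidrs, "0.0.0.0/0")
    )
    error_message = "EKS API endpoint is public and allows 0.0.0.0/0; set public_access_cidrs or disable public access."
  }
}
```

Run `terraform plan` after `terraform apply`; a warning from the check block means someone changed the endpoint access outside of this configuration and the drift should be reverted.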