{"id":21639718,"url":"https://github.com/dasmeta/terraform-aws-eks","last_synced_at":"2026-04-01T18:31:24.074Z","repository":{"id":59659573,"uuid":"518051400","full_name":"dasmeta/terraform-aws-eks","owner":"dasmeta","description":"All terraform modules that are related or supporting EKS setup","archived":false,"fork":false,"pushed_at":"2026-03-19T07:39:37.000Z","size":921,"stargazers_count":14,"open_issues_count":5,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-26T17:58:04.274Z","etag":null,"topics":["aws","cluster","eks","kubernetes","module","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"www.dasmeta.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dasmeta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-26T12:26:04.000Z","updated_at":"2026-03-19T07:39:20.000Z","dependencies_parsed_at":"2023-12-04T11:24:26.678Z","dependency_job_id":"8d65757b-f7ec-4e0a-8c45-2032b5b76f33","html_url":"https://github.com/dasmeta/terraform-aws-eks","commit_stats":null,"previous_names":[],"tags_count":123,"template":false,"template_full_name":null,"purl":"pkg:github/dasmeta/terraform-aws-eks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasmeta%2Fterraform-aws-eks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasmeta%2Fterraform-aws-eks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/dasmeta%2Fterraform-aws-eks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasmeta%2Fterraform-aws-eks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dasmeta","download_url":"https://codeload.github.com/dasmeta/terraform-aws-eks/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasmeta%2Fterraform-aws-eks/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290872,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cluster","eks","kubernetes","module","terraform","terraform-module"],"created_at":"2024-11-25T04:14:50.780Z","updated_at":"2026-04-01T18:31:24.064Z","avatar_url":"https://github.com/dasmeta.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n# Why\n\nTo spin up complete eks with all necessary components.\nThose include:\n- vpc (NOTE: the vpc submodule moved into separate repo https://github.com/dasmeta/terraform-aws-vpc)\n- eks cluster\n- alb ingress controller\n- fluentbit\n- external secrets\n- metrics to cloudwatch\n- karpenter\n- keda\n- 
linkerd\n- flagger\n- external-dns\n- event-exporter\n\n## Upgrading guide:\n - from version \u003e= 2.25.0, some manual actions are required.\n  This version adds Karpenter support for GPU instance types.\n  If you are using resource\\_configs\\_defaults, you now need to move it under resource\\_configs\\_defaults.default.\n - from \u003c2.19.0 to \u003e=2.19.0 version needs some manual actions as we upgraded underlying eks module from 18.x.x to 20.x.x,\n   here you can find needed actions/changes docs and ready scripts which can be used:\n   docs:\n     https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-19.0.md\n     https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md\n   params:\n     The node group create\\_launch\\_template=false and launch\\_template\\_name=\"\" pair params have been replaced with use\\_custom\\_launch\\_template=false\n   scripts:\n   ```sh\n    # commands to move some states, run before applying the `terraform apply` for new version\n    terraform state mv \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.kubernetes_config_map_v1_data.aws_auth[0]\" \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.aws_auth_config_map.kubernetes_config_map_v1_data.aws_auth[0]\"\n    terraform state mv \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.aws_security_group_rule.node[\\\"ingress_cluster_9443\\\"]\" \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.aws_security_group_rule.node[\\\"ingress_cluster_9443_webhook\\\"]\"\n    terraform state mv \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.aws_security_group_rule.node[\\\"ingress_cluster_8443\\\"]\" \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.aws_security_group_rule.node[\\\"ingress_cluster_8443_webhook\\\"]\"\n    # command to run in case upgrading from \u003c2.14.6 
version, run before applying the `terraform apply` for new version\n    terraform state rm \"module.\u003ceks-module-name\u003e.module.autoscaler[0].aws_iam_policy.policy\"\n    # command to run when apply fails to create the existing resource \"\u003ceks-cluster-name\u003e:arn:aws:iam::\u003caws-account-id\u003e:role/aws-reserved/sso.amazonaws.com/eu-central-1/AWSReservedSSO_AdministratorAccess_\u003csome-hash\u003e\"\n    terraform import \"module.\u003ceks-module-name\u003e.module.eks-cluster[0].module.eks-cluster.aws_eks_access_entry.this[\\\"cluster_creator\\\"]\" \"\u003ceks-cluster-name\u003e:arn:aws:iam::\u003caws-account-id\u003e:role/aws-reserved/sso.amazonaws.com/eu-central-1/AWSReservedSSO_AdministratorAccess_\u003csome-hash\u003e\"\n    # command to apply when secret store fails to be linked, probably there will be need to remove the resource\n    terraform import \"module.secret_store.kubectl_manifest.main\" external-secrets.io/v1beta1//SecretStore//app-test//default\n   ```\n - from \u003c2.20.0 to \u003e=2.20.0 version\n   - in case if karpenter is enabled.\n     the karpenter chart have been upgraded and CRDs creation have been moved into separate chart and there is need to run following kubectl commands before applying module update:\n     ```bash\n     kubectl patch crd ec2nodeclasses.karpenter.k8s.aws -p '{\"metadata\":{\"labels\":{\"app.kubernetes.io/managed-by\":\"Helm\"},\"annotations\":{\"meta.helm.sh/release-name\":\"karpenter-crd\",\"meta.helm.sh/release-namespace\":\"karpenter\"}}}'\n     kubectl patch crd nodeclaims.karpenter.sh -p '{\"metadata\":{\"labels\":{\"app.kubernetes.io/managed-by\":\"Helm\"},\"annotations\":{\"meta.helm.sh/release-name\":\"karpenter-crd\",\"meta.helm.sh/release-namespace\":\"karpenter\"}}}'\n     kubectl patch crd nodepools.karpenter.sh -p 
'{\"metadata\":{\"labels\":{\"app.kubernetes.io/managed-by\":\"Helm\"},\"annotations\":{\"meta.helm.sh/release-name\":\"karpenter-crd\",\"meta.helm.sh/release-namespace\":\"karpenter\"}}}'\n     ```\n   - the alb ingress/load-balancer controller variables have been moved under one variable set `alb_load_balancer_controller` so you have to change old way passed config(if you have this variables manually passed), here is the moved ones: `enable_alb_ingress_controller`, `enable_waf_for_alb`, `alb_log_bucket_name`, `alb_log_bucket_path`, `send_alb_logs_to_cloudwatch`\n - from \u003c2.21.0 to \u003e=2.21.0 version\n   - this version upgrade brings about all underlying main components updated to latest versions and eks default version 1.30. all core/important components compatibility have been tested with install from scratch and when applying the update over old version, but in any case possibility of issues in custom configured setups. so that make sure you apply the update in dev/stage environments at first and test that all works as expected and then apply for prod/live.\n   - in case if karpenter is enabled there is some tricky behavior while upgrade.\n     the karpenter managed spot instances got interrupted more often(this seems related karpenter drift ability and k8s version+ami version update, so that 2 separate waves of change arrive) so that at some upgrade point there even we can have case without any karpenter managed instance(still needs deeper investigation). 
So make sure:\n       - to apply the upgrade at a time when there is not much traffic to the website and, if possible, cool down critical services which must not be restarted.\n       - to set a PDB on workloads, which prevents all workload pods from being unavailable at a certain point.\n       - also, if you have pods with the annotation `karpenter.sh/do-not-disrupt: \"true\"` you may need to manually disrupt these pods so that their karpenter managed nodes get disrupted/recreated as well and get the new eks version. you can also use this annotation to prevent karpenter from disrupting nodes where such pods run, which is handy to manually control when a node can be disrupted.\n   - the default addon coredns now has explicitly set default configurations, and these configs can be changed via the var.default\\_addons config. if you have manually set configs for coredns that differ from the default ones here in the module then you may need to set/change the coredns configs in the module use so that your custom ones are not overridden and lost.\n - from \u003c2.22.0 to \u003e=2.22.0 version\n   - linkerd integration is implemented, so starting with this version linkerd will be enabled by default.\n   - if linkerd had been deployed before using the linkerd cli then you have to disable/uninstall linkerd via the cli, here are the commands to apply\n     ```sh\n     linkerd viz uninstall | kubectl delete -f - # to uninstall linkerd viz\n     linkerd uninstall | kubectl delete -f - # to uninstall linkerd\n     ```\n     no downtime is expected from uninstalling/disabling linkerd, but it is recommended to first disable linkerd (set podAnnotation `linkerd.io/inject: disabled`) on all workloads where it is enabled and then uninstall it, so that the new module version will bring it back and you can enable linkerd again (via podAnnotation `linkerd.io/inject: enabled`)\n   - there is also a new ability to enable the s3-csi driver and get s3 buckets mounted 
into k8s pod/containers as volume\n - from \u003c2.23.0 to \u003e=2.23.0 version\n   - we have fluentbit and adot disabled by default, so that grafana stack will be used as telemetry data collector and app metrics, check example `eks-with-all-telemetry-to-grafana-stack` for more info on how.\n   - it still possible to enable fluentbit and adot and have monitoring data collection worked as before by just setting\n     ```terraform\n     module \"this\" {\n       source  = \"dasmeta/eks/aws\"\n       version = \"\u003e= 2.23.0\"\n       ....\n       metrics_exporter = \"adot\"\n       fluent_bit_configs = {\n         enabled = true\n       }\n     }\n     ```\n   - before disabling adot/fluentbit(what this module version brings) it is recommended to check and disable existing alerting/dashboard in cloudwatch that based on cloudwatch container insights metrics and logs and also inform dev/devops guys that logs/metric are/should-be now available in grafana\n - from \u003c2.23.2 to \u003e=2.23.2 version\n   - the `alarms` variable is not required anymore and the `alarms.sns_topic` also is not required and is by default \"\"\n   - the alarms(it is actually one single alarm on ContainerInsights `cluster_failed_node_count` metric) are disabled by default as we have disabled cloudwatch/adot metric exporter\n   - if you still want to keep alarms enabled with `adot/cloudwatch` exporter you can set the following\n     ```terraform\n     module \"this\" {\n       source  = \"dasmeta/eks/aws\"\n       version = \"\u003e= 2.23.2\"\n       ....\n       metrics_exporter = \"adot\"\n       fluent_bit_configs = {\n         enabled = true\n       }\n       alarms = {\n         enabled = true\n         sns_topic = \"default\"\n       }\n     }\n     ```\n - from \u003c2.24.0 to \u003e=2.24.0 version\n   - this version brings the following new ebs csi provisioner attached StorageClasses:\n\n       **ebs-gp3**    - new generation general purpose SSD, the default storage class with 
\"gp3\" volume types to use with baseline performance 3000 IOPS and 125 MiB/s throughput, gp3 supports up to 1000 MB/s and 16,000 IOPS but there will be need to create separate StorageClass to utilize this with considering that in this case volume size have to satisfy the rule IOPS ≤ 500 × size(GiB) and that extra iops will be charged in separate if exceeds baseline\n\n       **ebs-gp2**    - old generation general purpose SSD, this class we create as replacement of aws eks default created \"gp2\" StorageClass, baseline is 3 IOPS per GiB (3 × volume GiBs) of volume size with minimum 100 IOPS and up to 16,000 IOPS, throughput for ≤ 170 GiB is max ~128 MiB/s; can reaches 250 MiB/s only ≥ 334 GiB; and 170–334 GiB can burst to 250 MiB/s\n\n       **ebs-io2-3k, ebs-io2-5k, ebs-io2-8k, ebs-io2-16k, ebs-io2-32k, ebs-io2-64k**  - this ones are predefined set of the \"io2\" volume type StorageClasses with set/provisioned iops, this are SSDs with provisioned IOPS explicitly (good for latency-sensitive DBs), NOTE: you pay also for the IOPS you set in StorageClass for this volumes (even if you don’t use all of the iops), so make sure you know your ipos requirement when using this classes\n\n       **ebs-st1**     - the \"st1\" type, throughput-optimized HDD, designed for large, sequential I/O (big scans, ETL, log processing, data lakes)\n\n       **ebs-sc1**     - the \"sc1\" type, cold HDD, lowest cost per GiB, lowest baseline throughput; for infrequently accessed, large, sequential data (cold logs, archives)\n\n     NOTE: In order to not get default storage classes collision(as before 1.30 version on old created eks clusters we have gp2 storage class annotated as default and we bring new ebs-gp3 one as default) there is need to reset aws auto-created gp2 storage class default tag/annotation, by running the following kubectl script before applying the new change:\n     ```sh\n     kubectl annotate sc gp2 storageclass.kubernetes.io/is-default-class- --overwrite\n     ```\n     
It is expected that this will not break already created volumes; even if the gp2 StorageClass is not annotated as default the script will pass with no issues. we just have to make sure we apply the new version change immediately so that new k8s PVCs which have no explicitly set storageClass and use the default have no issues. checks show no major issue if we have two defaults, but the docs propose not to have that, and we need to be safe by removing the default-class annotation from the preexisting gp2 StorageClass\n\n - 2.24.7 version notes\n   - brings all 3 aws core/default components coredns, vpc-cni/eks-node, kube-proxy into terraform managed addons so that these components will get auto upgraded to newer versions compatible with the eks version\n   - the default of most\\_recent has been changed from true to false to use the aws defined default for the addons that we create, so that no auto updates for the same cluster version will be applied and there are no surprises; we just take the addon version that aws has marked as default for the eks version we have\n   - some cleanup of unnecessary tf code\n   - the aws-load-balancer-controller helm chart is upgraded to a new minor compatible version\n   - do not worry if you upgrade the eks version and get a change that decreases an addon version, as we now use not the most recent but the aws default picked one\n - from version \u003e= 2.25.0, no manual actions are required. 
here are what this release brings:\n   - upgraded eks cluster to 1.33 version\n   - gateway-api(istio) support added (example how to use can be found in examples/eks-with-istio-gateway-api)\n   - improved cert-manager implementation by adding cluster-issuer and certificate resources creation and validation based on HTTP01 and DNS01 challenges(example how to used with cloudflare can be found in examples/eks-with-cert-manager)\n\n## How to run\n```hcl\ndata \"aws_availability_zones\" \"available\" {}\n\nlocals {\n   cluster_endpoint_public_access = true\n   cluster_enabled_log_types = [\"audit\"]\n vpc = {\n   create = {\n     name = \"dev\"\n     availability_zones = data.aws_availability_zones.available.names\n     private_subnets    = [\"172.16.1.0/24\", \"172.16.2.0/24\", \"172.16.3.0/24\"]\n     public_subnets     = [\"172.16.4.0/24\", \"172.16.5.0/24\", \"172.16.6.0/24\"]\n     cidr               = \"172.16.0.0/16\"\n     public_subnet_tags = {\n   \"kubernetes.io/cluster/dev\" = \"shared\"\n   \"kubernetes.io/role/elb\"    = \"1\"\n }\n private_subnet_tags = {\n   \"kubernetes.io/cluster/dev\"       = \"shared\"\n   \"kubernetes.io/role/internal-elb\" = \"1\"\n }\n   }\n }\n  cluster_name = \"your-cluster-name-goes-here\"\n alb_log_bucket_name = \"your-log-bucket-name-goes-here\"\n\n fluent_bit_name = \"fluent-bit\"\n log_group_name  = \"fluent-bit-cloudwatch-env\"\n}\n\n#(Basic usage with example of using already created VPC)\ndata \"aws_availability_zones\" \"available\" {}\n\nlocals {\n   cluster_endpoint_public_access = true\n   cluster_enabled_log_types = [\"audit\"]\n\n vpc = {\n   link = {\n     id = \"vpc-1234\"\n     private_subnet_ids = [\"subnet-1\", \"subnet-2\"]\n   }\n }\n  cluster_name = \"your-cluster-name-goes-here\"\n alb_log_bucket_name = \"your-log-bucket-name-goes-here\"\n\n fluent_bit_name = \"fluent-bit\"\n log_group_name  = \"fluent-bit-cloudwatch-env\"\n}\n\n# Minimum\n\nmodule \"cluster_min\" {\n source  = \"dasmeta/eks/aws\"\n 
version = \"0.1.1\"\n\n cluster_name        = local.cluster_name\n users               = local.users\n\n vpc = {\n   link = {\n     id = \"vpc-1234\"\n     private_subnet_ids = [\"subnet-1\", \"subnet-2\"]\n   }\n }\n\n}\n\n# Max @TODO: the max param passing setup needs to be checked/fixed\n\nmodule \"cluster_max\" {\n source  = \"dasmeta/eks/aws\"\n version = \"0.1.1\"\n\n ### VPC\n vpc = {\n   create = {\n     name = \"dev\"\n    availability_zones = data.aws_availability_zones.available.names\n    private_subnets    = [\"172.16.1.0/24\", \"172.16.2.0/24\", \"172.16.3.0/24\"]\n    public_subnets     = [\"172.16.4.0/24\", \"172.16.5.0/24\", \"172.16.6.0/24\"]\n    cidr               = \"172.16.0.0/16\"\n    public_subnet_tags = {\n  \"kubernetes.io/cluster/dev\" = \"shared\"\n  \"kubernetes.io/role/elb\"    = \"1\"\n }\n private_subnet_tags = {\n   \"kubernetes.io/cluster/dev\"       = \"shared\"\n   \"kubernetes.io/role/internal-elb\" = \"1\"\n }\n   }\n }\n\n cluster_enabled_log_types = local.cluster_enabled_log_types\n cluster_endpoint_public_access = local.cluster_endpoint_public_access\n\n ### EKS\n cluster_name          = local.cluster_name\n manage_aws_auth       = true\n\n # IAM users username and group. By default value is [\"system:masters\"]\n user = [\n         {\n           username = \"devops1\"\n           group    = [\"system:masters\"]\n         },\n         {\n           username = \"devops2\"\n           group    = [\"system:kube-scheduler\"]\n         },\n         {\n           username = \"devops3\"\n         }\n ]\n\n # You can create node use node_group when you create node in specific subnet zone.(Note. 
In this case the EC2 instance doesn't have a specific name).\n # In other cases you can use the worker_group variable.\n\n node_groups = {\n   example =  {\n     name  = \"nodegroup\"\n     name-prefix     = \"nodegroup\"\n     additional_tags = {\n         \"Name\"      = \"node\"\n         \"ExtraTag\"  = \"ExtraTag\"\n     }\n\n     instance_type   = \"t3.xlarge\"\n     max_size    = 1\n     disk_size       = 50\n     create_launch_template = false\n     subnet = [\"subnet_id\"]\n   }\n}\n\nnode_groups_default = {\n    disk_size      = 50\n    instance_types = [\"t3.medium\"]\n  }\n\nworker_groups = {\n  default = {\n    name              = \"nodes\"\n    instance_type     = \"t3.xlarge\"\n    asg_max_size      = 3\n    root_volume_size  = 50\n  }\n}\n\n workers_group_defaults = {\n   launch_template_use_name_prefix = true\n   launch_template_name            = \"default\"\n   root_volume_type                = \"gp3\"\n   root_volume_size                = 50\n }\n\n ### ALB-INGRESS-CONTROLLER\n alb_log_bucket_name = local.alb_log_bucket_name\n\n ### FLUENT-BIT\n fluent_bit_name = local.fluent_bit_name\n log_group_name  = local.log_group_name\n\n # Should be refactored to install from cluster: for prod it is done from metrics-server.tf\n ### METRICS-SERVER\n # enable_metrics_server = false\n metrics_server_name     = \"metrics-server\"\n}\n```\n\n## karpenter enabled\n### NOTES:\n###  - enabling karpenter automatically disables cluster auto-scaler, starting from 2.30.0 version karpenter is enabled by default\n###  - if the vpc has been created externally(not inside this module) then you may need to set the following tags on private subnets `karpenter.sh/discovery=\u003ccluster-name\u003e`\n###  - when enabling karpenter on an existing old cluster there is a possibility to see a cycle-dependency error, to overcome this you need at first to apply the main eks module change (`terraform apply --target \"module.\u003ceks-module-name\u003e.module.eks-cluster\"`) and then the rest of the cluster-autoscaler destroy 
and karpenter install ones\n###  - when destroying a cluster which has karpenter enabled there is a possibility of failure on karpenter resource removal, you need to run the destruction one more time to get it complete\n###  - in order to be able to use spot instances you may need to create the AWSServiceRoleForEC2Spot IAM role on the aws account(TODO: check and create this role on account module automatically), here is the doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/service-linked-roles-spot-instance-requests.html , otherwise the karpenter created `nodeclaim` kubernetes resource will show an AuthFailure.ServiceLinkedRoleCreationNotPermitted error\n###  - karpenter is designed to keep nodes as cheap as possible so that by default it can dynamically disrupt/collocate nodes, even on-demand ones. So in order to control the process in specific cases use the following options: setting `karpenter.sh/do-not-disrupt: \"true\"` for a pod (or this can be set also on a node) prevents karpenter from disrupting the node where the pod runs(be aware to manually drain such nodes when you do eks version upgrades), also the pods PDB(PodDisruptionBudget) option can be used as karpenter respects this, the node-pools disruption params also can be used to create more advanced logic(by default `disruption = { consolidationPolicy=\"WhenEmptyOrUnderutilized\", consolidateAfter=\"3m\", budgets={nodes : \"10%\"}}`)\n\n```terraform\nmodule \"eks\" {\n source  = \"dasmeta/eks/aws\"\n version = \"3.x.x\"\n .....\n karpenter = {\n  enabled = true\n  configs = {\n    replicas = 1\n  }\n  resource_configs_defaults = { # this is optional param, look into karpenter submodule to get available defaults\n    limits = {\n      cpu = 11 # the default is 10 and we can add limit restrictions on memory also\n    }\n  }\n  resource_configs = {\n    nodePools = {\n      general = { weight = 1 } # by default it use linux amd64 cpu\u003c6, memory\u003c10000Mi, \u003e2 generation and  [\"spot\", \"on-demand\"] type nodes so that it tries to 
get spot at first and if no then on-demand\n    }\n  }\n }\n .....\n}\n```\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | ~\u003e 1.3 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3.31, \u003c 6.0.0 |\n| \u003ca name=\"requirement_deepmerge\"\u003e\u003c/a\u003e [deepmerge](#requirement\\_deepmerge) | ~\u003e 1.1 |\n| \u003ca name=\"requirement_helm\"\u003e\u003c/a\u003e [helm](#requirement\\_helm) | ~\u003e 2.0 |\n| \u003ca name=\"requirement_kubectl\"\u003e\u003c/a\u003e [kubectl](#requirement\\_kubectl) | ~\u003e1.14 |\n| \u003ca name=\"requirement_utils\"\u003e\u003c/a\u003e [utils](#requirement\\_utils) | 2.1.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 3.31, \u003c 6.0.0 |\n| \u003ca name=\"provider_helm\"\u003e\u003c/a\u003e [helm](#provider\\_helm) | ~\u003e 2.0 |\n| \u003ca name=\"provider_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#provider\\_kubernetes) | n/a |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_adot\"\u003e\u003c/a\u003e [adot](#module\\_adot) | ./modules/adot | n/a |\n| \u003ca name=\"module_alb-ingress-controller\"\u003e\u003c/a\u003e [alb-ingress-controller](#module\\_alb-ingress-controller) | ./modules/aws-load-balancer-controller | n/a |\n| \u003ca name=\"module_api-gw-controller\"\u003e\u003c/a\u003e [api-gw-controller](#module\\_api-gw-controller) | ./modules/api-gw | n/a |\n| \u003ca name=\"module_autoscaler\"\u003e\u003c/a\u003e [autoscaler](#module\\_autoscaler) | ./modules/autoscaler | n/a |\n| \u003ca name=\"module_cert-manager\"\u003e\u003c/a\u003e [cert-manager](#module\\_cert-manager) | ./modules/cert-manager | n/a |\n| \u003ca name=\"module_cloudwatch-metrics\"\u003e\u003c/a\u003e 
[cloudwatch-metrics](#module\\_cloudwatch-metrics) | ./modules/cloudwatch-metrics | n/a |\n| \u003ca name=\"module_cw_alerts\"\u003e\u003c/a\u003e [cw\\_alerts](#module\\_cw\\_alerts) | dasmeta/monitoring/aws//modules/alerts | 1.3.5 |\n| \u003ca name=\"module_ebs-csi\"\u003e\u003c/a\u003e [ebs-csi](#module\\_ebs-csi) | ./modules/ebs-csi | n/a |\n| \u003ca name=\"module_efs-csi-driver\"\u003e\u003c/a\u003e [efs-csi-driver](#module\\_efs-csi-driver) | ./modules/efs-csi | n/a |\n| \u003ca name=\"module_eks-cluster\"\u003e\u003c/a\u003e [eks-cluster](#module\\_eks-cluster) | ./modules/eks | n/a |\n| \u003ca name=\"module_eks-core-components\"\u003e\u003c/a\u003e [eks-core-components](#module\\_eks-core-components) | dasmeta/empty/null | 1.2.2 |\n| \u003ca name=\"module_eks-core-components-and-alb\"\u003e\u003c/a\u003e [eks-core-components-and-alb](#module\\_eks-core-components-and-alb) | dasmeta/empty/null | 1.2.2 |\n| \u003ca name=\"module_event_exporter\"\u003e\u003c/a\u003e [event\\_exporter](#module\\_event\\_exporter) | ./modules/event-exporter | n/a |\n| \u003ca name=\"module_external-dns\"\u003e\u003c/a\u003e [external-dns](#module\\_external-dns) | ./modules/external-dns | n/a |\n| \u003ca name=\"module_external-secrets\"\u003e\u003c/a\u003e [external-secrets](#module\\_external-secrets) | ./modules/external-secrets | n/a |\n| \u003ca name=\"module_flagger\"\u003e\u003c/a\u003e [flagger](#module\\_flagger) | ./modules/flagger | n/a |\n| \u003ca name=\"module_fluent-bit\"\u003e\u003c/a\u003e [fluent-bit](#module\\_fluent-bit) | ./modules/fluent-bit | n/a |\n| \u003ca name=\"module_istio\"\u003e\u003c/a\u003e [istio](#module\\_istio) | dasmeta/shared/any//modules/istio | 1.7.9 |\n| \u003ca name=\"module_karpenter\"\u003e\u003c/a\u003e [karpenter](#module\\_karpenter) | ./modules/karpenter | n/a |\n| \u003ca name=\"module_keda\"\u003e\u003c/a\u003e [keda](#module\\_keda) | ./modules/keda | n/a |\n| \u003ca name=\"module_kyverno\"\u003e\u003c/a\u003e 
[kyverno](#module\\_kyverno) | dasmeta/shared/any//modules/kyverno | 1.5.0 |\n| \u003ca name=\"module_linkerd\"\u003e\u003c/a\u003e [linkerd](#module\\_linkerd) | ./modules/linkerd | n/a |\n| \u003ca name=\"module_metrics-server\"\u003e\u003c/a\u003e [metrics-server](#module\\_metrics-server) | ./modules/metrics-server | n/a |\n| \u003ca name=\"module_namespaces_and_docker_auth\"\u003e\u003c/a\u003e [namespaces\\_and\\_docker\\_auth](#module\\_namespaces\\_and\\_docker\\_auth) | ./modules/namespaces-and-docker-auth | n/a |\n| \u003ca name=\"module_nginx-ingress-controller\"\u003e\u003c/a\u003e [nginx-ingress-controller](#module\\_nginx-ingress-controller) | ./modules/nginx-ingress-controller/ | n/a |\n| \u003ca name=\"module_node-problem-detector\"\u003e\u003c/a\u003e [node-problem-detector](#module\\_node-problem-detector) | ./modules/node-problem-detector | n/a |\n| \u003ca name=\"module_node_local_dns\"\u003e\u003c/a\u003e [node\\_local\\_dns](#module\\_node\\_local\\_dns) | ./modules/node-local-dns | n/a |\n| \u003ca name=\"module_olm\"\u003e\u003c/a\u003e [olm](#module\\_olm) | ./modules/olm | n/a |\n| \u003ca name=\"module_portainer\"\u003e\u003c/a\u003e [portainer](#module\\_portainer) | ./modules/portainer | n/a |\n| \u003ca name=\"module_priority_class\"\u003e\u003c/a\u003e [priority\\_class](#module\\_priority\\_class) | ./modules/priority-class/ | n/a |\n| \u003ca name=\"module_s3-csi\"\u003e\u003c/a\u003e [s3-csi](#module\\_s3-csi) | ./modules/s3-csi | n/a |\n| \u003ca name=\"module_sso-rbac\"\u003e\u003c/a\u003e [sso-rbac](#module\\_sso-rbac) | ./modules/sso-rbac | n/a |\n| \u003ca name=\"module_vpc\"\u003e\u003c/a\u003e [vpc](#module\\_vpc) | dasmeta/vpc/aws | 1.0.1 |\n| \u003ca name=\"module_weave-scope\"\u003e\u003c/a\u003e [weave-scope](#module\\_weave-scope) | ./modules/weave-scope | n/a |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| 
[helm_release.kube-state-metrics](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.nvidia_gpu_driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubernetes_namespace.meta-system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_id\"\u003e\u003c/a\u003e [account\\_id](#input\\_account\\_id) | AWS Account Id to apply changes into | `string` | `null` | no |\n| \u003ca name=\"input_additional_priority_classes\"\u003e\u003c/a\u003e [additional\\_priority\\_classes](#input\\_additional\\_priority\\_classes) | Defines Priority Classes in Kubernetes, used to assign different levels of priority to pods. By default, this module creates three Priority Classes: 'high'(1000000), 'medium'(500000) and 'low'(250000) . You can also provide a custom list of Priority Classes if needed. | \u003cpre\u003elist(object({\u003cbr/\u003e    name  = string\u003cbr/\u003e    value = string # number in string form\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_adot_config\"\u003e\u003c/a\u003e [adot\\_config](#input\\_adot\\_config) | accept\\_namespace\\_regex defines the list of namespaces from which metrics will be exported, and additional\\_metrics defines additional metrics to export. 
| \u003cpre\u003eobject({\u003cbr/\u003e    accept_namespace_regex = optional(string, \"(default|kube-system)\")\u003cbr/\u003e    additional_metrics     = optional(list(string), [])\u003cbr/\u003e    log_group_name         = optional(string, \"adot\")\u003cbr/\u003e    log_retention          = optional(number, 14)\u003cbr/\u003e    helm_values            = optional(any, null)\u003cbr/\u003e    logging_enable         = optional(bool, false)\u003cbr/\u003e    resources = optional(object({\u003cbr/\u003e      limit = object({\u003cbr/\u003e        cpu    = optional(string, \"200m\")\u003cbr/\u003e        memory = optional(string, \"200Mi\")\u003cbr/\u003e      })\u003cbr/\u003e      requests = object({\u003cbr/\u003e        cpu    = optional(string, \"200m\")\u003cbr/\u003e        memory = optional(string, \"200Mi\")\u003cbr/\u003e      })\u003cbr/\u003e      }), {\u003cbr/\u003e      limit = {\u003cbr/\u003e        cpu    = \"200m\"\u003cbr/\u003e        memory = \"200Mi\"\u003cbr/\u003e      }\u003cbr/\u003e      requests = {\u003cbr/\u003e        cpu    = \"200m\"\u003cbr/\u003e        memory = \"200Mi\"\u003cbr/\u003e      }\u003cbr/\u003e    })\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"accept_namespace_regex\": \"(default|kube-system)\",\u003cbr/\u003e  \"additional_metrics\": [],\u003cbr/\u003e  \"helm_values\": null,\u003cbr/\u003e  \"log_group_name\": \"adot\",\u003cbr/\u003e  \"log_retention\": 14,\u003cbr/\u003e  \"logging_enable\": false,\u003cbr/\u003e  \"resources\": {\u003cbr/\u003e    \"limit\": {\u003cbr/\u003e      \"cpu\": \"200m\",\u003cbr/\u003e      \"memory\": \"200Mi\"\u003cbr/\u003e    },\u003cbr/\u003e    \"requests\": {\u003cbr/\u003e      \"cpu\": \"200m\",\u003cbr/\u003e      \"memory\": \"200Mi\"\u003cbr/\u003e    }\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_adot_version\"\u003e\u003c/a\u003e [adot\\_version](#input\\_adot\\_version) | The version of the AWS Distro for 
OpenTelemetry addon to use. If not passed, a compatible version is selected based on cluster\\_version | `string` | `null` | no |\n| \u003ca name=\"input_alarms\"\u003e\u003c/a\u003e [alarms](#input\\_alarms) | Creates CloudWatch alarms on the ContainerInsights `cluster_failed_node_count` metric. If one of the adot/cloudwatch metrics\\_exporters is not enabled, alarms have to be disabled, as the specified metric does not exist and creation may fail. You need to set the SNS topic name if you enable alarms. To customize alarm thresholds, use custom\\_values | \u003cpre\u003eobject({\u003cbr/\u003e    enabled       = optional(bool, false) # we need to have cloudwatch metrics based alarms disabled by default, as we disabled adot/cloudwatch metric exporters by default.\u003cbr/\u003e    sns_topic     = optional(string, \"\")\u003cbr/\u003e    custom_values = optional(any, {})\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_alb_load_balancer_controller\"\u003e\u003c/a\u003e [alb\\_load\\_balancer\\_controller](#input\\_alb\\_load\\_balancer\\_controller) | AWS ALB ingress/load-balancer controller configs. 
| \u003cpre\u003eobject({\u003cbr/\u003e    enabled                     = optional(bool, true)  # Whether alb ingress/load-balancer controller enabled, note that alb load balancer will be created also when nginx_ingress_controller_config.enabled=true as nginx loadbalancer service needs it\u003cbr/\u003e    enable_waf_for_alb          = optional(bool, false) # Enables WAF and WAF V2 addons for ALB\u003cbr/\u003e    configs                     = optional(any, {})     # allows to pass additional helm chart configs\u003cbr/\u003e    alb_log_bucket_name         = optional(string, \"\")  # The s3 bucket where alb logs will be placed, TODO: option and its related ability disable, check if we need this ability\u003cbr/\u003e    alb_log_bucket_path         = optional(string, \"\")  # The s3 bucket path/folder where alb logs will be placed, TODO: option and its related ability disable, check if we need this ability\u003cbr/\u003e    send_alb_logs_to_cloudwatch = optional(bool, true)  # Whether logs will be pushed to cloudwatch also, TODO: option and its related ability disable, check if we need this ability\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_api_gateway_resources\"\u003e\u003c/a\u003e [api\\_gateway\\_resources](#input\\_api\\_gateway\\_resources) | Nested map containing API, Stage, and VPC Link resources | \u003cpre\u003elist(object({\u003cbr/\u003e    namespace = string\u003cbr/\u003e    api = object({\u003cbr/\u003e      name         = string\u003cbr/\u003e      protocolType = string\u003cbr/\u003e    })\u003cbr/\u003e    stages = optional(list(object({\u003cbr/\u003e      name        = string\u003cbr/\u003e      namespace   = string\u003cbr/\u003e      apiRef_name = string\u003cbr/\u003e      stageName   = string\u003cbr/\u003e      autoDeploy  = bool\u003cbr/\u003e      description = string\u003cbr/\u003e    })))\u003cbr/\u003e    vpc_links = optional(list(object({\u003cbr/\u003e      name      = string\u003cbr/\u003e      namespace 
= string\u003cbr/\u003e    })))\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_api_gw_deploy_region\"\u003e\u003c/a\u003e [api\\_gw\\_deploy\\_region](#input\\_api\\_gw\\_deploy\\_region) | Region in which API gateway will be configured | `string` | `\"\"` | no |\n| \u003ca name=\"input_autoscaler_image_patch\"\u003e\u003c/a\u003e [autoscaler\\_image\\_patch](#input\\_autoscaler\\_image\\_patch) | The patch number of autoscaler image | `number` | `0` | no |\n| \u003ca name=\"input_autoscaler_limits\"\u003e\u003c/a\u003e [autoscaler\\_limits](#input\\_autoscaler\\_limits) | n/a | \u003cpre\u003eobject({\u003cbr/\u003e    cpu    = string\u003cbr/\u003e    memory = string\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"cpu\": \"100m\",\u003cbr/\u003e  \"memory\": \"600Mi\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_autoscaler_requests\"\u003e\u003c/a\u003e [autoscaler\\_requests](#input\\_autoscaler\\_requests) | n/a | \u003cpre\u003eobject({\u003cbr/\u003e    cpu    = string\u003cbr/\u003e    memory = string\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"cpu\": \"100m\",\u003cbr/\u003e  \"memory\": \"600Mi\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_autoscaling\"\u003e\u003c/a\u003e [autoscaling](#input\\_autoscaling) | Whether to enable cluster autoscaler for EKS; if karpenter is enabled this config will be ignored and the cluster autoscaler will be considered as disabled | `bool` | `true` | no |\n| \u003ca name=\"input_bindings\"\u003e\u003c/a\u003e [bindings](#input\\_bindings) | Variable which describes group and role binding | \u003cpre\u003elist(object({\u003cbr/\u003e    group     = string\u003cbr/\u003e    namespace = string\u003cbr/\u003e    roles     = list(string)\u003cbr/\u003e\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_cert_manager\"\u003e\u003c/a\u003e [cert\\_manager](#input\\_cert\\_manager) | 
Cert-manager configuration: resources (ClusterIssuers and Certificates), configs (extra Helm values), namespace, atomic. Supports DNS01 and HTTP01 challenge solvers. | \u003cpre\u003eobject({\u003cbr/\u003e    # enabled       = optional(bool, false)      # Reserved: will replace create_cert_manager when migrated, check above TODO for this\u003cbr/\u003e    # chart_version = optional(string, \"1.20.0\") # Reserved: will replace cert_manager_chart_version when migrated, check above TODO for this\u003cbr/\u003e    namespace = optional(string, \"cert-manager\") # Namespace where cert-manager is installed\u003cbr/\u003e    atomic    = optional(bool, true)             # Whether to auto rollback if helm install fails\u003cbr/\u003e    configs = optional(object({                  # default configuration (Helm values) passed to the cert-manager controller chart\u003cbr/\u003e      crds = optional(object({\u003cbr/\u003e        enabled = optional(bool, true) # Enable CRD installation\u003cbr/\u003e      }), {})\u003cbr/\u003e    }), {})\u003cbr/\u003e    extra_configs = optional(any, {}) # Extra configuration (Helm values) passed to the cert-manager controller chart\u003cbr/\u003e    resources = optional(object({     # Configuration for cert-manager resources (ClusterIssuers and Certificates)\u003cbr/\u003e      # Map of DNS01 secret data keyed by \"${issuer.name}/${secret_ref.name}\" (e.g. \"letsencrypt-prod/cloudflare-api\"). 
Pass sensitive token/API data here so for_each is not sensitive.\u003cbr/\u003e      dns01_secret_data = optional(map(map(string)), {})\u003cbr/\u003e      cluster_issuers = optional(list(object({\u003cbr/\u003e        name                    = optional(string, \"letsencrypt-prod\")                               # Name of the ClusterIssuer resource\u003cbr/\u003e        email                   = optional(string, \"support@dasmeta.com\")                            # Required - email for Let's Encrypt account registration\u003cbr/\u003e        server                  = optional(string, \"https://acme-v02.api.letsencrypt.org/directory\") # ACME server URL\u003cbr/\u003e        private_key_secret_name = optional(string, null)                                             # Optional: custom secret name for private key, defaults to cluster_issuer.name\u003cbr/\u003e        # DNS01 challenge solver. For Route53 in the same AWS account we create the IAM role for the cert-manager controller automatically (see iam_role below).\u003cbr/\u003e        # For other DNS providers (e.g. Cloudflare) or Route53 in another account: use secret_refs + dns01_secret_data to create API/token secrets here, or create them separately and reference in configs.\u003cbr/\u003e        dns01 = optional(object({\u003cbr/\u003e          enabled = optional(bool, false) # Enable DNS01 challenge solver\u003cbr/\u003e          configs = optional(any, {})     # DNS01 solver configuration (e.g., route53 configs, or secretRef for Cloudflare/other providers)\u003cbr/\u003e          # Optional: create Kubernetes secrets for the solver. List only names here; pass sensitive data via resources.dns01_secret_data so for_each is not sensitive. 
Created secret name = \"${cluster_issuer.name}-${ref.name}\".\u003cbr/\u003e          secret_refs = optional(list(object({\u003cbr/\u003e            name = string # Secret name (final name in cluster will be \"${cluster_issuer.name}-${name}\")\u003cbr/\u003e          })), [])\u003cbr/\u003e          iam_role = optional(object({\u003cbr/\u003e            enabled          = optional(bool, true)       # Enable IAM role for DNS01 (IRSA) - uses cert-manager service account from Helm chart\u003cbr/\u003e            hosted_zone_arns = optional(list(string), []) # Optional: restrict to specific hosted zones, empty list = all zones\u003cbr/\u003e          }), {})\u003cbr/\u003e        }), {})\u003cbr/\u003e        http01 = optional(object({\u003cbr/\u003e          enabled = optional(bool, false) # Enable HTTP01 challenge solver\u003cbr/\u003e          gateway_http_route = optional(object({\u003cbr/\u003e            parent_refs = optional(list(object({\u003cbr/\u003e              name      = string                                        # Gateway name\u003cbr/\u003e              namespace = optional(string, \"istio-system\")              # Gateway namespace\u003cbr/\u003e              kind      = optional(string, \"Gateway\")                   # Gateway kind\u003cbr/\u003e              group     = optional(string, \"gateway.networking.k8s.io\") # Gateway API group\u003cbr/\u003e            })), [])\u003cbr/\u003e          }), null) # Gateway API HTTP01 configuration\u003cbr/\u003e          ingress = optional(object({\u003cbr/\u003e            class = optional(string, \"nginx\") # Ingress class for HTTP01\u003cbr/\u003e          }), null)                           # Traditional Ingress HTTP01 configuration\u003cbr/\u003e        }), {})\u003cbr/\u003e      })), [])\u003cbr/\u003e      certificates = optional(list(object({\u003cbr/\u003e        name        = string                      # Certificate resource name\u003cbr/\u003e        namespace   = optional(string, \"default\") 
# Namespace for the certificate\u003cbr/\u003e        secret_name = optional(string, null)      # Optional: secret name for the issued cert; default is certificate name\u003cbr/\u003e        issuer_ref = object({\u003cbr/\u003e          name  = string                              # ClusterIssuer name to use\u003cbr/\u003e          kind  = optional(string, \"ClusterIssuer\")   # Issuer kind\u003cbr/\u003e          group = optional(string, \"cert-manager.io\") # Issuer API group\u003cbr/\u003e        })\u003cbr/\u003e        dns_names    = optional(list(string), []) # DNS names for the certificate\u003cbr/\u003e        common_name  = optional(string, null)     # Common name for the certificate\u003cbr/\u003e        duration     = optional(string, null)     # Certificate duration (e.g., \"2160h\" for 90 days)\u003cbr/\u003e        renew_before = optional(string, null)     # Renew before expiration (e.g., \"360h\" for 15 days)\u003cbr/\u003e        usages       = optional(list(string), []) # Certificate usages (e.g., [\"server auth\", \"client auth\"])\u003cbr/\u003e        configs      = optional(any, {})          # Extra configs to merge into the Certificate spec\u003cbr/\u003e      })), [])\u003cbr/\u003e    }), {})\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_cert_manager_chart_version\"\u003e\u003c/a\u003e [cert\\_manager\\_chart\\_version](#input\\_cert\\_manager\\_chart\\_version) | The cert-manager helm chart version. | `string` | `\"1.20.0\"` | no |\n| \u003ca name=\"input_cluster_addons\"\u003e\u003c/a\u003e [cluster\\_addons](#input\\_cluster\\_addons) | Cluster addon configurations to enable. | `any` | `{}` | no |\n| \u003ca name=\"input_cluster_enabled_log_types\"\u003e\u003c/a\u003e [cluster\\_enabled\\_log\\_types](#input\\_cluster\\_enabled\\_log\\_types) | A list of the desired control plane logs to enable. 
For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_cluster_endpoint_public_access\"\u003e\u003c/a\u003e [cluster\\_endpoint\\_public\\_access](#input\\_cluster\\_endpoint\\_public\\_access) | n/a | `bool` | `true` | no |\n| \u003ca name=\"input_cluster_name\"\u003e\u003c/a\u003e [cluster\\_name](#input\\_cluster\\_name) | Name of the EKS cluster to create. | `string` | n/a | yes |\n| \u003ca name=\"input_cluster_version\"\u003e\u003c/a\u003e [cluster\\_version](#input\\_cluster\\_version) | Allows to set/change kubernetes cluster version, kubernetes version needs to be updated at least once a year. Please check here for available versions https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `\"1.33\"` | no |\n| \u003ca name=\"input_create\"\u003e\u003c/a\u003e [create](#input\\_create) | Whether to create cluster and other resources or not | `bool` | `true` | no |\n| \u003ca name=\"input_create_cert_manager\"\u003e\u003c/a\u003e [create\\_cert\\_manager](#input\\_create\\_cert\\_manager) | If enabled it always gets deployed to the cert-manager namespace. | `bool` | `false` | no |\n| \u003ca name=\"input_default_addons\"\u003e\u003c/a\u003e [default\\_addons](#input\\_default\\_addons) | Allows to set/override default eks addons(like coredns, kube-proxy and vpc-cni) configurations. We have them here so that these core components are managed via addons instead of as default managed components. For coredns you can pass only the keys you want to override (e.g. replicaCount) and the rest will use module defaults. | \u003cpre\u003eobject({\u003cbr/\u003e    coredns = optional(object({\u003cbr/\u003e      most_recent          = optional(bool, true)\u003cbr/\u003e      configuration_values = optional(any, {}) # optional: pass only what you want to override (e.g. 
replicaCount = 3); defaults for replicaCount, resources, and corefile are applied when not set\u003cbr/\u003e    }), {})\u003cbr/\u003e    vpc-cni = optional(object({\u003cbr/\u003e      most_recent          = optional(bool, true)\u003cbr/\u003e      configuration_values = optional(any, {})\u003cbr/\u003e    }), {})\u003cbr/\u003e    kube-proxy = optional(object({\u003cbr/\u003e      most_recent          = optional(bool, true)\u003cbr/\u003e      configuration_values = optional(any, {})\u003cbr/\u003e    }), {})\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_ebs_csi_storage_classes\"\u003e\u003c/a\u003e [ebs\\_csi\\_storage\\_classes](#input\\_ebs\\_csi\\_storage\\_classes) | The eks ebs-csi StorageClasses to create/configure. We have predefined StorageClasses: ebs-gp3, ebs-gp2, ebs-io2-3k, ebs-io2-5k, ebs-io2-8k, ebs-io2-16k, ebs-io2-32k, ebs-io2-64k, ebs-st1 and ebs-sc1. This ones can be customized or extended with additional ones by using var.storage\\_classes.extra\\_configs | \u003cpre\u003eobject({\u003cbr/\u003e    defaults = optional(object({                                        # defaults to pass StorageClass\u003cbr/\u003e      enabled                = optional(bool, true)                     # whether storage class enabled\u003cbr/\u003e      default                = optional(bool, false)                    # whether storage class is default\u003cbr/\u003e      storage_provisioner    = optional(string, \"ebs.csi.aws.com\")      # provisioner to use for storage class\u003cbr/\u003e      volume_binding_mode    = optional(string, \"WaitForFirstConsumer\") # when volume binding and dynamic provisioning should occur\u003cbr/\u003e      allow_volume_expansion = optional(bool, true)                     # whether the storage class allow volume expand\u003cbr/\u003e      reclaim_policy         = optional(string, \"Retain\")               # whether to \"Retain\" or \"Delete\" pv on pvc removal\u003cbr/\u003e      mount_options          
= optional(list(string), [])               # mount options to set, for example [\"file_mode=0700\", \"dir_mode=0777\", \"mfsymlinks\", \"uid=1000\", \"gid=1000\", \"nobrl\", \"cache=none\"]\u003cbr/\u003e      parameters = optional(object({\u003cbr/\u003e        fsType    = optional(string, \"ext4\") # the filesystem of the volume\u003cbr/\u003e        encrypted = optional(string, \"true\") # whether to have storage encrypted\u003cbr/\u003e        kmsKeyId  = optional(string, null)   # the custom kms key to pass to encrypt storage when encrypted=true, by default aws managed key will be used\u003cbr/\u003e      }), {})\u003cbr/\u003e    }), {})\u003cbr/\u003e    extra_configs = optional(any, {}) # the map of {class-name}=\u003e{class-configs} to customize predefined ones or create additional StorageClasses, the {class-configs} object has same field as var.storage_classes.defaults\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_ebs_csi_version\"\u003e\u003c/a\u003e [ebs\\_csi\\_version](#input\\_ebs\\_csi\\_version) | EBS CSI driver addon version, by default it will pick right version for this driver based on cluster\\_version | `string` | `null` | no |\n| \u003ca name=\"input_efs_id\"\u003e\u003c/a\u003e [efs\\_id](#input\\_efs\\_id) | EFS filesystem id in AWS | `string` | `null` | no |\n| \u003ca name=\"input_efs_storage_classes\"\u003e\u003c/a\u003e [efs\\_storage\\_classes](#input\\_efs\\_storage\\_classes) | Additional storage class configurations: by default, 2 storage classes are created - efs-sc and efs-sc-root which has 0 uid. One can add another storage classes besides these 2. 
| \u003cpre\u003elist(object({\u003cbr/\u003e    name : string\u003cbr/\u003e    provisioning_mode : optional(string, \"efs-ap\")\u003cbr/\u003e    file_system_id : string\u003cbr/\u003e    directory_perms : optional(string, \"755\")\u003cbr/\u003e    base_path : optional(string, \"/\")\u003cbr/\u003e    uid : optional(number)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_enable_api_gw_controller\"\u003e\u003c/a\u003e [enable\\_api\\_gw\\_controller](#input\\_enable\\_api\\_gw\\_controller) | Whether to enable API-GW controller or not | `bool` | `false` | no |\n| \u003ca name=\"input_enable_autoscaling_group_metrics\"\u003e\u003c/a\u003e [enable\\_autoscaling\\_group\\_metrics](#input\\_enable\\_autoscaling\\_group\\_metrics) | Whether to enable autoscaling group metrics. | `bool` | `false` | no |\n| \u003ca name=\"input_enable_ebs_driver\"\u003e\u003c/a\u003e [enable\\_ebs\\_driver](#input\\_enable\\_ebs\\_driver) | Whether to enable EBS-CSI driver or not | `bool` | `true` | no |\n| \u003ca name=\"input_enable_efs_driver\"\u003e\u003c/a\u003e [enable\\_efs\\_driver](#input\\_enable\\_efs\\_driver) | Whether to install EFS driver or not in EKS | `bool` | `false` | no |\n| \u003ca name=\"input_enable_external_secrets\"\u003e\u003c/a\u003e [enable\\_external\\_secrets](#input\\_enable\\_external\\_secrets) | Whether to enable external-secrets operator | `bool` | `true` | no |\n| \u003ca name=\"input_enable_kube_state_metrics\"\u003e\u003c/a\u003e [enable\\_kube\\_state\\_metrics](#input\\_enable\\_kube\\_state\\_metrics) | Enable kube-state-metrics | `bool` | `false` | no |\n| \u003ca name=\"input_enable_metrics_server\"\u003e\u003c/a\u003e [enable\\_metrics\\_server](#input\\_enable\\_metrics\\_server) | METRICS-SERVER | `bool` | `false` | no |\n| \u003ca name=\"input_enable_node_problem_detector\"\u003e\u003c/a\u003e [enable\\_node\\_problem\\_detector](#input\\_enable\\_node\\_problem\\_detector) | n/a | `bool` | `true` | no |\n| \u003ca 
name=\"input_enable_olm\"\u003e\u003c/a\u003e [enable\\_olm](#input\\_enable\\_olm) | To install OLM controller (experimental). | `bool` | `false` | no |\n| \u003ca name=\"input_enable_portainer\"\u003e\u003c/a\u003e [enable\\_portainer](#input\\_enable\\_portainer) | Enable Portainer provisioning or not | `bool` | `false` | no |\n| \u003ca name=\"input_enable_sso_rbac\"\u003e\u003c/a\u003e [enable\\_sso\\_rbac](#input\\_enable\\_sso\\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no |\n| \u003ca name=\"input_event_exporter\"\u003e\u003c/a\u003e [event\\_exporter](#input\\_event\\_exporter) | Allows to create/configure event\\_exporter in eks cluster. The configs option is object to pass corresponding to preferred helm values.yaml, for more details check: https://artifacthub.io/packages/helm/bitnami/kubernetes-event-exporter?modal=values | \u003cpre\u003eobject({\u003cbr/\u003e    enabled = optional(bool, false)\u003cbr/\u003e    configs = optional(any, {})\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enabled\": false\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_external_dns\"\u003e\u003c/a\u003e [external\\_dns](#input\\_external\\_dns) | Allows to install external-dns helm chart and related roles, which allows to automatically create R53 records based on ingress/service domain/host configs | \u003cpre\u003eobject({\u003cbr/\u003e    enabled = optional(bool, false)\u003cbr/\u003e    configs = optional(any, {})\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enabled\": false\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_external_secrets_namespace\"\u003e\u003c/a\u003e [external\\_secrets\\_namespace](#input\\_external\\_secrets\\_namespace) | The namespace of external-secret operator | `string` | `\"kube-system\"` | no |\n| \u003ca name=\"input_flagger\"\u003e\u003c/a\u003e [flagger](#input\\_flagger) | Allows to create/deploy flagger operator to have custom 
rollout strategies like canary/blue-green and also it allows to create custom flagger metric templates | \u003cpre\u003eobject({\u003cbr/\u003e    enabled                    = optional(bool, false)\u003cbr/\u003e    namespace                  = optional(string, \"ingress-nginx\") # The flagger operator helm being installed on same namespace as mesh/ingress provider so this field need to be set based on which ingress/mesh we are going to use, more info in https://artifacthub.io/packages/helm/flagger/flagger\u003cbr/\u003e    configs                    = optional(any, {})                 # Available options can be found in https://artifacthub.io/packages/helm/flagger/flagger\u003cbr/\u003e    metrics_and_alerts_configs = optional(any, {})                 # Available options can be found in https://github.com/dasmeta/helm/tree/flagger-metrics-and-alerts-0.1.0/charts/flagger-metrics-and-alerts\u003cbr/\u003e    enable_loadtester          = optional(bool, false)             # Whether to install flagger loadtester helm\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enabled\": false\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_fluent_bit_configs\"\u003e\u003c/a\u003e [fluent\\_bit\\_configs](#input\\_fluent\\_bit\\_configs) | Fluent Bit configs | \u003cpre\u003eobject({\u003cbr/\u003e    enabled               = optional(string, false) # before default was `true`, we disable fluentbit by default as we are now using separate grafana stack setup module as k8s metric/log/trace collection tools\u003cbr/\u003e    fluent_bit_name       = optional(string, \"\")\u003cbr/\u003e    log_group_name        = optional(string, \"\")\u003cbr/\u003e    system_log_group_name = optional(string, \"\")\u003cbr/\u003e    log_retention_days    = optional(number, 90)\u003cbr/\u003e    values_yaml           = optional(string, \"\")\u003cbr/\u003e    s3_permission         = optional(bool, false)\u003cbr/\u003e    configs = optional(object({\u003cbr/\u003e  
    inputs                     = optional(string, \"\")\u003cbr/\u003e      filters                    = optional(string, \"\")\u003cbr/\u003e      outputs                    = optional(string, \"\")\u003cbr/\u003e      cloudwatch_outputs_enabled = optional(bool, true)\u003cbr/\u003e    }), {})\u003cbr/\u003e    drop_namespaces        = optional(list(string), [])\u003cbr/\u003e    log_filters            = optional(list(string), [])\u003cbr/\u003e    additional_log_filters = optional(list(string), [])\u003cbr/\u003e    kube_namespaces        = optional(list(string), [])\u003cbr/\u003e    image_pull_secrets     = optional(list(string), [])\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"additional_log_filters\": [\u003cbr/\u003e    \"ELB-HealthChecker\",\u003cbr/\u003e    \"Amazon-Route53-Health-Check-Service\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"configs\": {\u003cbr/\u003e    \"cloudwatch_outputs_enabled\": true,\u003cbr/\u003e    \"filters\": \"\",\u003cbr/\u003e    \"inputs\": \"\",\u003cbr/\u003e    \"outputs\": \"\"\u003cbr/\u003e  },\u003cbr/\u003e  \"drop_namespaces\": [\u003cbr/\u003e    \"kube-system\",\u003cbr/\u003e    \"opentelemetry-operator-system\",\u003cbr/\u003e    \"adot\",\u003cbr/\u003e    \"cert-manager\",\u003cbr/\u003e    \"opentelemetry.*\",\u003cbr/\u003e    \"meta.*\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"enabled\": false,\u003cbr/\u003e  \"fluent_bit_name\": \"\",\u003cbr/\u003e  \"image_pull_secrets\": [],\u003cbr/\u003e  \"kube_namespaces\": [\u003cbr/\u003e    \"kube.*\",\u003cbr/\u003e    \"meta.*\",\u003cbr/\u003e    \"adot.*\",\u003cbr/\u003e    \"devops.*\",\u003cbr/\u003e    \"cert-manager.*\",\u003cbr/\u003e    \"git.*\",\u003cbr/\u003e    \"opentelemetry.*\",\u003cbr/\u003e    \"stakater.*\",\u003cbr/\u003e    \"renovate.*\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"log_filters\": [\u003cbr/\u003e    \"kube-probe\",\u003cbr/\u003e    \"health\",\u003cbr/\u003e    \"prometheus\",\u003cbr/\u003e    
\"liveness\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"log_group_name\": \"\",\u003cbr/\u003e  \"log_retention_days\": 90,\u003cbr/\u003e  \"s3_permission\": false,\u003cbr/\u003e  \"system_log_group_name\": \"\",\u003cbr/\u003e  \"values_yaml\": \"\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_istio\"\u003e\u003c/a\u003e [istio](#input\\_istio) | Allows to create/configure Istio with Gateway API in eks cluster. NOTE: IAM role is typically NOT needed - AWS Load Balancer Controller (which has its own IAM role) handles LoadBalancer creation for all LoadBalancer services, including those created by istio-gateway Helm chart and Gateway API Gateways. | \u003cpre\u003eobject({\u003cbr/\u003e    enabled = optional(bool, false)\u003cbr/\u003e    configs = optional(any, {}) # Istio configuration, see terraform-any-shared/modules/istio for available options\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_karpenter\"\u003e\u003c/a\u003e [karpenter](#input\\_karpenter) | Allows to create/deploy/configure karpenter operator and its resources to have custom node auto-calling | \u003cpre\u003eobject({\u003cbr/\u003e    enabled                   = optional(bool, true)\u003cbr/\u003e    configs                   = optional(any, {})                               # karpenter chart configs, the underlying module sets some general/default ones, available option can be found here: https://github.com/aws/karpenter-provider-aws/blob/v1.0.8/charts/karpenter/values.yaml\u003cbr/\u003e    resource_configs          = optional(any, { nodePools = { general = {} } }) # karpenter resources creation configs, available options can be fount here: https://github.com/dasmeta/helm/tree/karpenter-resources-0.1.0/charts/karpenter-resources\u003cbr/\u003e    resource_configs_defaults = optional(any, {})                               # the default used for karpenter node pool creation, the available values to override/set can be found in karpenter submodule 
corresponding variable modules/karpenter/values.tf\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enabled\": true\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_keda\"\u003e\u003c/a\u003e [keda](#input\\_keda) | Allows to create/deploy/configure keda | \u003cpre\u003eobject({\u003cbr/\u003e    enabled          = optional(bool, true)\u003cbr/\u003e    name             = optional(string, \"keda\")   # keda chart name,\u003cbr/\u003e    namespace        = optional(string, \"keda\")   # keda chart namespace\u003cbr/\u003e    create_namespace = optional(bool, true)       # create keda chart\u003cbr/\u003e    keda_version     = optional(string, \"2.16.1\") # chart version\u003cbr/\u003e    attach_policies = optional(object({\u003cbr/\u003e      sqs = bool\u003cbr/\u003e    }), { sqs = false })\u003cbr/\u003e    keda_trigger_auth_additional = optional(any, null)\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"create_namespace\": true,\u003cbr/\u003e  \"enabled\": true,\u003cbr/\u003e  \"keda_version\": \"2.16.1\",\u003cbr/\u003e  \"name\": \"keda\",\u003cbr/\u003e  \"namespace\": \"keda\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_kube_state_metrics_chart_version\"\u003e\u003c/a\u003e [kube\\_state\\_metrics\\_chart\\_version](#input\\_kube\\_state\\_metrics\\_chart\\_version) | The kube-state-metrics chart version | `string` | `\"5.27.0\"` | no |\n| \u003ca name=\"input_kyverno\"\u003e\u003c/a\u003e [kyverno](#input\\_kyverno) | Allows to enable/install the kyverno k8s policies management tool/operator, by default we have predefined \"bitnami-to-bitnamilegacy\" policy enabled | \u003cpre\u003eobject({\u003cbr/\u003e    enabled         = optional(bool, true)\u003cbr/\u003e    policies        = optional(list(string), [\"bitnami-to-bitnamilegacy\"]) # Predefined kyverno rules to apply/enable. 
supported rule are \"bitnami-to-bitnamilegacy\"\u003cbr/\u003e    custom_policies = optional(any, [])                                    # Custom kyverno rules to apply. The custom policies are list of objects. check for more details in terraform module \"dasmeta/shared/any//modules/kyverno\"\u003cbr/\u003e    extra_configs   = optional(any, {})                                    # Configs to pass and override kyverno helm values.yaml defaults and var.default_configs if needed more fine control. for more info check https://artifacthub.io/packages/helm/kyverno/kyverno?modal=values\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_linkerd\"\u003e\u003c/a\u003e [linkerd](#input\\_linkerd) | Allows to create/configure linkerd in eks cluster | \u003cpre\u003eobject({\u003cbr/\u003e    enabled     = optional(bool, true)\u003cbr/\u003e    configs     = optional(any, {})    # allows to override default configs of linkerd main helm chart, check underlying sub-module module for more info\u003cbr/\u003e    configs_viz = optional(any, {})    # allows to override default configs of linkerd viz helm chart, check underlying sub-module module for more info\u003cbr/\u003e    crds_create = optional(bool, true) # whether to have linkerd crd installed\u003cbr/\u003e    viz_create  = optional(bool, true) # whether to have linkerd monitoring/dashboard tooling installed\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enabled\": true\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_manage_aws_auth\"\u003e\u003c/a\u003e [manage\\_aws\\_auth](#input\\_manage\\_aws\\_auth) | n/a | `bool` | `true` | no |\n| \u003ca name=\"input_map_roles\"\u003e\u003c/a\u003e [map\\_roles](#input\\_map\\_roles) | Additional IAM roles to add to the aws-auth configmap. 
| \u003cpre\u003elist(object({\u003cbr/\u003e    rolearn  = string\u003cbr/\u003e    username = string\u003cbr/\u003e    groups   = list(string)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_metrics_exporter\"\u003e\u003c/a\u003e [metrics\\_exporter](#input\\_metrics\\_exporter) | Metrics Exporter, can use `cloudwatch` or `adot` | `string` | `\"none\"` | no |\n| \u003ca name=\"input_metrics_server_name\"\u003e\u003c/a\u003e [metrics\\_server\\_name](#input\\_metrics\\_server\\_name) | n/a | `string` | `\"metrics-server\"` | no |\n| \u003ca name=\"input_namespaces_and_docker_auth\"\u003e\u003c/a\u003e [namespaces\\_and\\_docker\\_auth](#input\\_namespaces\\_and\\_docker\\_auth) | Allows to create application namespaces, like 'prod' or 'dev' automatically. it can also set to use docker hub credential for image pull | \u003cpre\u003eobject({\u003cbr/\u003e    enabled = optional(bool, false)\u003cbr/\u003e    list    = optional(list(string), []) # list of application namespaces to create/init with cluster creation\u003cbr/\u003e    labels  = optional(any, {})          # map of key=\u003evalue strings to attach to namespaces\u003cbr/\u003e    dockerAuth = optional(object({       # docker hub image registry configs, this based external secrets operator(operator should be enabled). 
which will allow to create 'kubernetes.io/dockerconfigjson' type secrets in app(and also all other) namespaces and configure app namespaces to use this\u003cbr/\u003e      enabled                 = optional(bool, false)\u003cbr/\u003e      refreshTime             = optional(string, \"3m\")                                         # frequency to check filtered namespaces and create ExternalSecrets (and k8s secret)\u003cbr/\u003e      refreshInterval         = optional(string, \"1h\")                                         # frequency to pull/refresh data from aws secret\u003cbr/\u003e      name                    = optional(string, \"docker-registry-auth\")                       # the name to use when creating k8s resources\u003cbr/\u003e      secretManagerSecretName = optional(string, \"account\")                                    # aws secret manager secret name where dockerhub credentials placed, we use \"account\" default secret\u003cbr/\u003e      namespaceSelector       = optional(any, { matchLabels : { \"docker-auth\" = \"enabled\" } }) # namespaces selector expression, the app namespaces created here will have this selectors by default, but for other namespaces you may need to set labels manually. 
this can be set to empty object {} to create secrets in all namespaces\u003cbr/\u003e      registries = optional(list(object({                                                      # docker registry configs\u003cbr/\u003e        url         = optional(string, \"https://index.docker.io/v1/\")                          # docker registry server url\u003cbr/\u003e        usernameKey = optional(string, \"DOCKER_HUB_USERNAME\")                                  # the aws secret manager secret key where docker registry username placed\u003cbr/\u003e        passwordKey = optional(string, \"DOCKER_HUB_PASSWORD\")                                  # the aws secret manager secret key where docker registry password placed, NOTE: for dockerhub under this key should be set personal access token instead of standard ui/profile password\u003cbr/\u003e        authKey     = optional(string)                                                         # the aws secret manager secret key where docker registry auth placed\u003cbr/\u003e      })), [{ url = \"https://index.docker.io/v1/\", usernameKey = \"DOCKER_HUB_USERNAME\", passwordKey = \"DOCKER_HUB_PASSWORD\", authKey = null }])\u003cbr/\u003e    }), { enabled = false })\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_nginx_ingress_controller_config\"\u003e\u003c/a\u003e [nginx\\_ingress\\_controller\\_config](#input\\_nginx\\_ingress\\_controller\\_config) | Nginx ingress controller configs | \u003cpre\u003eobject({\u003cbr/\u003e    enabled          = optional(bool, false)\u003cbr/\u003e    name             = optional(string, \"nginx\")\u003cbr/\u003e    create_namespace = optional(bool, true)\u003cbr/\u003e    namespace        = optional(string, \"ingress-nginx\")\u003cbr/\u003e    replicacount     = optional(number, 3)\u003cbr/\u003e    metrics_enabled  = optional(bool, true)\u003cbr/\u003e    configs          = optional(any, {}) # Configurations to pass and override default ones. 
Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"create_namespace\": true,\u003cbr/\u003e  \"enabled\": false,\u003cbr/\u003e  \"metrics_enabled\": true,\u003cbr/\u003e  \"name\": \"nginx\",\u003cbr/\u003e  \"namespace\": \"ingress-nginx\",\u003cbr/\u003e  \"replicacount\": 3\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_node_groups\"\u003e\u003c/a\u003e [node\\_groups](#input\\_node\\_groups) | Map of EKS managed node group definitions to create | `any` | \u003cpre\u003e{\u003cbr/\u003e  \"default\": {\u003cbr/\u003e    \"ami_type\": \"AL2023_x86_64_STANDARD\",\u003cbr/\u003e    \"desired_size\": 2,\u003cbr/\u003e    \"iam_role_additional_policies\": {\u003cbr/\u003e      \"CloudWatchAgentServerPolicy\": \"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy\"\u003cbr/\u003e    },\u003cbr/\u003e    \"instance_types\": [\u003cbr/\u003e      \"t3.large\"\u003cbr/\u003e    ],\u003cbr/\u003e    \"max_size\": 4,\u003cbr/\u003e    \"min_size\": 2\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_node_groups_default\"\u003e\u003c/a\u003e [node\\_groups\\_default](#input\\_node\\_groups\\_default) | Map of EKS managed node group default configurations | `any` | \u003cpre\u003e{\u003cbr/\u003e  \"ami_type\": \"AL2023_x86_64_STANDARD\",\u003cbr/\u003e  \"disk_size\": 50,\u003cbr/\u003e  \"iam_role_additional_policies\": {\u003cbr/\u003e    \"CloudWatchAgentServerPolicy\": \"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy\"\u003cbr/\u003e  },\u003cbr/\u003e  \"instance_types\": [\u003cbr/\u003e    \"t3.large\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_node_local_dns\"\u003e\u003c/a\u003e [node\\_local\\_dns](#input\\_node\\_local\\_dns) | Allows to enable/install the NodeLocal DNSCache, to improves Cluster DNS performance | 
\u003cpre\u003eobject({\u003cbr/\u003e    enabled = optional(bool, false) # TODO: in case having local-dns enabled is common case consider having it enabled by default, for now only high load having setups may need to enable local-dns caching\u003cbr/\u003e    configs = optional(any, {})\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_node_security_group_additional_rules\"\u003e\u003c/a\u003e [node\\_security\\_group\\_additional\\_rules](#input\\_node\\_security\\_group\\_additional\\_rules) | n/a | `any` | \u003cpre\u003e{\u003cbr/\u003e  \"ingress_cluster_10250\": {\u003cbr/\u003e    \"description\": \"Metric server to node groups\",\u003cbr/\u003e    \"from_port\": 10250,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"self\": true,\u003cbr/\u003e    \"to_port\": 10250,\u003cbr/\u003e    \"type\": \"ingress\"\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_nvidia_gpu_driver\"\u003e\u003c/a\u003e [nvidia\\_gpu\\_driver](#input\\_nvidia\\_gpu\\_driver) | Configuration block for enabling and customizing the NVIDIA GPU driver installation. 
| \u003cpre\u003eobject({\u003cbr/\u003e    enabled          = optional(bool, false)\u003cbr/\u003e    namespace        = optional(string, \"kube-system\")\u003cbr/\u003e    create_namespace = optional(bool, false)\u003cbr/\u003e    configs = optional(any, {\u003cbr/\u003e      nodeSelector = {\u003cbr/\u003e        nodetype = \"gpu\"\u003cbr/\u003e      }\u003cbr/\u003e\u003cbr/\u003e      tolerations = [\u003cbr/\u003e        {\u003cbr/\u003e          effect   = \"NoSchedule\"\u003cbr/\u003e          key      = \"nodetype\"\u003cbr/\u003e          operator = \"Equal\"\u003cbr/\u003e          value    = \"gpu\"\u003cbr/\u003e        }\u003cbr/\u003e      ]\u003cbr/\u003e\u003cbr/\u003e      affinity = null # empty affinity\u003cbr/\u003e    })\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_portainer_config\"\u003e\u003c/a\u003e [portainer\\_config](#input\\_portainer\\_config) | Portainer hostname and ingress config. | \u003cpre\u003eobject({\u003cbr/\u003e    host           = optional(string, \"portainer.dasmeta.com\")\u003cbr/\u003e    enable_ingress = optional(bool, true)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_prometheus_metrics\"\u003e\u003c/a\u003e [prometheus\\_metrics](#input\\_prometheus\\_metrics) | Prometheus Metrics | `any` | `[]` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | AWS Region name. 
| `string` | `null` | no |\n| \u003ca name=\"input_roles\"\u003e\u003c/a\u003e [roles](#input\\_roles) | Variable describes which role will user have K8s | \u003cpre\u003elist(object({\u003cbr/\u003e    actions   = list(string)\u003cbr/\u003e    resources = list(string)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_s3_csi\"\u003e\u003c/a\u003e [s3\\_csi](#input\\_s3\\_csi) | S3 CSI driver addon version, by default it will pick right version for this driver based on cluster\\_version | \u003cpre\u003eobject({\u003cbr/\u003e    enabled       = optional(bool, false)\u003cbr/\u003e    addon_version = optional(string, null)     # if not passed it will use latest compatible version\u003cbr/\u003e    buckets       = optional(list(string), []) # the name of buckets to create policy to be able to mount them to containers, if not specified it uses all/*\u003cbr/\u003e    configs = optional(object({                # allows to pass additional addon configs to override default ones\u003cbr/\u003e      node = optional(object({\u003cbr/\u003e        tolerateAllTaints = optional(bool, true) # Whether mountpoint for S3 CSI Driver Pods will tolerate all taints and will be scheduled in all nodes\u003cbr/\u003e      }), {})\u003cbr/\u003e    }), {})\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_scale_down_unneeded_time\"\u003e\u003c/a\u003e [scale\\_down\\_unneeded\\_time](#input\\_scale\\_down\\_unneeded\\_time) | Scale down unneeded in minutes | `number` | `2` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Extra tags to attach to eks cluster. 
| `any` | `{}` | no |\n| \u003ca name=\"input_users\"\u003e\u003c/a\u003e [users](#input\\_users) | List of users to open eks cluster api access | `list(any)` | `[]` | no |\n| \u003ca name=\"input_vpc\"\u003e\u003c/a\u003e [vpc](#input\\_vpc) | VPC configuration for eks, we support both cases create new vpc(create field) and using already created one(link) | \u003cpre\u003eobject({\u003cbr/\u003e    # for linking using existing vpc\u003cbr/\u003e    link = optional(object({\u003cbr/\u003e      id                 = string\u003cbr/\u003e      private_subnet_ids = list(string) # please have the existing vpc public/private subnets(at least 2 needed) tagged with corresponding tags(look into create case subnet tags defaults)\u003cbr/\u003e    }), { id = null, private_subnet_ids = null })\u003cbr/\u003e    # for creating new vpc\u003cbr/\u003e    create = optional(object({\u003cbr/\u003e      name                = string\u003cbr/\u003e      availability_zones  = list(string)\u003cbr/\u003e      cidr                = string\u003cbr/\u003e      private_subnets     = list(string)\u003cbr/\u003e      public_subnets      = list(string)\u003cbr/\u003e      public_subnet_tags  = optional(map(any), {}) # to pass additional tags for public subnet or override default ones. The default ones are: {\"kubernetes.io/cluster/${var.cluster_name}\" = \"shared\",\"kubernetes.io/role/elb\" = 1}\u003cbr/\u003e      private_subnet_tags = optional(map(any), {}) # to pass additional tags for private subnet or override default ones. 
The default ones are: {\"kubernetes.io/cluster/${var.cluster_name}\" = \"shared\",\"kubernetes.io/role/internal-elb\" = 1}\u003cbr/\u003e    }), { name = null, availability_zones = null, cidr = null, private_subnets = null, public_subnets = null })\u003cbr/\u003e  })\u003c/pre\u003e | n/a | yes |\n| \u003ca name=\"input_weave_scope_config\"\u003e\u003c/a\u003e [weave\\_scope\\_config](#input\\_weave\\_scope\\_config) | Weave scope namespace configuration variables | \u003cpre\u003eobject({\u003cbr/\u003e    create_namespace        = bool\u003cbr/\u003e    namespace               = string\u003cbr/\u003e    annotations             = map(string)\u003cbr/\u003e    ingress_host            = string\u003cbr/\u003e    ingress_class           = string\u003cbr/\u003e    ingress_name            = string\u003cbr/\u003e    service_type            = string\u003cbr/\u003e    weave_helm_release_name = string\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"annotations\": {},\u003cbr/\u003e  \"create_namespace\": true,\u003cbr/\u003e  \"ingress_class\": \"\",\u003cbr/\u003e  \"ingress_host\": \"\",\u003cbr/\u003e  \"ingress_name\": \"weave-ingress\",\u003cbr/\u003e  \"namespace\": \"meta-system\",\u003cbr/\u003e  \"service_type\": \"NodePort\",\u003cbr/\u003e  \"weave_helm_release_name\": \"weave\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_weave_scope_enabled\"\u003e\u003c/a\u003e [weave\\_scope\\_enabled](#input\\_weave\\_scope\\_enabled) | Whether to enable Weave Scope or not | `bool` | `false` | no |\n| \u003ca name=\"input_worker_groups\"\u003e\u003c/a\u003e [worker\\_groups](#input\\_worker\\_groups) | Worker groups. | `any` | `{}` | no |\n| \u003ca name=\"input_workers_group_defaults\"\u003e\u003c/a\u003e [workers\\_group\\_defaults](#input\\_workers\\_group\\_defaults) | Worker group defaults. 
| `any` | \u003cpre\u003e{\u003cbr/\u003e  \"launch_template_name\": \"default\",\u003cbr/\u003e  \"launch_template_use_name_prefix\": true,\u003cbr/\u003e  \"root_volume_size\": 50,\u003cbr/\u003e  \"root_volume_type\": \"gp3\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_account_id\"\u003e\u003c/a\u003e [account\\_id](#output\\_account\\_id) | n/a |\n| \u003ca name=\"output_cert_manager_certificate_names\"\u003e\u003c/a\u003e [cert\\_manager\\_certificate\\_names](#output\\_cert\\_manager\\_certificate\\_names) | Map of created cert-manager Certificate resource names by namespace/name |\n| \u003ca name=\"output_cert_manager_cluster_issuer_names\"\u003e\u003c/a\u003e [cert\\_manager\\_cluster\\_issuer\\_names](#output\\_cert\\_manager\\_cluster\\_issuer\\_names) | Map of ClusterIssuer names created by cert-manager module |\n| \u003ca name=\"output_cluster_certificate\"\u003e\u003c/a\u003e [cluster\\_certificate](#output\\_cluster\\_certificate) | EKS cluster certificate used for authentication/access in helm/kubectl/kubernetes providers |\n| \u003ca name=\"output_cluster_host\"\u003e\u003c/a\u003e [cluster\\_host](#output\\_cluster\\_host) | EKS cluster host name used for authentication/access in helm/kubectl/kubernetes providers |\n| \u003ca name=\"output_cluster_iam_role_name\"\u003e\u003c/a\u003e [cluster\\_iam\\_role\\_name](#output\\_cluster\\_iam\\_role\\_name) | n/a |\n| \u003ca name=\"output_cluster_id\"\u003e\u003c/a\u003e [cluster\\_id](#output\\_cluster\\_id) | n/a |\n| \u003ca name=\"output_cluster_primary_security_group_id\"\u003e\u003c/a\u003e [cluster\\_primary\\_security\\_group\\_id](#output\\_cluster\\_primary\\_security\\_group\\_id) | n/a |\n| \u003ca name=\"output_cluster_security_group_id\"\u003e\u003c/a\u003e [cluster\\_security\\_group\\_id](#output\\_cluster\\_security\\_group\\_id) | n/a |\n| \u003ca name=\"output_cluster_token\"\u003e\u003c/a\u003e 
[cluster\\_token](#output\\_cluster\\_token) | EKS cluster token used for authentication/access in helm/kubectl/kubernetes providers |\n| \u003ca name=\"output_eks_auth_configmap\"\u003e\u003c/a\u003e [eks\\_auth\\_configmap](#output\\_eks\\_auth\\_configmap) | n/a |\n| \u003ca name=\"output_eks_module\"\u003e\u003c/a\u003e [eks\\_module](#output\\_eks\\_module) | n/a |\n| \u003ca name=\"output_eks_oidc_root_ca_thumbprint\"\u003e\u003c/a\u003e [eks\\_oidc\\_root\\_ca\\_thumbprint](#output\\_eks\\_oidc\\_root\\_ca\\_thumbprint) | Grab eks\\_oidc\\_root\\_ca\\_thumbprint from oidc\\_provider\\_arn. |\n| \u003ca name=\"output_external_secret_deployment\"\u003e\u003c/a\u003e [external\\_secret\\_deployment](#output\\_external\\_secret\\_deployment) | n/a |\n| \u003ca name=\"output_map_user_data\"\u003e\u003c/a\u003e [map\\_user\\_data](#output\\_map\\_user\\_data) | n/a |\n| \u003ca name=\"output_namespaces_and_docker_auth_helm_metadata\"\u003e\u003c/a\u003e [namespaces\\_and\\_docker\\_auth\\_helm\\_metadata](#output\\_namespaces\\_and\\_docker\\_auth\\_helm\\_metadata) | n/a |\n| \u003ca name=\"output_oidc_provider_arn\"\u003e\u003c/a\u003e [oidc\\_provider\\_arn](#output\\_oidc\\_provider\\_arn) | ## CLUSTER |\n| \u003ca name=\"output_region\"\u003e\u003c/a\u003e [region](#output\\_region) | n/a |\n| \u003ca name=\"output_role_arns\"\u003e\u003c/a\u003e [role\\_arns](#output\\_role\\_arns) | n/a |\n| \u003ca name=\"output_role_arns_without_path\"\u003e\u003c/a\u003e [role\\_arns\\_without\\_path](#output\\_role\\_arns\\_without\\_path) | n/a |\n| \u003ca name=\"output_vpc_cidr_block\"\u003e\u003c/a\u003e [vpc\\_cidr\\_block](#output\\_vpc\\_cidr\\_block) | The cidr block of the vpc |\n| \u003ca name=\"output_vpc_default_security_group_id\"\u003e\u003c/a\u003e [vpc\\_default\\_security\\_group\\_id](#output\\_vpc\\_default\\_security\\_group\\_id) | The ID of default security group created for vpc |\n| \u003ca name=\"output_vpc_id\"\u003e\u003c/a\u003e 
[vpc\\_id](#output\\_vpc\\_id) | The newly created vpc id |\n| \u003ca name=\"output_vpc_nat_public_ips\"\u003e\u003c/a\u003e [vpc\\_nat\\_public\\_ips](#output\\_vpc\\_nat\\_public\\_ips) | The list of elastic public IPs for vpc |\n| \u003ca name=\"output_vpc_private_subnets\"\u003e\u003c/a\u003e [vpc\\_private\\_subnets](#output\\_vpc\\_private\\_subnets) | The newly created vpc private subnets IDs list |\n| \u003ca name=\"output_vpc_public_subnets\"\u003e\u003c/a\u003e [vpc\\_public\\_subnets](#output\\_vpc\\_public\\_subnets) | The newly created vpc public subnets IDs list |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdasmeta%2Fterraform-aws-eks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdasmeta%2Fterraform-aws-eks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdasmeta%2Fterraform-aws-eks/lists"}