{"id":13680602,"url":"https://github.com/opszero/terraform-aws-kubespot","last_synced_at":"2025-04-05T02:10:57.405Z","repository":{"id":39582280,"uuid":"87684006","full_name":"opszero/terraform-aws-kubespot","owner":"opszero","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-29T08:04:03.000Z","size":1609,"stargazers_count":111,"open_issues_count":3,"forks_count":28,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-10-29T09:22:05.123Z","etag":null,"topics":["ami","aws","aws-ec2","hipaa","kops","kubernetes","packer","pci","soc2"],"latest_commit_sha":null,"homepage":"https://opszero.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opszero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"SUPPORT","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["abhiyerra"],"custom":["https://www.opszero.com"]}},"created_at":"2017-04-09T04:58:51.000Z","updated_at":"2024-10-29T08:04:07.000Z","dependencies_parsed_at":"2024-04-01T09:23:58.644Z","dependency_job_id":"8288f07d-0017-4863-a641-aa63826cb509","html_url":"https://github.com/opszero/terraform-aws-kubespot","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-kubespot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-kubespot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-kubespot/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-kubespot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opszero","download_url":"https://codeload.github.com/opszero/terraform-aws-kubespot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247217174,"owners_count":20903008,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ami","aws","aws-ec2","hipaa","kops","kubernetes","packer","pci","soc2"],"created_at":"2024-08-02T13:01:19.103Z","updated_at":"2025-04-05T02:10:57.383Z","avatar_url":"https://github.com/opszero.png","language":"HCL","funding_links":["https://github.com/sponsors/abhiyerra","https://www.opszero.com"],"categories":["Container"],"sub_categories":[],"readme":"\u003c!-- BEGIN_TF_DOCS --\u003e\n# Kubespot (AWS)\n\nAWS EKS Setup for PCI-DSS, SOC2, HIPAA\n\nKubespot is [AWS EKS](https://aws.amazon.com/eks/) customized to add security\npostures around SOC2, HIPAA, and PCI compliance. It is distributed as [an open\nsource terraform module](https://github.com/opszero/terraform-aws-kubespot)\nallowing you to run it within your own AWS account without lock-in. Kubespot has\nbeen developed over a half a decade evolving with the AWS EKS distribution and\nbefore that [kops.](https://github.com/kubernetes/kops) It is in use within\nmultiple startups that have scaled from a couple founders in an apartment to\nbillion dollar unicorns. 
By using Kubespot they were able to achieve the\ntechnical requirements for compliance while being able to deploy software fast.\n\nKubespot is a light wrapper around AWS EKS. The primary changes included in\nKubespot are:\n\n- Locked down with security groups, private subnets and other compliance-related requirements.\n- Locked down RDS and Elasticache if needed.\n- Users have a single Load Balancer through which all requests go, to reduce costs.\n- [KEDA](https://keda.sh/) is used for scaling on event metrics such as queue sizes, user requests, CPU, memory or anything else Keda supports.\n- [Karpenter](https://karpenter.sh/) is used for autoscaling.\n- Instances are locked down with encryption, and a regular node cycle rate is set.\n\n# Tools \u0026 Setup\n\n```\nbrew install kubectl kubernetes-helm awscli terraform\n```\n\n# Cluster Usage\n\nIf the infrastructure is using the\n[opsZero infrastructure as code](https://github.com/opszero/template-infra) template\nthen you access the resources like the following:\n\nAdd your IAM credentials in `~/.aws/credentials`.\n\n```\n[profile_name]\naws_access_key_id=\u003ckey\u003e\naws_secret_access_key=\u003csecret_key\u003e\nregion=us-west-2\n```\n\n```\ncd environments/\u003cnameofenv\u003e\nmake kubeconfig\nexport KUBECONFIG=./kubeconfig # add to a .zshrc\nkubectl get pods\n```\n\n# Autoscaler\n\nKubespot uses [Karpenter](https://karpenter.sh) as the default autoscaler. 
To\nconfigure the autoscaler, create a file like the one below and apply it with:\n\n```sh\nkubectl apply -f karpenter.yml\n```\n\n```yml\napiVersion: karpenter.sh/v1beta1\nkind: NodePool\nmetadata:\n  name: default\nspec:\n  template:\n    spec:\n      requirements:\n        - key: \"karpenter.k8s.aws/instance-category\"\n          operator: In\n          values: [\"t\", \"c\", \"m\"]\n        - key: \"kubernetes.io/arch\"\n          operator: In\n          values: [\"amd64\"]\n        - key: \"karpenter.k8s.aws/instance-cpu\"\n          operator: In\n          values: [\"1\", \"2\", \"4\", \"8\", \"16\"]\n        - key: \"karpenter.k8s.aws/instance-hypervisor\"\n          operator: In\n          values: [\"nitro\"]\n        - key: karpenter.sh/capacity-type\n          operator: In\n          values: [\"spot\", \"on-demand\"]\n      nodeClassRef:\n        name: default\n  disruption:\n    consolidationPolicy: WhenUnderutilized\n    expireAfter: 2h # maximum node lifetime; 30 days would be 720h (30 * 24h)\n---\napiVersion: karpenter.k8s.aws/v1beta1\nkind: EC2NodeClass\nmetadata:\n  name: default\nspec:\n  amiFamily: Bottlerocket # or AL2 for Amazon Linux 2\n  role: \"Karpenter-opszero\" # replace opszero with the name of your cluster\n  subnetSelectorTerms:\n    - tags:\n        Name: opszero-public\n  securityGroupSelectorTerms:\n    - tags:\n        Name: eks-cluster-sg-opszero-1249901478\n```\n\n# Cluster Setup\n\n```\naws iam create-service-linked-role --aws-service-name spot.amazonaws.com\n```\n\n# CIS Kubernetes Benchmark\n\nNote: PodSecurityPolicy (PSP) is deprecated and the PodSecurity admission controller\nis the new standard. The CIS Benchmark is still using PSP. 
We have converted\nthe PSP to the [equivalent new standard](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/).\n\n| Control | Recommendation                                                                                           | Level | Status    | Description                                                                                                  |\n| ------- | -------------------------------------------------------------------------------------------------------- | ----- | --------- | ------------------------------------------------------------------------------------------------------------ |\n| **1**   | **Control Plane Components**                                                                             |       |           |                                                                                                              |\n| **2**   | **Control Plane Configuration**                                                                          |       |           |                                                                                                              |\n| **2.1** | **Logging**                                                                                              |       |           |                                                                                                              |\n| 2.1.1   | Enable audit logs                                                                                        | L1    | Active    | `cluster_logging` is configured                                                                              |\n| **3**   | **Worker Nodes**                                                                                         |       |           |                                                                                                              |\n| **3.1** | **Worker Node Configuration Files**                                                        
              |       |           |                                                                                                              |\n| 3.1.1   | Ensure that the kubeconfig file permissions are set to 644 or more restrictive                           | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.1.2   | Ensure that the kubelet kubeconfig file ownership is set to root:root                                    | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.1.3   | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive                | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.1.4   | Ensure that the kubelet configuration file ownership is set to root:root                                 | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| **3.2** | **Kubelet**                                                                                              |       |           |                                                                                                              |\n| 3.2.1   | Ensure that the Anonymous Auth is Not Enabled                                                            | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.2   | Ensure that the --authorization-mode argument is not set to AlwaysAllow                                  | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.3   | Ensure that a Client CA File is Configured                                         
                      | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.4   | Ensure that the --read-only-port is disabled                                                             | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.5   | Ensure that the --streaming-connection-idle-timeout argument is not set to 0                             | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.6   | Ensure that the --protect-kernel-defaults argument is set to true                                        | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.7   | Ensure that the --make-iptables-util-chains argument is set to true                                      | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.8   | Ensure that the --hostname-override argument is not set                                                  | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.9   | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | L2    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.10  | Ensure that the --rotate-certificates argument is not present or is set to true                          | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| 3.2.11  | Ensure that the RotateKubeletServerCertificate argument is set to true     
                              | L1    | Won't Fix | Use NodeGroups or Fargate                                                                                    |\n| **3.3** | **Container Optimized OS**                                                                               |       |           |                                                                                                              |\n| 3.3.1   | Prefer using a container-optimized OS when possible                                                      | L2    | Active    | Bottlerocket ContainerOS is used.                                                                            |\n| **4**   | **Policies**                                                                                             |       |           |                                                                                                              |\n| **4.1** | **RBAC and Service Accounts**                                                                            |       |           |                                                                                                              |\n| 4.1.1   | Ensure that the cluster-admin role is only used where required                                           | L1    | Active    | [Default Configuration](https://github.com/opszero/terraform-aws-kubespot/issues/308)                        |\n| 4.1.2   | Minimize access to secrets                                                                               | L1    | Active    | `iam_roles` pass limited RBAC                                                                                |\n| 4.1.3   | Minimize wildcard use in Roles and ClusterRoles                                                          | L1    | Manual    | [terraform-kubernetes-rbac](https://github.com/opszero/terraform-kubernetes-rbac) Set role                   |\n| 4.1.4   | Minimize access to create pods                                     
                                      | L1    | Manual    | [terraform-kubernetes-rbac](https://github.com/opszero/terraform-kubernetes-rbac) Limit role with pod create |\n| 4.1.5   | Ensure that default service accounts are not actively used                                               | L1    | Manual    | `kubectl patch serviceaccount default -p $'automountServiceAccountToken: false'`                             |\n| 4.1.6   | Ensure that Service Account Tokens are only mounted where necessary                                      | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) Default set to false                                             |\n| 4.1.7   | Avoid use of system:masters group                                                                        | L1    | Active    | Must manually add users and roles to `system:masters`                                                        |\n| 4.1.8   | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster                    | L1    | Manual    | Limit users with system:masters role                                                                         |\n| **4.2** | **Pod Security Policies**                                                                                |       |           |                                                                                                              |\n| 4.2.1   | Minimize the admission of privileged containers                                                          | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext.allowPrivilegeEscalation=false            |\n| 4.2.2   | Minimize the admission of containers wishing to share the host process ID namespace                      | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) hostPID defaults to false                                        |\n| 4.2.3   | Minimize the admission of containers wishing to share the 
host IPC namespace                             | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) hostIPC defaults to false                                        |\n| 4.2.4   | Minimize the admission of containers wishing to share the host network namespace                         | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) hostNetwork defaults to false                                    |\n| 4.2.5   | Minimize the admission of containers with allowPrivilegeEscalation                                       | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext.allowPrivilegeEscalation=false            |\n| 4.2.6   | Minimize the admission of root containers                                                                | L2    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext.[runAsNonRoot=true,runAsUser=1001]        |\n| 4.2.7   | Minimize the admission of containers with added capabilities                                             | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext.allowPrivilegeEscalation=false            |\n| 4.2.8   | Minimize the admission of containers with capabilities assigned                                          | L1    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext.capabilities.drop: ALL                    |\n| **4.3** | **CNI Plugin**                                                                                           |       |           |                                                                                                              |\n| 4.3.1   | Ensure CNI plugin supports network policies.                                                             
| L1    | Manual    | `calico_enabled=true`                                                                                        |\n| 4.3.2   | Ensure that all Namespaces have Network Policies defined                                                 | L1    | Manual    | Add Network Policy manually                                                                                  |\n| **4.4** | **Secrets Management**                                                                                   |       |           |                                                                                                              |\n| 4.4.1   | Prefer using secrets as files over secrets as environment variables                                      | L2    | Active    | [tiphys](https://github.com/opszero/tiphys) writes secrets to file                                           |\n| 4.4.2   | Consider external secret storage                                                                         | L2    | Manual    | Pull secrets using AWS Secret Manager.                                                                       
|\n| **4.5** | **Extensible Admission Control**                                                                         |       |           |                                                                                                              |\n| **4.6** | **General Policies**                                                                                     |       |           |                                                                                                              |\n| 4.6.1   | Create administrative boundaries between resources using namespaces                                      | L1    | Manual    | [tiphys](https://github.com/opszero/tiphys) deploy to a different namespace                                  |\n| 4.6.2   | Apply Security Context to Your Pods and Containers                                                       | L2    | Active    | [tiphys](https://github.com/opszero/tiphys) defaultSecurityContext is set                                    |\n| 4.6.3   | The default namespace should not be used                                                                 | L2    | Active    | [tiphys](https://github.com/opszero/tiphys) select namespace                                                 |\n| **5**   | **Managed services**                                                                                     |       |           |                                                                                                              |\n| **5.1** | **Image Registry and Image Scanning**                                                                    |       |           |                                                                                                              |\n| 5.1.1   | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider            | L1    | Active    | [Example](examples/eks/main.tf#L79)                                                                  
        |\n| 5.1.2   | Minimize user access to Amazon ECR                                                                       | L1    | Active    | [terraform-aws-mrmgr](https://github.com/opszero/terraform-aws-mrmgr)                                        |\n| 5.1.3   | Minimize cluster access to read-only for Amazon ECR                                                      | L1    | Active    | [terraform-aws-mrmgr](https://github.com/opszero/terraform-aws-mrmgr) with OIDC                              |\n| 5.1.4   | Minimize Container Registries to only those approved                                                     | L2    | Active    | [terraform-aws-mrmgr](https://github.com/opszero/terraform-aws-mrmgr)                                        |\n| **5.2** | **Identity and Access Management (IAM)**                                                                 |       |           |                                                                                                              |\n| 5.2.1   | Prefer using dedicated EKS Service Accounts                                                              | L1    | Active    | [terraform-aws-mrmgr](https://github.com/opszero/terraform-aws-mrmgr) with OIDC                              |\n| **5.3** | **AWS EKS Key Management Service**                                                                       |       |           |                                                                                                              |\n| 5.3.1   | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS             | L1    | Active    |                                                                                                              |\n| **5.4** | **Cluster Networking**                                                                                   |       |           |                                                                                              
                |\n| 5.4.1   | Restrict Access to the Control Plane Endpoint                                                            | L1    | Active    | Set `cluster_public_access_cidrs`                                                                            |\n| 5.4.2   | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled                     | L2    | Active    | Set `cluster_private_access = true` and `cluster_public_access = false`                                      |\n| 5.4.3   | Ensure clusters are created with Private Nodes                                                           | L1    | Active    | Set `nat_enabled = true` and set `nodes_in_public_subnet = false`                                            |\n| 5.4.4   | Ensure Network Policy is Enabled and set as appropriate                                                  | L1    | Manual    | `calico_enabled=true`                                                                                        |\n| 5.4.5   | Encrypt traffic to HTTPS load balancers with TLS certificates                                            | L2    | Active    | [terraform-helm-kubespot](https://github.com/opszero/terraform-helm-kubespot)                                |\n| **5.5** | **Authentication and Authorization**                                                                     |       |           |                                                                                                              |\n| 5.5.1   | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes                                   | L2    | Active    | `iam_users` use AWS IAM Authenticator                                                                        |\n| **5.6** | **Other Cluster Configurations**                                                                         |       |           |                                                                                      
                        |\n| 5.6.1   | Consider Fargate for running untrusted workloads                                                         | L1    | Active    | Set the `fargate_selector`                                                                                   |\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | n/a |\n| \u003ca name=\"provider_helm\"\u003e\u003c/a\u003e [helm](#provider\\_helm) | n/a |\n| \u003ca name=\"provider_http\"\u003e\u003c/a\u003e [http](#provider\\_http) | n/a |\n| \u003ca name=\"provider_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#provider\\_kubernetes) | n/a |\n| \u003ca name=\"provider_null\"\u003e\u003c/a\u003e [null](#provider\\_null) | n/a |\n| \u003ca name=\"provider_tls\"\u003e\u003c/a\u003e [tls](#provider\\_tls) | n/a |\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_access_policies\"\u003e\u003c/a\u003e [access\\_policies](#input\\_access\\_policies) | access policies | `list` | `[]` | no |\n| \u003ca name=\"input_alb_controller_version\"\u003e\u003c/a\u003e [alb\\_controller\\_version](#input\\_alb\\_controller\\_version) | The chart version of the ALB controller helm chart | `string` | `\"1.4.4\"` | no |\n| \u003ca name=\"input_asg_nodes\"\u003e\u003c/a\u003e [asg\\_nodes](#input\\_asg\\_nodes) | Map of ASG node configurations | \u003cpre\u003emap(object({\u003cbr/\u003e    instance_type          = string\u003cbr/\u003e    max_instance_lifetime  = number\u003cbr/\u003e    nodes_desired_capacity = number\u003cbr/\u003e    nodes_max_size         = number\u003cbr/\u003e    nodes_min_size         = number\u003cbr/\u003e    nodes_in_public_subnet = bool\u003cbr/\u003e    node_disk_size         = number\u003cbr/\u003e    node_enabled_metrics   = list(string)\u003cbr/\u003e    spot_price             = string\u003cbr/\u003e    subnet_ids        
     = list(string)\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_aws_load_balancer_controller_enabled\"\u003e\u003c/a\u003e [aws\\_load\\_balancer\\_controller\\_enabled](#input\\_aws\\_load\\_balancer\\_controller\\_enabled) | Enable ALB controller by default | `bool` | `true` | no |\n| \u003ca name=\"input_calico_enabled\"\u003e\u003c/a\u003e [calico\\_enabled](#input\\_calico\\_enabled) | Whether the calico add-on is installed | `bool` | `false` | no |\n| \u003ca name=\"input_calico_version\"\u003e\u003c/a\u003e [calico\\_version](#input\\_calico\\_version) | The version of the calico helm chart | `string` | `\"v3.26.1\"` | no |\n| \u003ca name=\"input_cidr_block\"\u003e\u003c/a\u003e [cidr\\_block](#input\\_cidr\\_block) | The CIDR block used by the VPC | `string` | `\"10.2.0.0/16\"` | no |\n| \u003ca name=\"input_cidr_block_private_subnet\"\u003e\u003c/a\u003e [cidr\\_block\\_private\\_subnet](#input\\_cidr\\_block\\_private\\_subnet) | The CIDR blocks used by the private subnets | `list` | \u003cpre\u003e[\u003cbr/\u003e  \"10.2.2.0/24\",\u003cbr/\u003e  \"10.2.3.0/24\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_cidr_block_public_subnet\"\u003e\u003c/a\u003e [cidr\\_block\\_public\\_subnet](#input\\_cidr\\_block\\_public\\_subnet) | The CIDR blocks used by the public subnets | `list` | \u003cpre\u003e[\u003cbr/\u003e  \"10.2.0.0/24\",\u003cbr/\u003e  \"10.2.1.0/24\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_cloudwatch_observability_config\"\u003e\u003c/a\u003e [cloudwatch\\_observability\\_config](#input\\_cloudwatch\\_observability\\_config) | Configuration values for the amazon-cloudwatch-observability addon | `string` | `null` | no |\n| \u003ca name=\"input_cloudwatch_observability_enabled\"\u003e\u003c/a\u003e [cloudwatch\\_observability\\_enabled](#input\\_cloudwatch\\_observability\\_enabled) | Enable or disable the CloudWatch Observability Add-on for EKS | `bool` | `false` | no |\n| \u003ca 
name=\"input_cloudwatch_pod_logs_enabled\"\u003e\u003c/a\u003e [cloudwatch\\_pod\\_logs\\_enabled](#input\\_cloudwatch\\_pod\\_logs\\_enabled) | Stream EKS pod logs to cloudwatch | `bool` | `false` | no |\n| \u003ca name=\"input_cloudwatch_retention_in_days\"\u003e\u003c/a\u003e [cloudwatch\\_retention\\_in\\_days](#input\\_cloudwatch\\_retention\\_in\\_days) | How long to keep CloudWatch logs in days | `number` | `30` | no |\n| \u003ca name=\"input_cluster_authentication_mode\"\u003e\u003c/a\u003e [cluster\\_authentication\\_mode](#input\\_cluster\\_authentication\\_mode) | Desired Kubernetes authentication. API or API\\_AND\\_CONFIG\\_MAP | `string` | `\"API\"` | no |\n| \u003ca name=\"input_cluster_encryption_config\"\u003e\u003c/a\u003e [cluster\\_encryption\\_config](#input\\_cluster\\_encryption\\_config) | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | `list(any)` | \u003cpre\u003e[\u003cbr/\u003e  \"secrets\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_cluster_kms_policy\"\u003e\u003c/a\u003e [cluster\\_kms\\_policy](#input\\_cluster\\_kms\\_policy) | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no |\n| \u003ca name=\"input_cluster_logging\"\u003e\u003c/a\u003e [cluster\\_logging](#input\\_cluster\\_logging) | List of the desired control plane logging to enable. 
https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html | `list` | \u003cpre\u003e[\u003cbr/\u003e  \"api\",\u003cbr/\u003e  \"audit\",\u003cbr/\u003e  \"authenticator\",\u003cbr/\u003e  \"controllerManager\",\u003cbr/\u003e  \"scheduler\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_cluster_private_access\"\u003e\u003c/a\u003e [cluster\\_private\\_access](#input\\_cluster\\_private\\_access) | Whether the Amazon EKS private API server endpoint is enabled | `bool` | `true` | no |\n| \u003ca name=\"input_cluster_public_access\"\u003e\u003c/a\u003e [cluster\\_public\\_access](#input\\_cluster\\_public\\_access) | Whether the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |\n| \u003ca name=\"input_cluster_public_access_cidrs\"\u003e\u003c/a\u003e [cluster\\_public\\_access\\_cidrs](#input\\_cluster\\_public\\_access\\_cidrs) | List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled | `list` | \u003cpre\u003e[\u003cbr/\u003e  \"0.0.0.0/0\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_cluster_version\"\u003e\u003c/a\u003e [cluster\\_version](#input\\_cluster\\_version) | Desired Kubernetes control plane version | `string` | `\"1.30\"` | no |\n| \u003ca name=\"input_csi_enabled_namespaces\"\u003e\u003c/a\u003e [csi\\_enabled\\_namespaces](#input\\_csi\\_enabled\\_namespaces) | n/a | `list(string)` | `[]` | no |\n| \u003ca name=\"input_csi_secrets_store_enabled\"\u003e\u003c/a\u003e [csi\\_secrets\\_store\\_enabled](#input\\_csi\\_secrets\\_store\\_enabled) | Specify whether the CSI driver is enabled on the EKS cluster | `bool` | `false` | no |\n| \u003ca name=\"input_csi_secrets_store_version\"\u003e\u003c/a\u003e [csi\\_secrets\\_store\\_version](#input\\_csi\\_secrets\\_store\\_version) | The version of the CSI store helm chart | `string` | `\"1.4.6\"` | no |\n| \u003ca name=\"input_efs_enabled\"\u003e\u003c/a\u003e 
[efs\\_enabled](#input\\_efs\\_enabled) | Specify whether the EFS is enabled on the EKS cluster | `bool` | `false` | no |\n| \u003ca name=\"input_eips\"\u003e\u003c/a\u003e [eips](#input\\_eips) | List of Elastic IPs | `list` | `[]` | no |\n| \u003ca name=\"input_eks_auto_mode_enabled\"\u003e\u003c/a\u003e [eks\\_auto\\_mode\\_enabled](#input\\_eks\\_auto\\_mode\\_enabled) | Enable Auto Mode for EKS cluster | `bool` | `false` | no |\n| \u003ca name=\"input_enable_egress_only_internet_gateway\"\u003e\u003c/a\u003e [enable\\_egress\\_only\\_internet\\_gateway](#input\\_enable\\_egress\\_only\\_internet\\_gateway) | Create an egress-only Internet gateway for your VPC | `bool` | `false` | no |\n| \u003ca name=\"input_enable_ipv6\"\u003e\u003c/a\u003e [enable\\_ipv6](#input\\_enable\\_ipv6) | Enable an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC | `bool` | `false` | no |\n| \u003ca name=\"input_environment_name\"\u003e\u003c/a\u003e [environment\\_name](#input\\_environment\\_name) | Name of the environment to create AWS resources | `string` | n/a | yes |\n| \u003ca name=\"input_fargate_selector\"\u003e\u003c/a\u003e [fargate\\_selector](#input\\_fargate\\_selector) | Terraform object to create the EKS fargate profiles | `map` | \u003cpre\u003e{\u003cbr/\u003e  \"serverless\": {}\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_iam_roles\"\u003e\u003c/a\u003e [iam\\_roles](#input\\_iam\\_roles) | Terraform object of the IAM roles | `map` | `{}` | no |\n| \u003ca name=\"input_iam_users\"\u003e\u003c/a\u003e [iam\\_users](#input\\_iam\\_users) | List of IAM users | `list` | `[]` | no |\n| \u003ca name=\"input_karpenter_ami_family\"\u003e\u003c/a\u003e [karpenter\\_ami\\_family](#input\\_karpenter\\_ami\\_family) | AMI family to use for the EC2 Node Class. 
Possible values: AL2 or Bottlerocket | `string` | `\"Bottlerocket\"` | no |\n| \u003ca name=\"input_karpenter_enabled\"\u003e\u003c/a\u003e [karpenter\\_enabled](#input\\_karpenter\\_enabled) | Specify whether Karpenter is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_karpenter_version\"\u003e\u003c/a\u003e [karpenter\\_version](#input\\_karpenter\\_version) | The version of the Karpenter helm chart | `string` | `\"1.0.1\"` | no |\n| \u003ca name=\"input_metrics_server_version\"\u003e\u003c/a\u003e [metrics\\_server\\_version](#input\\_metrics\\_server\\_version) | The version of the metrics server helm chart | `string` | `\"3.11.0\"` | no |\n| \u003ca name=\"input_nat_enabled\"\u003e\u003c/a\u003e [nat\\_enabled](#input\\_nat\\_enabled) | Whether the NAT gateway is enabled | `bool` | `true` | no |\n| \u003ca name=\"input_node_group_cpu_threshold\"\u003e\u003c/a\u003e [node\\_group\\_cpu\\_threshold](#input\\_node\\_group\\_cpu\\_threshold) | The value of the CPU threshold | `string` | `\"70\"` | no |\n| \u003ca name=\"input_node_groups\"\u003e\u003c/a\u003e [node\\_groups](#input\\_node\\_groups) | Terraform object to create the EKS node groups | `map` | `{}` | no |\n| \u003ca name=\"input_node_role_policies\"\u003e\u003c/a\u003e [node\\_role\\_policies](#input\\_node\\_role\\_policies) | A list of the ARNs of the policies you want to attach | `list` | `[]` | no |\n| \u003ca name=\"input_redis_enabled\"\u003e\u003c/a\u003e [redis\\_enabled](#input\\_redis\\_enabled) | Whether the redis cluster is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_redis_engine_version\"\u003e\u003c/a\u003e [redis\\_engine\\_version](#input\\_redis\\_engine\\_version) | Version number of the cache engine to be used for the cache clusters in this replication group | `string` | `\"7.1\"` | no |\n| \u003ca name=\"input_redis_node_type\"\u003e\u003c/a\u003e [redis\\_node\\_type](#input\\_redis\\_node\\_type) | Instance class of the redis cluster to be used | 
`string` | `\"cache.t4g.micro\"` | no |\n| \u003ca name=\"input_redis_num_nodes\"\u003e\u003c/a\u003e [redis\\_num\\_nodes](#input\\_redis\\_num\\_nodes) | Number of nodes for redis | `number` | `1` | no |\n| \u003ca name=\"input_s3_csi_bucket_names\"\u003e\u003c/a\u003e [s3\\_csi\\_bucket\\_names](#input\\_s3\\_csi\\_bucket\\_names) | The name of the S3 bucket for the CSI driver | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_s3_csi_driver_enabled\"\u003e\u003c/a\u003e [s3\\_csi\\_driver\\_enabled](#input\\_s3\\_csi\\_driver\\_enabled) | Enable or disable the S3 CSI driver | `bool` | `false` | no |\n| \u003ca name=\"input_sql_cluster_enabled\"\u003e\u003c/a\u003e [sql\\_cluster\\_enabled](#input\\_sql\\_cluster\\_enabled) | Whether the sql cluster is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_sql_cluster_monitoring_interval\"\u003e\u003c/a\u003e [sql\\_cluster\\_monitoring\\_interval](#input\\_sql\\_cluster\\_monitoring\\_interval) | Monitoring Interval for SQL Cluster | `any` | `null` | no |\n| \u003ca name=\"input_sql_cluster_monitoring_role_arn\"\u003e\u003c/a\u003e [sql\\_cluster\\_monitoring\\_role\\_arn](#input\\_sql\\_cluster\\_monitoring\\_role\\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | `any` | `null` | no |\n| \u003ca name=\"input_sql_database_name\"\u003e\u003c/a\u003e [sql\\_database\\_name](#input\\_sql\\_database\\_name) | The name of the database to create when the DB instance is created | `string` | `\"\"` | no |\n| \u003ca name=\"input_sql_encrypted\"\u003e\u003c/a\u003e [sql\\_encrypted](#input\\_sql\\_encrypted) | Specify whether the DB instance is encrypted | `bool` | `true` | no |\n| \u003ca name=\"input_sql_engine\"\u003e\u003c/a\u003e [sql\\_engine](#input\\_sql\\_engine) | The name of the database engine to be used for this DB cluster | `string` | `\"aurora-postgresql\"` | no |\n| \u003ca 
name=\"input_sql_engine_mode\"\u003e\u003c/a\u003e [sql\\_engine\\_mode](#input\\_sql\\_engine\\_mode) | The database engine mode | `string` | `\"provisioned\"` | no |\n| \u003ca name=\"input_sql_engine_version\"\u003e\u003c/a\u003e [sql\\_engine\\_version](#input\\_sql\\_engine\\_version) | The SQL engine version to use | `string` | `\"15.3\"` | no |\n| \u003ca name=\"input_sql_iam_auth_enabled\"\u003e\u003c/a\u003e [sql\\_iam\\_auth\\_enabled](#input\\_sql\\_iam\\_auth\\_enabled) | Specifies whether or not mappings of IAM accounts to database accounts are enabled | `bool` | `true` | no |\n| \u003ca name=\"input_sql_identifier\"\u003e\u003c/a\u003e [sql\\_identifier](#input\\_sql\\_identifier) | The name of the database | `string` | `\"\"` | no |\n| \u003ca name=\"input_sql_instance_allocated_storage\"\u003e\u003c/a\u003e [sql\\_instance\\_allocated\\_storage](#input\\_sql\\_instance\\_allocated\\_storage) | The allocated storage in gibibytes | `number` | `20` | no |\n| \u003ca name=\"input_sql_instance_class\"\u003e\u003c/a\u003e [sql\\_instance\\_class](#input\\_sql\\_instance\\_class) | The instance type of the RDS instance. 
| `string` | `\"db.t4g.micro\"` | no |\n| \u003ca name=\"input_sql_instance_enabled\"\u003e\u003c/a\u003e [sql\\_instance\\_enabled](#input\\_sql\\_instance\\_enabled) | Whether the sql instance is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_sql_instance_engine\"\u003e\u003c/a\u003e [sql\\_instance\\_engine](#input\\_sql\\_instance\\_engine) | The database engine to use | `string` | `\"postgres\"` | no |\n| \u003ca name=\"input_sql_instance_max_allocated_storage\"\u003e\u003c/a\u003e [sql\\_instance\\_max\\_allocated\\_storage](#input\\_sql\\_instance\\_max\\_allocated\\_storage) | The upper limit to which Amazon RDS can automatically scale the storage of the DB instance | `number` | `200` | no |\n| \u003ca name=\"input_sql_master_password\"\u003e\u003c/a\u003e [sql\\_master\\_password](#input\\_sql\\_master\\_password) | Password for the master DB user | `string` | `\"\"` | no |\n| \u003ca name=\"input_sql_master_username\"\u003e\u003c/a\u003e [sql\\_master\\_username](#input\\_sql\\_master\\_username) | Username for the master DB user | `string` | `\"\"` | no |\n| \u003ca name=\"input_sql_node_count\"\u003e\u003c/a\u003e [sql\\_node\\_count](#input\\_sql\\_node\\_count) | The number of instances to be used for this DB cluster | `number` | `0` | no |\n| \u003ca name=\"input_sql_parameter_group_name\"\u003e\u003c/a\u003e [sql\\_parameter\\_group\\_name](#input\\_sql\\_parameter\\_group\\_name) | Name of the DB parameter group to associate | `string` | `\"\"` | no |\n| \u003ca name=\"input_sql_performance_insights_enabled\"\u003e\u003c/a\u003e [sql\\_performance\\_insights\\_enabled](#input\\_sql\\_performance\\_insights\\_enabled) | Specifies whether Performance Insights are enabled. 
Defaults to false | `bool` | `false` | no |\n| \u003ca name=\"input_sql_rds_multi_az\"\u003e\u003c/a\u003e [sql\\_rds\\_multi\\_az](#input\\_sql\\_rds\\_multi\\_az) | Specify whether the RDS instance is deployed multi-AZ | `bool` | `false` | no |\n| \u003ca name=\"input_sql_serverless_seconds_until_auto_pause\"\u003e\u003c/a\u003e [sql\\_serverless\\_seconds\\_until\\_auto\\_pause](#input\\_sql\\_serverless\\_seconds\\_until\\_auto\\_pause) | The time, in seconds, before the DB cluster in serverless mode is paused | `number` | `300` | no |\n| \u003ca name=\"input_sql_skip_final_snapshot\"\u003e\u003c/a\u003e [sql\\_skip\\_final\\_snapshot](#input\\_sql\\_skip\\_final\\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. | `bool` | `false` | no |\n| \u003ca name=\"input_sql_storage_type\"\u003e\u003c/a\u003e [sql\\_storage\\_type](#input\\_sql\\_storage\\_type) | The allocated storage type for DB Instance | `string` | `\"gp3\"` | no |\n| \u003ca name=\"input_sql_subnet_group_include_public\"\u003e\u003c/a\u003e [sql\\_subnet\\_group\\_include\\_public](#input\\_sql\\_subnet\\_group\\_include\\_public) | Include public subnets as part of the cluster's subnet configuration. 
| `bool` | `false` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Terraform map to create custom tags for the AWS resources | `map` | `{}` | no |\n| \u003ca name=\"input_vpc_flow_logs_enabled\"\u003e\u003c/a\u003e [vpc\\_flow\\_logs\\_enabled](#input\\_vpc\\_flow\\_logs\\_enabled) | Specify whether the vpc flow log is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_zones\"\u003e\u003c/a\u003e [zones](#input\\_zones) | AZs for the subnets | `list` | \u003cpre\u003e[\u003cbr/\u003e  \"us-west-2a\",\u003cbr/\u003e  \"us-west-2b\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_autoscaling_group.asg_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |\n| [aws_cloudwatch_log_group.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_cloudwatch_metric_alarm.asg_nodes_cpu_threshold](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_cpu_database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_cpu_database-rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_disk_database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_free_disk_database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_free_disk_database2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| 
[aws_cloudwatch_metric_alarm.database_free_disk_database3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_free_disk_database4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_free_disk_database5](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_io_mysql](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_io_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.database_io_rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_cloudwatch_metric_alarm.node_group_cpu_threshold](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_db_instance.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |\n| [aws_db_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |\n| [aws_egress_only_internet_gateway.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource |\n| [aws_eip.eips](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |\n| [aws_eks_access_entry.entries](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |\n| 
[aws_eks_access_policy_association.policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource |\n| [aws_eks_addon.core](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |\n| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |\n| [aws_eks_fargate_profile.fargate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |\n| [aws_eks_node_group.node_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |\n| [aws_elasticache_cluster.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster) | resource |\n| [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |\n| [aws_flow_log.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |\n| [aws_iam_instance_profile.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_openid_connect_provider.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |\n| [aws_iam_policy.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.eks_pod_logs_to_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| 
[aws_iam_policy.secrets_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.fargate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.secrets_manager_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy_attachment.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cloudwatch_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cluster_AmazonEKSBlockStoragePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cluster_AmazonEKSComputePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| 
[aws_iam_role_policy_attachment.cluster_AmazonEKSLoadBalancingPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.cluster_AmazonEKSNetworkingPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.fargate-AmazonEKSFargatePodExecutionRolePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node_AmazonEKSWorkerNodeMinimalPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node_eks_pod_logs_to_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.node_role_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| 
[aws_iam_role_policy_attachment.secrets_manager_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_internet_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |\n| [aws_kms_key.cloudwatch_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_kms_key.cluster_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_launch_configuration.asg_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |\n| [aws_launch_template.encrypted_launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |\n| [aws_nat_gateway.gw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |\n| [aws_rds_cluster.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource |\n| [aws_rds_cluster_instance.cluster_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource |\n| [aws_route.ig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| 
[aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_security_group.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group_rule.cluster-ingress-node-https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.node-ingress-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.node-ingress-self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.private_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.public_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |\n| [helm_release.aws_load_balancer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.calico](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.csi_secrets_store](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karpenter_crd](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| [kubernetes_config_map.fluent_bit_cluster_info](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| [kubernetes_namespace.amazon_cloudwatch](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_service_account.efs_csi_controller_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |\n| [kubernetes_service_account.efs_csi_node_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |\n| [kubernetes_service_account.main](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |\n| [null_resource.csi_secrets_store_aws_provider](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [null_resource.delete_aws_node](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [null_resource.karpenter_ec2_node_class_apply](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) 
| resource |\n| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |\n| [aws_iam_policy.ssm_managed_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| [aws_iam_policy_document.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n| [aws_ssm_parameter.amis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |\n| [aws_ssm_parameter.eks_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |\n| [http_http.csi_secrets_store_aws_provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [tls_certificate.cluster](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_eks_cluster\"\u003e\u003c/a\u003e [eks\\_cluster](#output\\_eks\\_cluster) | n/a |\n| \u003ca name=\"output_eks_cluster_oidc_provider_arn\"\u003e\u003c/a\u003e 
[eks\\_cluster\\_oidc\\_provider\\_arn](#output\\_eks\\_cluster\\_oidc\\_provider\\_arn) | n/a |\n| \u003ca name=\"output_eks_cluster_token\"\u003e\u003c/a\u003e [eks\\_cluster\\_token](#output\\_eks\\_cluster\\_token) | n/a |\n| \u003ca name=\"output_internet_gateway_id\"\u003e\u003c/a\u003e [internet\\_gateway\\_id](#output\\_internet\\_gateway\\_id) | n/a |\n| \u003ca name=\"output_nat_gateway_ids\"\u003e\u003c/a\u003e [nat\\_gateway\\_ids](#output\\_nat\\_gateway\\_ids) | n/a |\n| \u003ca name=\"output_node_role\"\u003e\u003c/a\u003e [node\\_role](#output\\_node\\_role) | n/a |\n| \u003ca name=\"output_node_security_group_id\"\u003e\u003c/a\u003e [node\\_security\\_group\\_id](#output\\_node\\_security\\_group\\_id) | n/a |\n| \u003ca name=\"output_private_route_table\"\u003e\u003c/a\u003e [private\\_route\\_table](#output\\_private\\_route\\_table) | n/a |\n| \u003ca name=\"output_private_subnet_ids\"\u003e\u003c/a\u003e [private\\_subnet\\_ids](#output\\_private\\_subnet\\_ids) | n/a |\n| \u003ca name=\"output_public_route_table\"\u003e\u003c/a\u003e [public\\_route\\_table](#output\\_public\\_route\\_table) | n/a |\n| \u003ca name=\"output_public_subnet_ids\"\u003e\u003c/a\u003e [public\\_subnet\\_ids](#output\\_public\\_subnet\\_ids) | n/a |\n| \u003ca name=\"output_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#output\\_vpc\\_id) | n/a |\n# 🚀 Built by opsZero!\n\n\u003ca href=\"https://opszero.com\"\u003e\u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/opsZero_logo_svg.svg\" width=\"300px\"/\u003e\u003c/a\u003e\n\nSince 2016 [opsZero](https://opszero.com) has been providing Kubernetes\nexpertise to companies of all sizes on any Cloud. 
With a focus on AI and\nCompliance, we can say we have seen it all: whether SOC2, HIPAA, PCI-DSS, ITAR,\nFedRAMP, or CMMC, we have you and your customers covered.\n\nWe provide support to organizations in the following ways:\n\n- [Modernize or Migrate to Kubernetes](https://opszero.com/solutions/modernization/)\n- [Cloud Infrastructure with Kubernetes on AWS, Azure, Google Cloud, or Bare Metal](https://opszero.com/solutions/cloud-infrastructure/)\n- [Building AI and Data Pipelines on Kubernetes](https://opszero.com/solutions/ai/)\n- [Optimizing Existing Kubernetes Workloads](https://opszero.com/solutions/optimized-workloads/)\n\nWe do this with a high-touch support model where you:\n\n- Get access to us on Slack, Microsoft Teams or Email\n- Get 24/7 coverage of your infrastructure\n- Get an accelerated migration to Kubernetes\n\nPlease [schedule a call](https://calendly.com/opszero-llc/discovery) if you need support.\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n\u003cdiv style=\"display: block\"\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/aws-advanced.png\" width=\"150px\" /\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/AWS-public-sector.png\" width=\"150px\" /\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/AWS-eks.png\" width=\"150px\" /\u003e\n\u003c/div\u003e\n\u003c!-- END_TF_DOCS --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-kubespot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopszero%2Fterraform-aws-kubespot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-kubespot/lists"}