Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/gambol99/terraform-aws-eks

Terraform module used to prove out a platform
https://github.com/gambol99/terraform-aws-eks

Last synced: 2 months ago
JSON representation

Terraform module used to prove out a platform

Awesome Lists containing this project

README 

        

## Requirements



| Name | Version |

|------|---------|

|  [terraform](#requirement\_terraform) | >= 1.6.0 |

|  [aws](#requirement\_aws) | >= 5.34 |



## Providers



| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | >= 5.34 |



## Modules



| Name | Source | Version |

|------|--------|---------|

|  [aws\_ack\_iam\_pod\_identity](#module\_aws\_ack\_iam\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_argocd\_pod\_identity](#module\_aws\_argocd\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_cert\_manager\_pod\_identity](#module\_aws\_cert\_manager\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_cloudwatch\_observability\_pod\_identity](#module\_aws\_cloudwatch\_observability\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_external\_dns\_pod\_identity](#module\_aws\_external\_dns\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_external\_secrets\_pod\_identity](#module\_aws\_external\_secrets\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [aws\_terranetes\_pod\_identity](#module\_aws\_terranetes\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.33.1 |

|  [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |

|  [vpc](#module\_vpc) | appvia/network/aws | 0.3.5 |



## Resources



| Name | Type |

|------|------|

| [aws_iam_role.argocd_cross_account_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |

| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

| [aws_iam_policy_document.argocd_cross_account_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |



## Inputs



| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [cluster\_name](#input\_cluster\_name) | Name of the Kubenetes cluster | `string` | n/a | yes |

|  [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |

|  [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions. | 
map(object({
    ## The list of kubernetes groups to associate the principal with
    kubernetes_groups = optional(list(string))
    ## The list of kubernetes users to associate the principal with
    principal_arn = string
    ## The list of kubernetes users to associate the principal with
    policy_associations = optional(map(object({
      ## The policy arn to associate with the principal
      policy_arn = string
      ## The access scope for the policy i.e. cluster or namespace
      access_scope = object({
        ## The namespaces to apply the policy to
        namespaces = optional(list(string))
        ## The type of access scope i.e. cluster or namespace
        type = string
      })
    })))
  }))
 | `null` | no |

|  [argocd](#input\_argocd) | The ArgoCD configuration | 
object({
    ## Indicates if we should enable the ArgoCD platform
    enabled = optional(bool, false)
    ## The namespace to deploy the ArgoCD platform to
    namespace = optional(string, "argocd")
    ## The service account to deploy the ArgoCD platform to
    service_account = optional(string, "argocd")
  })
 | `{}` | no |

|  [availability\_zones](#input\_availability\_zones) | Number of availability zones when provisioning a network | `number` | `3` | no |

|  [aws\_ack\_iam](#input\_aws\_ack\_iam) | The AWS ACK IAM configuration | 
object({
    ## Indicates if we should enable the AWS ACK IAM platform
    enabled = optional(bool, false)
    ## The namespace to deploy the AWS ACK IAM platform to
    namespace = optional(string, "ack-system")
    ## The service account to deploy the AWS ACK IAM platform to
    service_account = optional(string, "ack-iam-controller")
    ## Managed policies to attach to the AWS ACK IAM platform
    managed_policy_arns = optional(map(string), {})
  })
 | `{}` | no |

|  [cert\_manager](#input\_cert\_manager) | The cert-manager configuration | 
object({
    ## Indicates if we should enable the cert-manager platform
    enabled = optional(bool, false)
    ## The namespace to deploy the cert-manager platform to
    namespace = optional(string, "cert-manager")
    ## The service account to deploy the cert-manager platform to
    service_account = optional(string, "cert-manager")
    ## Route53 zone id to use for the cert-manager platform
    route53_zone_arns = optional(list(string), [])
  })
 | `{}` | no |

|  [cloudwatch\_observability](#input\_cloudwatch\_observability) | The CloudWatch Observability configuration | 
object({
    ## Indicates if we should enable the CloudWatch Observability platform
    enabled = optional(bool, false)
    ## The namespace to deploy the CloudWatch Observability platform to
    namespace = optional(string, "cloudwatch-observability")
    ## The service account to deploy the CloudWatch Observability platform to
    service_account = optional(string, "cloudwatch-observability")
  })
 | `{}` | no |

|  [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | List of log types to enable for the EKS cluster. | `list(string)` | 
[
  "api",
  "audit",
  "authenticator",
  "controllerManager",
  "scheduler"
]
 | no |

|  [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable public access to the EKS API server endpoint. | `bool` | `true` | no |

|  [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS API server endpoint. | `list(string)` | 
[
  "0.0.0.0/0"
]
 | no |

|  [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source. | `any` | `{}` | no |

|  [cluster\_version](#input\_cluster\_version) | Kubernetes version for the EKS cluster | `string` | `"1.32"` | no |

|  [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Whether to enable a nat gateway for the VPC | `bool` | `false` | no |

|  [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Whether to enable a transit gateway for the VPC | `bool` | `false` | no |

|  [external\_dns](#input\_external\_dns) | The External DNS configuration | 
object({
    ## Indicates if we should enable the External DNS platform
    enabled = optional(bool, false)
    ## The namespace to deploy the External DNS platform to
    namespace = optional(string, "external-dns")
    ## The service account to deploy the External DNS platform to
    service_account = optional(string, "external-dns")
    ## The route53 zone ARNs to attach to the External DNS platform
    route53_zone_arns = optional(list(string), [])
  })
 | `{}` | no |

|  [external\_secrets](#input\_external\_secrets) | The External Secrets configuration | 
object({
    ## Indicates if we should enable the External Secrets platform
    enabled = optional(bool, false)
    ## The namespace to deploy the External Secrets platform to
    namespace = optional(string, "external-secrets")
    ## The service account to deploy the External Secrets platform to
    service_account = optional(string, "external-secrets")
    ## The secrets manager ARNs to attach to the External Secrets platform
    secrets_manager_arns = optional(list(string), ["arn:aws:secretsmanager:*:*"])
    ## The SSM parameter ARNs to attach to the External Secrets platform
    ssm_parameter_arns = optional(list(string), ["arn:aws:ssm:*:*:parameter/eks/*"])
  })
 | `{}` | no |

|  [hub\_account\_id](#input\_hub\_account\_id) | The AWS account ID of the hub account | `string` | `null` | no |

|  [hub\_account\_role](#input\_hub\_account\_role) | Indicates we should create a cross account role for the hub to assume | `string` | `"argocd-pod-identity-hub"` | no |

|  [hub\_account\_roles\_prefix](#input\_hub\_account\_roles\_prefix) | The prefix of the roles we are permitted to assume via the argocd pod identity | `string` | `"argocd-cross-account-*"` | no |

|  [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |

|  [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The mode to use for the NAT gateway, when enable\_gateway is true | `string` | `"single_az"` | no |

|  [node\_pools](#input\_node\_pools) | Collection of nodepools to create via auto-mote karpenter | `list(string)` | 
[
  "system"
]
 | no |

|  [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no |

|  [pod\_identity](#input\_pod\_identity) | The pod identity configuration | 
map(object({
    ## Indicates if we should enable the pod identity
    enabled = optional(bool, true)
    ## The namespace to deploy the pod identity to
    description = optional(string, null)
    ## The service account to deploy the pod identity to
    service_account = optional(string, null)
    ## The managed policy ARNs to attach to the pod identity
    managed_policy_arns = optional(map(string), {})
    ## The permissions boundary ARN to use for the pod identity
    permissions_boundary_arn = optional(string, null)
    ## The namespace to deploy the pod identity to
    namespace = optional(string, null)
    ## The name of the pod identity role
    name = optional(string, null)
    ## Additional policy statements to attach to the pod identity role
    policy_statements = optional(list(object({
      sid       = optional(string, null)
      actions   = optional(list(string), [])
      resources = optional(list(string), [])
      effect    = optional(string, null)
    })), [])
  }))
 | `{}` | no |

|  [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs, if you want to use existing subnets | `list(string)` | `null` | no |

|  [private\_subnet\_netmask](#input\_private\_subnet\_netmask) | The netmask for the private subnets | `number` | `24` | no |

|  [public\_subnet\_netmask](#input\_public\_subnet\_netmask) | The netmask for the public subnets | `number` | `24` | no |

|  [terranetes](#input\_terranetes) | The Terranetes platform configuration | 
object({
    ## Indicates if we should enable the Terranetes platform
    enabled = optional(bool, false)
    ## The namespace to deploy the Terranetes platform to
    namespace = optional(string, "terraform-system")
    ## The service account to deploy the Terranetes platform to
    service_account = optional(string, "terranetes-executor")
    ## The permissions boundary ARN to use for the Terranetes platform
    permissions_boundary_arn = optional(string, null)
    ## Managed policies to attach to the Terranetes platform
    managed_policy_arns = optional(map(string), {
      "AdministratorAccess" = "arn:aws:iam::aws:policy/AdministratorAccess"
    })
  })
 | `{}` | no |

|  [transit\_gateway\_id](#input\_transit\_gateway\_id) | The ID of the transit gateway to use | `string` | `null` | no |

|  [transit\_gateway\_routes](#input\_transit\_gateway\_routes) | The routes to add to the transit gateway route table | `map(string)` | 
{
  "private": "10.0.0.0/8"
}
 | no |

|  [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for the Wayfinder VPC. | `string` | `"10.0.0.0/21"` | no |

|  [vpc\_id](#input\_vpc\_id) | ID of the VPC where the EKS cluster will be created | `string` | `null` | no |



## Outputs



| Name | Description |

|------|-------------|

|  [account\_id](#output\_account\_id) | The AWS account ID. |

|  [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | The base64 encoded certificate data for the Wayfinder EKS cluster |

|  [cluster\_endpoint](#output\_cluster\_endpoint) | The endpoint for the Wayfinder EKS Kubernetes API |

|  [cluster\_name](#output\_cluster\_name) | The name of the Wayfinder EKS cluster. |

|  [cluster\_oidc\_provider\_arn](#output\_cluster\_oidc\_provider\_arn) | The ARN of the OIDC provider for the Wayfinder EKS cluster |

|  [cross\_account\_role\_arn](#output\_cross\_account\_role\_arn) | The cross account arn when we are using a hub |

|  [region](#output\_region) | The AWS region in which the cluster is provisioned |