https://github.com/gambol99/terraform-aws-eks
Terraform module used to prove out a platform
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/gambol99/terraform-aws-eks
- Owner: gambol99
- Created: 2025-02-22T18:48:51.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-03-20T12:25:07.000Z (3 months ago)
- Last Synced: 2025-03-20T13:41:30.353Z (3 months ago)
- Language: HCL
- Homepage:
- Size: 115 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.6.0 |
| [aws](#requirement\_aws) | >= 5.34 |

## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.34 |

## Modules
| Name | Source | Version |
|------|--------|---------|
| [aws\_ack\_iam\_pod\_identity](#module\_aws\_ack\_iam\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_argocd\_pod\_identity](#module\_aws\_argocd\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_cert\_manager\_pod\_identity](#module\_aws\_cert\_manager\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_cloudwatch\_observability\_pod\_identity](#module\_aws\_cloudwatch\_observability\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_external\_dns\_pod\_identity](#module\_aws\_external\_dns\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_external\_secrets\_pod\_identity](#module\_aws\_external\_secrets\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [aws\_terranetes\_pod\_identity](#module\_aws\_terranetes\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.33.1 |
| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.4.0 |
| [vpc](#module\_vpc) | appvia/network/aws | 0.3.5 |

## Resources
| Name | Type |
|------|------|
| [aws_iam_role.argocd_cross_account_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.argocd_cross_account_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cluster\_name](#input\_cluster\_name) | Name of the Kubernetes cluster | `string` | n/a | yes |
| [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |
| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions. | <pre>map(object({<br>  ## The list of kubernetes groups to associate the principal with<br>  kubernetes_groups = optional(list(string))<br>  ## The ARN of the IAM principal to grant access to<br>  principal_arn = string<br>  ## The EKS access policies to associate with the principal<br>  policy_associations = optional(map(object({<br>    ## The policy arn to associate with the principal<br>    policy_arn = string<br>    ## The access scope for the policy i.e. cluster or namespace<br>    access_scope = object({<br>      ## The namespaces to apply the policy to<br>      namespaces = optional(list(string))<br>      ## The type of access scope i.e. cluster or namespace<br>      type = string<br>    })<br>  })))<br>}))</pre> | `null` | no |
| [argocd](#input\_argocd) | The ArgoCD configuration | <pre>object({<br>  ## Indicates if we should enable the ArgoCD platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the ArgoCD platform to<br>  namespace = optional(string, "argocd")<br>  ## The service account to deploy the ArgoCD platform to<br>  service_account = optional(string, "argocd")<br>})</pre> | `{}` | no |
| [availability\_zones](#input\_availability\_zones) | Number of availability zones when provisioning a network | `number` | `3` | no |
| [aws\_ack\_iam](#input\_aws\_ack\_iam) | The AWS ACK IAM configuration | <pre>object({<br>  ## Indicates if we should enable the AWS ACK IAM platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the AWS ACK IAM platform to<br>  namespace = optional(string, "ack-system")<br>  ## The service account to deploy the AWS ACK IAM platform to<br>  service_account = optional(string, "ack-iam-controller")<br>  ## Managed policies to attach to the AWS ACK IAM platform<br>  managed_policy_arns = optional(map(string), {})<br>})</pre> | `{}` | no |
| [cert\_manager](#input\_cert\_manager) | The cert-manager configuration | <pre>object({<br>  ## Indicates if we should enable the cert-manager platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the cert-manager platform to<br>  namespace = optional(string, "cert-manager")<br>  ## The service account to deploy the cert-manager platform to<br>  service_account = optional(string, "cert-manager")<br>  ## The Route53 zone ARNs to use for the cert-manager platform<br>  route53_zone_arns = optional(list(string), [])<br>})</pre> | `{}` | no |
| [cloudwatch\_observability](#input\_cloudwatch\_observability) | The CloudWatch Observability configuration | <pre>object({<br>  ## Indicates if we should enable the CloudWatch Observability platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the CloudWatch Observability platform to<br>  namespace = optional(string, "cloudwatch-observability")<br>  ## The service account to deploy the CloudWatch Observability platform to<br>  service_account = optional(string, "cloudwatch-observability")<br>})</pre> | `{}` | no |
| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | List of log types to enable for the EKS cluster. | `list(string)` | <pre>[<br>  "api",<br>  "audit",<br>  "authenticator",<br>  "controllerManager",<br>  "scheduler"<br>]</pre> | no |
| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable public access to the EKS API server endpoint. | `bool` | `true` | no |
| [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS API server endpoint. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source. | `any` | `{}` | no |
| [cluster\_version](#input\_cluster\_version) | Kubernetes version for the EKS cluster | `string` | `"1.32"` | no |
| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Whether to enable a NAT gateway for the VPC | `bool` | `false` | no |
| [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Whether to enable a transit gateway for the VPC | `bool` | `false` | no |
| [external\_dns](#input\_external\_dns) | The External DNS configuration | <pre>object({<br>  ## Indicates if we should enable the External DNS platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the External DNS platform to<br>  namespace = optional(string, "external-dns")<br>  ## The service account to deploy the External DNS platform to<br>  service_account = optional(string, "external-dns")<br>  ## The route53 zone ARNs to attach to the External DNS platform<br>  route53_zone_arns = optional(list(string), [])<br>})</pre> | `{}` | no |
| [external\_secrets](#input\_external\_secrets) | The External Secrets configuration | <pre>object({<br>  ## Indicates if we should enable the External Secrets platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the External Secrets platform to<br>  namespace = optional(string, "external-secrets")<br>  ## The service account to deploy the External Secrets platform to<br>  service_account = optional(string, "external-secrets")<br>  ## The secrets manager ARNs to attach to the External Secrets platform<br>  secrets_manager_arns = optional(list(string), ["arn:aws:secretsmanager:*:*"])<br>  ## The SSM parameter ARNs to attach to the External Secrets platform<br>  ssm_parameter_arns = optional(list(string), ["arn:aws:ssm:*:*:parameter/eks/*"])<br>})</pre> | `{}` | no |
| [hub\_account\_id](#input\_hub\_account\_id) | The AWS account ID of the hub account | `string` | `null` | no |
| [hub\_account\_role](#input\_hub\_account\_role) | Indicates we should create a cross account role for the hub to assume | `string` | `"argocd-pod-identity-hub"` | no |
| [hub\_account\_roles\_prefix](#input\_hub\_account\_roles\_prefix) | The prefix of the roles we are permitted to assume via the argocd pod identity | `string` | `"argocd-cross-account-*"` | no |
| [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |
| [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The mode to use for the NAT gateway, when enable\_nat\_gateway is true | `string` | `"single_az"` | no |
| [node\_pools](#input\_node\_pools) | Collection of node pools to create via auto-mode Karpenter | `list(string)` | <pre>[<br>  "system"<br>]</pre> | no |
| [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no |
| [pod\_identity](#input\_pod\_identity) | The pod identity configuration | <pre>map(object({<br>  ## Indicates if we should enable the pod identity<br>  enabled = optional(bool, true)<br>  ## The description of the pod identity role<br>  description = optional(string, null)<br>  ## The service account to bind the pod identity to<br>  service_account = optional(string, null)<br>  ## The managed policy ARNs to attach to the pod identity<br>  managed_policy_arns = optional(map(string), {})<br>  ## The permissions boundary ARN to use for the pod identity<br>  permissions_boundary_arn = optional(string, null)<br>  ## The namespace to deploy the pod identity to<br>  namespace = optional(string, null)<br>  ## The name of the pod identity role<br>  name = optional(string, null)<br>  ## Additional policy statements to attach to the pod identity role<br>  policy_statements = optional(list(object({<br>    sid = optional(string, null)<br>    actions = optional(list(string), [])<br>    resources = optional(list(string), [])<br>    effect = optional(string, null)<br>  })), [])<br>}))</pre> | `{}` | no |
| [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs, if you want to use existing subnets | `list(string)` | `null` | no |
| [private\_subnet\_netmask](#input\_private\_subnet\_netmask) | The netmask for the private subnets | `number` | `24` | no |
| [public\_subnet\_netmask](#input\_public\_subnet\_netmask) | The netmask for the public subnets | `number` | `24` | no |
| [terranetes](#input\_terranetes) | The Terranetes platform configuration | <pre>object({<br>  ## Indicates if we should enable the Terranetes platform<br>  enabled = optional(bool, false)<br>  ## The namespace to deploy the Terranetes platform to<br>  namespace = optional(string, "terraform-system")<br>  ## The service account to deploy the Terranetes platform to<br>  service_account = optional(string, "terranetes-executor")<br>  ## The permissions boundary ARN to use for the Terranetes platform<br>  permissions_boundary_arn = optional(string, null)<br>  ## Managed policies to attach to the Terranetes platform<br>  managed_policy_arns = optional(map(string), {<br>    "AdministratorAccess" = "arn:aws:iam::aws:policy/AdministratorAccess"<br>  })<br>})</pre> | `{}` | no |
| [transit\_gateway\_id](#input\_transit\_gateway\_id) | The ID of the transit gateway to use | `string` | `null` | no |
| [transit\_gateway\_routes](#input\_transit\_gateway\_routes) | The routes to add to the transit gateway route table | `map(string)` | <pre>{<br>  "private": "10.0.0.0/8"<br>}</pre> | no |
| [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for the Wayfinder VPC. | `string` | `"10.0.0.0/21"` | no |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC where the EKS cluster will be created | `string` | `null` | no |

## Outputs
| Name | Description |
|------|-------------|
| [account\_id](#output\_account\_id) | The AWS account ID. |
| [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | The base64 encoded certificate data for the Wayfinder EKS cluster |
| [cluster\_endpoint](#output\_cluster\_endpoint) | The endpoint for the Wayfinder EKS Kubernetes API |
| [cluster\_name](#output\_cluster\_name) | The name of the Wayfinder EKS cluster. |
| [cluster\_oidc\_provider\_arn](#output\_cluster\_oidc\_provider\_arn) | The ARN of the OIDC provider for the Wayfinder EKS cluster |
| [cross\_account\_role\_arn](#output\_cross\_account\_role\_arn) | The cross account arn when we are using a hub |
| [region](#output\_region) | The AWS region in which the cluster is provisioned |
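A constructed module call that exercises the inputs listed above with tighter values than the module defaults (added example, not from the repository; the `?ref=<TAG>` source pin, the 111122223333 account ID, the 203.0.113.0/24 CIDR and every ARN are placeholders):

```hcl
module "eks" {
  # Assumed source reference; pin <TAG> to a tagged release in practice.
  source = "github.com/gambol99/terraform-aws-eks?ref=<TAG>"

  cluster_name    = "platform-dev"
  cluster_version = "1.32"
  tags            = { Environment = "dev", Owner = "platform" }

  # Module default is public access from 0.0.0.0/0; limit the API endpoint
  # to the ranges Terraform and operators connect from (constructed CIDR).
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]

  # Keep every control-plane log type, so audit and authenticator events
  # are available for detection work.
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Name key administrators explicitly instead of relying on the caller identity.
  kms_key_administrators = ["arn:aws:iam::111122223333:role/platform-kms-admin"]

  # Separate admin role for plan/apply, granted cluster-wide through an
  # EKS access policy (placeholder role ARN).
  access_entries = {
    platform_admin = {
      principal_arn = "arn:aws:iam::111122223333:role/platform-admin"
      policy_associations = {
        admin = {
          policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = { type = "cluster" }
        }
      }
    }
  }

  # Narrow the External Secrets defaults (all secrets, all /eks/* parameters)
  # to the paths this cluster owns.
  external_secrets = {
    enabled              = true
    secrets_manager_arns = ["arn:aws:secretsmanager:eu-west-2:111122223333:secret:platform-dev/*"]
    ssm_parameter_arns   = ["arn:aws:ssm:eu-west-2:111122223333:parameter/eks/platform-dev/*"]
  }

  # Terranetes defaults to AdministratorAccess; attach a narrower managed
  # policy and a permissions boundary so the executor cannot grant itself more.
  terranetes = {
    enabled                  = true
    permissions_boundary_arn = "arn:aws:iam::111122223333:policy/platform-boundary"
    managed_policy_arns      = { "PowerUserAccess" = "arn:aws:iam::aws:policy/PowerUserAccess" }
  }
}
```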