https://github.com/pelotech/terraform-foundation-aws-stack
Terraform module for the foundation base stack on aws
- Host: GitHub
- URL: https://github.com/pelotech/terraform-foundation-aws-stack
- Owner: pelotech
- Created: 2024-12-27T14:12:36.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-04-25T19:10:31.000Z (about 2 months ago)
- Last Synced: 2026-04-25T19:12:52.518Z (about 2 months ago)
- Language: HCL
- Size: 174 KB
- Stars: 1
- Watchers: 1
- Forks: 1
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Codeowners: .github/CODEOWNERS
README

# Foundation - Pelotech's GitOps K8s Cluster
This is the Terraform module that bootstraps the foundation stack in AWS.
This project uses [release-please](https://github.com/googleapis/release-please) for the release flow of contributions.
## Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.7 |
| [aws](#requirement\_aws) | >= 6.14.1 |
## Providers
| Name | Version |
| ---- | ------- |
| [aws](#provider\_aws) | 6.42.0 |
## Modules
| Name | Source | Version |
| ---- | ------ | ------- |
| [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.5.0 |
| [ebs\_csi\_driver\_irsa\_role](#module\_ebs\_csi\_driver\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.5.0 |
| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 21.18.0 |
| [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.5.0 |
| [fck\_nat](#module\_fck\_nat) | RaJiska/fck-nat/aws | 1.4.0 |
| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 21.18.0 |
| [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.5.0 |
| [s3\_csi](#module\_s3\_csi) | terraform-aws-modules/s3-bucket/aws | 5.12.0 |
| [s3\_driver\_irsa\_role](#module\_s3\_driver\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.5.0 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 6.6.1 |
## Resources
| Name | Type |
| ---- | ---- |
| [aws_eip.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_vpc_endpoint.eks_vpc_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
| [aws_ami.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [initial\_instance\_types](#input\_initial\_instance\_types) | instance types of the initial managed node group | `list(string)` | n/a | yes |
| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | List of EKS control plane log types to enable. Valid values: api, audit, authenticator, controllerManager, scheduler. | `list(string)` | `[]` | no |
| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible. Set to false for private-only access (requires VPC connectivity). | `bool` | `true` | no |
| [create\_node\_security\_group](#input\_create\_node\_security\_group) | Whether to create a dedicated security group for EKS managed node groups. When true, the node\_security\_group\_id output is populated. | `bool` | `false` | no |
| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Kubernetes version to set for the cluster | `string` | `"1.35"` | no |
| [extra\_access\_entries](#input\_extra\_access\_entries) | EKS access entries needed by IAM roles interacting with this cluster | `list(object({ principal_arn = string, kubernetes_groups = optional(list(string)), policy_associations = optional(map(object({ policy_arn = string, access_scope = object({ type = string, namespaces = optional(list(string)) }) })), {}) }))` | `[]` | no |
| [initial\_node\_desired\_size](#input\_initial\_node\_desired\_size) | desired size of the initial managed node group | `number` | `3` | no |
| [initial\_node\_labels](#input\_initial\_node\_labels) | labels for the initial managed node group | `map(string)` | `{ "kube-ovn/role": "master" }` | no |
| [initial\_node\_max\_size](#input\_initial\_node\_max\_size) | max size of the initial managed node group | `number` | `6` | no |
| [initial\_node\_min\_size](#input\_initial\_node\_min\_size) | minimum size of the initial managed node group | `number` | `2` | no |
| [initial\_node\_taints](#input\_initial\_node\_taints) | taints for the initial managed node group | `map(object({ key = string, value = string, effect = string }))` | `{ "criticalAddonsOnly": { "effect": "NO_SCHEDULE", "key": "CriticalAddonsOnly", "value": "true" }, "nidhogg": { "effect": "NO_SCHEDULE", "key": "nidhogg.uswitch.com/kube-system.kube-multus-ds", "value": "true" } }` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | IAM permissions boundary policy name applied to all IAM roles. When set, constructs full ARN from the current account and partition. | `string` | `""` | no |
| [s3\_csi\_driver\_bucket\_arns](#input\_s3\_csi\_driver\_bucket\_arns) | existing buckets the s3 CSI driver should have access to | `list(string)` | `[]` | no |
| [s3\_csi\_driver\_create\_bucket](#input\_s3\_csi\_driver\_create\_bucket) | create a new bucket for use with the s3 CSI driver | `bool` | `true` | no |
| [stack\_admin\_arns](#input\_stack\_admin\_arns) | ARNs of the IAM roles that are granted the cluster admin access entry | `list(string)` | `[]` | no |
| [stack\_create](#input\_stack\_create) | Whether the stack's resources should be created | `bool` | `true` | no |
| [stack\_create\_pelotech\_nat\_eip](#input\_stack\_create\_pelotech\_nat\_eip) | Create the pelotech NAT EIP even when NAT is not enabled; useful for allocating the IPs ahead of time for allow lists | `bool` | `false` | no |
| [stack\_enable\_cluster\_kms](#input\_stack\_enable\_cluster\_kms) | Should secrets be encrypted by kms in the cluster | `bool` | `true` | no |
| [stack\_enable\_default\_eks\_managed\_node\_group](#input\_stack\_enable\_default\_eks\_managed\_node\_group) | Ability to disable default node group | `bool` | `true` | no |
| [stack\_existing\_vpc\_config](#input\_stack\_existing\_vpc\_config) | Use an existing VPC instead of creating one | `object({ vpc_id = string, subnet_ids = list(string) })` | `null` | no |
| [stack\_name](#input\_stack\_name) | Name of the stack | `string` | `"foundation-stack"` | no |
| [stack\_pelotech\_nat\_ami\_name\_filter](#input\_stack\_pelotech\_nat\_ami\_name\_filter) | AMI name filter used to find the correct NAT AMI | `string` | `"fck-nat-al2023-hvm-*"` | no |
| [stack\_pelotech\_nat\_ami\_owner\_id](#input\_stack\_pelotech\_nat\_ami\_owner\_id) | Owner ID to search for the AMI | `string` | `"568608671756"` | no |
| [stack\_pelotech\_nat\_enabled](#input\_stack\_pelotech\_nat\_enabled) | Use pelotech-nat NAT instances instead of a NAT gateway | `bool` | `false` | no |
| [stack\_pelotech\_nat\_instance\_type](#input\_stack\_pelotech\_nat\_instance\_type) | NAT instance type; choose based on bandwidth requirements | `string` | `"t4g.micro"` | no |
| [stack\_ro\_arns](#input\_stack\_ro\_arns) | ARNs of the IAM roles that are granted the cluster read-only access entry. These roles also get read-only KMS access so CI can run plans; anything needing more limited access should use the extra access entries instead | `list(string)` | `[]` | no |
| [stack\_tags](#input\_stack\_tags) | tags to be added to the stack, should at least have Owner and Environment | `map(string)` | `{ "Environment": "prod", "Owner": "pelotech" }` | no |
| [stack\_use\_vpc\_cni\_max\_pods](#input\_stack\_use\_vpc\_cni\_max\_pods) | Set to true if using the VPC CNI; otherwise max pods defaults to 110 | `bool` | `false` | no |
| [stack\_vpc\_block](#input\_stack\_vpc\_block) | Variables for defining the vpc for the stack | `object({ cidr = string, azs = list(string), private_subnets = list(string), public_subnets = list(string), database_subnets = list(string) })` | `{ "azs": ["us-west-2a", "us-west-2b", "us-west-2c"], "cidr": "172.16.0.0/16", "database_subnets": ["172.16.200.0/24", "172.16.201.0/24", "172.16.202.0/24"], "private_subnets": ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"], "public_subnets": ["172.16.100.0/24", "172.16.101.0/24", "172.16.102.0/24"] }` | no |
| [vpc\_endpoints](#input\_vpc\_endpoints) | VPC endpoints to create in the cluster VPC. Note: this only works when the module creates the VPC itself | `list(string)` | `[]` | no |
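The following is an added example of calling this module with the access-hardening inputs listed above (private API endpoint, full control plane logging, a permissions boundary on every created role, separate admin and read-only principals, and a namespace-scoped access entry). It is not code from the project itself: the `git::` source form and the `?ref=` tag are assumed, every account ID, role ARN and boundary name is a placeholder, and the EKS access policy ARN and `access_scope` values follow the AWS EKS access-entry API rather than anything documented on this page.

```hcl
# Added example (not from the project): calling the foundation module with the
# access-hardening inputs documented in the Inputs table. All ARNs, the account
# id, the boundary name and the release tag are placeholders.
terraform {
  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.14.1"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

module "foundation" {
  # Assumed source form; pin to a release tag rather than tracking main.
  source = "git::https://github.com/pelotech/terraform-foundation-aws-stack.git?ref=vX.Y.Z"

  stack_name             = "foundation-stack"
  initial_instance_types = ["m6g.large"] # the only required input

  # Control plane: no public API endpoint, and every log type shipped to CloudWatch.
  cluster_endpoint_public_access = false
  cluster_enabled_log_types      = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Encrypt Kubernetes secrets at rest with the cluster KMS key (module default, stated explicitly).
  stack_enable_cluster_kms = true

  # Dedicated node security group so node rules are not mixed into the cluster security group.
  create_node_security_group = true

  # Name only: the module builds the full ARN from the current account and partition
  # and attaches the boundary to every IAM role it creates.
  permissions_boundary = "example-permissions-boundary" # placeholder

  # Cluster admins and read-only (CI plan) principals, kept as separate lists.
  stack_admin_arns = ["arn:aws:iam::111111111111:role/example-platform-admin"] # placeholder
  stack_ro_arns    = ["arn:aws:iam::111111111111:role/example-ci-plan"]        # placeholder

  # Automation that needs less than read-only-on-everything gets its own access
  # entry: view policy, scoped to a single namespace.
  extra_access_entries = [
    {
      principal_arn = "arn:aws:iam::111111111111:role/example-app-deployer" # placeholder
      policy_associations = {
        view_app_namespace = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type       = "namespace"
            namespaces = ["example-app"]
          }
        }
      }
    }
  ]

  # The module expects at least Owner and Environment tags.
  stack_tags = {
    Owner       = "platform-team"
    Environment = "prod"
  }
}

# Expose the OIDC provider ARN so additional IRSA roles can be created out of band.
output "oidc_provider_arn" {
  value = module.foundation.eks_oidc_provider_arn
}
```

With `cluster_endpoint_public_access = false`, `terraform apply` and `kubectl` both need network reachability into the VPC (VPN, bastion or a CI runner inside it), so set it only once that path exists; the `stack_ro_arns` entry is what lets a CI role run a plan without also being a cluster admin.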
## Outputs
| Name | Description |
| ---- | ----------- |
| [cert\_manager\_role\_arn](#output\_cert\_manager\_role\_arn) | ARN of the Cert Manager IRSA role |
| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Cluster security group that was created by Amazon EKS for the cluster |
| [ebs\_csi\_driver\_role\_arn](#output\_ebs\_csi\_driver\_role\_arn) | ARN of the EBS CSI driver IRSA role |
| [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data for the cluster |
| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the EKS cluster API server |
| [eks\_cluster\_iam\_role\_name](#output\_eks\_cluster\_iam\_role\_name) | The name of the EKS cluster IAM role |
| [eks\_cluster\_name](#output\_eks\_cluster\_name) | The name of the EKS cluster |
| [eks\_cluster\_tls\_certificate\_sha1\_fingerprint](#output\_eks\_cluster\_tls\_certificate\_sha1\_fingerprint) | The SHA1 fingerprint of the public key of the cluster's certificate |
| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
| [eks\_oidc\_provider](#output\_eks\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | EKS OIDC provider ARN to be able to add IRSA roles to the cluster out of band |
| [external\_dns\_role\_arn](#output\_external\_dns\_role\_arn) | ARN of the External DNS IRSA role |
| [karpenter\_node\_iam\_role\_name](#output\_karpenter\_node\_iam\_role\_name) | The name of the Karpenter node IAM role |
| [karpenter\_queue\_name](#output\_karpenter\_queue\_name) | The name of the Karpenter SQS queue |
| [karpenter\_role\_arn](#output\_karpenter\_role\_arn) | ARN of the Karpenter IRSA role |
| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the KMS key |
| [load\_balancer\_controller\_role\_arn](#output\_load\_balancer\_controller\_role\_arn) | ARN of the ALB controller IRSA role |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [s3\_csi\_driver\_role\_arn](#output\_s3\_csi\_driver\_role\_arn) | ARN of the S3 CSI driver IRSA role |
| [vpc](#output\_vpc) | The vpc object when it's created |