Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sparkfabrik/terraform-aws-eks-bootstrap
This module bootstraps a new EKS cluster with a basic configuration.
aws eks kubernetes
Last synced: 8 days ago
- Host: GitHub
- URL: https://github.com/sparkfabrik/terraform-aws-eks-bootstrap
- Owner: sparkfabrik
- License: gpl-3.0
- Created: 2023-04-19T13:49:46.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-05T16:10:27.000Z (about 1 month ago)
- Last Synced: 2024-12-24T05:54:46.969Z (16 days ago)
- Topics: aws, eks, kubernetes
- Language: HCL
- Homepage:
- Size: 194 KB
- Stars: 1
- Watchers: 7
- Forks: 0
- Open Issues: 13
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# Terraform aws eks bootstrap
Bootstrap module for AWS EKS cluster.
## Known Issues
Due to an issue with the [amazon-cloudwatch-observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-EKS-addon.html) EKS addon, fluent-bit and the CloudWatch Agent are not deployed on tainted nodes.
The feature is in "Proposed" state: https://github.com/aws/containers-roadmap/issues/2195.
Until the feature is released, you must manually add tolerations to the AmazonCloudWatchAgent CRD and the fluent-bit DaemonSet resources.
You can find the patch files in the `eks-add-ons-patches` directory and apply them with `kubectl` as follows:
```bash
# Patch the FluentBit DaemonSet
kubectl -n amazon-cloudwatch patch daemonset fluent-bit --type merge --patch-file eks-add-ons-patches/fluent-bit.yaml
# Patch the AmazonCloudWatchAgent resource (which produces the cloudwatch-agent daemonset)
kubectl -n amazon-cloudwatch patch AmazonCloudWatchAgent cloudwatch-agent --type merge --patch-file eks-add-ons-patches/cloudwatch-agent.yaml
```
The patches add the catch-all toleration to the resources, allowing them to be scheduled on tainted nodes, as described [here](https://k8s-docs.netlify.app/en/docs/concepts/configuration/taint-and-toleration/#concepts):
> An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.
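Because the patches are applied by hand with `kubectl` rather than managed by Terraform, it is worth verifying that the catch-all toleration is actually present on the live objects, and again after any addon update. The following added example (not part of the sparkfabrik module) does that check on a JSON object of the shape `kubectl get ... -o json` returns, and builds the JSON merge patch when the toleration is missing. The sample DaemonSet is constructed; the `spec.tolerations` path used for the `AmazonCloudWatchAgent` custom resource is an assumption to confirm against your CRD. It also shows a caveat of `--type merge` (RFC 7386): lists are replaced wholesale, so a merge patch must carry the complete toleration list, not just the new entry.

```python
"""Check that a CloudWatch add-on workload carries the catch-all toleration
the README's patches add, and build the JSON merge patch when it is missing.
Added example, not part of the sparkfabrik module; sample objects are constructed."""
import copy
import json

# Constructed sample shaped like `kubectl -n amazon-cloudwatch get ds fluent-bit -o json`,
# trimmed to the fields this check reads. It tolerates only one specific taint.
SAMPLE_FLUENT_BIT_DS = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "fluent-bit", "namespace": "amazon-cloudwatch"},
    "spec": {
        "template": {
            "spec": {
                "tolerations": [
                    {"key": "node-role.kubernetes.io/master", "operator": "Exists", "effect": "NoSchedule"}
                ]
            }
        }
    },
}

# The toleration from the README: empty key + Exists with no effect tolerates every taint.
CATCH_ALL_TOLERATION = {"operator": "Exists"}

# Where the toleration list lives. DaemonSets use the pod template; for the
# AmazonCloudWatchAgent CR, `spec.tolerations` is an assumption (check your CRD).
TOLERATIONS_PATH = {
    "DaemonSet": ("spec", "template", "spec", "tolerations"),
    "AmazonCloudWatchAgent": ("spec", "tolerations"),
}


def _get_path(obj, path, default=None):
    """Walk nested dicts along `path`, returning `default` if any step is missing."""
    for part in path:
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj


def is_catch_all(tol):
    """True when the toleration matches all keys, values and effects."""
    return (not tol.get("key")) and tol.get("operator") == "Exists" and not tol.get("effect")


def has_catch_all_toleration(workload):
    """True if the live object already tolerates everything."""
    path = TOLERATIONS_PATH[workload["kind"]]
    return any(is_catch_all(t) for t in (_get_path(workload, path, []) or []))


def build_merge_patch(workload):
    """Return a JSON merge patch (RFC 7386) adding the catch-all toleration,
    or None if it is already present. Merge patches replace lists wholesale,
    so the patch carries the full existing list plus the new entry."""
    if has_catch_all_toleration(workload):
        return None
    path = TOLERATIONS_PATH[workload["kind"]]
    existing = _get_path(workload, path, []) or []
    patch = existing + [CATCH_ALL_TOLERATION]
    for part in reversed(path):  # wrap the list back into the nested structure
        patch = {part: patch}
    return patch


def json_merge_patch(target, patch):
    """Apply an RFC 7386 merge patch, mirroring what `kubectl patch --type merge` does."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)  # scalars and lists replace the target value
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in a merge patch deletes the key
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def patched(workload):
    """Simulate the README step: generate the patch and apply it to the object."""
    patch = build_merge_patch(workload)
    return workload if patch is None else json_merge_patch(workload, patch)


if __name__ == "__main__":
    # The printed document is what eks-add-ons-patches/fluent-bit.yaml has to express (as YAML).
    print(json.dumps(build_merge_patch(SAMPLE_FLUENT_BIT_DS), indent=2))
    print("catch-all present after patch:", has_catch_all_toleration(patched(SAMPLE_FLUENT_BIT_DS)))
```

To run it against a real cluster, feed `json.loads(subprocess.check_output(["kubectl", "-n", "amazon-cloudwatch", "get", "ds", "fluent-bit", "-o", "json"]))` to `has_catch_all_toleration`; a `False` after an addon update means the manual patch has been lost and must be reapplied.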
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.63 |
| [helm](#provider\_helm) | >= 2.9 |
| [kubectl](#provider\_kubectl) | >= 1.14 |
| [kubernetes](#provider\_kubernetes) | >= 2.26 |
| [random](#provider\_random) | >= 3.5 |
| [template](#provider\_template) | >= 2.2 |
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.63 |
| [helm](#requirement\_helm) | >= 2.9 |
| [kubectl](#requirement\_kubectl) | >= 1.14 |
| [kubernetes](#requirement\_kubernetes) | >= 2.26 |
| [random](#requirement\_random) | >= 3.5 |
| [template](#requirement\_template) | >= 2.2 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [admin\_users](#input\_admin\_users) | n/a | `list(any)` | n/a | yes |
| [aws\_alb\_controller\_helm\_config](#input\_aws\_alb\_controller\_helm\_config) | AWS Load Balancer Controller Helm Chart Configuration | `any` | `{}` | no |
| [aws\_ebs\_csi\_driver\_helm\_config](#input\_aws\_ebs\_csi\_driver\_helm\_config) | AWS EBS csi driver Helm Chart Configuration | `any` | `{}` | no |
| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | Node Termination handler Helm Chart Configuration | `any` | `{}` | no |
| [calico\_helm\_config](#input\_calico\_helm\_config) | Calico Helm Chart Configuration | `any` | `{}` | no |
| [cert\_manager\_helm\_config](#input\_cert\_manager\_helm\_config) | Cert Manager Helm Chart Configuration | `any` | `{}` | no |
| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. | `number` | `7` | no |
| [cluster\_access\_admin\_groups](#input\_cluster\_access\_admin\_groups) | The list of groups that will be mapped to the admin role in the application namespaces. | `list(string)` | n/a | yes |
| [cluster\_access\_developer\_groups](#input\_cluster\_access\_developer\_groups) | The list of groups that will be mapped to the developer role in the application namespaces. | `list(string)` | n/a | yes |
| [cluster\_access\_map\_users](#input\_cluster\_access\_map\_users) | Cluster access | `list(object({ userarn = string, username = string, groups = list(string) }))` | `[]` | no |
| [cluster\_additional\_addons](#input\_cluster\_additional\_addons) | Additional addons to install for EKS cluster. | `map(any)` | `{}` | no |
| [cluster\_autoscaler\_chart\_version](#input\_cluster\_autoscaler\_chart\_version) | Cluster Autoscaler Helm Chart Version | `string` | `"9.35.0"` | no |
| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart Configuration | `any` | `{}` | no |
| [cluster\_enable\_amazon\_cloudwatch\_observability\_addon](#input\_cluster\_enable\_amazon\_cloudwatch\_observability\_addon) | Indicates whether to enable the Amazon CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Cluster Logging in the Amazon EKS User Guide. | `list(string)` | `[]` | no |
| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is true | `bool` | `true` | no |
| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true | `bool` | `true` | no |
| [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. | `list(string)` | `["0.0.0.0/0"]` | no |
| [cluster\_iam\_role\_additional\_policies](#input\_cluster\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role. | `map(string)` | `{}` | no |
| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | n/a | yes |
| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.24"` | no |
| [customer\_application](#input\_customer\_application) | Customer application | `map(object({ namespaces = list(string), repositories = optional(list(string), []) }))` | n/a | yes |
| [developer\_users](#input\_developer\_users) | n/a | `list(any)` | n/a | yes |
| [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Cluster node group | `any` | `{"core_pool": {"desired_size": 2, "instance_types": ["t3.medium"], "labels": {"Pool": "core"}, "max_size": 4, "min_size": 1, "tags": {"Pool": "core"}}}` | no |
| [enable\_aws\_alb\_controller](#input\_enable\_aws\_alb\_controller) | Enable AWS Load Balancer Controller | `bool` | `false` | no |
| [enable\_aws\_ebs\_csi\_driver](#input\_enable\_aws\_ebs\_csi\_driver) | Enable AWS EBS CSI Driver | `bool` | `true` | no |
| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler | `bool` | `true` | no |
| [enable\_calico](#input\_enable\_calico) | Enable Calico | `bool` | `false` | no |
| [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable Cert Manager | `bool` | `true` | no |
| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster Autoscaler | `bool` | `true` | no |
| [enable\_default\_eks\_addons](#input\_enable\_default\_eks\_addons) | Value to enable default eks addons vpc-cni. | `bool` | `true` | no |
| [enable\_firestarter\_operations](#input\_enable\_firestarter\_operations) | Enable Firestarter Operations | `bool` | `false` | no |
| [enable\_fluentbit](#input\_enable\_fluentbit) | Enable Fluentbit | `bool` | `true` | no |
| [enable\_gitlab\_runner](#input\_enable\_gitlab\_runner) | Enable Gitlab Runner | `bool` | `true` | no |
| [enable\_ingress\_nginx](#input\_enable\_ingress\_nginx) | Enable Ingress Nginx | `bool` | `true` | no |
| [enable\_kube\_prometheus\_stack](#input\_enable\_kube\_prometheus\_stack) | Enable Kube Prometheus Stack | `bool` | `false` | no |
| [enable\_metric\_server](#input\_enable\_metric\_server) | Enable Metric Server | `bool` | `true` | no |
| [enable\_velero](#input\_enable\_velero) | Enable Velero | `bool` | `false` | no |
| [enable\_velero\_bucket\_lifecycle](#input\_enable\_velero\_bucket\_lifecycle) | Enable Velero Bucket Lifecycle | `bool` | `true` | no |
| [enhanced\_container\_insights\_enabled](#input\_enhanced\_container\_insights\_enabled) | Indicates whether to enable the enhanced CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| [fluentbit\_additional\_exclude\_from\_application\_log\_group](#input\_fluentbit\_additional\_exclude\_from\_application\_log\_group) | List of application logs to exclude log group | `list(string)` | `[]` | no |
| [fluentbit\_additional\_include\_in\_platform\_log\_group](#input\_fluentbit\_additional\_include\_in\_platform\_log\_group) | List of platform logs to include log group | `list(string)` | `[]` | no |
| [gitlab\_runner\_additional\_policy\_arns](#input\_gitlab\_runner\_additional\_policy\_arns) | Gitlab Runner Additional Policy ARNs | `list(string)` | `[]` | no |
| [gitlab\_runner\_registration\_token](#input\_gitlab\_runner\_registration\_token) | Gitlab Runner Registration Token | `string` | `""` | no |
| [gitlab\_runner\_tags](#input\_gitlab\_runner\_tags) | Gitlab Runner Helm Chart Configuration | `list(string)` | `["aws"]` | no |
| [ingress\_nginx\_helm\_config](#input\_ingress\_nginx\_helm\_config) | Ingress Nginx Helm Chart Configuration | `any` | `{}` | no |
| [install\_letsencrypt\_issuers](#input\_install\_letsencrypt\_issuers) | Install Let's Encrypt Issuers | `bool` | `true` | no |
| [kube\_prometheus\_grafana\_hostname](#input\_kube\_prometheus\_grafana\_hostname) | n/a | `string` | `""` | no |
| [kube\_prometheus\_storage\_zone](#input\_kube\_prometheus\_storage\_zone) | n/a | `list(string)` | `[]` | no |
| [letsencrypt\_email](#input\_letsencrypt\_email) | Email address for expiration emails from Let's Encrypt. | `string` | `"[email protected]"` | no |
| [metric\_server\_chart\_version](#input\_metric\_server\_chart\_version) | Metric Server Helm Chart Version | `string` | `"3.12.0"` | no |
| [metric\_server\_helm\_config](#input\_metric\_server\_helm\_config) | Metric Server Helm Chart Configuration | `any` | `{}` | no |
| [private\_subnet\_ids](#input\_private\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
| [project](#input\_project) | Project name | `string` | n/a | yes |
| [prometheus\_stack\_additional\_values](#input\_prometheus\_stack\_additional\_values) | Additional values for Kube Prometheus Stack | `list(string)` | `[]` | no |
| [velero\_bucket\_expiration\_days](#input\_velero\_bucket\_expiration\_days) | n/a | `number` | `90` | no |
| [velero\_bucket\_glacier\_days](#input\_velero\_bucket\_glacier\_days) | n/a | `number` | `60` | no |
| [velero\_bucket\_infrequently\_access\_days](#input\_velero\_bucket\_infrequently\_access\_days) | n/a | `number` | `30` | no |
| [velero\_chart\_version](#input\_velero\_chart\_version) | Velero Helm Chart Version | `string` | `"6.0.0"` | no |
| [velero\_helm\_config](#input\_velero\_helm\_config) | Velero Helm Chart Configuration | `any` | `{}` | no |
| [velero\_helm\_values](#input\_velero\_helm\_values) | Velero helm chart values | `string` | `""` | no |
| [velero\_schedule\_cron](#input\_velero\_schedule\_cron) | Velero Schedule Cron | `string` | `"0 4 * * *"` | no |
| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | n/a | `string` | n/a | yes |
| [vpc\_id](#input\_vpc\_id) | VPC | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| [aws\_eks\_cluster\_auth\_token](#output\_aws\_eks\_cluster\_auth\_token) | n/a |
| [cluster\_arn](#output\_cluster\_arn) | n/a |
| [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | n/a |
| [cluster\_endpoint](#output\_cluster\_endpoint) | n/a |
| [customer\_application\_ecr\_repository](#output\_customer\_application\_ecr\_repository) | n/a |
| [customer\_application\_namespaces](#output\_customer\_application\_namespaces) | n/a |
| [grafana\_admin\_password](#output\_grafana\_admin\_password) | # Grafana password |
| [ingress\_nginx\_dns\_name](#output\_ingress\_nginx\_dns\_name) | n/a |
| [ingress\_nginx\_zone\_id](#output\_ingress\_nginx\_zone\_id) | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_ecr_repository.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_iam_policy.aws_ebs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_lifecycle_configuration.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
| [aws_s3_bucket_public_access_block.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_versioning.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [helm_release.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.calico](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ebs](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.metric_server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.cert_manager_cluster_issuer](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.ebs_storageclass](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_namespace.aws_ebs_csi_driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.calico](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cert_manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.customer_application](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.metric_server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [random_id.resources_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
| [aws_lb.ingress_nginx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [template_file.velero_default_values](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [aws\_ebs\_csi\_driver\_identity](#module\_aws\_ebs\_csi\_driver\_identity) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.2 |
| [cluster\_access](#module\_cluster\_access) | github.com/sparkfabrik/terraform-kubernetes-cluster-access | 0.1.0 |
| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
| [firestarter\_operations](#module\_firestarter\_operations) | ./modules/firestarter-operations | n/a |
| [fluentbit](#module\_fluentbit) | github.com/sparkfabrik/terraform-helm-fluentbit | 0.3.1 |
| [gitlab\_runner](#module\_gitlab\_runner) | github.com/sparkfabrik/terraform-aws-eks-gitlab-runner | 4e020f8 |
| [iam\_assumable\_role\_with\_oidc\_for\_eks\_addons](#module\_iam\_assumable\_role\_with\_oidc\_for\_eks\_addons) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| [ingress\_nginx](#module\_ingress\_nginx) | github.com/sparkfabrik/terraform-helm-ingress-nginx | 0.7.0 |
| [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | github.com/sparkfabrik/terraform-sparkfabrik-prometheus-stack | 3.0.0 |
| [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| [velero\_irsa\_role](#module\_velero\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |