This module bootstraps a new EKS cluster with a basic configuration.

sparkfabrik/terraform-aws-eks-bootstrap


Terraform aws eks bootstrap

Bootstrap module for AWS EKS cluster.

Known Issues

Due to an issue with the amazon-cloudwatch-observability EKS addon, fluent-bit and the CloudWatch Agent are not deployed on tainted nodes.

The feature is in "Proposed" state: aws/containers-roadmap#2195.

Until the feature is released, you must manually add tolerations to the AmazonCloudWatchAgent custom resource and to the fluent-bit DaemonSet.

You can find the patch files in the eks-add-ons-patches directory and apply them with kubectl as follows:

# Patch the FluentBit DaemonSet
kubectl -n amazon-cloudwatch patch daemonset fluent-bit --type merge --patch-file eks-add-ons-patches/fluent-bit.yaml
# Patch the AmazonCloudWatchAgent resource (which produces the cloudwatch-agent daemonset)
kubectl -n amazon-cloudwatch patch AmazonCloudWatchAgent cloudwatch-agent --type merge --patch-file eks-add-ons-patches/cloudwatch-agent.yaml

The patches add the special toleration to the resources, allowing them to be scheduled on tainted nodes, as the Kubernetes documentation on taints and tolerations describes:

An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.
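The two kubectl commands above are a manual step that is lost on the next cluster rebuild. As an added example (not part of the sparkfabrik/terraform-aws-eks-bootstrap repository or its patch files), the same merge patches can be applied from the Terraform run that creates the cluster. It assumes the module is instantiated as `module.eks_bootstrap`, that `kubectl` on the machine running `terraform apply` already points at the cluster, Terraform 1.4 or newer for `terraform_data`, and that the `AmazonCloudWatchAgent` custom resource carries tolerations at `spec.tolerations`; the patch bodies are reconstructed from the description above, since the repository's patch files are not reproduced on this page.

```hcl
# Added example, not from the sparkfabrik/terraform-aws-eks-bootstrap repository.
# Assumes: module.eks_bootstrap exists, kubectl targets the cluster, Terraform >= 1.4.

locals {
  # Empty key + operator Exists: tolerates every taint, which is what the
  # repository's patch files apply so the agents also land on tainted nodes.
  tolerate_all = [{ operator = "Exists" }]

  # fluent-bit is a plain DaemonSet, so the toleration goes into the pod template.
  fluent_bit_patch = jsonencode({
    spec = { template = { spec = { tolerations = local.tolerate_all } } }
  })

  # Assumed CRD shape: the AmazonCloudWatchAgent resource exposes spec.tolerations,
  # which the operator copies into the cloudwatch-agent DaemonSet it renders.
  cloudwatch_agent_patch = jsonencode({
    spec = { tolerations = local.tolerate_all }
  })
}

resource "terraform_data" "cloudwatch_tolerations" {
  # Re-run the patches whenever their content changes.
  triggers_replace = [local.fluent_bit_patch, local.cloudwatch_agent_patch]

  # The addon (and therefore the objects being patched) must exist first.
  depends_on = [module.eks_bootstrap]

  provisioner "local-exec" {
    # jsonencode output contains no single quotes, so quoting it for sh is safe.
    command = <<-EOT
      set -e
      kubectl -n amazon-cloudwatch patch daemonset fluent-bit \
        --type merge --patch '${local.fluent_bit_patch}'
      kubectl -n amazon-cloudwatch patch AmazonCloudWatchAgent cloudwatch-agent \
        --type merge --patch '${local.cloudwatch_agent_patch}'
      # Verify the toleration actually reached the fluent-bit pod template;
      # a failed check fails the apply instead of silently leaving nodes unlogged.
      kubectl -n amazon-cloudwatch get daemonset fluent-bit \
        -o jsonpath='{.spec.template.spec.tolerations[*].operator}' | grep -q Exists
    EOT
  }
}
```

Keep in mind what the empty-key toleration means operationally: these pods will now schedule onto every tainted node, including pools you taint to keep third-party workloads off (dedicated or isolated nodes). For log and metrics agents that is normally the intent, but if a taint exists precisely to keep extra pods off a node, replace `tolerate_all` with tolerations for the specific taint keys you use.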

Providers

| Name | Version |
|------|---------|
| aws | >= 4.63 |
| helm | >= 2.9 |
| kubectl | >= 1.14 |
| kubernetes | >= 2.26 |
| random | >= 3.5 |
| template | >= 2.2 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.63 |
| helm | >= 2.9 |
| kubectl | >= 1.14 |
| kubernetes | >= 2.26 |
| random | >= 3.5 |
| template | >= 2.2 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| admin_users | n/a | `list(any)` | n/a | yes |
| aws_alb_controller_helm_config | AWS Load Balancer Controller Helm Chart Configuration | `any` | `{}` | no |
| aws_ebs_csi_driver_helm_config | AWS EBS CSI driver Helm Chart Configuration | `any` | `{}` | no |
| aws_node_termination_handler_helm_config | Node Termination Handler Helm Chart Configuration | `any` | `{}` | no |
| calico_helm_config | Calico Helm Chart Configuration | `any` | `{}` | no |
| cert_manager_helm_config | Cert Manager Helm Chart Configuration | `any` | `{}` | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. | `number` | `7` | no |
| cluster_access_admin_groups | The list of groups that will be mapped to the admin role in the application namespaces. | `list(string)` | n/a | yes |
| cluster_access_developer_groups | The list of groups that will be mapped to the developer role in the application namespaces. | `list(string)` | n/a | yes |
| cluster_access_map_users | Cluster access | `list(object({ userarn = string, username = string, groups = list(string) }))` | `[]` | no |
| cluster_additional_addons | Additional addons to install for the EKS cluster. | `map(any)` | `{}` | no |
| cluster_autoscaler_helm_config | Cluster Autoscaler Helm Chart Configuration | `any` | `{}` | no |
| cluster_enable_amazon_cloudwatch_observability_addon | Indicates whether to enable Amazon CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| cluster_enabled_log_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Cluster Logging in the Amazon EKS User Guide. | `list(string)` | `[]` | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is true | `bool` | `true` | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true | `bool` | `true` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_iam_role_additional_policies | Additional policies to be added to the IAM role. | `map(string)` | `{}` | no |
| cluster_name | The name of the EKS cluster | `string` | n/a | yes |
| cluster_version | The Kubernetes version to use for the EKS cluster. | `string` | `"1.24"` | no |
| customer_application | Customer application | `map(object({ namespaces = list(string), repositories = optional(list(string), []) }))` | n/a | yes |
| developer_users | n/a | `list(any)` | n/a | yes |
| eks_managed_node_groups | Cluster node group | `any` | `{ "core_pool": { "desired_size": 2, "instance_types": ["t3.medium"], "labels": { "Pool": "core" }, "max_size": 4, "min_size": 1, "tags": { "Pool": "core" } } }` | no |
| enable_aws_alb_controller | Enable AWS Load Balancer Controller | `bool` | `false` | no |
| enable_aws_ebs_csi_driver | Enable AWS EBS CSI Driver | `bool` | `true` | no |
| enable_aws_node_termination_handler | Enable AWS Node Termination Handler | `bool` | `true` | no |
| enable_calico | Enable Calico | `bool` | `false` | no |
| enable_cert_manager | Enable Cert Manager | `bool` | `true` | no |
| enable_cluster_autoscaler | Enable Cluster Autoscaler | `bool` | `true` | no |
| enable_default_eks_addons | Enable the default EKS addons (vpc-cni). | `bool` | `true` | no |
| enable_firestarter_operations | Enable Firestarter Operations | `bool` | `false` | no |
| enable_fluentbit | Enable Fluentbit | `bool` | `true` | no |
| enable_gitlab_runner | Enable Gitlab Runner | `bool` | `true` | no |
| enable_ingress_nginx | Enable Ingress Nginx | `bool` | `true` | no |
| enable_kube_prometheus_stack | Enable Kube Prometheus Stack | `bool` | `false` | no |
| enable_metric_server | Enable Metric Server | `bool` | `true` | no |
| enable_velero | Enable Velero | `bool` | `false` | no |
| enable_velero_bucket_lifecycle | Enable Velero Bucket Lifecycle | `bool` | `true` | no |
| enhanced_container_insights_enabled | Indicates whether to enable the enhanced CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| fluentbit_additional_exclude_from_application_log_group | List of application logs to exclude from the application log group | `list(string)` | `[]` | no |
| fluentbit_additional_include_in_platform_log_group | List of platform logs to include in the platform log group | `list(string)` | `[]` | no |
| gitlab_runner_additional_policy_arns | Gitlab Runner Additional Policy ARNs | `list(string)` | `[]` | no |
| gitlab_runner_registration_token | Gitlab Runner Registration Token | `string` | `""` | no |
| gitlab_runner_tags | Gitlab Runner Helm Chart Configuration | `list(string)` | `["aws"]` | no |
| ingress_nginx_helm_config | Ingress Nginx Helm Chart Configuration | `any` | `{}` | no |
| install_letsencrypt_issuers | Install Let's Encrypt Issuers | `bool` | `true` | no |
| kube_prometheus_grafana_hostname | n/a | `string` | `""` | no |
| kube_prometheus_storage_zone | n/a | `list(string)` | `[]` | no |
| letsencrypt_email | Email address for expiration emails from Let's Encrypt. | `string` | `"[email protected]"` | no |
| metric_server_helm_config | Metric Server Helm Chart Configuration | `any` | `{}` | no |
| private_subnet_ids | n/a | `list(string)` | n/a | yes |
| project | Project name | `string` | n/a | yes |
| prometheus_stack_additional_values | Additional values for Kube Prometheus Stack | `list(string)` | `[]` | no |
| velero_bucket_expiration_days | n/a | `number` | `90` | no |
| velero_bucket_glacier_days | n/a | `number` | `60` | no |
| velero_bucket_infrequently_access_days | n/a | `number` | `30` | no |
| velero_helm_config | Velero Helm Chart Configuration | `any` | `{}` | no |
| velero_helm_values | Velero helm chart values | `string` | `""` | no |
| vpc_cidr_block | n/a | `string` | n/a | yes |
| vpc_id | VPC | `string` | n/a | yes |
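A module call that sets every input the table marks as required and overrides the defaults a security reviewer would flag (public endpoint open to `0.0.0.0/0`, no control plane logs, 7-day retention, runner token left empty). This is an added example, not code from the repository: the `source` ref, VPC and subnet IDs, CIDRs, group names and the shape of `admin_users`/`developer_users` (assumed to be IAM user ARNs, since the table gives them no description) are constructed placeholders.

```hcl
# Added example, not from the sparkfabrik/terraform-aws-eks-bootstrap repository.
# Every ID, name and CIDR below is a constructed placeholder.

variable "gitlab_runner_registration_token" {
  description = "GitLab runner registration token; pass via TF_VAR_, never commit it."
  type        = string
  sensitive   = true # keeps the value out of plan/apply output
}

module "eks_bootstrap" {
  source = "github.com/sparkfabrik/terraform-aws-eks-bootstrap?ref=<release-tag>" # assumed: pin to a tag

  # Required inputs
  project            = "example-project"
  cluster_name       = "example-eks"
  vpc_id             = "vpc-0example00000000"                              # constructed
  vpc_cidr_block     = "10.20.0.0/16"                                      # constructed
  private_subnet_ids = ["subnet-0example000000a", "subnet-0example000000b"] # constructed

  # Assumed shape: the table types these as list(any) without a description.
  admin_users     = ["arn:aws:iam::123456789012:user/example-admin"]
  developer_users = ["arn:aws:iam::123456789012:user/example-dev"]

  cluster_access_admin_groups     = ["platform-admins"]
  cluster_access_developer_groups = ["app-developers"]

  customer_application = {
    "example-shop" = {
      namespaces   = ["example-shop-prod", "example-shop-stage"]
      repositories = ["example-shop-api"] # optional, defaults to []
    }
  }

  # API endpoint exposure: the module default is ["0.0.0.0/0"], i.e. the public
  # endpoint answers to the whole internet. Pin it to known egress ranges
  # (203.0.113.0/24 is a documentation range standing in for your office/VPN).
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]

  # Control plane logging is off by default ([]); audit and authenticator logs
  # are what incident response needs, and 7 days of retention is short for that.
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  cloudwatch_log_group_retention_in_days = 90

  # The GitLab runner is enabled by default with an empty token; supply the real
  # one through the sensitive variable above rather than a literal.
  enable_gitlab_runner             = true
  gitlab_runner_registration_token = var.gitlab_runner_registration_token

  # Let's Encrypt expiry notices should reach a monitored mailbox.
  letsencrypt_email = "ops@example.com"
}

output "cluster_endpoint" {
  value = module.eks_bootstrap.cluster_endpoint
}
```

If the cluster is only ever reached from inside the VPC or over a VPN, set `cluster_endpoint_public_access = false` instead and drop the CIDR list; the CIDR restriction is the compromise for teams that need the public endpoint.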

Outputs

| Name | Description |
|------|-------------|
| aws_eks_cluster_auth_token | n/a |
| cluster_arn | n/a |
| cluster_certificate_authority_data | n/a |
| cluster_endpoint | n/a |
| customer_application_ecr_repository | n/a |
| customer_application_namespaces | n/a |
| grafana_admin_password | Grafana password |
| ingress_nginx_dns_name | n/a |
| ingress_nginx_zone_id | n/a |

Resources

| Name | Type |
|------|------|
| aws_ecr_repository.repository | resource |
| aws_iam_policy.aws_ebs_csi_driver | resource |
| aws_s3_bucket.velero | resource |
| aws_s3_bucket_lifecycle_configuration.velero | resource |
| aws_s3_bucket_public_access_block.velero | resource |
| aws_s3_bucket_versioning.velero | resource |
| helm_release.aws_load_balancer_controller | resource |
| helm_release.aws_node_termination_handler | resource |
| helm_release.calico | resource |
| helm_release.cert_manager | resource |
| helm_release.cluster_autoscaler | resource |
| helm_release.ebs | resource |
| helm_release.metric_server | resource |
| helm_release.velero | resource |
| kubectl_manifest.cert_manager_cluster_issuer | resource |
| kubernetes_manifest.ebs_storageclass | resource |
| kubernetes_namespace.aws_ebs_csi_driver | resource |
| kubernetes_namespace.aws_load_balancer_controller | resource |
| kubernetes_namespace.aws_node_termination_handler | resource |
| kubernetes_namespace.calico | resource |
| kubernetes_namespace.cert_manager | resource |
| kubernetes_namespace.cluster_autoscaler | resource |
| kubernetes_namespace.customer_application | resource |
| kubernetes_namespace.metric_server | resource |
| kubernetes_namespace.velero | resource |
| random_id.resources_suffix | resource |
| aws_caller_identity.current | data source |
| aws_eks_cluster_auth.this | data source |
| aws_lb.ingress_nginx | data source |
| aws_region.current | data source |
| template_file.velero_default_values | data source |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_ebs_csi_driver_identity | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.2 |
| cluster_access | github.com/sparkfabrik/terraform-kubernetes-cluster-access | 0.1.0 |
| cluster_autoscaler_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| eks | terraform-aws-modules/eks/aws | ~> 19.13 |
| firestarter_operations | ./modules/firestarter-operations | n/a |
| fluentbit | github.com/sparkfabrik/terraform-helm-fluentbit | 0.3.1 |
| gitlab_runner | github.com/sparkfabrik/terraform-aws-eks-gitlab-runner | 4e020f8 |
| iam_assumable_role_with_oidc_for_eks_addons | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| ingress_nginx | github.com/sparkfabrik/terraform-helm-ingress-nginx | 0.4.0 |
| kube_prometheus_stack | github.com/sparkfabrik/terraform-sparkfabrik-prometheus-stack | 3.0.0 |
| load_balancer_controller_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| node_termination_handler_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| velero_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |