diff --git a/.chglog/CHANGELOG.tpl.md b/.chglog/CHANGELOG.tpl.md new file mode 100644 index 0000000000..7662c4d6c7 --- /dev/null +++ b/.chglog/CHANGELOG.tpl.md @@ -0,0 +1,66 @@ +# Change Log + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/) and this +project adheres to [Semantic Versioning](http://semver.org/). + +{{ if .Versions -}} + +## [Unreleased] +{{ if .Unreleased.CommitGroups -}} +{{ range .Unreleased.CommitGroups -}} +{{ .Title }}: +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end -}} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Unreleased.Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end -}} +{{ end }} +{{ end -}} +{{ end -}} + +{{ range .Versions }} + +## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }} +{{ if .CommitGroups -}} +{{ range .CommitGroups -}} +{{ .Title }}: +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end -}} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end -}} +{{ end }} +{{ end -}} + +{{- if .NoteGroups -}} +{{ range .NoteGroups -}} +{{ .Title }}: +{{ range .Notes }} +{{ .Body }} +{{ end }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- if .Versions }} +[Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD +{{ range .Versions -}} +{{ if .Tag.Previous -}} +[{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }} +{{ end -}} +{{ end -}} +{{ end -}} diff --git a/.chglog/config.yml b/.chglog/config.yml new file mode 100644 index 0000000000..16a95bc100 --- /dev/null +++ b/.chglog/config.yml 
@@ -0,0 +1,48 @@ +style: github +template: CHANGELOG.tpl.md +info: + title: CHANGELOG + repository_url: https://github.com/terraform-aws-modules/terraform-aws-eks +options: + commits: + sort_by: Type + filters: + Type: + - feat + - fix + - improvement + - docs + - refactor + - test + - ci + - chore + + commit_groups: + group_by: Type + sort_by: Type + title_maps: + feat: FEATURES + fix: BUG FIXES + improvement: ENHANCEMENTS + docs: DOCS + refactor: REFACTORS + test: TESTS + ci: CI + chore: CHORES + + header: + pattern: "^(.+)\\s*:\\s*(.+)$" + pattern_maps: + - Type + - Subject + + notes: + keywords: + - BREAKING CHANGE + - NOTES + + refs: + actions: + - Closes + - Fixes + - Resolves diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000000..88cb251903 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,30 @@ +# EditorConfig is awesome: http://EditorConfig.org +# Uses editorconfig to maintain consistent coding styles + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +charset = utf-8 +end_of_line = lf +indent_size = 2 +indent_style = space +insert_final_newline = true +max_line_length = 80 +trim_trailing_whitespace = true + +[*.{tf,tfvars}] +indent_size = 2 +indent_style = space + +[*.md] +max_line_length = 0 +trim_trailing_whitespace = false + +[Makefile] +tab_width = 2 +indent_style = tab + +[COMMIT_EDITMSG] +max_line_length = 0 diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000000..0323f79ab1 --- /dev/null +++ b/.github/CONTRIBUTING.md 
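Review bot: The `header.pattern` `^(.+)\s*:\s*(.+)$` maps only `Type` and `Subject`, so a conventional-commit header carrying a scope such as `fix(workers): …` yields a `Type` of `fix(workers)`, which is not in `filters.Type` and is silently dropped from the generated changelog; the greedy first group also turns `fix: a: b` into `Type` `fix: a`. The template added in the same commit renders `{{ .Scope }}`, yet nothing in `pattern_maps` ever populates it. If scoped headers are meant to be supported, use a pattern with an optional scope group, e.g. `pattern: "^(\\w+)(?:\\(([^)]+)\\))?\\s*:\\s*(.+)$"`, and add `- Scope` between `- Type` and `- Subject` in `pattern_maps`; if scopes are intentionally unsupported, that should be stated next to the prefix list in CONTRIBUTING.md so contributors know such commits will not appear.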
@@ -0,0 +1,34 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via issue, +email, or any other method with the owners of this repository before making a change. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure any install or build dependencies are removed before the end of the layer when doing a build. +2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. +3. Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will be included in the next release. The terraform-aws-eks mainteners takes care of updating the CHANGELOG as they merge. + +## Checklists for contributions + +- [ ] Add [sementics prefix](#semantic-pull-requests) to your PR or Commits (at leats one of your commit groups) +- [ ] CI tests are passing +- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation + +## Semantic Pull Requests + +To generate changelog, Pull Requests or Commits must have sementic and must follow conventional specs below: + +- `feat:` for new features +- `fix:` for bug fixes +- `improvement:` for enhancements +- `docs:` for documentation and examples +- `refactor:` for code refactoring +- `test:` for tests +- `ci:` for CI purpose +- `chore:` for chores stuff + +There is a special prefix `skip changelog` which is skipped during changelog generation. It can be used for `skip changelog: update changelog` commit message by example. + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 9310a74454..6a10d8fa5f 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -6,6 +6,5 @@ Please explain the changes you made here and link to any relevant issues. ### Checklist -- [ ] Change added to CHANGELOG.md. All changes must be added and breaking changes and highlighted - [ ] CI tests are passing - [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000000..d8a21f9f41 --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,32 @@ +# Always validate the PR title, and ignore the commits +titleOnly: true + +# Always validate all commits, and ignore the PR title +commitsOnly: false + +# Always validate the PR title AND all the commits +titleAndCommits: false + +# Require at least one commit to be valid +# this is only relevant when using commitsOnly: true or titleAndCommits: true, +# which validate all commits by default +anyCommit: false + +# By default types specified in commitizen/conventional-commit-types is used. +# See: https://github.com/commitizen/conventional-commit-types/blob/v2.3.0/index.json +# You can override the valid types +types: + - feat + - fix + - improvement + - docs + - refactor + - test + - ci + - chore + - skip changelog + - skip ci + +# Allow use of Merge commits (eg on github: "Merge branch 'master' into feature/ride-unicorns") +# this is only relevant when using commitsOnly: true (or titleAndCommits: true) +allowMergeCommits: false diff --git a/.github/workflows/changelog-check.yaml b/.github/workflows/changelog-check.yaml new file mode 100644 index 0000000000..34fe6056c3 --- /dev/null +++ b/.github/workflows/changelog-check.yaml 
@@ -0,0 +1,20 @@
+name: CHANGELOG Checks
+on:
+ pull_request:
+ paths:
+ - CHANGELOG.md
+
+jobs:
+ changelog-check:
+ name: CHANGELOG Check
+ runs-on: ubuntu-latest
+ steps:
+ - name: Fail the check if changelog change
+ run: |-
+ echo "Thank you for your contribution!"
+ echo ""
+ echo "The 'CHANGELOG.md' file contents are handled by the maintainers during merge. This is to prevent pull request merge conflicts."
+ echo "Please see the Contributing Guide for additional pull request review items."
+ echo ""
+ echo "Remove any changes to the 'CHANGELOG.md' file and commit them in this pull request."
+ exit 1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2ef163cdd0..57e27e7cc4 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -40,9 +40,13 @@ jobs:
 env:
 AWS_REGION: 'us-east-1'
 TF_WARN_OUTPUT_ERRORS: 1
+ TF_VAR_vpc_id: 'vpc-123456'
+ TF_VAR_subnets: '["subnet-12345a"]'
+ TF_VAR_workers_ami_id: 'ami-123456'
+ TF_VAR_cluster_name: 'test_cluster'
 run: |
 terraform init
- terraform validate -var "region=${AWS_REGION}" -var "vpc_id=vpc-123456" -var "subnets=[\"subnet-12345a\"]" -var "workers_ami_id=ami-123456" -var "cluster_ingress_cidrs=[]" -var "cluster_name=test_cluster"
+ terraform validate
 - name: Validate Examples
 run: |
 for example in $(find examples -maxdepth 1 -mindepth 1 -type d); do
diff --git a/.gitignore b/.gitignore
index 6128b4ba23..6b31084d05 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,8 +3,6 @@
 .terraform/
 **/inspec.lock
 *.gem
-.kitchen/
-.kitchen.local.yml
 Gemfile.lock
 terraform.tfstate.d/
 eks-admin-cluster-role-binding.yaml
diff --git a/.kitchen.yml b/.kitchen.yml
deleted file mode 100644
index b185344d90..0000000000
--- a/.kitchen.yml
+++ /dev/null
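Review bot: The closing message `echo "Remove any changes to the 'CHANGELOG.md' file and commit them in this pull request."` reads as an instruction to commit the very changes the job rejects; `echo "Remove the 'CHANGELOG.md' changes from this pull request and push again."` says what is meant. Because the workflow is filtered with `paths: - CHANGELOG.md`, it never reports a status on pull requests that do not touch that file, so it should not be configured as a required status check or those PRs would wait on it indefinitely; a one-line comment above `paths:` recording that would save a maintainer the surprise.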
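Review bot: The rewritten `terraform validate` drops two inputs the removed command supplied: `-var "region=${AWS_REGION}"` and `-var "cluster_ingress_cidrs=[]"` have no `TF_VAR_` counterpart in the new `env:` block, while the other four flags were carried over. Whether that matters depends on the Terraform version this job runs (0.12's `validate` does not read variable values, so the omission may be harmless there), but if the `TF_VAR_` block is meant to mirror the old flags, `region` and `cluster_ingress_cidrs` should either be added — `TF_VAR_region: 'us-east-1'` next to `AWS_REGION` keeps the two in step — or the omission confirmed against the root module's current variables. The enclosing job definition starts and ends outside the hunk.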
@@ -1,20 +0,0 @@
----
-driver:
- name: "terraform"
- root_module_directory: "examples/basic"
-
-provisioner:
- name: "terraform"
-
-platforms:
- - name: "aws"
-
-verifier:
- name: "awspec"
-
-suites:
- - name: "default"
- verifier:
- name: "awspec"
- patterns:
- - "test/integration/default/test_eks.rb"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9381459513..71ccc545ba 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.24.0
+ rev: v1.27.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/.prettierignore b/.prettierignore
deleted file mode 100644
index 08ce6f3485..0000000000
--- a/.prettierignore
+++ /dev/null
@@ -1 +0,0 @@
-**/*.*
diff --git a/.ruby-version b/.ruby-version
deleted file mode 100644
index 7bf4b6a8ae..0000000000
--- a/.ruby-version
+++ /dev/null
@@ -1 +0,0 @@
-2.4.6
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35cc46cd12..b5511b9e54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,345 +5,39 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). -## Next release + +## [Unreleased] -## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] -- Write your awesome change here (by @you) -# History + +## [v11.0.0] - 2020-03-31 +FEATURES: +- Add instance tag specifications to Launch Template ([#822](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/822)) +- Add support for additional volumes in launch templates and launch configurations ([#800](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/800)) +- Add interpreter option to `wait_for_cluster_cmd` ([#795](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/795)) -## [[v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0)] - 2020-01-29] +ENHANCEMENTS: +- Use `aws_partition` to build IAM policy ARNs ([#820](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/820)) +- Generate `aws-auth` configmap's roles from Object. No more string concat. 
([#790](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/790)) +- Add timeout to default wait_for_cluster_cmd ([#791](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/791)) +- automate changelog management ([#786](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/786)) -- Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri) -- Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) -- [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) +BUG FIXES: +- Fix destroy failure when talking to EKS endpoint on private network ([#815](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/815)) +- add ip address when manage_aws_auth is true and public_access is false ([#745](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/745)) +- Add node_group direct dependency on eks_cluster ([#796](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/796)) +- Do not recreate cluster when no SG given ([#798](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/798)) +- Create `false` and avoid waiting forever for a non-existent cluster to respond ([#789](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/789)) +- fix git-chglog template to format changelog `Type` nicely ([#803](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/803)) +- fix git-chglog configuration ([#802](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/802)) -## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17] +CI: +- Restrict sementic PR to validate PR title only ([#804](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/804)) -- Fix index reference on destroy for output `oidc_provider_arn` (@stevie-) -- Add support for restricting access to the public API endpoint 
(@sidprak) -- Add an `ignore_lifecycle` rule to prevent Terraform from scaling down ASG behind AWS EKS Managed Node Group (by @davidalger) +TESTS: +- remove unused kitchen test related stuff ([#787](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/787)) -## [[v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1)] - 2020-01-09] -- **Breaking:** Change logic of security group whitelisting. Will always whitelist worker security group on control plane security group either provide one or create new one. See Important notes below for upgrade notes (by @ryanooi) -- **Breaking:** Configure the aws-auth configmap using the terraform kubernetes providers. See Important notes below for upgrade notes (by @sdehaes) -- Wait for cluster to respond to kubectl before applying auth map_config (@shaunc) -- Added flag `create_eks` to conditionally create resources (by @syst0m / @tbeijen) -- Support for AWS EKS Managed Node Groups. (by @wmorgan6796) -- Added a if check on `aws-auth` configmap when `map_roles` is empty (by @shanmugakarna) -- Removed no longer used variable `write_aws_auth_config` (by @tbeijen) -- Exit with error code when `aws-auth` configmap is unable to be updated (by @knittingdev) -- Fix deprecated interpolation-only expression (by @angelabad) -- Updated required version of AWS Provider to >= v2.38.0 for Managed Node Groups (by @wmorgan6796) -- Updated minimum version of Terraform to avoid a bug (by @dpiddockcmp) -- Fix cluster_oidc_issuer_url output from list to string (by @chewvader) -- Fix idempotency issues for node groups with no remote_access configuration (by @jeffmhastings) -- Fix aws-auth config map for managed node groups (by @wbertelsen) -- Added support to create IAM OpenID Connect Identity Provider to enable EKS Identity Roles for Service Accounts (IRSA). (by @alaa) -- Adding node group iam role arns to outputs. (by @mukgupta) -- Added the OIDC Provider ARN to outputs. 
(by @eytanhanig) -- Move `eks_node_group` resources to a submodule (by @dpiddockcmp) -- Add complex output `node_groups` (by @TBeijen) - -#### Important notes - -The way the `aws-auth` configmap in the `kube-system` namespaces is managed has been changed. Before this was managed via kubectl using a null resources. This was changed to be managed by the terraform Kubernetes provider. - -To upgrade you have to add the kubernetes provider to the place you are calling the module. You can see examples in -the [examples](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/93636625740c63fd89ad8bc60ad180761288c54d/examples) folder. Then you should import the configmap into Terraform: - -``` -terraform import module.cluster1.kubernetes_config_map.aws_auth[0] kube-system/aws-auth -``` - -You could also delete the aws-auth config map before doing an apply but this means you need to the apply with the **same user/role that created the cluster**. - -For security group whitelisting change. After upgrade, have to remove `cluster_create_security_group` and `worker_create_security_group` variable. If you have whitelist worker security group before, you will have to delete it(and apply again) or import it. 
- -``` -terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress _ingress_tcp_443_443_ -``` - -# History - -## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)] - 2019-12-11] - -- Test against minimum versions specified in `versions.tf` (by @dpiddockcmp) -- Updated `instance_profile_names` and `instance_profile_arns` outputs to also consider launch template as well as asg (by @ankitwal) -- Fix broken terraform plan/apply on a cluster < 1.14 (by @hodduc) -- Updated application of `aws-auth` configmap to create `kube_config.yaml` and `aws_auth_configmap.yaml` in sequence (and not parallel) to `kubectl apply` (by @knittingdev) - -## [[v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0)] - 2019-10-30] - -- **Breaking:** Allow for specifying a custom AMI for the worker nodes. (by @bmcstdio) -- Added support for Windows workers AMIs (by @hodduc) -- Allow for replacing the full userdata text with a `userdata_template_file` template and `userdata_template_extra_args` in `worker_groups` (by @snstanton) -- **Breaking:** The `kubectl` configuration file can now be fully-specified using `config_output_path`. Previously it was assumed that `config_output_path` referred to a directory and always ended with a forward slash. This is a breaking change if `config_output_path` does **not** end with a forward slash (which was advised against by the documentation). (by @joshuaspence) -- Changed logic for setting default `ebs_optimized` to only require maintaining a list of instance types that don't support it (by @jeffmhastings) -- Bumped minimum terraform version to 0.12.2 to prevent an error on yamlencode function (by @toadjaune) -- Access conditional resource using join function in combination with splat syntax (by @miguelaferreira) - -#### Important notes - -An AMI is now specified using the whole name, for example `amazon-eks-node-1.14-v20190927`. 
- -## [[v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2)] - 2019-10-07] - -- Added `tags` to `aws_eks_cluster` introduced by terraform-provider-aws 2.31.0 (by @morganchristiansson) -- Add option to enable lifecycle hooks creation (by @barryib) -- Remove helm chart value `sslCertPath` described in `docs/autoscaling.md` (by @wi1dcard) -- Attaching of IAM policies for autoscaler and CNI to the worker nodes now optional (by @dpiddockcmp) - -## [[v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1)] - 2019-09-25] - -- Added support for different workers AMI's, i.e. with GPU support (by @rvoitenko) -- Use null as default value for `target_group_arns` attribute of worker autoscaling group (by @tatusl) -- Output empty string when cluster identity is empty (by @tbarry) - -## [[v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0)] - 2019-09-17] - -- Added `market_type` to `workers_launch_template.tf` allow the usage of spot nodegroups without mixed instances policy. -- Added support for log group tag in `./cluster.tf` (@lucas-giaco) -- Added support for workers iam role tag in `./workers.tf` (@lucas-giaco) -- Added `required_providers` to enforce provider minimum versions (by @dpiddockcmp) -- Updated `local.spot_allocation_strategy` docstring to indicate availability of new `capacity-optimized` option. 
(by @sc250024) -- Added support for initial lifecycle hooks for autosacling groups (@barryib) -- Added option to recreate ASG when LT or LC changes (by @barryib) -- Ability to specify workers role name (by @ivanich) -- Added output for OIDC Issuer URL (by @russwhelan) -- Added support for Mixed Instance ASG using `worker_groups_launch_template` variable (by @sppwf) -- Changed ASG Tags generation using terraform 12 `for` utility (by @sppwf) -- **Breaking:** Removed `worker_groups_launch_template_mixed` variable (by @sppwf) -- Update to EKS 1.14 (by @nauxliu) -- **Breaking:** Support map users and roles to multiple groups (by @nauxliu) -- Fixed errors sometimes happening during destroy due to usage of coalesce() in local.tf (by @petrikero) -- Removed historical mention of adding caller's IPv4 to cluster security group (by @dpiddockcmp) -- Wrapped `kubelet_extra_args` in double quotes instead of singe quotes (by @nxf5025) -- Make terraform plan more consistent and avoid unnecessary "(known after apply)" (by @barryib) -- Made sure that `market_type` was correctly passed to `workers_launch_template` (by @to266) - -#### Important notes - -You will need to move worker groups from `worker_groups_launch_template_mixed` to `worker_groups_launch_template`. You can rename terraform resources in the state to avoid an destructive changes. - -Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [""]`. 
- -## [[v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1)] - 2019-07-30] - -- Added new tag in `worker.tf` with autoscaling_enabled = true flag (by @insider89) - -## [[v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0)] - 2019-07-30] - -- Option to set a KMS key for the log group and encrypt it (by @till-krauss) -- Output the name of the cloudwatch log group (by @gbooth27) -- Added `cpu_credits` param for the workers defined in `worker_groups_launch_template` (by @a-shink) -- Added support for EBS Volumes tag in `worker_groups_launch_template` and `workers_launch_template_mixed.tf` (by @sppwf) -- Basic example now tags networks correctly, as per [ELB documentation](https://docs.aws.amazon.com/eks/latest/userguide/load-balancing.html) and [ALB documentation](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) (by @karolinepauls) -- Update default override instance types to work with Cluster Autoscaler (by @nauxliu on behalf of RightCapital) -- Examples now specify `enable_dns_hostnames = true`, as per [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) (by @karolinepauls) - -## [[v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0)] - 2019-06-19] - -- Added Termination Policy Option to worker ASGs (by @undeadops) -- Update EBS optimized instances type (by @gloutsch) -- Added tagging for iam role created in `./cluster.tf` (@camilosantana) -- Enable log retention for cloudwatch log groups (by @yuriipolishchuk) -- Update to EKS 1.13 (by @gloutsch) -- Finally, Terraform 0.12 support, [Upgrade Guide](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/394) (by @alex-goncharov @nauxliu @timboven) -- All the xx_count variables have been removed (by @nauxliu on behalf of RightCapital) -- Use actual lists in the workers group maps instead of strings with commas (by @nauxliu on behalf of 
RightCapital) -- Move variable `worker_group_tags` to workers group's attribute `tags` (by @nauxliu on behalf of RightCapital) -- Change override instance_types to list (by @nauxliu on behalf of RightCapital) -- Fix toggle for IAM instance profile creation for mixed launch templates (by @jnozo) - -## [[v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2)] - 2019-05-07] -- Added 2 new examples, also tidy up basic example (by @max-rocket-internet) -- Updates to travis, PR template (by @max-rocket-internet) -- Fix typo in data.tf (by @max-rocket-internet) -- Add missing launch template items in `aws_auth.tf` (by @max-rocket-internet) - -## [[v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1)] - 2019-05-07] - -- Fix annoying typo: worker_group_xx vs worker_groups_xx (by @max-rocket-internet) - -## [[v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0)] - 2019-05-07] - -- Added support for custom service linked role for Auto Scaling group (by @voanhduy1512) -- Added support for custom IAM roles for cluster and workers (by @erks) -- Added cluster ARN to outputs (by @alexsn) -- Added outputs for `workers_user_data` and `workers_default_ami_id` (by @max-rocket-internet) -- Added doc about spot instances (by @max-rocket-internet) -- Added new worker group option with a mixed instances policy (by @max-rocket-internet) -- Set default suspended processes for ASG to `AZRebalance` (by @max-rocket-internet) -- 4 small changes to `aws_launch_template` resource (by @max-rocket-internet) -- (Breaking Change) Rewritten and de-duplicated code related to Launch Templates (by @max-rocket-internet) -- Add .prettierignore file (by @rothandrew) -- Switch to https for the pre-commit repos (by @rothandrew) -- Add instructions on how to enable the docker bridge network (by @rothandrew) - -## 
[[v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0)] - 2019-04-15] - -- Fixed: Ability to destroy clusters due to security groups being attached to ENI's (by @whiskeyjimbo) -- Added outputs for worker IAM instance profile(s) (by @soapergem) -- Added support for cluster logging via the `cluster_enabled_log_types` variable (by @sc250024) -- Updated vpc module version and aws provider version. (by @chenrui333) -- Upgraded default kubernetes version from 1.11 to 1.12 (by @stijndehaes) - -## [[v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1)] - 2019-03-26] - -- Added support for eks public and private endpoints (by @stijndehaes) -- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024) -- (Breaking Change) Replaced `enable_docker_bridge` with a generic option called `bootstrap_extra_args` to resolve [310](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/310) (by @max-rocket-internet) - -## [[v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0)] - 2019-03-20] - -- Allow additional policies to be attached to worker nodes (by @rottenbytes) -- Ability to specify a placement group for each worker group (by @matheuss) -- "k8s.io/cluster-autoscaler/{cluster-name}" and "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage" tags for autoscaling groups (by @tbarrella) -- Added "ec2:DescribeLaunchTemplateVersions" action to worker instance role (by @skang0601) -- Adding ebs encryption for workers launched using workers_launch_template (by @russki) -- Added output for generated kubeconfig filename (by @syst0m) -- Added outputs for cluster role ARN and name (by @spingel) -- Added optional name filter variable to be able to pin worker AMI to a release (by @max-rocket-internet) -- Added 
`--enable-docker-bridge` option for bootstrap.sh in AMI (by @michaelmccord) - -## [[v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2)] - 2019-02-25] - -- Ability to specify a path for IAM roles (by @tekn0ir) - -## [[v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1)] - 2019-02-18] - -## [[v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0)] - 2019-02-07] - -- Ability to specify a permissions_boundary for IAM roles (by @dylanhellems) -- Ability to configure force_delete for the worker group ASG (by @stefansedich) -- Ability to configure worker group ASG tags (by @stefansedich) -- Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich) -- `enabled_metrics` input (by @zanitete) -- write_aws_auth_config to input (by @yutachaos) -- Change worker group ASG to use create_before_destroy (by @stefansedich) -- Fixed a bug where worker group defaults were being used for launch template user data (by @leonsodhi-lf) -- Managed_aws_auth option is true, the aws-auth configmap file is no longer created, and write_aws_auth_config must be set to true to generate config_map. (by @yutachaos) - -## [[v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0)] - 2019-01-15] - -- Initial support for worker groups based on Launch Templates (by @skang0601) -- Updated the `update_config_map_aws_auth` resource to trigger when the EKS cluster endpoint changes. 
This likely means that a new cluster was spun up so our ConfigMap won't exist (fixes #234) (by @elatt) -- Removed invalid action from worker_autoscaling iam policy (by @marcelloromani) -- Fixed zsh-specific syntax in retry loop for aws auth config map (by @marcelloromani) -- Fix: fail deployment if applying the aws auth config map still fails after 10 attempts (by @marcelloromani) - -## [[v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0)] - 2018-12-14] - -- (Breaking Change) New input variables `map_accounts_count`, `map_roles_count` and `map_users_count` to allow using computed values as part of `map_accounts`, `map_roles` and `map_users` configs (by @chili-man on behalf of OpenGov). -- (Breaking Change) New variables `cluster_create_security_group` and `worker_create_security_group` to stop `value of 'count' cannot be computed` error. -- Added ability to choose local-exec interpreter (by @rothandrew) -- Added `--with-aggregate-type-defaults` option to terraform-docs (by @max-rocket-internet) -- Updated AMI ID filtering to only filter AMIs from current cluster k8s version (by @max-rocket-internet) -- Added `pre-commit-terraform` git hook to automatically create documentation of inputs/outputs (by @antonbabenko) -- Travis fixes (by @RothAndrew) -- Fixed some Windows compatibility issues (by @RothAndrew) - -## [[v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0)] - 2018-12-04] - -- Support for using AWS Launch Templates to define autoscaling groups (by @skang0601) -- `suspended_processes` to `worker_groups` input (by @bkmeneguello) -- `target_group_arns` to `worker_groups` input (by @zihaoyu) -- `force_detach_policies` to `aws_iam_role` `cluster` and `workers` (by @marky-mark) -- Added sleep while trying to apply the kubernetes configurations if failed, up to 50 seconds (by @rmakram-ims) -- `cluster_create_security_group` and `worker_create_security_group`. 
This allows using computed cluster and worker security groups. (by @rmakram-ims) -- new variables worker_groups_launch_template and worker_group_count_launch_template (by @skang0601) -- Remove aws_iam_service_linked_role (by @max-rocket-internet) -- Adjust the order and correct/update the ec2 instance type info. (@chenrui333) -- Removed providers from `main.tf`. (by @max-rocket-internet) -- Removed `configure_kubectl_session` references in documentation [#171](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/171) (by @dominik-k) - -## [[v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0)] - 2018-10-09] - -- Worker groups can be created with a specified IAM profile. (from @laverya) -- exposed `aws_eks_cluster` create and destroy timeouts (by @RGPosadas) -- exposed `placement_tenancy` for autoscaling group (by @monsterxx03) -- Allow port 443 from EKS service to nodes to run `metrics-server`. (by @max-rocket-internet) -- fix default worker subnets not working (by @erks) -- fix default worker autoscaling_enabled not working (by @erks) -- Cosmetic syntax changes to improve readability. (by @max-rocket-internet) -- add `protect_from_scale_in` to solve issue #134 (by @kinghajj) - -## [[v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0)] - 2018-09-04] - -- add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks) -- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. 
taints and labels) (by @erks)
-- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
-- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
-- allow a custom AMI to be specified as a default (by @erks)
-- bugfix for above change (by @max-rocket-internet)
-- **Breaking change** Removed support for `eks-worker-*` AMI. The cluster specifying a custom AMI based off of `eks-worker-*` AMI will have to rebuild the AMI from `amazon-eks-node-*`. (by @erks)
-- **Breaking change** Removed `kubelet_node_labels` worker group option in favor of `kubelet_extra_args`. (by @erks)
-
-## [[v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0)] - 2018-08-30]
-
-- add spot_price option to aws_launch_configuration
-- add enable_monitoring option to aws_launch_configuration
-- add t3 instance class settings
-- add aws_iam_service_linked_role for elasticloadbalancing. (by @max-rocket-internet)
-- Added autoscaling policies into module that are optionally attached when enabled for a worker group. (by @max-rocket-internet)
-- **Breaking change** Removed `workstation_cidr` variable, http callout and unnecessary security rule. (by @dpiddockcmp)
-  If you are upgrading from 1.4 you should fix state after upgrade: `terraform state rm module.eks.data.http.workstation_external_ip`
-- Can now selectively override keys in `workers_group_defaults` variable rather than callers maintaining a duplicate of the whole map. (by @dpiddockcmp)
-
-## [[v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0)] - 2018-08-02]
-
-- manage eks workers' root volume size and type.
-- `workers_asg_names` added to outputs.
(kudos to @laverya)
-- New top level variable `worker_group_count` added to replace the use of `length(var.worker_groups)`. This allows using computed values as part of worker group configs. (complaints to @laverya)
-
-## [[v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0)] - 2018-07-11]
-
-- New variables `map_accounts`, `map_roles` and `map_users` in order to manage additional entries in the `aws-auth` configmap. (by @max-rocket-internet)
-- kubelet_node_labels worker group option allows setting --node-labels= in kubelet. (Hat-tip, @bshelton229 👒)
-- `worker_iam_role_arn` added to outputs. Sweet, @hatemosphere 🔥
-- Worker subnets able to be specified as a dedicated list per autoscaling group. (up top, @bshelton229 🙏)
-
-## [[v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0)] - 2018-07-01]
-
-- new variable `pre_userdata` added to worker launch configuration allows to run scripts before the plugin does anything. (W00t, @jimbeck 🦉)
-- kubeconfig made much more flexible. (Bang up job, @sdavids13 💥)
-- ASG desired capacity is now ignored as ASG size is more effectively handed by k8s. (Thanks, @ozbillwang 💇‍♂️)
-- Providing security groups didn't behave as expected. This has been fixed. (Good catch, @jimbeck 🔧)
-- workstation cidr to be allowed by created security group is now more flexible. (A welcome addition, @jimbeck 🔐)
-
-## [[v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0)] - 2018-06-25]
-
-- new variable `worker_sg_ingress_from_port` allows to change the minimum port number from which pods will accept communication (Thanks, @ilyasotkov 👏).
-- expanded on worker example to show how multiple worker autoscaling groups can be created.
-- IPv4 is used explicitly to resolve testing from IPv6 networks (thanks, @tsub 🙏).
-- Configurable public IP attachment and ssh keys for worker groups. Defaults defined in `worker_group_defaults`.
Nice, @hatemosphere 🌂
-- `worker_iam_role_name` now an output. Sweet, @artursmet 🕶️
-- IAM test role repaired by @lcharkiewicz 💅
-- `kube-proxy` restart no longer needed in userdata. Good catch, @hatemosphere 🔥
-- worker ASG reattachment wasn't possible when using `name`. Moved to `name_prefix` to allow recreation of resources. Kudos again, @hatemosphere 🐧
-
-## [[v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0)] - 2018-06-11]
-
-- security group id can be provided for either/both of the cluster and the workers. If not provided, security groups will be created with sufficient rules to allow cluster-worker communication. - kudos to @tanmng on the idea ⭐
-- outputs of security group ids and worker ASG arns added for working with these resources outside the module.
-- Worker build out refactored to allow multiple autoscaling groups each having differing specs. If none are given, a single ASG is created with a set of sane defaults - big thanks to @kppullin 🥨
-
-## [[v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0)] - 2018-06-08]
-
-- ability to specify extra userdata code to execute following kubelet services start.
-- EBS optimization used whenever possible for the given instance type.
-- When `configure_kubectl_session` is set to true the current shell will be configured to talk to the kubernetes cluster using config files output from the module.
-- files rendered from dedicated templates to separate out raw code and config from `hcl`
-- `workers_ami_id` is now made optional. If not specified, the module will source the latest AWS supported EKS AMI instead.
-
-## [[v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1)] - 2018-06-07]
-- Pre-commit hooks fixed and working.
-- Made progress on CI, advancing the build to the final `kitchen test` stage before failing.
-
-## [v0.1.0] - 2018-06-07
-
-- Everything! Initial release of the module.
-- added a local variable to do a lookup against for a dynamic value in userdata which was previously static. Kudos to @tanmng for finding and fixing bug #1!
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v11.0.0...HEAD
+[v11.0.0]: https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v10.0.0...v11.0.0
diff --git a/CHANGELOG.pre-v11.0.0.md b/CHANGELOG.pre-v11.0.0.md
new file mode 100644
index 0000000000..4d49358a52
--- /dev/null
+++ b/CHANGELOG.pre-v11.0.0.md
@@ -0,0 +1,383 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
+project adheres to [Semantic Versioning](http://semver.org/).
+
+## [v10.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...v10.0.0) - 2020-03-12
+
+BREAKING CHANGES:
+
+- Added support for EKS 1.15 (by @sc250024)
+
+ENHANCEMENTS:
+
+- Ensuring that ami lookup hierarchy is worker_group_launch_templates and worker_groups -> worker_group_defaults -> and finally aws ami lookup (by @ck3mp3r)
+- Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda)
+- Add support for ASG max instance lifetime (by @sidprak)
+- Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs)
+- Add support for envelope encryption of Secrets (by @babilen5)
+
+BUG FIXES:
+
+- Fix issue with terraform plan phase when IRSA was enabled and create_eks switches to false (by @daroga0002)
+- Remove obsolete assumption from README (kubectl & aws-iam-authenticator) (by @pierresteiner)
+- Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer)
+- Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc)
+- Fix support for ASG max instance lifetime for workers (by @barryib)
+
+NOTES:
+
+From EKS 1.15, the VPC tag `kubernetes.io/cluster/: shared` is no longer required. So we droped those tags from exemples.
+
+## [v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0) - 2020-02-27
+
+- **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet)
+- Revert #631. Add back manage security group flags.
(by @ryanooi)
+- Changed timeout for creating EKS (by @confiq)
+- Added instructions for how to add Windows nodes (by @ivanguravel)
+- [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet)
+- [CI] Bump pre-commit-terraform version (by @barryib)
+- Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet)
+- Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi)
+- Add a `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth)
+- Pinned kubernetes provider version to exactly 1.10.0 across all examples and README.md's (by @andres-de-castro)
+- Change variable default `wait_for_cluster_cmd` from curl to wget (by @daroga0002)
+
+#### Important notes
+
+Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create [the policy](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v8.2.0/workers.tf#L361-L416) outside this module and pass it in using the `workers_additional_policies` variable.
+
+## [v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0) - 2020-01-29
+
+- Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri)
+- Disable creation of ingress rules if worker nodes security groups are exists (@andjelx)
+- [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib)
+
+## [v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0) - 2020-01-17
+
+- Fix index reference on destroy for output `oidc_provider_arn` (@stevie-)
+- Add support for restricting access to the public API endpoint (@sidprak)
+- Add an `ignore_lifecycle` rule to prevent Terraform from scaling down ASG behind AWS EKS Managed Node Group (by @davidalger)
+
+## [v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1) - 2020-01-09
+
+- **Breaking:** Change logic of security group whitelisting. Will always whitelist worker security group on control plane security group either provide one or create new one. See Important notes below for upgrade notes (by @ryanooi)
+- **Breaking:** Configure the aws-auth configmap using the terraform kubernetes providers. See Important notes below for upgrade notes (by @sdehaes)
+- Wait for cluster to respond to kubectl before applying auth map_config (@shaunc)
+- Added flag `create_eks` to conditionally create resources (by @syst0m / @tbeijen)
+- Support for AWS EKS Managed Node Groups.
(by @wmorgan6796)
+- Added a if check on `aws-auth` configmap when `map_roles` is empty (by @shanmugakarna)
+- Removed no longer used variable `write_aws_auth_config` (by @tbeijen)
+- Exit with error code when `aws-auth` configmap is unable to be updated (by @knittingdev)
+- Fix deprecated interpolation-only expression (by @angelabad)
+- Updated required version of AWS Provider to >= v2.38.0 for Managed Node Groups (by @wmorgan6796)
+- Updated minimum version of Terraform to avoid a bug (by @dpiddockcmp)
+- Fix cluster_oidc_issuer_url output from list to string (by @chewvader)
+- Fix idempotency issues for node groups with no remote_access configuration (by @jeffmhastings)
+- Fix aws-auth config map for managed node groups (by @wbertelsen)
+- Added support to create IAM OpenID Connect Identity Provider to enable EKS Identity Roles for Service Accounts (IRSA). (by @alaa)
+- Adding node group iam role arns to outputs. (by @mukgupta)
+- Added the OIDC Provider ARN to outputs. (by @eytanhanig)
+- Move `eks_node_group` resources to a submodule (by @dpiddockcmp)
+- Add complex output `node_groups` (by @TBeijen)
+
+#### Important notes
+
+The way the `aws-auth` configmap in the `kube-system` namespaces is managed has been changed. Before this was managed via kubectl using a null resources. This was changed to be managed by the terraform Kubernetes provider.
+
+To upgrade you have to add the kubernetes provider to the place you are calling the module. You can see examples in
+the [examples](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/93636625740c63fd89ad8bc60ad180761288c54d/examples) folder. Then you should import the configmap into Terraform:
+
+```
+terraform import module.cluster1.kubernetes_config_map.aws_auth[0] kube-system/aws-auth
+```
+
+You could also delete the aws-auth config map before doing an apply but this means you need to the apply with the **same user/role that created the cluster**.
+
+For security group whitelisting change.
After upgrade, have to remove `cluster_create_security_group` and `worker_create_security_group` variable. If you have whitelist worker security group before, you will have to delete it(and apply again) or import it.
+
+```
+terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress _ingress_tcp_443_443_
+```
+
+## [v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0) - 2019-12-11
+
+- Test against minimum versions specified in `versions.tf` (by @dpiddockcmp)
+- Updated `instance_profile_names` and `instance_profile_arns` outputs to also consider launch template as well as asg (by @ankitwal)
+- Fix broken terraform plan/apply on a cluster < 1.14 (by @hodduc)
+- Updated application of `aws-auth` configmap to create `kube_config.yaml` and `aws_auth_configmap.yaml` in sequence (and not parallel) to `kubectl apply` (by @knittingdev)
+
+## [v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0) - 2019-10-30
+
+- **Breaking:** Allow for specifying a custom AMI for the worker nodes. (by @bmcstdio)
+- Added support for Windows workers AMIs (by @hodduc)
+- Allow for replacing the full userdata text with a `userdata_template_file` template and `userdata_template_extra_args` in `worker_groups` (by @snstanton)
+- **Breaking:** The `kubectl` configuration file can now be fully-specified using `config_output_path`. Previously it was assumed that `config_output_path` referred to a directory and always ended with a forward slash. This is a breaking change if `config_output_path` does **not** end with a forward slash (which was advised against by the documentation).
(by @joshuaspence)
+- Changed logic for setting default `ebs_optimized` to only require maintaining a list of instance types that don't support it (by @jeffmhastings)
+- Bumped minimum terraform version to 0.12.2 to prevent an error on yamlencode function (by @toadjaune)
+- Access conditional resource using join function in combination with splat syntax (by @miguelaferreira)
+
+#### Important notes
+
+An AMI is now specified using the whole name, for example `amazon-eks-node-1.14-v20190927`.
+
+## [v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2) - 2019-10-07
+
+- Added `tags` to `aws_eks_cluster` introduced by terraform-provider-aws 2.31.0 (by @morganchristiansson)
+- Add option to enable lifecycle hooks creation (by @barryib)
+- Remove helm chart value `sslCertPath` described in `docs/autoscaling.md` (by @wi1dcard)
+- Attaching of IAM policies for autoscaler and CNI to the worker nodes now optional (by @dpiddockcmp)
+
+## [v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1) - 2019-09-25
+
+- Added support for different workers AMI's, i.e. with GPU support (by @rvoitenko)
+- Use null as default value for `target_group_arns` attribute of worker autoscaling group (by @tatusl)
+- Output empty string when cluster identity is empty (by @tbarry)
+
+## [v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0) - 2019-09-17
+
+- Added `market_type` to `workers_launch_template.tf` allow the usage of spot nodegroups without mixed instances policy.
+- Added support for log group tag in `./cluster.tf` (@lucas-giaco)
+- Added support for workers iam role tag in `./workers.tf` (@lucas-giaco)
+- Added `required_providers` to enforce provider minimum versions (by @dpiddockcmp)
+- Updated `local.spot_allocation_strategy` docstring to indicate availability of new `capacity-optimized` option.
(by @sc250024)
+- Added support for initial lifecycle hooks for autosacling groups (@barryib)
+- Added option to recreate ASG when LT or LC changes (by @barryib)
+- Ability to specify workers role name (by @ivanich)
+- Added output for OIDC Issuer URL (by @russwhelan)
+- Added support for Mixed Instance ASG using `worker_groups_launch_template` variable (by @sppwf)
+- Changed ASG Tags generation using terraform 12 `for` utility (by @sppwf)
+- **Breaking:** Removed `worker_groups_launch_template_mixed` variable (by @sppwf)
+- Update to EKS 1.14 (by @nauxliu)
+- **Breaking:** Support map users and roles to multiple groups (by @nauxliu)
+- Fixed errors sometimes happening during destroy due to usage of coalesce() in local.tf (by @petrikero)
+- Removed historical mention of adding caller's IPv4 to cluster security group (by @dpiddockcmp)
+- Wrapped `kubelet_extra_args` in double quotes instead of singe quotes (by @nxf5025)
+- Make terraform plan more consistent and avoid unnecessary "(known after apply)" (by @barryib)
+- Made sure that `market_type` was correctly passed to `workers_launch_template` (by @to266)
+
+#### Important notes
+
+You will need to move worker groups from `worker_groups_launch_template_mixed` to `worker_groups_launch_template`. You can rename terraform resources in the state to avoid an destructive changes.
+
+Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [""]`.
+
+## [v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1) - 2019-07-30
+
+- Added new tag in `worker.tf` with autoscaling_enabled = true flag (by @insider89)
+
+## [v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0) - 2019-07-30
+
+- Option to set a KMS key for the log group and encrypt it (by @till-krauss)
+- Output the name of the cloudwatch log group (by @gbooth27)
+- Added `cpu_credits` param for the workers defined in `worker_groups_launch_template` (by @a-shink)
+- Added support for EBS Volumes tag in `worker_groups_launch_template` and `workers_launch_template_mixed.tf` (by @sppwf)
+- Basic example now tags networks correctly, as per [ELB documentation](https://docs.aws.amazon.com/eks/latest/userguide/load-balancing.html) and [ALB documentation](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) (by @karolinepauls)
+- Update default override instance types to work with Cluster Autoscaler (by @nauxliu on behalf of RightCapital)
+- Examples now specify `enable_dns_hostnames = true`, as per [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) (by @karolinepauls)
+
+## [v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0) - 2019-06-19
+
+- Added Termination Policy Option to worker ASGs (by @undeadops)
+- Update EBS optimized instances type (by @gloutsch)
+- Added tagging for iam role created in `./cluster.tf` (@camilosantana)
+- Enable log retention for cloudwatch log groups (by @yuriipolishchuk)
+- Update to EKS 1.13 (by @gloutsch)
+- Finally, Terraform 0.12 support, [Upgrade Guide](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/394) (by @alex-goncharov @nauxliu @timboven)
+- All the xx_count variables have been removed (by @nauxliu on behalf of RightCapital)
+- Use actual lists in the workers group maps instead of strings with commas (by @nauxliu on behalf of RightCapital)
+- Move variable `worker_group_tags` to workers group's attribute `tags` (by @nauxliu on behalf of RightCapital)
+- Change override instance_types to list (by @nauxliu on behalf of RightCapital)
+- Fix toggle for IAM instance profile creation for mixed launch templates (by @jnozo)
+
+## [v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2) - 2019-05-07
+- Added 2 new examples, also tidy up basic example (by @max-rocket-internet)
+- Updates to travis, PR template (by @max-rocket-internet)
+- Fix typo in data.tf (by @max-rocket-internet)
+- Add missing launch template items in `aws_auth.tf` (by @max-rocket-internet)
+
+## [v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1) - 2019-05-07
+
+- Fix annoying typo: worker_group_xx vs worker_groups_xx (by @max-rocket-internet)
+
+## [v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0) - 2019-05-07
+
+- Added support for custom service linked role for Auto Scaling group (by @voanhduy1512)
+- Added support for custom IAM roles for cluster and workers (by @erks)
+- Added cluster ARN to outputs (by @alexsn)
+- Added outputs for `workers_user_data` and `workers_default_ami_id` (by @max-rocket-internet)
+- Added doc about spot instances (by @max-rocket-internet)
+- Added new worker group option with a mixed instances policy (by @max-rocket-internet)
+- Set default suspended processes for ASG to `AZRebalance` (by @max-rocket-internet)
+- 4 small changes to `aws_launch_template` resource (by @max-rocket-internet)
+- (Breaking Change) Rewritten and de-duplicated code related to Launch Templates (by @max-rocket-internet)
+- Add .prettierignore file (by @rothandrew)
+- Switch to https for the pre-commit repos (by @rothandrew)
+- Add instructions on how to enable the docker bridge network (by @rothandrew)
+
+## [v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0) - 2019-04-15
+
+- Fixed: Ability to destroy clusters due to security groups being attached to ENI's (by @whiskeyjimbo)
+- Added outputs for worker IAM instance profile(s) (by @soapergem)
+- Added support for cluster logging via the `cluster_enabled_log_types` variable (by @sc250024)
+- Updated vpc module version and aws provider version. (by @chenrui333)
+- Upgraded default kubernetes version from 1.11 to 1.12 (by @stijndehaes)
+
+## [v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1) - 2019-03-26
+
+- Added support for eks public and private endpoints (by @stijndehaes)
+- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024)
+- (Breaking Change) Replaced `enable_docker_bridge` with a generic option called `bootstrap_extra_args` to resolve [310](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/310) (by @max-rocket-internet)
+
+## [v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0) - 2019-03-20
+
+- Allow additional policies to be attached to worker nodes (by @rottenbytes)
+- Ability to specify a placement group for each worker group (by @matheuss)
+- "k8s.io/cluster-autoscaler/{cluster-name}" and "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage" tags for autoscaling groups (by @tbarrella)
+- Added "ec2:DescribeLaunchTemplateVersions" action to worker instance role (by @skang0601)
+- Adding ebs encryption for workers launched using workers_launch_template (by @russki)
+- Added output for generated kubeconfig filename (by @syst0m)
+- Added outputs for cluster role ARN and name (by @spingel)
+- Added optional name filter variable to be able to pin worker AMI to a release (by @max-rocket-internet)
+- Added `--enable-docker-bridge` option for bootstrap.sh in AMI (by @michaelmccord)
+
+##
[v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2) - 2019-02-25
+
+- Ability to specify a path for IAM roles (by @tekn0ir)
+
+## [v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1) - 2019-02-18
+
+## [v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0) - 2019-02-07
+
+- Ability to specify a permissions_boundary for IAM roles (by @dylanhellems)
+- Ability to configure force_delete for the worker group ASG (by @stefansedich)
+- Ability to configure worker group ASG tags (by @stefansedich)
+- Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich)
+- `enabled_metrics` input (by @zanitete)
+- write_aws_auth_config to input (by @yutachaos)
+- Change worker group ASG to use create_before_destroy (by @stefansedich)
+- Fixed a bug where worker group defaults were being used for launch template user data (by @leonsodhi-lf)
+- Managed_aws_auth option is true, the aws-auth configmap file is no longer created, and write_aws_auth_config must be set to true to generate config_map. (by @yutachaos)
+
+## [v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0) - 2019-01-15
+
+- Initial support for worker groups based on Launch Templates (by @skang0601)
+- Updated the `update_config_map_aws_auth` resource to trigger when the EKS cluster endpoint changes.
This likely means that a new cluster was spun up so our ConfigMap won't exist (fixes #234) (by @elatt)
+- Removed invalid action from worker_autoscaling iam policy (by @marcelloromani)
+- Fixed zsh-specific syntax in retry loop for aws auth config map (by @marcelloromani)
+- Fix: fail deployment if applying the aws auth config map still fails after 10 attempts (by @marcelloromani)
+
+## [v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0) - 2018-12-14
+
+- (Breaking Change) New input variables `map_accounts_count`, `map_roles_count` and `map_users_count` to allow using computed values as part of `map_accounts`, `map_roles` and `map_users` configs (by @chili-man on behalf of OpenGov).
+- (Breaking Change) New variables `cluster_create_security_group` and `worker_create_security_group` to stop `value of 'count' cannot be computed` error.
+- Added ability to choose local-exec interpreter (by @rothandrew)
+- Added `--with-aggregate-type-defaults` option to terraform-docs (by @max-rocket-internet)
+- Updated AMI ID filtering to only filter AMIs from current cluster k8s version (by @max-rocket-internet)
+- Added `pre-commit-terraform` git hook to automatically create documentation of inputs/outputs (by @antonbabenko)
+- Travis fixes (by @RothAndrew)
+- Fixed some Windows compatibility issues (by @RothAndrew)
+
+## [v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0) - 2018-12-04
+
+- Support for using AWS Launch Templates to define autoscaling groups (by @skang0601)
+- `suspended_processes` to `worker_groups` input (by @bkmeneguello)
+- `target_group_arns` to `worker_groups` input (by @zihaoyu)
+- `force_detach_policies` to `aws_iam_role` `cluster` and `workers` (by @marky-mark)
+- Added sleep while trying to apply the kubernetes configurations if failed, up to 50 seconds (by @rmakram-ims)
+- `cluster_create_security_group` and `worker_create_security_group`.
This allows using computed cluster and worker security groups. (by @rmakram-ims)
+- new variables worker_groups_launch_template and worker_group_count_launch_template (by @skang0601)
+- Remove aws_iam_service_linked_role (by @max-rocket-internet)
+- Adjust the order and correct/update the ec2 instance type info. (@chenrui333)
+- Removed providers from `main.tf`. (by @max-rocket-internet)
+- Removed `configure_kubectl_session` references in documentation [#171](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/171) (by @dominik-k)
+
+## [v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0) - 2018-10-09
+
+- Worker groups can be created with a specified IAM profile. (from @laverya)
+- exposed `aws_eks_cluster` create and destroy timeouts (by @RGPosadas)
+- exposed `placement_tenancy` for autoscaling group (by @monsterxx03)
+- Allow port 443 from EKS service to nodes to run `metrics-server`. (by @max-rocket-internet)
+- fix default worker subnets not working (by @erks)
+- fix default worker autoscaling_enabled not working (by @erks)
+- Cosmetic syntax changes to improve readability. (by @max-rocket-internet)
+- add `protect_from_scale_in` to solve issue #134 (by @kinghajj)
+
+## [v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0) - 2018-09-04
+
+- add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks)
+- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g.
taints and labels) (by @erks)
+- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
+- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
+- allow a custom AMI to be specified as a default (by @erks)
+- bugfix for above change (by @max-rocket-internet)
+- **Breaking change** Removed support for `eks-worker-*` AMI. The cluster specifying a custom AMI based off of `eks-worker-*` AMI will have to rebuild the AMI from `amazon-eks-node-*`. (by @erks)
+- **Breaking change** Removed `kubelet_node_labels` worker group option in favor of `kubelet_extra_args`. (by @erks)
+
+## [v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0) - 2018-08-30
+
+- add spot_price option to aws_launch_configuration
+- add enable_monitoring option to aws_launch_configuration
+- add t3 instance class settings
+- add aws_iam_service_linked_role for elasticloadbalancing. (by @max-rocket-internet)
+- Added autoscaling policies into module that are optionally attached when enabled for a worker group. (by @max-rocket-internet)
+- **Breaking change** Removed `workstation_cidr` variable, http callout and unnecessary security rule. (by @dpiddockcmp)
+  If you are upgrading from 1.4 you should fix state after upgrade: `terraform state rm module.eks.data.http.workstation_external_ip`
+- Can now selectively override keys in `workers_group_defaults` variable rather than callers maintaining a duplicate of the whole map. (by @dpiddockcmp)
+
+## [v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0) - 2018-08-02
+
+- manage eks workers' root volume size and type.
+- `workers_asg_names` added to outputs.
(kudos to @laverya)
+- New top level variable `worker_group_count` added to replace the use of `length(var.worker_groups)`. This allows using computed values as part of worker group configs. (complaints to @laverya)
+
+## [v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0) - 2018-07-11
+
+- New variables `map_accounts`, `map_roles` and `map_users` in order to manage additional entries in the `aws-auth` configmap. (by @max-rocket-internet)
+- kubelet_node_labels worker group option allows setting --node-labels= in kubelet. (Hat-tip, @bshelton229 👒)
+- `worker_iam_role_arn` added to outputs. Sweet, @hatemosphere 🔥
+- Worker subnets able to be specified as a dedicated list per autoscaling group. (up top, @bshelton229 🙏)
+
+## [v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0) - 2018-07-01
+
+- new variable `pre_userdata` added to worker launch configuration allows to run scripts before the plugin does anything. (W00t, @jimbeck 🦉)
+- kubeconfig made much more flexible. (Bang up job, @sdavids13 💥)
+- ASG desired capacity is now ignored as ASG size is more effectively handed by k8s. (Thanks, @ozbillwang 💇‍♂️)
+- Providing security groups didn't behave as expected. This has been fixed. (Good catch, @jimbeck 🔧)
+- workstation cidr to be allowed by created security group is now more flexible. (A welcome addition, @jimbeck 🔐)
+
+## [v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0) - 2018-06-25
+
+- new variable `worker_sg_ingress_from_port` allows to change the minimum port number from which pods will accept communication (Thanks, @ilyasotkov 👏).
+- expanded on worker example to show how multiple worker autoscaling groups can be created.
+- IPv4 is used explicitly to resolve testing from IPv6 networks (thanks, @tsub 🙏).
+- Configurable public IP attachment and ssh keys for worker groups. Defaults defined in `worker_group_defaults`.
Nice, @hatemosphere 🌂
+- `worker_iam_role_name` now an output. Sweet, @artursmet 🕶️
+- IAM test role repaired by @lcharkiewicz 💅
+- `kube-proxy` restart no longer needed in userdata. Good catch, @hatemosphere 🔥
+- worker ASG reattachment wasn't possible when using `name`. Moved to `name_prefix` to allow recreation of resources. Kudos again, @hatemosphere 🐧
+
+## [v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0) - 2018-06-11
+
+- security group id can be provided for either/both of the cluster and the workers. If not provided, security groups will be created with sufficient rules to allow cluster-worker communication. - kudos to @tanmng on the idea ⭐
+- outputs of security group ids and worker ASG arns added for working with these resources outside the module.
+- Worker build out refactored to allow multiple autoscaling groups each having differing specs. If none are given, a single ASG is created with a set of sane defaults - big thanks to @kppullin 🥨
+
+## [v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0) - 2018-06-08
+
+- ability to specify extra userdata code to execute following kubelet services start.
+- EBS optimization used whenever possible for the given instance type.
+- When `configure_kubectl_session` is set to true the current shell will be configured to talk to the kubernetes cluster using config files output from the module.
+- files rendered from dedicated templates to separate out raw code and config from `hcl`
+- `workers_ami_id` is now made optional. If not specified, the module will source the latest AWS supported EKS AMI instead.
+
+## [v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1) - 2018-06-07
+- Pre-commit hooks fixed and working.
+- Made progress on CI, advancing the build to the final `kitchen test` stage before failing.
+
+## [v0.1.0] - 2018-06-07
+
+- Everything! Initial release of the module.
+- added a local variable to do a lookup against for a dynamic value in userdata which was previously static. Kudos to @tanmng for finding and fixing bug #1!
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
deleted file mode 100644
index 7730bca7f3..0000000000
--- a/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,46 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment include: - -- Using welcoming and inclusive language -- Being respectful of differing viewpoints and experiences -- Gracefully accepting constructive criticism -- Focusing on what is best for the community -- Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -- The use of sexualized language or imagery and unwelcome sexual attention or advances -- Trolling, insulting/derogatory comments, and personal or political attacks -- Public or private harassment -- Publishing others' private information, such as a physical or electronic address, without explicit permission -- Other conduct which could reasonably be considered inappropriate in a professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at brandon@atscale.run. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] - -[homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index b81ce2db90..0000000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,13 +0,0 @@ -# Contributing - -When contributing to this repository, please first discuss the change you wish to make via issue, -email, or any other method with the owners of this repository before making a change. - -Please note we have a code of conduct, please follow it in all your interactions with the project. - -## Pull Request Process - -1. Ensure any install or build dependencies are removed before the end of the layer when doing a build. -2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. -3. Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/). -4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you do not have permission to do that, you may request the second reviewer to merge it for you. diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 57a0c15c31..0000000000 --- a/Gemfile +++ /dev/null @@ -1,9 +0,0 @@ -# frozen_string_literal: true - -ruby '2.4.6' - -source 'https://rubygems.org/' do - gem 'awspec', '~> 1.4.2' - gem 'kitchen-terraform', '~> 3.2' - gem 'kitchen-verifier-awspec', '~> 0.1.1' -end diff --git a/LICENSE b/LICENSE index ab6dbd68ad..51fca54c2a 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,19 +1,11 @@ -Copyright (c) 2018 Brandon O'Connor - Run at Scale +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + http://www.apache.org/licenses/LICENSE-2.0 -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000000..92c13f71f7 --- /dev/null +++ b/Makefile 
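Review bot: The new LICENSE body is the eleven-line Apache-2.0 notice stanza rather than the full license text, and it carries no copyright line, so after this change the file no longer names a licensor at all; the old MIT text at least did. The README hunk headers later in this commit still read `MIT Licensed. See [LICENSE]`, so the repository now states two different licenses. If the relicensing is intended, the full LICENSE-2.0 text (or at minimum a `Copyright (c) <year> <holder>` line above the notice) and a matching README edit belong in the same change.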
@@ -0,0 +1,17 @@ +.PHONY: changelog release + +SEMTAG=tools/semtag + +CHANGELOG_FILE=CHANGELOG.md +TAG_QUERY=v11.0.0.. + +scope ?= "minor" + +changelog-unrelease: + git-chglog -o $(CHANGELOG_FILE) $(TAG_QUERY) + +changelog: + git-chglog -o $(CHANGELOG_FILE) --next-tag `$(SEMTAG) final -s $(scope) -o -f` $(TAG_QUERY) + +release: + $(SEMTAG) final -s $(scope) diff --git a/README.md b/README.md index 95a2245e2d..8363392e9b 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,6 @@ Read the [AWS docs on EKS to get connected to the k8s dashboard](https://docs.aw * You want to create an EKS cluster and an autoscaling group of workers for the cluster. * You want these resources to exist within security groups that allow communication and coordination. These can be user provided or created within the module. * You've created a Virtual Private Cloud (VPC) and subnets where you intend to put the EKS resources. The VPC satisfies [EKS requirements](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html). -* If `manage_aws_auth = true`, it's required that both [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) (>=1.10) and [`aws-iam-authenticator`](https://github.com/kubernetes-sigs/aws-iam-authenticator#4-set-up-kubectl-to-use-authentication-tokens-provided-by-aws-iam-authenticator-for-kubernetes) are installed and on your shell's PATH. ## Usage example @@ -75,7 +74,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(element(concat(data.aws_eks_cluster.cluster[*].certificate_authority.0.data, list("")), 0)) token = element(concat(data.aws_eks_cluster_auth.cluster[*].token, list("")), 0) load_config_file = false - version = "~> 1.10" + version = "1.10" } # This cluster will not be created 
@@ -95,28 +94,6 @@ module "eks" { * [IAM Permissions](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/iam-permissions.md): Minimum IAM permissions needed to setup EKS Cluster. * [FAQ](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/faq.md): Frequently Asked Questions -## Testing - -This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them: - -1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/Gemfile). -2. Install bundler and the gems from our Gemfile: - - ```bash - gem install bundler && bundle install - ``` - -3. Ensure your AWS environment is configured (i.e. credentials and region) for test. -4. Test using `bundle exec kitchen test` from the root of the repo. - -For now, connectivity to the kubernetes cluster is not tested but will be in the -future. Once the test fixture has converged, you can query the test cluster from -that terminal session with -```bash -kubectl get nodes --watch --kubeconfig kubeconfig -``` -(using default settings `config_output_path = "./"` & `write_kubeconfig = true`) - ## Doc generation Code formatting and documentation for variables and outputs is generated using [pre-commit-terraform hooks](https://github.com/antonbabenko/pre-commit-terraform) which uses [terraform-docs](https://github.com/segmentio/terraform-docs). 
@@ -129,11 +106,12 @@ And install `terraform-docs` with `go get github.com/segmentio/terraform-docs` o Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/new) section. -Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/CONTRIBUTING.md). +Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/.github/CONTRIBUTING.md). ## Change log -The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes. +- The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes from v11.0.0 +- For older release notes, refer to [changelog.pre-v11.0.0.md](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.pre-v11.0.0.md) ## Authors @@ -150,8 +128,8 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Version | |------|---------| -| aws | >= 2.44.0 | -| kubernetes | >= 1.6.2 | +| aws | >= 2.52.0 | +| kubernetes | >= 1.11.1 | | local | >= 1.2 | | null | >= 2.1 | | random | >= 2.1 | 
@@ -161,20 +139,22 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Description | Type | Default | Required | |------|-------------|------|---------|:-----:| -| attach\_worker\_autoscaling\_policy | Whether to attach the module managed cluster autoscaling iam policy to the default worker IAM role. This requires `manage_worker_autoscaling_policy = true` | `bool` | `true` | no | | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no | -| cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"15m"` | no | +| cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no | +| cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no | | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no | | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | +| cluster\_encryption\_config | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | +| cluster\_endpoint\_private\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled | `list(string)` |
[
"0.0.0.0/0"
]
| no | | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | -| cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | cluster\_iam\_role\_name | IAM role name for the cluster. Only applicable if manage\_cluster\_iam\_resources is set to false. | `string` | `""` | no | | cluster\_log\_kms\_key\_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `""` | no | | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | | cluster\_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | n/a | yes | | cluster\_security\_group\_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no | -| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.14"` | no | +| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.15"` | no | | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no | | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no | | eks\_oidc\_root\_ca\_thumbprint | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no | 
@@ -187,24 +167,25 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | kubeconfig\_name | Override the default name used for items kubeconfig. | `string` | `""` | no | | manage\_aws\_auth | Whether to apply the aws-auth configmap file. | `bool` | `true` | no | | manage\_cluster\_iam\_resources | Whether to let the module manage cluster IAM resources. If set to false, cluster\_iam\_role\_name must be specified. | `bool` | `true` | no | -| manage\_worker\_autoscaling\_policy | Whether to let the module manage the cluster autoscaling iam policy. | `bool` | `true` | no | | manage\_worker\_iam\_resources | Whether to let the module manage worker IAM resources. If set to false, iam\_instance\_profile\_name must be specified for workers. | `bool` | `true` | no | | map\_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(string)` | `[]` | no | -| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | node\_groups | Map of map of node groups to create. See `node_groups` module's documentation for more details | `any` | `{}` | no | | node\_groups\_defaults | Map of values to be applied to all node groups. See `node_groups` module's documentaton for more details | `any` | `{}` | no | | permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | n/a | yes | | subnets | A list of subnets to place the EKS cluster and workers within. | `list(string)` | n/a | yes | | tags | A map of tags to add to all resources. | `map(string)` | `{}` | no | | vpc\_id | VPC where the cluster and workers will be deployed. | `string` | n/a | yes | -| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"until curl -k -s $ENDPOINT/healthz \u003e/dev/null; do sleep 4; done"` | no | +| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz \u003e/dev/null \u0026\u0026 exit 0 \|\| true; sleep 5; done; echo TIMEOUT \u0026\u0026 exit 1"` | no | +| wait\_for\_cluster\_interpreter | Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy. | `list(string)` |
[
"/bin/sh",
"-c"
]
| no | | worker\_additional\_security\_group\_ids | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no | | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no | | worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no | | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no | +| worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no | | worker\_groups | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers\_group\_defaults for valid keys. | `any` | `[]` | no | | worker\_groups\_launch\_template | A list of maps defining worker group configurations to be defined using AWS Launch Templates. See workers\_group\_defaults for valid keys. | `any` | `[]` | no | | worker\_security\_group\_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no | 
@@ -233,8 +214,6 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | kubeconfig\_filename | The filename of the generated kubectl config. | | node\_groups | Outputs from EKS node groups. Map of maps, keyed by var.node\_groups keys | | oidc\_provider\_arn | The ARN of the OIDC Provider if `enable_irsa = true`. | -| worker\_autoscaling\_policy\_arn | ARN of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true` | -| worker\_autoscaling\_policy\_name | Name of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true` | | worker\_iam\_instance\_profile\_arns | default IAM instance profile ARN for EKS worker groups | | worker\_iam\_instance\_profile\_names | default IAM instance profile name for EKS worker groups | | worker\_iam\_role\_arn | default IAM role ARN for EKS worker groups | diff --git a/aws_auth.tf b/aws_auth.tf index 487763b68e..6c41f753e0 100644 --- a/aws_auth.tf +++ b/aws_auth.tf 
@@ -1,52 +1,61 @@ data "aws_caller_identity" "current" { } -data "template_file" "launch_template_worker_role_arns" { - count = var.create_eks ? local.worker_group_launch_template_count : 0 - template = file("${path.module}/templates/worker-role.tpl") +locals { + auth_launch_template_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_launch_template_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers_launch_template.*.role, + data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, + ), + index + )}" + platform = lookup( + var.worker_groups_launch_template[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers_launch_template.*.role, - data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, - ), - count.index, - )}" - platform = lookup( - var.worker_groups_launch_template[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "worker_role_arns" { - count = var.create_eks ? local.worker_group_count : 0 - template = file("${path.module}/templates/worker-role.tpl") - - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers.*.role, - data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, - [""] - ), - count.index, - )}" - platform = lookup( - var.worker_groups[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "node_group_arns" { - count = var.create_eks ? 
length(module.node_groups.aws_auth_roles) : 0 - template = file("${path.module}/templates/worker-role.tpl") + auth_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers.*.role, + data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, + [""] + ), + index, + )}" + platform = lookup( + var.worker_groups[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = module.node_groups.aws_auth_roles[count.index] + # Convert to format needed by aws-auth ConfigMap + configmap_roles = [ + for role in concat( + local.auth_launch_template_worker_roles, + local.auth_worker_roles, + module.node_groups.aws_auth_roles, + ) : + { + rolearn = role["worker_role_arn"] + username = "system:node:{{EC2PrivateDNSName}}" + groups = concat( + [ + "system:bootstrappers", + "system:nodes", + ], + role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : [] + ) + } + ] } resource "kubernetes_config_map" "aws_auth" { 
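Review bot: `auth_worker_roles` pads its `coalescelist` with `[""]` but `auth_launch_template_worker_roles` does not, so the two locals fail differently when no instance-profile role resolves: the first silently yields `arn:aws:iam::<account>:role/` (an empty role name) which `configmap_roles` then writes into aws-auth under `system:bootstrappers`/`system:nodes`, while the second aborts with a coalescelist error. An entry with an empty role name matches nothing but pollutes every audit of mapRoles, so it should be dropped before it reaches the ConfigMap, e.g. by ending the `configmap_roles` comprehension with `if length(regexall(":role/$", role["worker_role_arn"])) == 0`. Note also that `element()` wraps modulo the list length, so if the coalesced list is shorter than the group count the index lands on another group's role instead of failing. The `locals` block closes inside this hunk; the `kubernetes_config_map` resource that consumes `local.configmap_roles` continues in the next one.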
@@ -59,12 +68,13 @@ resource "kubernetes_config_map" "aws_auth" { } data = { - mapRoles = < 6m39s v1.14.8-eks-b8860f +``` + +Replace `` with your AWS account ID in `cluster-autoscaler-chart-values.yaml`. There is output from terraform for this. + +Install the chart using the provided values file: + +``` +helm install --name cluster-autoscaler --namespace kube-system stable/cluster-autoscaler --values=cluster-autoscaler-chart-values.yaml +``` + +## Verify + +Ensure the cluster-autoscaler pod is running: + +``` +$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" +NAME READY STATUS RESTARTS AGE +cluster-autoscaler-aws-cluster-autoscaler-5545d4b97-9ztpm 1/1 Running 0 3m +``` + +Observe the `AWS_*` environment variables that were added to the pod automatically by EKS: + +``` +kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" -o yaml | grep -A3 AWS_ROLE_ARN + +- name: AWS_ROLE_ARN + value: arn:aws:iam::xxxxxxxxx:role/cluster-autoscaler +- name: AWS_WEB_IDENTITY_TOKEN_FILE + value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +``` + +Verify it is working by checking the logs, you should see that it has discovered the autoscaling group successfully: + +``` +kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler" + +I0128 14:59:00.901513 1 auto_scaling_groups.go:354] Regenerating instance to ASG map for ASGs: [test-eks-irsa-worker-group-12020012814125354700000000e] +I0128 14:59:00.969875 1 auto_scaling_groups.go:138] Registering ASG test-eks-irsa-worker-group-12020012814125354700000000e +I0128 14:59:00.969906 1 aws_manager.go:263] Refreshed ASG list, next refresh after 2020-01-28 15:00:00.969901767 +0000 UTC m=+61.310501783 +``` diff --git a/examples/irsa/cluster-autoscaler-chart-values.yaml b/examples/irsa/cluster-autoscaler-chart-values.yaml new file mode 100644 index 0000000000..71b18c43a0 --- /dev/null 
+++ b/examples/irsa/cluster-autoscaler-chart-values.yaml @@ -0,0 +1,10 @@ +awsRegion: us-west-2 + +rbac: + create: true + serviceAccountAnnotations: + eks.amazonaws.com/role-arn: "arn:aws:iam:::role/cluster-autoscaler" + +autoDiscovery: + clusterName: test-eks-irsa + enabled: true diff --git a/examples/irsa/irsa.tf b/examples/irsa/irsa.tf new file mode 100644 index 0000000000..8ba8f06823 --- /dev/null +++ b/examples/irsa/irsa.tf 
@@ -0,0 +1,57 @@
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "~> v2.6.0"
+ create_role = true
+ role_name = "cluster-autoscaler"
+ provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${local.k8s_service_account_namespace}:${local.k8s_service_account_name}"]
+}
+
+resource "aws_iam_policy" "cluster_autoscaler" {
+ name_prefix = "cluster-autoscaler"
+ description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_id}"
+ policy = data.aws_iam_policy_document.cluster_autoscaler.json
+}
+
+data "aws_iam_policy_document" "cluster_autoscaler" {
+ statement {
+ sid = "clusterAutoscalerAll"
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeLaunchTemplateVersions",
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "clusterAutoscalerOwn"
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ ]
+
+ resources = ["*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_id}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
+ values = ["true"]
+ }
+ }
+}
diff --git a/examples/irsa/locals.tf b/examples/irsa/locals.tf
new file mode 100644
index 0000000000..9cdc8af713
--- /dev/null
+++ b/examples/irsa/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ cluster_name = "test-eks-irsa"
+ k8s_service_account_namespace = "kube-system"
+ k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler"
+}
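Review bot: `role_name = "cluster-autoscaler"` is a fixed name while the policy next to it uses `name_prefix`, so a second cluster in the same account cannot apply this example; `role_name = "cluster-autoscaler-${local.cluster_name}"` would match the policy's style, with the `role-arn` annotation in cluster-autoscaler-chart-values.yaml updated to the new name. The two `condition` blocks in `clusterAutoscalerOwn` are ANDed, so the mutating actions only reach ASGs that carry both `kubernetes.io/cluster/<cluster_id>=owned` and `k8s.io/cluster-autoscaler/enabled=true`; main.tf in this commit adds only the second tag to the worker group, so the first is presumably applied to the ASG by the module itself. A comment above the first `condition` would save the next reader that search: `# Both conditions must hold: the ASG needs the cluster "owned" tag and the autoscaler "enabled" tag (see worker group tags in main.tf).`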
diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf
new file mode 100644
index 0000000000..849db9c28f
--- /dev/null
+++ b/examples/irsa/main.tf
@@ -0,0 +1,83 @@
+terraform {
+ required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+ version = ">= 2.28.1"
+ region = var.region
+}
+
+provider "local" {
+ version = "~> 1.2"
+}
+
+provider "null" {
+ version = "~> 2.1"
+}
+
+provider "template" {
+ version = "~> 2.1"
+}
+
+data "aws_eks_cluster" "cluster" {
+ name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+ load_config_file = false
+ version = "~> 1.11"
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_caller_identity" "current" {}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.6.0"
+ name = "test-vpc"
+ cidr = "10.0.0.0/16"
+ azs = data.aws_availability_zones.available.names
+ public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ enable_dns_hostnames = true
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = "1"
+ }
+}
+
+module "eks" {
+ source = "../.."
+ cluster_name = local.cluster_name
+ subnets = module.vpc.public_subnets
+ vpc_id = module.vpc.vpc_id
+ enable_irsa = true
+
+ worker_groups = [
+ {
+ name = "worker-group-1"
+ instance_type = "t2.medium"
+ asg_desired_capacity = 1
+ tags = [
+ {
+ "key" = "k8s.io/cluster-autoscaler/enabled"
+ "propagate_at_launch" = "false"
+ "value" = "true"
+ },
+ {
+ "key" = "k8s.io/cluster-autoscaler/${local.cluster_name}"
+ "propagate_at_launch" = "false"
+ "value" = "true"
+ }
+ ]
+ }
+ ]
+}
diff --git a/examples/irsa/outputs.tf b/examples/irsa/outputs.tf
new file mode 100644
index 0000000000..ef2ab9577a
--- /dev/null
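Review bot: `provider "aws"` is constrained to `>= 2.28.1` while the README requirements table in this same commit raises the module's minimum to `aws >= 2.52.0` (and the new secrets_encryption example uses `>= 2.52.0`), so `terraform init` in this directory can select a provider the root module no longer supports; `version = ">= 2.52.0"` keeps the example in step. The README usage example's `version = "1.10"` pin on the kubernetes provider has the same problem against the table's `kubernetes >= 1.11.1`. Separately, this example places the workers in public subnets only (`subnets = module.vpc.public_subnets`) whereas the secrets_encryption example puts them in private subnets behind a NAT gateway; if the flatter layout is intentional for the IRSA walk-through, a one-line comment on `subnets` saying so would stop it being copied as a production pattern.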
+++ b/examples/irsa/outputs.tf @@ -0,0 +1,3 @@ +output "aws_account_id" { + value = data.aws_caller_identity.current.account_id +} diff --git a/examples/irsa/variables.tf b/examples/irsa/variables.tf new file mode 100644 index 0000000000..81b8dbe73e --- /dev/null +++ b/examples/irsa/variables.tf @@ -0,0 +1,3 @@ +variable "region" { + default = "us-west-2" +} diff --git a/examples/launch_templates/main.tf b/examples/launch_templates/main.tf index 1c95a9fd83..d76a13c561 100644 --- a/examples/launch_templates/main.tf +++ b/examples/launch_templates/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { @@ -60,10 +60,6 @@ module "vpc" { azs = data.aws_availability_zones.available.names public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] enable_dns_hostnames = true - - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } } module "eks" { diff --git a/examples/managed_node_groups/main.tf b/examples/managed_node_groups/main.tf index c31abb36b5..eed19c24ff 100644 --- a/examples/managed_node_groups/main.tf +++ b/examples/managed_node_groups/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { @@ -64,10 +64,6 @@ module "vpc" { single_nat_gateway = true enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/elb" = "1" 
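Review bot: The `@@ -60,10 +60,6 @@` hunk in examples/launch_templates/main.tf removes the VPC-level `kubernetes.io/cluster/<name> = "shared"` tag and, unlike the matching managed_node_groups hunk, shows no `public_subnet_tags` block that would carry the cluster tag on the subnets instead. The enclosing `module "vpc"` block starts outside the hunk, so a subnet-level tag may exist above it; if it does not, that example's subnets end up without the cluster tag the managed_node_groups example deliberately keeps via `public_subnet_tags`. Adding the same `public_subnet_tags` block there keeps the two examples consistent, and a short comment on it (`# subnet-level cluster tag replaces the former VPC-wide tag`) would explain the move.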
diff --git a/examples/secrets_encryption/main.tf b/examples/secrets_encryption/main.tf
new file mode 100644
index 0000000000..1a639e1d20
--- /dev/null
+++ b/examples/secrets_encryption/main.tf
@@ -0,0 +1,114 @@
+terraform {
+ required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+ version = ">= 2.52.0"
+ region = var.region
+}
+
+provider "random" {
+ version = "~> 2.1"
+}
+
+provider "local" {
+ version = "~> 1.2"
+}
+
+provider "null" {
+ version = "~> 2.1"
+}
+
+provider "template" {
+ version = "~> 2.1"
+}
+
+data "aws_eks_cluster" "cluster" {
+ name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+ load_config_file = false
+ version = "~> 1.11"
+}
+
+data "aws_availability_zones" "available" {
+}
+
+locals {
+ cluster_name = "test-eks-${random_string.suffix.result}"
+}
+
+resource "random_string" "suffix" {
+ length = 8
+ special = false
+}
+
+resource "aws_kms_key" "eks" {
+ description = "EKS Secret Encryption Key"
+}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.6.0"
+
+ name = "test-vpc"
+ cidr = "10.0.0.0/16"
+ azs = data.aws_availability_zones.available.names
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = "1"
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ }
+}
+
+module "eks" {
+ source = "../.."
+ cluster_name = local.cluster_name
+ subnets = module.vpc.private_subnets
+
+ cluster_encryption_config = [
+ {
+ provider_key_arn = aws_kms_key.eks.arn
+ resources = ["secrets"]
+ }
+ ]
+
+ tags = {
+ Environment = "test"
+ GithubRepo = "terraform-aws-eks"
+ GithubOrg = "terraform-aws-modules"
+ }
+
+ vpc_id = module.vpc.vpc_id
+
+ worker_groups = [
+ {
+ name = "worker-group-1"
+ instance_type = "t2.small"
+ additional_userdata = "echo foo bar"
+ asg_desired_capacity = 2
+ },
+ ]
+
+ map_roles = var.map_roles
+ map_users = var.map_users
+ map_accounts = var.map_accounts
+}
diff --git a/examples/secrets_encryption/outputs.tf b/examples/secrets_encryption/outputs.tf
new file mode 100644
index 0000000000..51ddb024a2
--- /dev/null
+++ b/examples/secrets_encryption/outputs.tf
@@ -0,0 +1,24 @@
+output "cluster_endpoint" {
+ description = "Endpoint for EKS control plane."
+ value = module.eks.cluster_endpoint
+}
+
+output "cluster_security_group_id" {
+ description = "Security group ids attached to the cluster control plane."
+ value = module.eks.cluster_security_group_id
+}
+
+output "kubectl_config" {
+ description = "kubectl config as generated by the module."
+ value = module.eks.kubeconfig
+}
+
+output "config_map_aws_auth" {
+ description = "A kubernetes configuration to authenticate to this EKS cluster."
+ value = module.eks.config_map_aws_auth
+}
+
+output "region" {
+ description = "AWS region."
+ value = var.region
+}
diff --git a/examples/secrets_encryption/variables.tf b/examples/secrets_encryption/variables.tf
new file mode 100644
index 0000000000..7085aeabd4
--- /dev/null
+++ b/examples/secrets_encryption/variables.tf
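Review bot: `aws_kms_key.eks` is declared with only a `description`, so the CMK that envelope-encrypts Kubernetes secrets is created without automatic rotation and with the provider's default deletion window, under the default key policy; an example that readers will copy verbatim should set `enable_key_rotation = true` and an explicit `deletion_window_in_days`, and a one-line comment saying the default key policy is in effect would avoid surprises when the key is later locked down. The worker group's `additional_userdata = "echo foo bar"` is a leftover placeholder that either belongs in a comment or should be removed so the example runs no unexplained user-data on every node.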
@@ -0,0 +1,52 @@
+variable "region" {
+ default = "us-west-2"
+}
+
+variable "map_accounts" {
+ description = "Additional AWS account numbers to add to the aws-auth configmap."
+ type = list(string)
+
+ default = [
+ "777777777777",
+ "888888888888",
+ ]
+}
+
+variable "map_roles" {
+ description = "Additional IAM roles to add to the aws-auth configmap."
+ type = list(object({
+ rolearn = string
+ username = string
+ groups = list(string)
+ }))
+
+ default = [
+ {
+ rolearn = "arn:aws:iam::66666666666:role/role1"
+ username = "role1"
+ groups = ["system:masters"]
+ },
+ ]
+}
+
+variable "map_users" {
+ description = "Additional IAM users to add to the aws-auth configmap."
+ type = list(object({
+ userarn = string
+ username = string
+ groups = list(string)
+ }))
+
+ default = [
+ {
+ userarn = "arn:aws:iam::66666666666:user/user1"
+ username = "user1"
+ groups = ["system:masters"]
+ },
+ {
+ userarn = "arn:aws:iam::66666666666:user/user2"
+ username = "user2"
+ groups = ["system:masters"]
+ },
+ ]
+}
diff --git a/examples/spot_instances/main.tf b/examples/spot_instances/main.tf
index 8382d14c90..5d6b5eee5c 100644
--- a/examples/spot_instances/main.tf
+++ b/examples/spot_instances/main.tf
@@ -36,7 +36,7 @@ provider "kubernetes" {
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
 token = data.aws_eks_cluster_auth.cluster.token
 load_config_file = false
- version = "~> 1.10"
+ version = "~> 1.11"
 }
 data "aws_availability_zones" "available" {
@@ -60,10 +60,6 @@ module "vpc" {
 azs = data.aws_availability_zones.available.names
 public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
 enable_dns_hostnames = true
-
- tags = {
- "kubernetes.io/cluster/${local.cluster_name}" = "shared"
- }
 }
 module "eks" {
diff --git a/irsa.tf b/irsa.tf
index 08096d8f08..11c0cc735c 100644
--- a/irsa.tf
+++ b/irsa.tf
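Review bot: The defaults for `map_roles` and `map_users` place every listed principal in `system:masters`, which is cluster-admin, while the descriptions only say "Additional IAM roles/users to add to the aws-auth configmap"; since this file is meant to be copied, the description should state that the ARNs are placeholders and what the group grants, e.g. `description = "Additional IAM users to add to the aws-auth configmap. The defaults are placeholder ARNs that receive system:masters (cluster-admin); replace them before use."`, and likewise for `map_roles`. The same wording would help `map_accounts`, whose placeholder account numbers are otherwise indistinguishable from real ones.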
@@ -8,7 +8,7 @@
 # https://github.com/terraform-providers/terraform-provider-aws/issues/10104
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
- count = var.enable_irsa ? 1 : 0
+ count = var.enable_irsa && var.create_eks ? 1 : 0
 client_id_list = ["sts.amazonaws.com"]
 thumbprint_list = [var.eks_oidc_root_ca_thumbprint]
 url = flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, [""]))[0]
diff --git a/local.tf b/local.tf
index 609185816f..658290b06e 100644
--- a/local.tf
+++ b/local.tf
@@ -8,10 +8,10 @@ locals {
 ) ]
- cluster_security_group_id = var.cluster_security_group_id == "" ? join("", aws_security_group.cluster.*.id) : var.cluster_security_group_id
+ cluster_security_group_id = var.cluster_create_security_group ? join("", aws_security_group.cluster.*.id) : var.cluster_security_group_id
 cluster_iam_role_name = var.manage_cluster_iam_resources ? join("", aws_iam_role.cluster.*.name) : var.cluster_iam_role_name
 cluster_iam_role_arn = var.manage_cluster_iam_resources ? join("", aws_iam_role.cluster.*.arn) : join("", data.aws_iam_role.custom_cluster_iam_role.*.arn)
- worker_security_group_id = var.worker_security_group_id == "" ? join("", aws_security_group.workers.*.id) : var.worker_security_group_id
+ worker_security_group_id = var.worker_create_security_group ? join("", aws_security_group.workers.*.id) : var.worker_security_group_id
 default_iam_role_id = concat(aws_iam_role.workers.*.id, [""])[0]
 kubeconfig_name = var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name
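Review bot: `cluster_security_group_id` and `worker_security_group_id` are now chosen by `var.cluster_create_security_group` / `var.worker_create_security_group` instead of by whether the id variable is empty, so a caller that previously passed only `cluster_security_group_id` will, after upgrading, get a module-created group while its own is silently ignored, and a caller that sets the flag to `false` without supplying an id ends up with an empty string here (assuming the id variables keep an empty default, which this diff does not show). With `required_version = ">= 0.12.9"` a `validation` block is not available, so the coupling should at least be stated on these two lines, e.g. `# *_create_security_group decides; a supplied *_security_group_id is only used when the flag is false`, and repeated in the upgrade notes. The enclosing `locals` block starts outside this hunk.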
@@ -19,19 +19,23 @@ locals {
 worker_group_count = length(var.worker_groups)
 worker_group_launch_template_count = length(var.worker_groups_launch_template)
- default_ami_id_linux = data.aws_ami.eks_worker.id
- default_ami_id_windows = data.aws_ami.eks_worker_windows.id
+ default_ami_id_linux = coalesce(local.workers_group_defaults.ami_id, data.aws_ami.eks_worker.id)
+ default_ami_id_windows = coalesce(local.workers_group_defaults.ami_id_windows, data.aws_ami.eks_worker_windows.id)
+ policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+
 workers_group_defaults_defaults = {
 name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
 tags = [] # A list of map defining extra tags to be applied to the worker group autoscaling group.
- ami_id = "" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform.
+ ami_id = "" # AMI ID for the eks linux based workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform.
+ ami_id_windows = "" # AMI ID for the eks windows based workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform.
 asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group and changing its value will not affect the autoscaling group's desired capacity because the cluster-autoscaler manages up and down scaling of the nodes. Cluster-autoscaler add nodes when pods are in pending state and remove the nodes when they are not required by modifying the desirec_capacity of the autoscaling group. Although an issue exists in which if the value of the asg_min_size is changed it modifies the value of asg_desired_capacity.
 asg_max_size = "3" # Maximum worker capacity in the autoscaling group.
 asg_min_size = "1" # Minimum worker capacity in the autoscaling group. NOTE: Change in this paramater will affect the asg_desired_capacity, like changing its value to 2 will change asg_desired_capacity value to 2 but bringing back it to 1 will not affect the asg_desired_capacity.
 asg_force_delete = false # Enable forced deletion for the autoscaling group.
 asg_initial_lifecycle_hooks = [] # Initital lifecycle hook for the autoscaling group.
 asg_recreate_on_change = false # Recreate the autoscaling group when the Launch Template or Launch Configuration change.
+ default_cooldown = null # The amount of time, in seconds, after a scaling activity completes before another scaling activity can start.
+ health_check_grace_period = null # Time in seconds after instance comes into service before checking health.
 instance_type = "m4.large" # Size of the workers instances.
 spot_price = "" # Cost of spot instance.
 placement_tenancy = "" # The tenancy of the instance. Valid values are "default" or "dedicated".
@@ -49,7 +53,6 @@ locals {
 public_ip = false # Associate a public ip address with a worker
 kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints.
 subnets = var.subnets # A list of subnets to place the worker nodes in. i.e. ["subnet-123", "subnet-456", "subnet-789"]
- autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling.
 additional_security_group_ids = [] # A list of additional security group ids to include in worker launch config
 protect_from_scale_in = false # Prevent AWS from scaling in, so that cluster-autoscaler is solely responsible.
 iam_instance_profile_name = "" # A custom IAM instance profile name. Used when manage_worker_iam_resources is set to false. Incompatible with iam_role_id.
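Review bot: Dropping `autoscaling_enabled` from `workers_group_defaults_defaults` leaves a worker group that still sets it neither rejected nor acted on — `workers_group_defaults` is built with `merge(...)` (context in the next hunk), so an unknown key is carried through unused — and users who relied on it lose the autoscaling policy and matching ASG tags with no plan-time signal. The same silent removal applies to the `manage_worker_autoscaling_policy` / `attach_worker_autoscaling_policy` variables and the `worker_autoscaling_policy_*` outputs later in this diff. Please pair the removal with an upgrade note naming the replacement (presumably the IRSA-based approach behind the new `examples/irsa` files, which I cannot confirm from this diff). The enclosing `locals` block starts outside this hunk.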
@@ -61,13 +64,14 @@ locals {
 service_linked_role_arn = "" # Arn of custom service linked role that Auto Scaling group will use. Useful when you have encrypted EBS
 termination_policies = [] # A list of policies to decide how the instances in the auto scale group should be terminated.
 platform = "linux" # Platform of workers. either "linux" or "windows"
+ additional_ebs_volumes = [] # A list of additional volumes to be attached to the instances on this Auto Scaling group. Each volume should be an object with the following: block_device_name (required), volume_size, volume_type, iops, encrypted, kms_key_id (only on launch-template), delete_on_termination. Optional values are grabbed from root volume or from defaults # Settings for launch templates
 root_block_device_name = data.aws_ami.eks_worker.root_device_name # Root device name for workers. If non is provided, will assume default AMI was used.
 root_kms_key_id = "" # The KMS key to use when encrypting the root storage device
 launch_template_version = "$Latest" # The lastest version of the launch template to use in the autoscaling group
 launch_template_placement_tenancy = "default" # The placement tenancy for instances
 launch_template_placement_group = "" # The name of the placement group into which to launch the instances, if any.
- root_encrypted = "" # Whether the volume should be encrypted or not
+ root_encrypted = false # Whether the volume should be encrypted or not
 eni_delete = true # Delete the Elastic Network Interface (ENI) on termination (if set to false you will have to manually delete before destroying)
 cpu_credits = "standard" # T2/T3 unlimited mode, can be 'standard' or 'unlimited'. Used 'standard' mode as default to avoid paying higher costs
 market_type = null
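Review bot: `root_encrypted` now defaults to `false`, which makes an unencrypted root EBS volume the explicit default for every worker group, and the new `additional_ebs_volumes` comment says optional values such as `encrypted` are "grabbed from root volume or from defaults", so extra data volumes inherit that unencrypted default as well. If the default is intentional the comment should say so and point at the related setting, e.g. `root_encrypted = false # Whether the root volume should be encrypted. Defaults to unencrypted; set true (and optionally root_kms_key_id) for workers that hold sensitive data`; otherwise `true` is the safer default, with the caveat that it changes plans for existing users. The enclosing `locals` block starts outside this hunk.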
@@ -79,6 +83,7 @@ locals {
 spot_allocation_strategy = "lowest-price" # Valid options are 'lowest-price' and 'capacity-optimized'. If 'lowest-price', the Auto Scaling group launches instances using the Spot pools with the lowest price, and evenly allocates your instances across the number of Spot pools. If 'capacity-optimized', the Auto Scaling group launches instances using Spot pools that are optimally chosen based on the available Spot capacity.
 spot_instance_pools = 10 # "Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify."
 spot_max_price = "" # Maximum price per unit hour that the user is willing to pay for the Spot instances. Default is the on-demand price
+ max_instance_lifetime = 0 # Maximum number of seconds instances can run in the ASG. 0 is unlimited.
 }
 workers_group_defaults = merge(
diff --git a/modules/node_groups/README.md b/modules/node_groups/README.md
index 5681ff769e..6ac8842f35 100644
--- a/modules/node_groups/README.md
+++ b/modules/node_groups/README.md
@@ -28,6 +28,7 @@ The role ARN specified in `var.default_iam_role_arn` will be used by default. In
 | key\_name | Key name for workers. Set to empty string to disable remote access | string | `var.workers_group_defaults[key_name]` |
 | max\_capacity | Max number of workers | number | `var.workers_group_defaults[asg_max_size]` |
 | min\_capacity | Min number of workers | number | `var.workers_group_defaults[asg_min_size]` |
+| name | Name of the node group | string | Auto generated |
 | source\_security\_group\_ids | Source security groups for remote access to workers | list(string) | If key\_name is specified: THE REMOTE ACCESS WILL BE OPENED TO THE WORLD |
 | subnets | Subnets to contain workers | list(string) | `var.workers_group_defaults[subnets]` |
 | version | Kubernetes version | string | Provider default behavior |
diff --git a/modules/node_groups/node_groups.tf b/modules/node_groups/node_groups.tf
index e42a4ee6c4..62dc6bff98 100644
--- a/modules/node_groups/node_groups.tf
+++ b/modules/node_groups/node_groups.tf
@@ -1,7 +1,7 @@
 resource "aws_eks_node_group" "workers" {
 for_each = local.node_groups_expanded
- node_group_name = join("-", [var.cluster_name, each.key, random_pet.node_groups[each.key].id])
+ node_group_name = lookup(each.value, "name", join("-", [var.cluster_name, each.key, random_pet.node_groups[each.key].id]))
 cluster_name = var.cluster_name
 node_role_arn = each.value["iam_role_arn"]
diff --git a/node_groups.tf b/node_groups.tf
index 6c7b438cfb..5c2b92eb4e 100644
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -4,16 +4,15 @@ data "null_data_source" "node_groups" {
 count = var.create_eks ? 1 : 0
 inputs = {
- cluster_name = var.cluster_name
+ cluster_name = aws_eks_cluster.this[0].name
 # Ensure these resources are created before "unlocking" the data source. # `depends_on` causes a refresh on every run so is useless here. # [Re]creating or removing these resources will trigger recreation of Node Group resources
- aws_auth = coalescelist(kubernetes_config_map.aws_auth[*].id, [""])[0]
- role_NodePolicy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy[*].id, [""])[0]
- role_CNI_Policy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy[*].id, [""])[0]
- role_Container = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly[*].id, [""])[0]
- role_autoscaling = coalescelist(aws_iam_role_policy_attachment.workers_autoscaling[*].id, [""])[0]
+ aws_auth = coalescelist(kubernetes_config_map.aws_auth[*].id, [""])[0]
+ role_NodePolicy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy[*].id, [""])[0]
+ role_CNI_Policy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy[*].id, [""])[0]
+ role_Container = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly[*].id, [""])[0]
 }
 }
diff --git a/outputs.tf b/outputs.tf
index 59a4077569..b1f8c3c049 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -153,16 +153,6 @@ output "worker_iam_role_arn" {
 )[0]
 }
-output "worker_autoscaling_policy_name" {
- description = "Name of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true`"
- value = concat(aws_iam_policy.worker_autoscaling[*].name, [""])[0]
-}
-
-output "worker_autoscaling_policy_arn" {
- description = "ARN of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true`"
- value = concat(aws_iam_policy.worker_autoscaling[*].arn, [""])[0]
-}
-
 output "node_groups" {
 description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys"
 value = module.node_groups.node_groups
diff --git a/templates/worker-role.tpl b/templates/worker-role.tpl
deleted file mode 100644
index 9d5e93bb30..0000000000
--- a/templates/worker-role.tpl
+++ /dev/null
@@ -1,8 +0,0 @@
-- rolearn: ${worker_role_arn}
- username: system:node:{{EC2PrivateDNSName}}
- groups:
- - system:bootstrappers
- - system:nodes
- %{~ if platform == "windows" ~}
- - eks:kube-proxy-windows
- %{~ endif ~}
diff --git a/test/integration/default/test_eks.rb b/test/integration/default/test_eks.rb
deleted file mode 100644
index acf27844f6..0000000000
--- a/test/integration/default/test_eks.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-require 'awspec'
-
-# rubocop:disable LineLength
-state_file = 'terraform.tfstate.d/kitchen-terraform-default-aws/terraform.tfstate'
-tf_state = JSON.parse(File.open(state_file).read)
-region = tf_state['modules'][0]['outputs']['region']['value']
-ENV['AWS_REGION'] = region
diff --git a/tools/semtag b/tools/semtag
new file mode 100755
index 0000000000..568d4241ad
--- /dev/null
+++ b/tools/semtag
@@ -0,0 +1,627 @@
+#!/usr/bin/env bash
+#
+# Thanks to @pnikosis for this script https://github.com/pnikosis/semtag
+#
+PROG=semtag
+PROG_VERSION="v0.1.0"
+
+SEMVER_REGEX="^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(\-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$"
+IDENTIFIER_REGEX="^\-([0-9A-Za-z-]+)\.([0-9A-Za-z-]+)*$"
+
+# Global variables
+FIRST_VERSION="v0.0.0"
+finalversion=$FIRST_VERSION
+lastversion=$FIRST_VERSION
+hasversiontag="false"
+scope="patch"
+displayonly="false"
+forcetag="false"
+forcedversion=
+versionname=
+identifier=
+
+HELP="\
+Usage:
+ $PROG
+ $PROG getlast
+ $PROG getfinal
+ $PROG (final|alpha|beta|candidate) [-s (major|minor|patch|auto) | -o]
+ $PROG --help
+ $PROG --version
+Options:
+ -s The scope that must be increased, can be major, minor or patch.
+ The resulting version will match X.Y.Z(-PRERELEASE)(+BUILD)
+ where X, Y and Z are positive integers, PRERELEASE is an optionnal
+ string composed of alphanumeric characters describing if the build is
+ a release candidate, alpha or beta version, with a number.
+ BUILD is also an optional string composed of alphanumeric
+ characters and hyphens.
+ Setting the scope as 'auto', the script will chose the scope between
+ 'minor' and 'patch', depending on the amount of lines added (<10% will
+ choose patch).
+ -v Specifies manually the version to be tagged, must be a valid semantic version
+ in the format X.Y.Z where X, Y and Z are positive integers.
+ -o Output the version only, shows the bumped version, but doesn't tag.
+ -f Forces to tag, even if there are unstaged or uncommited changes.
+Commands:
+ --help Print this help message.
+ --version Prints the program's version.
+ get Returns both current final version and last tagged version.
+ getlast Returns the latest tagged version.
+ getfinal Returns the latest tagged final version.
+ getcurrent Returns the current version, based on the latest one, if there are uncommited or
+ unstaged changes, they will be reflected in the version, adding the number of
+ pending commits, current branch and commit hash.
+ final Tags the current build as a final version, this only can be done on the master branch.
+ candidate Tags the current build as a release candidate, the tag will contain all
+ the commits from the last final version.
+ alpha Tags the current build as an alpha version, the tag will contain all
+ the commits from the last final version.
+ beta Tags the current build as a beta version, the tag will contain all
+ the commits from the last final version."
+
+# Commands and options
+ACTION="getlast"
+ACTION="$1"
+shift
+
+# We get the parameters
+while getopts "v:s:of" opt; do
+ case $opt in
+ v)
+ forcedversion="$OPTARG"
+ ;;
+ s)
+ scope="$OPTARG"
+ ;;
+ o)
+ displayonly="true"
+ ;;
+ f)
+ forcetag="true"
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ :)
+ echo "Option -$OPTARG requires an argument." >&2
+ exit 1
+ ;;
+ esac
+done
+
+# Gets a string with the version and returns an array of maximum size of 5 with all the parts of the sematinc version
+# $1 The string containing the version in semantic format
+# $2 The variable to store the result array:
+# position 0: major number
+# position 1: minor number
+# position 2: patch number
+# position 3: identifier (or prerelease identifier)
+# position 4: build info
+function explode_version {
+ local __version=$1
+ local __result=$2
+ if [[ $__version =~ $SEMVER_REGEX ]] ; then
+ local __major=${BASH_REMATCH[1]}
+ local __minor=${BASH_REMATCH[2]}
+ local __patch=${BASH_REMATCH[3]}
+ local __prere=${BASH_REMATCH[4]}
+ local __build=${BASH_REMATCH[5]}
+ eval "$__result=(\"$__major\" \"$__minor\" \"$__patch\" \"$__prere\" \"$__build\")"
+ else
+ eval "$__result="
+ fi
+}
+
+# Compare two versions and returns -1, 0 or 1
+# $1 The first version to compare
+# $2 The second version to compare
+# $3 The variable where to store the result
+function compare_versions {
+ local __first
+ local __second
+ explode_version $1 __first
+ explode_version $2 __second
+ local lv=$3
+
+ # Compares MAJOR, MINOR and PATCH
+ for i in 0 1 2; do
+ local __numberfirst=${__first[$i]}
+ local __numbersecond=${__second[$i]}
+ case $(($__numberfirst - $__numbersecond)) in
+ 0)
+ ;;
+ -[0-9]*)
+ eval "$lv=-1"
+ return 0
+ ;;
+ [0-9]*)
+ eval "$lv=1"
+ return 0
+ ;;
+ esac
+ done
+
+ # Identifiers should compare with the ASCII order.
+ local __identifierfirst=${__first[3]}
+ local __identifiersecond=${__second[3]}
+ if [[ -n "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then
+ if [[ "$__identifierfirst" > "$__identifiersecond" ]]; then
+ eval "$lv=1"
+ return 0
+ elif [[ "$__identifierfirst" < "$__identifiersecond" ]]; then
+ eval "$lv=-1"
+ return 0
+ fi
+ elif [[ -z "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then
+ eval "$lv=1"
+ return 0
+ elif [[ -n "$__identifierfirst" ]] && [[ -z "$__identifiersecond" ]]; then
+ eval "$lv=-1"
+ return 0
+ fi
+
+ eval "$lv=0"
+}
+
+# Returns the last version of two
+# $1 The first version to compare
+# $2 The second version to compare
+# $3 The variable where to store the last one
+function get_latest_of_two {
+ local __first=$1
+ local __second=$2
+ local __result
+ local __latest=$3
+ compare_versions $__first $__second __result
+ case $__result in
+ 0)
+ eval "$__latest=$__second"
+ ;;
+ -1)
+ eval "$__latest=$__second"
+ ;;
+ 1)
+ eval "$__latest=$__first"
+ ;;
+ esac
+}
+
+# Assigns a 2 size array with the identifier, having the identifier at pos 0, and the number in pos 1
+# $1 The identifier in the format -id.#
+# $2 The vferiable where to store the 2 size array
+function explode_identifier {
+ local __identifier=$1
+ local __result=$2
+ if [[ $__identifier =~ $IDENTIFIER_REGEX ]] ; then
+ local __id=${BASH_REMATCH[1]}
+ local __number=${BASH_REMATCH[2]}
+ if [[ -z "$__number" ]]; then
+ __number=1
+ fi
+ eval "$__result=(\"$__id\" \"$__number\")"
+ else
+ eval "$__result="
+ fi
+}
+
+# Gets a list of tags and assigns the base and latest versions
+# Receives an array with the tags containing the versions
+# Assigns to the global variables finalversion and lastversion the final version and the latest version
+function get_latest {
+ local __taglist=("$@")
+ local __tagsnumber=${#__taglist[@]}
+ local __current
+ case $__tagsnumber in
+ 0)
+ finalversion=$FIRST_VERSION
+ lastversion=$FIRST_VERSION
+ ;;
+ 1)
+ __current=${__taglist[0]}
+ explode_version $__current ver
+ if [ -n "$ver" ]; then
+ if [ -n "${ver[3]}" ]; then
+ finalversion=$FIRST_VERSION
+ else
+ finalversion=$__current
+ fi
+ lastversion=$__current
+ else
+ finalversion=$FIRST_VERSION
+ lastversion=$FIRST_VERSION
+ fi
+ ;;
+ *)
+ local __lastpos=$(($__tagsnumber-1))
+ for i in $(seq 0 $__lastpos)
+ do
+ __current=${__taglist[i]}
+ explode_version ${__taglist[i]} ver
+ if [ -n "$ver" ]; then
+ if [ -z "${ver[3]}" ]; then
+ get_latest_of_two $finalversion $__current finalversion
+ get_latest_of_two $lastversion $finalversion lastversion
+ else
+ get_latest_of_two $lastversion $__current lastversion
+ fi
+ fi
+ done
+ ;;
+ esac
+
+ if git rev-parse -q --verify "refs/tags/$lastversion" >/dev/null; then
+ hasversiontag="true"
+ else
+ hasversiontag="false"
+ fi
+}
+
+# Gets the next version given the provided scope
+# $1 The version that is going to be bumped
+# $2 The scope to bump
+# $3 The variable where to stoer the result
+function get_next_version {
+ local __exploded
+ local __fromversion=$1
+ local __scope=$2
+ local __result=$3
+ explode_version $__fromversion __exploded
+ case $__scope in
+ major)
+ __exploded[0]=$((${__exploded[0]}+1))
+ __exploded[1]=0
+ __exploded[2]=0
+ ;;
+ minor)
+ __exploded[1]=$((${__exploded[1]}+1))
+ __exploded[2]=0
+ ;;
+ patch)
+ __exploded[2]=$((${__exploded[2]}+1))
+ ;;
+ esac
+
+ eval "$__result=v${__exploded[0]}.${__exploded[1]}.${__exploded[2]}"
+}
+
+function bump_version {
+ ## First we try to get the next version based on the existing last one
+ if [ "$scope" == "auto" ]; then
+ get_scope_auto scope
+ fi
+
+ local __candidatefromlast=$FIRST_VERSION
+ local __explodedlast
+ explode_version $lastversion __explodedlast
+ if [[ -n "${__explodedlast[3]}" ]]; then
+ # Last version is not final
+ local __idlast
+ explode_identifier ${__explodedlast[3]} __idlast
+
+ # We get the last, given the desired id based on the scope
+ __candidatefromlast="v${__explodedlast[0]}.${__explodedlast[1]}.${__explodedlast[2]}"
+ if [[ -n "$identifier" ]]; then
+ local __nextid="$identifier.1"
+ if [ "$identifier" == "${__idlast[0]}" ]; then
+ # We target the same identifier as the last so we increase one
+ __nextid="$identifier.$(( ${__idlast[1]}+1 ))"
+ __candidatefromlast="$__candidatefromlast-$__nextid"
+ else
+ # Different identifiers, we make sure we are assigning a higher identifier, if not, we increase the version
+ __candidatefromlast="$__candidatefromlast-$__nextid"
+ local __comparedwithlast
+ compare_versions $__candidatefromlast $lastversion __comparedwithlast
+ if [ "$__comparedwithlast" == -1 ]; then
+ get_next_version $__candidatefromlast $scope __candidatefromlast
+ __candidatefromlast="$__candidatefromlast-$__nextid"
+ fi
+ fi
+ fi
+ fi
+
+ # Then we try to get the version based on the latest final one
+ local __candidatefromfinal=$FIRST_VERSION
+ get_next_version $finalversion $scope __candidatefromfinal
+ if [[ -n "$identifier" ]]; then
+ __candidatefromfinal="$__candidatefromfinal-$identifier.1"
+ fi
+
+ # Finally we compare both candidates
+ local __resultversion
+ local __result
+ compare_versions $__candidatefromlast $__candidatefromfinal __result
+ case $__result in
+ 0)
+ __resultversion=$__candidatefromlast
+ ;;
+ -1)
+ __resultversion="$__candidatefromfinal"
+ ;;
+ 1)
+ __resultversion=$__candidatefromlast
+ ;;
+ esac
+
+ eval "$1=$__resultversion"
+}
+
+function increase_version {
+ local __version=
+
+ if [ -z $forcedversion ]; then
+ bump_version __version
+ else
+ if [[ $forcedversion =~ $SEMVER_REGEX ]] ; then
+ compare_versions $forcedversion $lastversion __result
+ if [ $__result -le 0 ]; then
+ echo "Version can't be lower than last version: $lastversion"
+ exit 1
+ fi
+ else
+ echo "Non valid version to bump"
+ exit 1
+ fi
+ __version=$forcedversion
+ fi
+
+ if [ "$displayonly" == "true" ]; then
+ echo "$__version"
+ else
+ if [ "$forcetag" == "false" ]; then
+ check_git_dirty_status
+ fi
+ local __commitlist
+ if [ "$finalversion" == "$FIRST_VERSION" ] || [ "$hasversiontag" != "true" ]; then
+ __commitlist="$(git log --pretty=oneline | cat)"
+ else
+ __commitlist="$(git log --pretty=oneline $finalversion... | cat)"
+ fi
+
+ # If we are forcing a bump, we add bump to the commit list
+ if [[ -z $__commitlist && "$forcetag" == "true" ]]; then
+ __commitlist="bump"
+ fi
+
+ if [[ -z $__commitlist ]]; then
+ echo "No commits since the last final version, not bumping version"
+ else
+ if [[ -z $versionname ]]; then
+ versionname=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ fi
+ local __message="$versionname
+$__commitlist"
+
+ # We check we have info on the user
+ local __username=$(git config user.name)
+ if [ -z "$__username" ]; then
+ __username=$(id -u -n)
+ git config user.name $__username
+ fi
+ local __useremail=$(git config user.email)
+ if [ -z "$__useremail" ]; then
+ __useremail=$(hostname)
+ git config user.email "$__username@$__useremail"
+ fi
+
+ git tag -a $__version -m "$__message"
+
+ # If we have a remote, we push there
+ local __remotes=$(git remote)
+ if [[ -n $__remotes ]]; then
+ for __remote in $__remotes; do
+ git push $__remote $__version > /dev/null
+ if [ $? -eq 0 ]; then
+ echo "$__version pushed to $__remote"
+ else
+ echo "Error pushing the tag $__version to $__remote"
+ exit 1
+ fi
+ done
+ else
+ echo "$__version"
+ fi
+ fi
+ fi
+}
+
+function check_git_dirty_status {
+ local __repostatus=
+ get_work_tree_status __repostatus
+
+ if [ "$__repostatus" == "uncommitted" ]; then
+ echo "ERROR: You have uncommitted changes"
+ git status --porcelain
+ exit 1
+ fi
+
+ if [ "$__repostatus" == "unstaged" ]; then
+ echo "ERROR: You have unstaged changes"
+ git status --porcelain
+ exit 1
+ fi
+}
+
+# Get the total amount of lines of code in the repo
+function get_total_lines {
+ local __empty_id="$(git hash-object -t tree /dev/null)"
+ local __changes="$(git diff --numstat $__empty_id | cat)"
+ local __added_deleted=$1
+ get_changed_lines "$__changes" $__added_deleted
+}
+
+# Get the total amount of lines of code since the provided tag
+function get_sincetag_lines {
+ local __sincetag=$1
+ local __changes="$(git diff --numstat $__sincetag | cat)"
+ local __added_deleted=$2
+ get_changed_lines "$__changes" $__added_deleted
+}
+
+function get_changed_lines {
+ local __changes_numstat=$1
+ local __result=$2
+ IFS=$'\n' read -rd '' -a __changes_array <<<"$__changes_numstat"
+ local __diff_regex="^([0-9]+)[[:space:]]+([0-9]+)[[:space:]]+.+$"
+
+ local __total_added=0
+ local __total_deleted=0
+ for i in "${__changes_array[@]}"
+ do
+ if [[ $i =~ $__diff_regex ]] ; then
+ local __added=${BASH_REMATCH[1]}
+ local __deleted=${BASH_REMATCH[2]}
+ __total_added=$(( $__total_added+$__added ))
+ __total_deleted=$(( $__total_deleted+$__deleted ))
+ fi
+ done
+ eval "$2=( $__total_added $__total_deleted )"
+}
+
+function get_scope_auto {
+ local __verbose=$2
+ local __total=0
+ local __since=0
+ local __scope=
+
+ get_total_lines __total
+ get_sincetag_lines $finalversion __since
+
+ local __percentage=0
+ if [ "$__total" != "0" ]; then
+ local __percentage=$(( 100*$__since/$__total ))
+ if [ $__percentage -gt "10" ]; then
+ __scope="minor"
+ else
+ __scope="patch"
+ fi
+ fi
+
+ eval "$1=$__scope"
+ if [[ -n "$__verbose" ]]; then
+ echo "[Auto Scope] Percentage of lines changed: $__percentage"
+ echo "[Auto Scope] : $__scope"
+ fi
+}
+
+function get_work_tree_status {
+ # Update the index
+ git update-index -q --ignore-submodules --refresh > /dev/null
+ eval "$1="
+
+ if ! git diff-files --quiet --ignore-submodules -- > /dev/null
+ then
+ eval "$1=unstaged"
+ fi
+
+ if ! git diff-index --cached --quiet HEAD --ignore-submodules -- > /dev/null
+ then
+ eval "$1=uncommitted"
+ fi
+}
+
+function get_current {
+ if [ "$hasversiontag" == "true" ]; then
+ local __commitcount="$(git rev-list $lastversion.. --count)"
+ else
+ local __commitcount="$(git rev-list --count HEAD)"
+ fi
+ local __status=
+ get_work_tree_status __status
+
+ if [ "$__commitcount" == "0" ] && [ -z "$__status" ]; then
+ eval "$1=$lastversion"
+ else
+ local __buildinfo="$(git rev-parse --short HEAD)"
+ local __currentbranch="$(git rev-parse --abbrev-ref HEAD)"
+ if [ "$__currentbranch" != "master" ]; then
+ __buildinfo="$__currentbranch.$__buildinfo"
+ fi
+
+ local __suffix=
+ if [ "$__commitcount" != "0" ]; then
+ if [ -n "$__suffix" ]; then
+ __suffix="$__suffix."
+ fi
+ __suffix="$__suffix$__commitcount"
+ fi
+ if [ -n "$__status" ]; then
+ if [ -n "$__suffix" ]; then
+ __suffix="$__suffix."
+ fi
+ __suffix="$__suffix$__status"
+ fi
+
+ __suffix="$__suffix+$__buildinfo"
+ if [ "$lastversion" == "$finalversion" ]; then
+ scope="patch"
+ identifier=
+ local __bumped=
+ bump_version __bumped
+ eval "$1=$__bumped-dev.$__suffix"
+ else
+ eval "$1=$lastversion.$__suffix"
+ fi
+ fi
+}
+
+function init {
+ git fetch > /dev/null
+ TAGS="$(git tag)"
+ IFS=$'\n' read -rd '' -a TAG_ARRAY <<<"$TAGS"
+
+ get_latest ${TAG_ARRAY[@]}
+ currentbranch="$(git rev-parse --abbrev-ref HEAD)"
+}
+
+case $ACTION in
+ --help)
+ echo -e "$HELP"
+ ;;
+ --version)
+ echo -e "${PROG}: $PROG_VERSION"
+ ;;
+ final)
+ init
+ diff=$(git diff master | cat)
+ if [ "$forcetag" == "false" ]; then
+ if [ -n "$diff" ]; then
+ echo "ERROR: Branch must be updated with master for final versions"
+ exit 1
+ fi
+ fi
+ increase_version
+ ;;
+ alpha|beta)
+ init
+ identifier="$ACTION"
+ increase_version
+ ;;
+ candidate)
+ init
+ identifier="rc"
+ increase_version
+ ;;
+ getlast)
+ init
+ echo "$lastversion"
+ ;;
+ getfinal)
+ init
+ echo "$finalversion"
+ ;;
+ getcurrent)
+ init
+ get_current current
+ echo "$current"
+ ;;
+ get)
+ init
+ echo "Current final version: $finalversion"
+ echo "Last tagged version: $lastversion"
+ ;;
+ *)
+ echo "'$ACTION' is not a valid command, see --help for available commands."
+ ;;
+esac
diff --git a/variables.tf b/variables.tf
index 195cc58b47..3d6f8fabd2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,7 +28,7 @@ variable "cluster_security_group_id" {
 variable "cluster_version" {
 description = "Kubernetes version to use for the EKS cluster."
 type = string
- default = "1.14"
+ default = "1.15"
 }
 variable "config_output_path" {
@@ -189,7 +189,7 @@ variable "kubeconfig_name" {
 variable "cluster_create_timeout" {
 description = "Timeout value when creating the EKS cluster."
 type = string
- default = "15m"
+ default = "30m"
 }
 variable "cluster_delete_timeout" {
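Review bot: In `explode_version` the build metadata is read from `BASH_REMATCH[5]`, but with `SEMVER_REGEX` group 5 is the nested `(\.[0-9A-Za-z-]+)*` repetition inside the prerelease group and the `(\+...)` build group is group 6, so "position 4: build info" never receives the `+BUILD` part; it should be `local __build=${BASH_REMATCH[6]}`. Nothing in the script reads index 4, so the practical effect today is only that the documented contract of the function is wrong. Separately, `increase_version` has two side effects that `HELP` should spell out: it runs `git push` of the new tag to every configured remote with no option to opt out, and it writes `git config user.name` / `user.email` into the repository when they are unset, using `id -u -n` and `hostname`. Tag names reach `eval` only after matching `SEMVER_REGEX`, which restricts them to version-shaped strings, so that path is fine as written.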
@@ -201,7 +201,25 @@ variable "cluster_delete_timeout" {
 variable "wait_for_cluster_cmd" {
 description = "Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT"
 type = string
- default = "until curl -k -s $ENDPOINT/healthz >/dev/null; do sleep 4; done"
+ default = "for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null && exit 0 || true; sleep 5; done; echo TIMEOUT && exit 1"
+}
+
+variable "wait_for_cluster_interpreter" {
+ description = "Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy."
+ type = list(string)
+ default = ["/bin/sh", "-c"]
+}
+
+variable "cluster_create_security_group" {
+ description = "Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`."
+ type = bool
+ default = true
+}
+
+variable "worker_create_security_group" {
+ description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
+ type = bool
+ default = true
 }
 variable "worker_create_initial_lifecycle_hooks" {
@@ -222,6 +240,12 @@ variable "iam_path" {
 default = "/"
 }
+variable "cluster_endpoint_private_access_cidrs" {
+ description = "List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 variable "cluster_endpoint_private_access" {
 description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled."
 type = bool
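Review bot: The new `wait_for_cluster_cmd` default keeps the TLS-verification bypass of the one it replaces (`--no-check-certificate` in place of `curl -k`) and additionally assumes `wget` and `seq` exist on the host running Terraform, but the description mentions neither. The probe only hits `/healthz` on the module's own endpoint, so skipping verification is a defensible trade-off, yet operators in hardened environments should be able to see it in the variable docs rather than by parsing the default. Suggest extending the description with `Default skips TLS certificate verification and requires wget and seq on the Terraform host; override for stricter environments.` The new `wait_for_cluster_interpreter` description has a small grammar slip, `for the command to determining` should read `for the command determining`.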
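Review bot: `cluster_endpoint_private_access_cidrs` defaults to `["0.0.0.0/0"]`, which, assuming it feeds an ingress rule on the cluster security group elsewhere in the module, admits any source that can route to the VPC (peered VPCs, VPN and Transit Gateway attachments) whenever private access is enabled. The description should say this plainly and steer callers toward a narrower value, e.g. `description = "List of CIDR blocks which can access the Amazon EKS private API server endpoint when public access is disabled. The permissive default should be narrowed to the VPC or worker CIDRs."` It also states the rule applies "when public access is disabled"; whether the consuming rule is actually conditioned on that is not visible in this hunk, so the wording is worth confirming against the resource.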
@@ -264,18 +288,6 @@ variable "workers_role_name" {
 default = ""
 }
-variable "manage_worker_autoscaling_policy" {
- description = "Whether to let the module manage the cluster autoscaling iam policy."
- type = bool
- default = true
-}
-
-variable "attach_worker_autoscaling_policy" {
- description = "Whether to attach the module managed cluster autoscaling iam policy to the default worker IAM role. This requires `manage_worker_autoscaling_policy = true`"
- type = bool
- default = true
-}
-
 variable "attach_worker_cni_policy" {
 description = "Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster."
 type = bool
@@ -311,3 +323,12 @@ variable "eks_oidc_root_ca_thumbprint" {
 description = "Thumbprint of Root CA for EKS OIDC, Valid until 2037"
 default = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
 }
+
+variable "cluster_encryption_config" {
+ description = "Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format"
+ type = list(object({
+ provider_key_arn = string
+ resources = list(string)
+ }))
+ default = []
+}
diff --git a/version b/version
deleted file mode 100644
index 7c330f2dc9..0000000000
--- a/version
+++ /dev/null
@@ -1 +0,0 @@
-v8.2.0
diff --git a/versions.tf b/versions.tf
index 95fb1ef19e..fd052bbe15 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,11 +2,11 @@ terraform {
 required_version = ">= 0.12.9"
 required_providers {
- aws = ">= 2.44.0"
+ aws = ">= 2.52.0"
 local = ">= 1.2"
 null = ">= 2.1"
 template = ">= 2.1"
 random = ">= 2.1"
- kubernetes = ">= 1.6.2"
+ kubernetes = ">= 1.11.1"
 }
 }
diff --git a/workers.tf b/workers.tf
index b6e6f69f9e..2eed088c4f 100644
--- a/workers.tf
+++ b/workers.tf
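Review bot: `cluster_encryption_config` defaults to `[]`, so unless a caller opts in, Kubernetes secrets in the cluster get no KMS envelope encryption, and the description neither says so nor explains the two object fields it introduces. Spell out the default and the fields, e.g. `description = "Configuration block with encryption configuration for the cluster (KMS envelope encryption of Kubernetes resources). provider_key_arn is the KMS key ARN, resources the list of resource types to encrypt. Empty by default, meaning no KMS encryption. See examples/secrets_encryption/main.tf for the format."` This applies to the last hunk of variables.tf, `@@ -311,3 +323,12 @@`; the two-variable removal above it is a breaking change for callers still passing `manage_worker_autoscaling_policy` or `attach_worker_autoscaling_policy`, which presumably belongs in the changelog rather than here.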
@@ -73,6 +73,21 @@ resource "aws_autoscaling_group" "workers" {
 "termination_policies",
 local.workers_group_defaults["termination_policies"]
 )
+ max_instance_lifetime = lookup(
+ var.worker_groups[count.index],
+ "max_instance_lifetime",
+ local.workers_group_defaults["max_instance_lifetime"],
+ )
+ default_cooldown = lookup(
+ var.worker_groups[count.index],
+ "default_cooldown",
+ local.workers_group_defaults["default_cooldown"]
+ )
+ health_check_grace_period = lookup(
+ var.worker_groups[count.index],
+ "health_check_grace_period",
+ local.workers_group_defaults["health_check_grace_period"]
+ )
 dynamic "initial_lifecycle_hook" {
 for_each = var.worker_create_initial_lifecycle_hooks ? lookup(var.worker_groups[count.index], "asg_initial_lifecycle_hooks", local.workers_group_defaults["asg_initial_lifecycle_hooks"]) : []
@@ -104,29 +119,6 @@ resource "aws_autoscaling_group" "workers" {
 "value" = "owned"
 "propagate_at_launch" = true
 },
- {
- "key" = "k8s.io/cluster-autoscaler/${lookup(
- var.worker_groups[count.index],
- "autoscaling_enabled",
- local.workers_group_defaults["autoscaling_enabled"],
- ) ? "enabled" : "disabled"}"
- "value" = "true"
- "propagate_at_launch" = false
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${aws_eks_cluster.this[0].name}"
- "value" = aws_eks_cluster.this[0].name
- "propagate_at_launch" = false
- },
- {
- "key" = "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage"
- "value" = "${lookup(
- var.worker_groups[count.index],
- "root_volume_size",
- local.workers_group_defaults["root_volume_size"],
- )}Gi"
- "propagate_at_launch" = false
- },
 ],
 local.asg_tags,
 lookup(
@@ -208,6 +200,11 @@ resource "aws_launch_configuration" "workers" {
 )
 root_block_device {
+ encrypted = lookup(
+ var.worker_groups[count.index],
+ "root_encrypted",
+ local.workers_group_defaults["root_encrypted"],
+ )
 volume_size = lookup(
 var.worker_groups[count.index],
 "root_volume_size",
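Review bot: In the three new `lookup(` calls of the first hunk, `max_instance_lifetime` closes with a trailing comma after its default argument while `default_cooldown` and `health_check_grace_period` do not, and the neighbouring `termination_policies` call uses none; dropping the comma after `local.workers_group_defaults["max_instance_lifetime"]` keeps the block uniform. The same mix is repeated in the mirrored hunk in workers_launch_template.tf, `@@ -72,6 +72,21 @@`. All three attributes also read new `workers_group_defaults` keys that must exist in the locals file, which is not part of the visible diff. The `aws_autoscaling_group.workers` resource begins before this hunk.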
@@ -226,6 +223,36 @@ resource "aws_launch_configuration" "workers" {
 delete_on_termination = true
 }
+ dynamic "ebs_block_device" {
+ for_each = lookup(var.worker_groups[count.index], "additional_ebs_volumes", local.workers_group_defaults["additional_ebs_volumes"])
+
+ content {
+ device_name = ebs_block_device.value.block_device_name
+ volume_size = lookup(
+ ebs_block_device.value,
+ "volume_size",
+ local.workers_group_defaults["root_volume_size"],
+ )
+ volume_type = lookup(
+ ebs_block_device.value,
+ "volume_type",
+ local.workers_group_defaults["root_volume_type"],
+ )
+ iops = lookup(
+ ebs_block_device.value,
+ "iops",
+ local.workers_group_defaults["root_iops"],
+ )
+ encrypted = lookup(
+ ebs_block_device.value,
+ "encrypted",
+ local.workers_group_defaults["root_encrypted"],
+ )
+ delete_on_termination = lookup(ebs_block_device.value, "delete_on_termination", true)
+ }
+
+ }
+
 lifecycle {
 create_before_destroy = true
 }
@@ -243,7 +270,7 @@ resource "random_pet" "workers" {
 }
 resource "aws_security_group" "workers" {
- count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
+ count = var.worker_create_security_group && var.create_eks ? 1 : 0
 name_prefix = aws_eks_cluster.this[0].name
 description = "Security group for all nodes in the cluster."
 vpc_id = var.vpc_id
@@ -257,7 +284,7 @@ resource "aws_security_group" "workers" {
 }
 resource "aws_security_group_rule" "workers_egress_internet" {
- count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
+ count = var.worker_create_security_group && var.create_eks ? 1 : 0
 description = "Allow nodes all egress to the Internet."
 protocol = "-1"
 security_group_id = local.worker_security_group_id
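Review bot: Every field of an `additional_ebs_volumes` entry except `device_name` falls back to the root-volume default (`root_volume_size`, `root_volume_type`, `root_iops`, `root_encrypted`), so the encryption posture of data volumes silently follows whatever `root_encrypted` is set to in the locals file, which is outside this diff. A comment above `dynamic "ebs_block_device"` would make that explicit, e.g. `# Additional data volumes inherit the root_* defaults from workers_group_defaults; set fields per volume to override.` Unlike the launch-template counterpart in workers_launch_template.tf, no `kms_key_id` is read here, so a `kms_key_id` given in an entry is ignored for launch-configuration worker groups; if the launch configuration resource cannot carry a key id, the `additional_ebs_volumes` documentation should state that difference. The `aws_launch_configuration.workers` resource starts before this hunk.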
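Review bot: Replacing `var.worker_security_group_id == ""` with `var.worker_create_security_group` in the `count` of `aws_security_group.workers` means a caller who passes `worker_security_group_id` but leaves the new flag at its default `true` now gets a module-created worker security group as well, and nothing in the hunk or the variable definition prevents the two from being set together. Either document the coupling in the `worker_create_security_group` description (`Set to false when supplying worker_security_group_id`) or fold the condition into one local such as `worker_create_sg = var.worker_create_security_group && var.create_eks` so the rule is stated once. The identical `count` expression is repeated in `workers_egress_internet` below and in `workers_ingress_self`, `workers_ingress_cluster`, `workers_ingress_cluster_kubelet` and `workers_ingress_cluster_https` in the following hunks; whichever form is chosen should be applied to all of them.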
@@ -268,7 +295,7 @@ resource "aws_security_group_rule" "workers_egress_internet" {
 }
 resource "aws_security_group_rule" "workers_ingress_self" {
- count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
+ count = var.worker_create_security_group && var.create_eks ? 1 : 0
 description = "Allow node to communicate with each other."
 protocol = "-1"
 security_group_id = local.worker_security_group_id
@@ -279,7 +306,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
 }
 resource "aws_security_group_rule" "workers_ingress_cluster" {
- count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
+ count = var.worker_create_security_group && var.create_eks ? 1 : 0
 description = "Allow workers pods to receive communication from the cluster control plane."
 protocol = "tcp"
 security_group_id = local.worker_security_group_id
@@ -290,7 +317,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
 }
 resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
- count = var.worker_security_group_id == "" && var.create_eks ? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0
+ count = var.worker_create_security_group && var.create_eks ? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0
 description = "Allow workers Kubelets to receive communication from the cluster control plane."
 protocol = "tcp"
 security_group_id = local.worker_security_group_id
@@ -301,7 +328,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
 }
 resource "aws_security_group_rule" "workers_ingress_cluster_https" {
- count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
+ count = var.worker_create_security_group && var.create_eks ? 1 : 0
 description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
 protocol = "tcp"
 security_group_id = local.worker_security_group_id
@@ -336,19 +363,19 @@ resource "aws_iam_instance_profile" "workers" {
 resource "aws_iam_role_policy_attachment" "workers_AmazonEKSWorkerNodePolicy" {
 count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+ policy_arn = "${local.policy_arn_prefix}/AmazonEKSWorkerNodePolicy"
 role = aws_iam_role.workers[0].name
 }
 resource "aws_iam_role_policy_attachment" "workers_AmazonEKS_CNI_Policy" {
 count = var.manage_worker_iam_resources && var.attach_worker_cni_policy && var.create_eks ? 1 : 0
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+ policy_arn = "${local.policy_arn_prefix}/AmazonEKS_CNI_Policy"
 role = aws_iam_role.workers[0].name
 }
 resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryReadOnly" {
 count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0
- policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+ policy_arn = "${local.policy_arn_prefix}/AmazonEC2ContainerRegistryReadOnly"
 role = aws_iam_role.workers[0].name
 }
@@ -357,60 +384,3 @@ resource "aws_iam_role_policy_attachment" "workers_additional_policies" {
 role = aws_iam_role.workers[0].name
 policy_arn = var.workers_additional_policies[count.index]
 }
-
-resource "aws_iam_role_policy_attachment" "workers_autoscaling" {
- count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.attach_worker_autoscaling_policy && var.create_eks ? 1 : 0
- policy_arn = aws_iam_policy.worker_autoscaling[0].arn
- role = aws_iam_role.workers[0].name
-}
-
-resource "aws_iam_policy" "worker_autoscaling" {
- count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.create_eks ? 1 : 0
- name_prefix = "eks-worker-autoscaling-${aws_eks_cluster.this[0].name}"
- description = "EKS worker node autoscaling policy for cluster ${aws_eks_cluster.this[0].name}"
- policy = data.aws_iam_policy_document.worker_autoscaling[0].json
- path = var.iam_path
-}
-
-data "aws_iam_policy_document" "worker_autoscaling" {
- count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.create_eks ? 1 : 0
- statement {
- sid = "eksWorkerAutoscalingAll"
- effect = "Allow"
-
- actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions",
- ]
-
- resources = ["*"]
- }
-
- statement {
- sid = "eksWorkerAutoscalingOwn"
- effect = "Allow"
-
- actions = [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- ]
-
- resources = ["*"]
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${aws_eks_cluster.this[0].name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
- values = ["true"]
- }
- }
-}
diff --git a/workers_launch_template.tf b/workers_launch_template.tf
index 519a289942..947bd19a6d 100644
--- a/workers_launch_template.tf
+++ b/workers_launch_template.tf
@@ -72,6 +72,21 @@ resource "aws_autoscaling_group" "workers_launch_template" {
 "termination_policies",
 local.workers_group_defaults["termination_policies"]
 )
+ max_instance_lifetime = lookup(
+ var.worker_groups_launch_template[count.index],
+ "max_instance_lifetime",
+ local.workers_group_defaults["max_instance_lifetime"],
+ )
+ default_cooldown = lookup(
+ var.worker_groups_launch_template[count.index],
+ "default_cooldown",
+ local.workers_group_defaults["default_cooldown"]
+ )
+ health_check_grace_period = lookup(
+ var.worker_groups_launch_template[count.index],
+ "health_check_grace_period",
+ local.workers_group_defaults["health_check_grace_period"]
+ )
 dynamic mixed_instances_policy {
 iterator = item
@@ -179,29 +194,6 @@ resource "aws_autoscaling_group" "workers_launch_template" {
 "value" = "owned"
 "propagate_at_launch" = true
 },
- {
- "key" = "k8s.io/cluster-autoscaler/${lookup(
- var.worker_groups_launch_template[count.index],
- "autoscaling_enabled",
- local.workers_group_defaults["autoscaling_enabled"],
- ) ? "enabled" : "disabled"}"
- "value" = "true"
- "propagate_at_launch" = false
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${aws_eks_cluster.this[0].name}"
- "value" = aws_eks_cluster.this[0].name
- "propagate_at_launch" = false
- },
- {
- "key" = "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage"
- "value" = "${lookup(
- var.worker_groups_launch_template[count.index],
- "root_volume_size",
- local.workers_group_defaults["root_volume_size"],
- )}Gi"
- "propagate_at_launch" = false
- },
 ],
 local.asg_tags,
 lookup(
@@ -359,6 +351,43 @@ resource "aws_launch_template" "workers_launch_template" {
 }
 }
+ dynamic "block_device_mappings" {
+ for_each = lookup(var.worker_groups_launch_template[count.index], "additional_ebs_volumes", local.workers_group_defaults["additional_ebs_volumes"])
+ content {
+ device_name = block_device_mappings.value.block_device_name
+
+ ebs {
+ volume_size = lookup(
+ block_device_mappings.value,
+ "volume_size",
+ local.workers_group_defaults["root_volume_size"],
+ )
+ volume_type = lookup(
+ block_device_mappings.value,
+ "volume_type",
+ local.workers_group_defaults["root_volume_type"],
+ )
+ iops = lookup(
+ block_device_mappings.value,
+ "iops",
+ local.workers_group_defaults["root_iops"],
+ )
+ encrypted = lookup(
+ block_device_mappings.value,
+ "encrypted",
+ local.workers_group_defaults["root_encrypted"],
+ )
+ kms_key_id = lookup(
+ block_device_mappings.value,
+ "kms_key_id",
+ local.workers_group_defaults["root_kms_key_id"],
+ )
+ delete_on_termination = lookup(block_device_mappings.value, "delete_on_termination", true)
+ }
+ }
+
+ }
+
 tag_specifications {
 resource_type = "volume"
@@ -374,6 +403,21 @@ resource "aws_launch_template" "workers_launch_template" {
 )
 }
+ tag_specifications {
+ resource_type = "instance"
+
+ tags = merge(
+ {
+ "Name" = "${aws_eks_cluster.this[0].name}-${lookup(
+ var.worker_groups_launch_template[count.index],
+ "name",
+ count.index,
+ )}-eks_asg"
+ },
+ var.tags,
+ )
+ }
+
 tags = var.tags
 lifecycle {
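Review bot: The new `block_device_mappings` block reads `kms_key_id` from the entry or `root_kms_key_id`, whereas the matching `ebs_block_device` added to the launch-configuration path in workers.tf reads no key id at all, so one `additional_ebs_volumes` entry yields differently keyed volumes depending on which worker group type consumes it. A short comment above the block and a sentence in the `additional_ebs_volumes` documentation (not in this diff) should state which keys each path honours, e.g. `# Per-volume overrides; unset fields fall back to the root_* defaults in workers_group_defaults (kms_key_id is honoured only for launch templates).` `encrypted` also inherits `root_encrypted`, so an entry that supplies `kms_key_id` but omits `encrypted` depends on the locals default for the key to take effect, which cannot be confirmed from the hunk. The `aws_launch_template.workers_launch_template` resource starts before this hunk.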