Terraform module that creates EKS resources on AWS.
Node defaults are `net.core.somaxconn = 4096` and `net.ipv4.tcp_max_syn_backlog = 512`. The `pre_bootstrap_user_data` below raises both and also edits the kubelet config so pods are allowed to set `net.*` unsafe sysctls:
# Runs on the node before kubelet bootstrap: raises the two backlog sysctls, then
# rewrites the kubelet config with jq so the kubelet accepts pods that request
# net.* "unsafe" sysctls in securityContext.sysctls. "$${contents}" is Terraform's
# escape for a literal ${contents} in the rendered script.
# NOTE(review): "net.*" is a broad allow-list - any pod that is permitted to set
# sysctls can then tune any net.* parameter. Prefer listing only the sysctls
# workloads need, e.g. ["net.core.somaxconn", "net.ipv4.tcp_max_syn_backlog"],
# and gate securityContext.sysctls with an admission policy.
pre_bootstrap_user_data = "sysctl -w net.core.somaxconn='32767' net.ipv4.tcp_max_syn_backlog='32767' && contents=\"$(jq '.allowedUnsafeSysctls=[\"net.*\"]' /etc/kubernetes/kubelet/kubelet-config.json)\" && echo -E \"$${contents}\" > /etc/kubernetes/kubelet/kubelet-config.json"
If you use the vpc-cni addon, create the addon first, then create the node group, and then run the command below:
# Enables VPC CNI prefix delegation: ENIs are assigned /28 IPv4 prefixes instead of
# individual secondary IPs, which raises the number of pods a node can host.
# Run this after the node group exists; it patches the aws-node DaemonSet in place.
# NOTE(review): prefix assignment needs free, contiguous /28 blocks in the subnet -
# confirm subnet sizing before enabling.
kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true
# Registers the vpc-cni managed addon. Create it before the node group so the
# prefix-delegation setting above can be applied to a running aws-node DaemonSet.
additional_addons = {
vpc-cni = {
name = "vpc-cni",
}
}
Create an IAM role for the EBS CSI controller service account with the policy below:
arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
- (optional) a custom policy granting the KMS permissions needed for encrypted volumes; scope it to the volume KMS key ARN(s) rather than `*`.
# IRSA role for the EBS CSI controller service account. The second ARN is your own
# policy granting KMS access for encrypted volumes; scope its Resource to the
# specific key ARN(s) the driver uses rather than "*".
additional_service_accounts = [{
name = "ebs-csi-controller-sa"
namespace = "kube-system"
existing_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", "<custom-policy-to-allow-kms>"]
}
]
# Registers the EBS CSI driver addon. service_account_role_arn takes the role ARN
# created for the service account above (exposed in the service_account_role_arns
# output).
additional_addons = {
aws-ebs-csi-driver = {
name = "aws-ebs-csi-driver",
service_account_role_arn = <iam_role_arn_from_service_account>
}
}
- cert-manager must be installed in the cluster before the adot addon is created; the ADOT operator depends on it.
# Applies the AWS-published manifest that, per its name, grants the in-cluster
# permissions the ADOT addon needs. It is applied straight from the network:
# download and review it first (e.g. kubectl apply --dry-run=client -o yaml -f ...)
# and keep the reviewed copy in source control so the RBAC it creates is tracked.
kubectl apply -f https://amazon-eks.s3.amazonaws.com/docs/addons-otel-permissions.yaml
# IRSA role for the ADOT collector service account: write access to CloudWatch,
# X-Ray and Amazon Managed Prometheus via AWS managed policies. Drop any of the
# three policies for backends you do not ship telemetry to.
additional_service_accounts = [{
name = "otel"
namespace = "opentelemetry-operator-system"
existing_policy_arns = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"]
}]
# Registers the ADOT addon at a pinned version.
# NOTE(review): this example passes existing_policy_arns on the addon, while the
# aws-ebs-csi-driver example passes a role via service_account_role_arn - confirm
# which attribute the module actually reads for addons.
additional_addons = {
adot = {
name = "adot",
version = "v0.45.0-eksbuild.1"
existing_policy_arns = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"]
}
}
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
tls | >= 3.2.1 |
Name | Version |
---|---|
aws | >= 4.0.0 |
Name | Source | Version |
---|---|---|
bootstrap | ./modules/bootstrap | n/a |
eks_kms | oozou/kms-key/aws | 1.0.0 |
nodegroup | ./modules/nodegroup | n/a |
openid_connect | ./modules/openid_connect_provider | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_addons | additional addons for eks cluster | map(any) |
{ |
no |
additional_allow_cidr | CIDR blocks allowed to connect to the EKS cluster. Keep this to known networks; do not use 0.0.0.0/0. | list(string) |
[] |
no |
additional_cluster_role | Additional ClusterRole resources. Example: additional_cluster_role = [ { name = "cluster_role_name" rules = [ { # Workloads apiGroups = ["", "apps"] resources = ["pods", "deployments", "replicasets"] verbs = ["get", "list", "watch", "create", "update", "delete", "patch"] }, { # Config apiGroups = ["", "autoscaling"] resources = ["configmaps", "secrets", "horizontalpodautoscalers"] verbs = ["get", "list", "watch", "create", "update", "delete", "patch"] }, { # Network apiGroups = ["", "networking.k8s.io"] resources = ["services", "ingresses"] verbs = ["get", "list", "watch", "create", "update", "delete", "patch"] } ] } ]. Deployments and ReplicaSets are in the apps API group, HorizontalPodAutoscalers in autoscaling and Ingresses in networking.k8s.io, so a rule with apiGroups = [""] alone does not match them. A ClusterRole with get/list on secrets exposes every secret in every namespace; trim verbs and resources to what the role's users actually need. |
any |
[] |
no |
additional_cluster_role_binding | Additional ClusterRoleBinding resources. Example: additional_cluster_role_binding = [ { name = "bdd" subjects = [ { kind = "User" name = "role" apiGroup = "rbac.authorization.k8s.io" }, { kind = "User" name = "role-x" apiGroup = "rbac.authorization.k8s.io" } ] roleRef = { apiGroup = "rbac.authorization.k8s.io" kind = "ClusterRole" name = "devops-clusterrole" } } ]. The roleRef apiGroup must be exactly rbac.authorization.k8s.io. Subject names are presumably the usernames mapped in aws-auth (see additional_map_roles); a binding to a ClusterRole grants that role cluster-wide. |
any |
[] |
no |
additional_map_roles | Additional IAM roles to map in aws-auth, e.g. additional_map_roles = [ { role_arn = "arn:aws:iam::123456789012:role/cicd-role" username = "dev-cicd-role" } ]. Anyone who can assume a mapped role receives whatever cluster access is bound to that username, so map only roles that need it. |
any |
[] |
no |
additional_service_accounts | Additional service accounts (IRSA) with IAM roles for access to AWS from the cluster | list(object({ |
[] |
no |
additional_worker_polices | Additional IAM policy documents for the worker nodes, given as data sources or JSON. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document. A statement can be overridden by a later statement with the same sid. | list(string) |
[] |
no |
admin_iam_arns | IAM user ARNs to grant admin permission in aws-auth | list(string) |
[] |
no |
admin_role_arns | IAM role ARNs to grant admin permission in aws-auth | list(string) |
[] |
no |
aws_account | AWS credentials used by the bootstrap module; required if is_config_aws_auth = true. Treat these values as secrets: supply them from a secret store or the environment rather than committing them to tfvars, and mark them sensitive. | object({ |
{ |
no |
bootstrap_ami | AMI for ec2 bootstrap module | string |
"" |
no |
bootstrap_kms_key_id | ARN or ID of the AWS KMS key used to encrypt the secret values stored in the bootstrap secret. If not set, Secrets Manager uses the account's default KMS key (the one named aws/secretsmanager). | string |
"" |
no |
cloudwatch_log_kms_key_id | The ARN for the KMS encryption key. | string |
null |
no |
cloudwatch_log_retention_in_days | Specifies the number of days you want to retain log events Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire | number |
90 |
no |
dev_role_arns | IAM role ARNs to grant developer permission in aws-auth | list(string) |
[] |
no |
eks_version | Desired Kubernetes version. Downgrades are not supported by EKS. | string |
null |
no |
enabled_cluster_log_types | Control plane log types to enable (api, audit, authenticator, controllerManager, scheduler). The default enables none; enable at least audit and authenticator for production clusters. | list(string) |
[] |
no |
environment | Environment name, used to tag resources | string |
n/a | yes |
is_config_aws_auth | Whether to configure aws-auth; required if the load balancer controller is created | bool |
true |
no |
is_create_argo_image_updater_sa | is create default role with permission for argo-cd image updater (name : argo-cd-image-updater) | bool |
true |
no |
is_create_bootstrap | if true will create bootstrap for config aws-auth | bool |
true |
no |
is_create_cluster_autoscaler_sa | is create default role with permission for eks cluster autoscaler | bool |
true |
no |
is_create_loadbalancer_controller_sa | is create default role with permission for aws loadbalancer controller (name : aws-load-balancer-controller) | bool |
true |
no |
is_create_open_id_connect | if true will create oidc provider and iam role for service account | bool |
true |
no |
is_enabled_cluster_encryption | If true, creates a KMS key and configures EKS to encrypt Kubernetes secrets with it | bool |
true |
no |
is_endpoint_private_access | Whether the Amazon EKS private API server endpoint is enabled | bool |
true |
no |
is_endpoint_public_access | Whether the Amazon EKS public API server endpoint is enabled | bool |
false |
no |
karpenter_node_role_arns | Karpenter node role arns for grant permission to aws-auth | list(string) |
[] |
no |
name | The Name of the EKS cluster | string |
n/a | yes |
node_groups | EKS node groups that create EC2 instances as worker nodes | map(any) |
{ |
no |
prefix | The prefix name of customer to be displayed in AWS console and resource | string |
n/a | yes |
readonly_role_arns | IAM role ARNs to grant read-only permission in aws-auth | list(string) |
[] |
no |
subnets_ids | IDs of the subnets in which to create the EKS cluster | list(string) |
n/a | yes |
tags | Tags applied to the resources created by this module | map(string) |
{} |
no |
vpc_id | ID of the VPC in which the security group is created | string |
n/a | yes |
Name | Description |
---|---|
cloudwatch_log_group_arn | arn of cluster cloudwatch log group |
cluster_name | Name of the cluster |
cluster_security_group_id | Cluster security group that was created by Amazon EKS for the cluster for control-plane-to-data-plane communication. |
endpoint | cluster endpoint for EKS |
kms_key_arn | EKS encryption KMS key arn |
kms_key_id | EKS encryption KMS key id |
kubeconfig_certificate_authority_data | Base64-encoded certificate authority data for the cluster, for use in kubeconfig |
openid_connect_provider_arn | arn of oidc provider |
service_account_role_arns | ARNs of the IAM roles created for the service accounts (use with service_account_role_arn on addons) |