
eks with default Service Account roles and ALB for ingress


k-ader/terraform-aws-eks-full


terraform-eks-full

Creates an EKS cluster with control plane (called "Controller" in the variable names), managed node groups and add-ons.

Steps to create the control plane:

  1. IAM Role
  2. KMS Key
  3. Security Group
  4. Logs stream in CloudWatch
  5. Control Plane

Steps to create node groups:

  1. IAM Role
  2. Security Group
  3. Autoscaling launch template
  4. EKS node group (ASG) from the template

Steps to create add-ons:

VPC-CNI

  1. IAM Role
  2. VPC CNI driver

  NB! The VPC CNI is configured for custom networking: pods get addresses from pod_subnet_ids instead of the node subnets, so one ENIConfig per availability zone is required. ToDo: add the ENIConfig by running kubectl apply -f ENICONFIG.yaml (the eniconfig output holds the parameters), or set eniconfig_create = true. NB! Nodes that already exist keep allocating pod IPs from their node subnet until they are replaced; run an instance refresh on the node group ASG after the ENIConfig is in place.
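The ENIConfig objects the note above refers to, as an added example written with the kubernetes provider (this is not code from terraform-aws-eks-full; the module's own eniconfig_create path may differ). The subnet and security group IDs are constructed placeholders, and the map keyed by availability-zone name is an assumption about how you track pod subnets:

```hcl
# Added example, not code from terraform-aws-eks-full: one ENIConfig per
# availability zone so VPC CNI custom networking places pod ENIs in the pod
# subnets. Assumed inputs (constructed placeholder IDs): pod subnet IDs keyed
# by AZ name, and the security group that pod ENIs should carry.
variable "pod_subnets_by_az" {
  type = map(string)
  default = {
    "eu-west-1a" = "subnet-0123456789abcdef3"
    "eu-west-1b" = "subnet-0123456789abcdef4"
  }
}

variable "pod_security_group_id" {
  type    = string
  default = "sg-0123456789abcdef0"
}

resource "kubernetes_manifest" "eniconfig" {
  for_each = var.pod_subnets_by_az

  manifest = {
    apiVersion = "crd.k8s.amazonaws.com/v1alpha1"
    kind       = "ENIConfig"
    metadata = {
      # With ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone the CNI looks up
      # the ENIConfig whose name equals the node's zone label, so the object
      # must be named after the AZ.
      name = each.key
    }
    spec = {
      subnet = each.value
      # These groups replace the node security group on pod ENIs: they must
      # allow node-to-pod (kubelet, health checks) and control-plane-to-pod
      # (webhooks, metrics) traffic, or workloads silently lose reachability.
      securityGroups = [var.pod_security_group_id]
    }
  }
}
```

Two caveats when using this. The aws-node DaemonSet must run with AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true and ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone, otherwise the objects are ignored. And kubernetes_manifest needs the ENIConfig CRD (installed by the VPC CNI add-on) to exist at plan time, which is why the module warns that eniconfig_create fails without control plane access: apply it in a second run, or from a root module that already has a working kubeconfig.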

EBS-CSI

  1. IAM Role
  2. EBS CSI Driver
  3. Add the EBS CSI driver role ARN to the users of the default EBS KMS key (or of the key given in kms_ebs_key_id)
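Step 3 grants the driver role the right to use the EBS encryption key. If you manage that key policy yourself rather than letting the module extend the account default key, the statements below are the least-privilege set for the EBS CSI driver. This is an added example, not the module's code; the role ARN is a constructed placeholder standing in for the IRSA role the module creates:

```hcl
# Added example, not code from terraform-aws-eks-full: a customer-managed
# EBS KMS key whose policy lets only the EBS CSI driver role use it for volume
# encryption. The role ARN is an assumed, constructed placeholder.
data "aws_caller_identity" "current" {}

variable "ebs_csi_role_arn" {
  description = "IRSA role ARN of the EBS CSI driver (placeholder)"
  type        = string
  default     = "arn:aws:iam::123456789012:role/example-ebs-csi"
}

resource "aws_kms_key" "ebs" {
  description         = "EKS persistent volume encryption"
  enable_key_rotation = true
}

data "aws_iam_policy_document" "ebs_key" {
  # Keep the account root as key administrator so the key cannot become
  # unmanageable once the CSI-only statements are the only other principals.
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Data-key operations the driver needs when it creates and attaches volumes.
  statement {
    sid = "EbsCsiUse"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.ebs_csi_role_arn]
    }
  }

  # EC2 uses grants to work with the key on the driver's behalf; only allow
  # grants that are created for an AWS service, never arbitrary grantees.
  statement {
    sid       = "EbsCsiGrants"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.ebs_csi_role_arn]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key_policy" "ebs" {
  key_id = aws_kms_key.ebs.id
  policy = data.aws_iam_policy_document.ebs_key.json
}
```

Pass the key to the module with kms_ebs_key_id = aws_kms_key.ebs.id and reference it in the StorageClass. The kms:GrantIsForAWSResource condition is the important part: without it the driver role could create grants for any principal, which turns a volume-encryption key into a general decryption oracle for whoever compromises the driver's service account.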

CoreDNS

  1. coredns deployment

Kube-proxy

  1. kube-proxy deployment

IAM Roles for Service Accounts

  1. Create the default IRSA roles when enabled: Cluster Autoscaler, ALB Controller, External Secrets Operator, Dashboard.
  2. Create a custom IRSA role if irsa_custom is set (variables available to the policy template: "eks_name" and "account_id").

Custom OIDC

  1. Create an additional custom OIDC provider if oidc_config is set.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | ~> 5.32 |
| kubernetes | >= 1.7 |
| tls | >= 4.0 |

Usage

Basic usage of this module is as follows:

    module "example" {
      source = "<path-to-module>"

      # Required variables
      alb_certificate_arn = ""
      dns_zone_id         = ""
      eks_version         = ""
      key_name            = ""
      name                = ""
      pod_subnet_ids      = []   # list(string)
      private_subnet_ids  = []   # list(string)
      vpc_id              = ""
    }

Resources

| Name | Type |
|------|------|
| aws_ebs_default_kms_key.current | data source |
| aws_kms_key.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alb_certificate_arn | ACM certificate ARN for the ALB HTTPS listener | string | n/a | yes |
| alb_internal | Create an internal (private) ALB instead of an internet-facing one | bool | true | no |
| control_plane_allowed_networks | CIDR blocks allowed to reach the EKS control plane (API server). The default admits every RFC 1918 range; narrow it to your management networks | list(string) | ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] | no |
| controller_custom_iam_policy | Custom IAM policies (name => policy file) attached to the control plane role | map(string) | {"CloudWatch-Policy": "policy_cloudwatch.json", "EBS-Policy": "policy_elb.json"} | no |
| controller_well_known_policy_arns | AWS-managed policies attached to the control plane role | list(string) | ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"] | no |
| dns_zone_id | Route 53 hosted zone ID for the ALB alias record | string | n/a | yes |
| eks_version | Desired Kubernetes control plane version | string | n/a | yes |
| eniconfig_create | Create the ENIConfig objects with the kubernetes provider. Fails if the control plane is not reachable during apply | bool | false | no |
| irsa_create_alb_controller | Create IRSA for the ALB Controller | bool | true | no |
| irsa_create_autoscaler | Create IRSA for Cluster Autoscaler | bool | true | no |
| irsa_create_eso | Create IRSA for External Secrets Operator | bool | false | no |
| irsa_create_gen_dashboard | Create IRSA for the Dashboard | bool | false | no |
| irsa_custom | Custom IRSA. Object with the fields: `path` (IAM path for the policy, default "/"), `policy_file` (JSON template, optional; variables `eks_name` and `account_id`; may be empty if `managed_policy_arn` is set), `managed_policy_arn` (optional; may be empty if `policy_file` is set), `service_account` (name of the service account that authenticates with the role), `namespace` (namespace where the ServiceAccount is created) | any | null | no |
| key_name | EC2 SSH key pair name for access to node group instances | string | n/a | yes |
| kms_ebs_key_id | ID of the KMS key whose policy is extended for the EBS CSI driver; null uses the account default EBS key | string | null | no |
| latest_addon_version | true to install the latest add-on version, false to keep the current version | bool | false | no |
| log_retention_in_days | Retention in days for control plane logs in CloudWatch | number | 30 | no |
| name | EKS cluster name | string | n/a | yes |
| node_well_known_policy_arns | AWS-managed policies attached to the node group role | list(string) | ["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"] | no |
| nodegroups | Node group configuration map | map(any) | {} | no |
| oidc_config | Additional OIDC provider configuration | map(any) | {} | no |
| pod_subnet_ids | Subnet IDs used for pod networking (ENIConfig) | list(string) | n/a | yes |
| private_subnet_ids | Subnet IDs in which the EKS cluster is placed | list(string) | n/a | yes |
| service_ipv4_cidr | CIDR block from which Kubernetes service IP addresses are assigned (pods get VPC addresses from pod_subnet_ids, not from this range) | string | "10.202.0.0/16" | no |
| tags | (Optional) Key-value map of resource tags applied to all resources | map(string) | {} | no |
| tags_alb | (Optional) Additional tags for the ALB | map(string) | {} | no |
| tags_irsa | (Optional) Additional tags for IRSA roles | map(string) | {} | no |
| tags_nodegroup | (Optional) Additional tags for node groups | map(string) | {} | no |
| tags_oidc | (Optional) Additional tags for the OIDC provider | map(string) | {} | no |
| vpc_id | VPC ID for the EKS cluster | string | n/a | yes |
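A fuller invocation than the template in Usage, covering the required inputs and one custom IRSA role as described for irsa_custom. This is an added example, not code from terraform-aws-eks-full; every ID, ARN and name is a constructed placeholder. Two assumptions: irsa_custom takes a single object with exactly the fields listed in the table, and policy_file is rendered with Terraform's templatefile() so `${eks_name}` and `${account_id}` are substituted:

```hcl
# Added example, not code from terraform-aws-eks-full. All IDs, ARNs and
# names are constructed placeholders; the irsa_custom object shape and the
# templatefile() rendering of policy_file are assumptions.
module "eks" {
  source = "<path-to-module>"

  name        = "payments-prod"
  eks_version = "1.29"
  vpc_id      = "vpc-0123456789abcdef0"

  # Control plane / node subnets, and the separate pod subnets used by ENIConfig.
  private_subnet_ids = ["subnet-0123456789abcdef1", "subnet-0123456789abcdef2"]
  pod_subnet_ids     = ["subnet-0123456789abcdef3", "subnet-0123456789abcdef4"]

  key_name            = "ops-bastion"
  alb_certificate_arn = "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
  dns_zone_id         = "Z0123456789ABCDEFGHIJ"
  alb_internal        = true

  # Replace the RFC 1918 default with the management network only.
  control_plane_allowed_networks = ["10.10.0.0/16"]

  # Only create roles for controllers that are actually deployed here.
  irsa_create_autoscaler     = true
  irsa_create_alb_controller = true
  irsa_create_eso            = false
  irsa_create_gen_dashboard  = false

  # One workload role: the "payments-api" service account in namespace
  # "payments" may read secrets under a prefix named after this cluster.
  irsa_custom = {
    path               = "/workloads/"
    policy_file        = "${path.module}/policies/payments-api.json.tpl"
    managed_policy_arn = null
    service_account    = "payments-api"
    namespace          = "payments"
  }

  tags = {
    env   = "prod"
    owner = "platform"
  }
}

# policies/payments-api.json.tpl, the file referenced above (constructed).
# ${eks_name} and ${account_id} are the template variables the module exposes.
#
# {
#   "Version": "2012-10-17",
#   "Statement": [{
#     "Effect": "Allow",
#     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
#     "Resource": "arn:aws:secretsmanager:*:${account_id}:secret:${eks_name}/payments-api/*"
#   }]
# }
```

After apply, inspect the created role's trust policy (aws iam get-role) and confirm the StringEquals condition binds the OIDC provider's `:sub` claim to exactly `system:serviceaccount:payments:payments-api` and `:aud` to `sts.amazonaws.com`. A wildcard or a namespace-only match in `:sub` lets every service account in the cluster assume the role, which defeats the point of a per-workload policy.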

Outputs

| Name | Description |
|------|-------------|
| addon_coredns | CoreDNS add-on parameters |
| addon_ebs_csi | EBS CSI add-on parameters |
| addon_efs_csi | EFS CSI add-on parameters |
| addon_kube_proxy | kube-proxy add-on parameters |
| addon_vpc_cni | VPC CNI add-on parameters |
| control_plane | Control plane parameters |
| eniconfig | ENIConfig parameters for kubectl apply (custom networking for pods) |
| irsa | IAM Roles for Service Accounts |
| kubectl_config_cmd | kubectl config command |
| nodegroup | Node group parameters and launch template versions |
