Skip to main content
Version: 5.19.0

EKS Config Reference

Structsure Cluster IaC

Overview

This project contains the IaC to deploy an EKS Based k8s cluster.

Requirements

NameVersion
terraform>= 0.14
aws<= 5.22.0
cloudinit~> 2.3.3
kubernetes~> 2.24.0
local~> 2.4.0
random~> 3.6.0
time~> 0.9.0
tls~> 4.0.5

Providers

NameVersion
aws5.22.0
local2.4.0
random3.6.0
tls4.0.5

Modules

NameSourceVersion
app_nlbterraform-aws-modules/alb/aws~> 9.0.0
eksterraform-aws-modules/eks/aws~> 19.0
log_bucketterraform-aws-modules/s3-bucket/aws~> 3.0
sso_nlbterraform-aws-modules/alb/aws~> 9.0.0
zarf_registry_s3terraform-aws-modules/s3-bucket/aws~> 3.0

Resources

NameType
aws_iam_policy.allow_cluster_autoscalerresource
aws_iam_policy.allow_kmsresource
aws_key_pair.ssh_public_keyresource
aws_secretsmanager_secret.ssh_private_keyresource
aws_secretsmanager_secret_version.ssh_private_keyresource
local_file.bigbang_valuesresource
local_file.zarf_ca_bundleresource
local_file.zarf_init_configresource
random_password.zarf_registry_pull_passwordresource
random_string.uidresource
tls_private_key.sshresource
aws_ami.eksdata source
aws_iam_policy_document.allow_cluster_autoscalerdata source
aws_iam_policy_document.allow_kmsdata source
aws_iam_policy_document.log_bucket_policy_documentdata source
aws_iam_policy_document.registry_bucket_policydata source
aws_iam_role.cluster_agent_iam_roledata source
aws_partition.currentdata source
aws_service.s3data source
aws_vpc.vpcdata source

Inputs

NameDescriptionTypeDefaultRequired
additional_eks_managed_node_groupsAdditional node groups to createany{}no
allowed_app_cidr_blocksAllows application access from CIDR blocks.list(string)[]no
allowed_ingress_cidr_blocksAllows ingress from this cidr block.list(string)[]no
allowed_ssh_cidr_blocksAllows SSH from CIDR blocks.list(string)[]no
allowed_sso_cidr_blocksAllows SSO access from CIDR blocks.list(string)[]no
ami_filtersList of AMI filters used to select the AMIlist(object({ name = string values = list(string) }))[]no
ami_idAMI ID to use when building the cluster instancesstring""no
ami_most_recentSelect the most recent version of the AMIbooltrueno
ami_ownersList of AWS account IDs used in AMI lookup filterlist(string)[ "241559654725", "171179903432" ]no
application_nlb_cross_zone_load_balancingToggles cross zone load balancing on/off.booltrueno
application_nlb_egress_rulesSecurity group rules to apply to the Appliaciton NLB security group to control outbound traffic. Egress to eks nodes on 30021, 30080, and 30443 will be allowed by defaultanynullno
application_nlb_enableToggles the creation of the Application Network Load Balancer off/onbooltrueno
application_nlb_ingress_rulesSecurity group rules to apply to the Application NLB security group to control inbound traffic. HTTP and HTTPS rules based on the allowed ingress cidr variable will be used by defaultanynullno
application_nlb_internalToggles the scheme of the load balancer between internal and internet-facing. Defualt is internalbooltrueno
application_nlb_listenersObject describing the listeners to be created and associated with the Application NLBany{ "http": { "forward": { "target_group_key": "http-cluster" }, "port": 80, "protocol": "TCP" }, "https": { "forward": { "target_group_key": "https-cluster" }, "port": 443, "protocol": "TCP" } }no
application_nlb_preserve_client_ipToggles the preserve_client_ip setting on/off. Will always be false if compatibility_mode is setbooltrueno
application_nlb_stickiness_enabledApplication NLB Stickiness settings. Will alwasy be an empty set if compatibility_mode is setany{ "duration": 3600, "enabled": true, "type": "source_ip" }no
application_nlb_subnetsSubnets to use when creating the Application NLB. Will default to the value of subnet_ids if not specifiedlist(string)nullno
application_nlb_target_groupsTarget groups to create as part of the Application Load balancer. A default set of target groups will be created if not specifiedanynullno
aws_auth_rolesList of role maps to add to the aws-auth configmaplist(any)[]no
aws_regionAWS Region used to configure the AWS providerstringn/ayes
bigbang_values_filenameFilename of the locally-created big bang values includestring"bigbang-values-eks.yaml"no
cluster_addonsMap of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with nameany{}no
cluster_agent_iam_roleExisting IAM role name for the clusterstring""no
cluster_autoscaler_enabledConfigures the cluster to support cluster autoscalerbooltrueno
cluster_encryption_configConfiguration block with encryption configuration for the cluster. To disable secret encryption, set this value to {}map(any){ "resources": [ "secrets" ] }no
cluster_extra_tagsMap of tags to add to all resources createdmap(string){}no
cluster_security_group_additional_rulesCluster security group rules. Will be merged with the defaults unless disable_default_cluster_sg_rules is trueany{}no
cluster_timeoutsCreate, update, and delete timeout configurations for the node group.object({ create = string update = string delete = string }){ "create": "60m", "delete": "60m", "update": "120m" }no
compatibility_modeIf enabled, this flag disables some AWS features which are not available in all AWS partitions/regions.booltrueno
config_output_dirPath to directory where local config files should be outputstring"."no
controlplane_allowed_cidrsServer pool security group allowed cidr rangeslist(string)[]no
controlplane_private_accessExpose the kubernetes API privately.booltrueno
controlplane_public_accessExpose the kubernetes API publically. Not recommendedboolfalseno
create_aws_auth_configmapDetermines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use manage_aws_auth_configmapboolfalseno
create_cloudwatch_log_groupDetermines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabledbooltrueno
create_kms_keyControls if a KMS key for cluster encryption should be createdbooltrueno
create_logging_bucketCreate a logging bucketbooltrueno
custom_default_bdmUser defined block device mapping to apply to node groups by defaultany{}no
custom_oidc_thumbprintsAdditional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)list(string)[]no
default_additional_policiesAdditional policies to associate with the node groups by defaultany{}no
default_ami_typeType of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM, BOTTLEROCKET_ARM_64, BOTTLEROCKET_x86_64string"CUSTOM"no
default_bdm_delete_on_terminationToggle delete_on_termination off/on for the default block device mappingbooltrueno
default_bdm_encryptedToggle encryption off/on for the default block device mappingbooltrueno
default_bdm_kms_key_idKMS key to use for block device mapping encryptionstringnullno
default_bdm_volume_sizeVolume size to use in the node group default block device mappingnumber280no
default_bdm_volume_typeVolume type to use in the node group default block device mappingstring"gp3"no
default_capacity_typeType of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOTstring"SPOT"no
default_disable_api_terminationIf true, enables EC2 instance termination protectionboolfalseno
default_ebs_optimizedIf true, the launched EC2 instance(s) will be EBS-optimizedbooltrueno
default_eks_node_group_nameSet a fixed name for the default node group.string"structsure-nodes"no
default_eks_node_group_sizeCreate, update, and delete timeout configurations for the node group.object({ min = number max = number desired = number }){ "desired": 6, "max": 15, "min": 3 }no
default_enable_bootstrap_user_dataDetermines whether the bootstrap configurations are populated within the user data template. Only valid when using a custom AMI via ami_idbooltrueno
default_enable_monitoringEnables/disables detailed monitoringbooltrueno
default_force_update_versionForce version update if existing pods are unable to be drained due to a pod disruption budget issuebooltrueno
default_iam_role_attach_cni_policyAttach the CNI IAM policy to node groups by defaultbooltrueno
default_instance_typesSet of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]list(string)[ "t3a.2xlarge", "t3.2xlarge", "m5a.2xlarge", "m6a.2xlarge" ]no
default_metadata_optionsCustomize the metadata options for the instanceany{ "http_endpoint": "enabled", "http_put_response_hop_limit": 2, "http_tokens": "optional", "instance_metadata_tags": "disabled" }no
default_post_bootstrap_user_dataUser data that is appended to the user data script after of the EKS bootstrap script. Not used when platform = bottlerocketstringnullno
default_pre_bootstrap_user_dataUser data that is injected into the user data script ahead of the EKS bootstrap script. Not used when platform = bottlerocketstringnullno
disable_default_additional_policiesRemoves the default IAM policies instead of merging them with the contents of default_additional_policiesboolfalseno
disable_default_cluster_addonsIf true, var.cluster_addons is merged with a set of default add-ons. If false, only var.cluster_addons is appliedboolfalseno
disable_default_cluster_sg_rulesDisables the default set of cluster security group rulesboolfalseno
disable_default_node_groupsDisables the creation of the default node groupsboolfalseno
disable_default_node_sg_rulesDisables the default set of cluster security group rulesboolfalseno
eks_versionVersion of EKS to deploystring"1.29"no
enable_cas_policyToggles a Cluster Autoscaler IAM policy creation and attacmenent on/offbooltrueno
enable_irsaDetermines whether to create an OpenID Connect Provider for EKS to enable IRSAbooltrueno
enable_kms_policyToggles a KMS usage IAM policy creation and attacmenent on/offbooltrueno
include_oidc_root_ca_thumbprintDetermines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s)booltrueno
log_bucket_policy_enabledAttach a bucket policy to the logging bucket allowing access from the AWS logs servicebooltrueno
manage_aws_auth_configmapDetermines whether to manage the aws-auth configmapbooltrueno
name_prefixName of the cluster to createstring"structsure"no
name_prefix_include_workspaceToogle to include workspace in name prefixboolfalseno
nlb_enable_deletion_protectionPrevent the NLB(s) from being deletedbooltrueno
node_security_group_additional_rulesCluster security group rules. Will be merged with the defaults unless disable_default_cluster_sg_rules is trueany{}no
openid_connect_audiencesList of OpenID Connect audience client IDs to add to the IRSA providerlist(string)[]no
persistentFlag to set the deployment to persistent or ephemeralboolfalseno
resize_disksEnables automatic resizing of disks in userdata scriptbooltrueno
root_casList containing root certificate authorities (optionally base64 encoded)list( object( { name = string cert = string } ) )[]no
ssh_enabledToggles the SSH inbound security group on/offbooltrueno
sso_nlb_cross_zone_load_balancingToggles cross zone load balancing on/off.booltrueno
sso_nlb_egress_rulesSecurity group rules to apply to the SSO NLB security group to control outbound traffic. Egress to eks nodes on 32021, 32080, and 32443 will be allowed by defaultanynullno
sso_nlb_ingress_rulesSecurity group rules to apply to the SSO NLB security group to control inbound traffic. HTTP and HTTPS rules based on the allowed ingress cidr variable will be used by defaultanynullno
sso_nlb_internalToggles the scheme of the load balancer between internal and internet-facing. Defualt is internalbooltrueno
sso_nlb_listenersObject describing the listeners to be created and associated with the SSO NLBany{ "http": { "forward": { "target_group_key": "http-cluster" }, "port": 80, "protocol": "TCP" }, "https": { "forward": { "target_group_key": "https-cluster" }, "port": 443, "protocol": "TCP" } }no
sso_nlb_preserve_client_ipToggles the preserve_client_ip setting on/off. Will always be false if compatibility_mode is setbooltrueno
sso_nlb_stickiness_enabledSSO NLB Stickiness settings. Will alwasy be an empty set if compatibility_mode is setany{ "duration": 3600, "enabled": true, "type": "source_ip" }no
sso_nlb_subnetsSubnets to use when creating the SSO NLB. Will default to the value of subnet_ids if not specifiedlist(string)[]no
sso_nlb_target_groupsTarget groups to create as part of the SSO Load balancer. A default set of target groups will be created if not specifiedanynullno
sso_passthrough_enableToggles SSO (Keycloak) to use the passthrough Network Load Balancerboolfalseno
subnet_idsThe ids of the specific subnets to uselist(string)n/ayes
vault_passthrough_enableToggles Vault to use the passthrough Network Load Balancerboolfalseno
vpc_idVPC ID to create resources instringn/ayes
zarf_init_ca_bundle_filenameFilename of the locally-created zarf init config yaml filestring"zarf-ca-bundle.pem"no
zarf_init_config_filenameFilename of the locally-created zarf init config yaml filestring"zarf-init-config.yaml"no
zarf_registry_enabledFlag to enable the creation of zarf registry bucket and configurationbooltrueno
zarf_registry_ironbank_mirror_enabledtoggle for configuring a containerd mirror to point registry1.dso.mil to zarf's registrybooltrueno
zarf_registry_nodeportzarf registry node port; must be between 30000-32767number31999no
zarf_registry_policy_enabledAttach a bucket policy to the registry bucket allowing access from the cluster nodesbooltrueno
zarf_registry_pull_passwordzarf registry pull password; if not supplied, a random one will be generatedstring""no
zarf_registry_pull_usernamezarf registry pull usernamestring"zarf-pull"no
zarf_registry_redirect_disableDisable the registry redirectstring"true"no
zarf_registry_shared_bucket_idName of an existing shared zarf registry bucketstring"shared-zarf-registry"no
zarf_registry_shared_enabledFlag to enable using an existing shared zarf registry bucketboolfalseno

Outputs

NameDescription
app_nlb_dns_nameDNS name for the application ELB
aws_dns_suffixOutput the DNS suffix of the current aws partition
aws_partitionOutput the name of the current aws partition
aws_regionAWS region used
bucket_prefixPrefix used to create gitlab buckets
cluster_nameUnique cluster name generated for EKS
cluster_security_groupSecurity group shared by cluster nodes
core_iam_roleIAM role of core node pool
core_security_groupSecurity group shared by core nodepool
create_agent_roleBool that determines if an IAM role is created
desired_node_countTotal desired (initial) node count across all node groups
enable_irsaDetermines whether to create an OpenID Connect Provider for EKS to enable IRSA
kms_key_arnARN of the KMS secret encryption key, if created
kms_key_idID of the KMS secret encryption key, if created
kms_key_policyIAM resource policy set on the KMS secret encryption key, if created
kubeconfig_dataMap of the connection information contained within the kubeconfig
minimum_node_countTotal minimum node count across all node groups
node_group_namesn/a
node_group_role_namesn/a
oidc_providerThe OpenID Connect identity provider (issuer URL without leading https://)
oidc_provider_arnThe ARN of the OIDC Provider if enable_irsa = true
server_security_groupSecurity group shared by server nodepool
ssh_keypair_nameName of the keypair created for this project
ssh_private_keyThe SSH private key configured as an authorized key on nodes.
target_group_arnsn/a
zarf_registry_bucket_idName of the bucket created for use with the Zarf registry