additional_eks_managed_node_groups | Additional node groups to create | any | {} | no |
allowed_app_cidr_blocks | Allows application access from CIDR blocks. | list(string) | [] | no |
allowed_ingress_cidr_blocks | Allows ingress from these CIDR blocks. | list(string) | [] | no |
allowed_ssh_cidr_blocks | Allows SSH from CIDR blocks. | list(string) | [] | no |
allowed_sso_cidr_blocks | Allows SSO access from CIDR blocks. | list(string) | [] | no |
ami_filters | List of AMI filters used to select the AMI | list(object({ name = string values = list(string) })) | [] | no |
ami_id | AMI ID to use when building the cluster instances | string | "" | no |
ami_most_recent | Select the most recent version of the AMI | bool | true | no |
ami_owners | List of AWS account IDs used in AMI lookup filter | list(string) | [ "241559654725", "171179903432" ] | no |
application_nlb_cross_zone_load_balancing | Toggles cross zone load balancing on/off. | bool | true | no |
application_nlb_egress_rules | Security group rules to apply to the Application NLB security group to control outbound traffic. Egress to eks nodes on 30021, 30080, and 30443 will be allowed by default | any | null | no |
application_nlb_enable | Toggles the creation of the Application Network Load Balancer off/on | bool | true | no |
application_nlb_ingress_rules | Security group rules to apply to the Application NLB security group to control inbound traffic. HTTP and HTTPS rules based on the allowed ingress cidr variable will be used by default | any | null | no |
application_nlb_internal | Toggles the scheme of the load balancer between internal and internet-facing. Default is internal | bool | true | no |
application_nlb_listeners | Object describing the listeners to be created and associated with the Application NLB | any | { "http": { "forward": { "target_group_key": "http-cluster" }, "port": 80, "protocol": "TCP" }, "https": { "forward": { "target_group_key": "https-cluster" }, "port": 443, "protocol": "TCP" } } | no |
application_nlb_preserve_client_ip | Toggles the preserve_client_ip setting on/off. Will always be false if compatibility_mode is set | bool | true | no |
application_nlb_stickiness_enabled | Application NLB Stickiness settings. Will always be an empty set if compatibility_mode is set | any | { "duration": 3600, "enabled": true, "type": "source_ip" } | no |
application_nlb_subnets | Subnets to use when creating the Application NLB. Will default to the value of subnet_ids if not specified | list(string) | null | no |
application_nlb_target_groups | Target groups to create as part of the Application Load balancer. A default set of target groups will be created if not specified | any | null | no |
aws_auth_roles | List of role maps to add to the aws-auth configmap | list(any) | [] | no |
aws_region | AWS Region used to configure the AWS provider | string | n/a | yes |
bigbang_values_filename | Filename of the locally-created big bang values include | string | "bigbang-values-eks.yaml" | no |
cluster_addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with name | any | {} | no |
cluster_agent_iam_role | Existing IAM role name for the cluster | string | "" | no |
cluster_autoscaler_enabled | Configures the cluster to support cluster autoscaler | bool | true | no |
cluster_encryption_config | Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to {} | map(any) | { "resources": [ "secrets" ] } | no |
cluster_extra_tags | Map of tags to add to all resources created | map(string) | {} | no |
cluster_security_group_additional_rules | Cluster security group rules. Will be merged with the defaults unless disable_default_cluster_sg_rules is true | any | {} | no |
cluster_timeouts | Create, update, and delete timeout configurations for the node group. | object({ create = string update = string delete = string }) | { "create": "60m", "delete": "60m", "update": "120m" } | no |
compatibility_mode | If enabled, this flag disables some AWS features which are not available in all AWS partitions/regions. | bool | true | no |
config_output_dir | Path to directory where local config files should be output | string | "." | no |
controlplane_allowed_cidrs | Server pool security group allowed cidr ranges | list(string) | [] | no |
controlplane_private_access | Expose the kubernetes API privately. | bool | true | no |
controlplane_public_access | Expose the kubernetes API publicly. Not recommended | bool | false | no |
create_aws_auth_configmap | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use manage_aws_auth_configmap | bool | false | no |
create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | true | no |
create_kms_key | Controls if a KMS key for cluster encryption should be created | bool | true | no |
create_logging_bucket | Create a logging bucket | bool | true | no |
custom_default_bdm | User defined block device mapping to apply to node groups by default | any | {} | no |
custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | list(string) | [] | no |
default_additional_policies | Additional policies to associate with the node groups by default | any | {} | no |
default_ami_type | Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM, BOTTLEROCKET_ARM_64, BOTTLEROCKET_x86_64 | string | "CUSTOM" | no |
default_bdm_delete_on_termination | Toggle delete_on_termination off/on for the default block device mapping | bool | true | no |
default_bdm_encrypted | Toggle encryption off/on for the default block device mapping | bool | true | no |
default_bdm_kms_key_id | KMS key to use for block device mapping encryption | string | null | no |
default_bdm_volume_size | Volume size to use in the node group default block device mapping | number | 280 | no |
default_bdm_volume_type | Volume type to use in the node group default block device mapping | string | "gp3" | no |
default_capacity_type | Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND , SPOT | string | "SPOT" | no |
default_disable_api_termination | If true, enables EC2 instance termination protection | bool | false | no |
default_ebs_optimized | If true, the launched EC2 instance(s) will be EBS-optimized | bool | true | no |
default_eks_node_group_name | Set a fixed name for the default node group. | string | "structsure-nodes" | no |
default_eks_node_group_size | Minimum, maximum, and desired node counts for the default node group. | object({ min = number max = number desired = number }) | { "desired": 6, "max": 15, "min": 3 } | no |
default_enable_bootstrap_user_data | Determines whether the bootstrap configurations are populated within the user data template. Only valid when using a custom AMI via ami_id | bool | true | no |
default_enable_monitoring | Enables/disables detailed monitoring | bool | true | no |
default_force_update_version | Force version update if existing pods are unable to be drained due to a pod disruption budget issue | bool | true | no |
default_iam_role_attach_cni_policy | Attach the CNI IAM policy to node groups by default | bool | true | no |
default_instance_types | Set of instance types associated with the EKS Node Group. See the Default column for the values used when unset | list(string) | [ "t3a.2xlarge", "t3.2xlarge", "m5a.2xlarge", "m6a.2xlarge" ] | no |
default_metadata_options | Customize the EC2 instance metadata service (IMDS) options for the node instances. Note that `http_tokens = "optional"` leaves IMDSv1 reachable from the node; set it to `required` to enforce IMDSv2 | any | { "http_endpoint": "enabled", "http_put_response_hop_limit": 2, "http_tokens": "optional", "instance_metadata_tags": "disabled" } | no |
default_post_bootstrap_user_data | User data that is appended to the user data script after the EKS bootstrap script. Not used when platform = bottlerocket | string | null | no |
default_pre_bootstrap_user_data | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when platform = bottlerocket | string | null | no |
disable_default_additional_policies | Removes the default IAM policies instead of merging them with the contents of default_additional_policies | bool | false | no |
disable_default_cluster_addons | If true, var.cluster_addons is merged with a set of default add-ons. If false, only var.cluster_addons is applied | bool | false | no |
disable_default_cluster_sg_rules | Disables the default set of cluster security group rules | bool | false | no |
disable_default_node_groups | Disables the creation of the default node groups | bool | false | no |
disable_default_node_sg_rules | Disables the default set of node security group rules | bool | false | no |
eks_version | Version of EKS to deploy | string | "1.29" | no |
enable_cas_policy | Toggles a Cluster Autoscaler IAM policy creation and attachment on/off | bool | true | no |
enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | bool | true | no |
enable_kms_policy | Toggles a KMS usage IAM policy creation and attachment on/off | bool | true | no |
include_oidc_root_ca_thumbprint | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | bool | true | no |
log_bucket_policy_enabled | Attach a bucket policy to the logging bucket allowing access from the AWS logs service | bool | true | no |
manage_aws_auth_configmap | Determines whether to manage the aws-auth configmap | bool | true | no |
name_prefix | Name of the cluster to create | string | "structsure" | no |
name_prefix_include_workspace | Toggle to include the workspace in the name prefix | bool | false | no |
nlb_enable_deletion_protection | Prevent the NLB(s) from being deleted | bool | true | no |
node_security_group_additional_rules | Node security group rules. Will be merged with the defaults unless disable_default_node_sg_rules is true | any | {} | no |
openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | list(string) | [] | no |
persistent | Flag to set the deployment to persistent or ephemeral | bool | false | no |
resize_disks | Enables automatic resizing of disks in userdata script | bool | true | no |
root_cas | List containing root certificate authorities (optionally base64 encoded) | list( object( { name = string cert = string } ) ) | [] | no |
ssh_enabled | Toggles the SSH inbound security group on/off | bool | true | no |
sso_nlb_cross_zone_load_balancing | Toggles cross zone load balancing on/off. | bool | true | no |
sso_nlb_egress_rules | Security group rules to apply to the SSO NLB security group to control outbound traffic. Egress to eks nodes on 32021, 32080, and 32443 will be allowed by default | any | null | no |
sso_nlb_ingress_rules | Security group rules to apply to the SSO NLB security group to control inbound traffic. HTTP and HTTPS rules based on the allowed ingress cidr variable will be used by default | any | null | no |
sso_nlb_internal | Toggles the scheme of the load balancer between internal and internet-facing. Default is internal | bool | true | no |
sso_nlb_listeners | Object describing the listeners to be created and associated with the SSO NLB | any | { "http": { "forward": { "target_group_key": "http-cluster" }, "port": 80, "protocol": "TCP" }, "https": { "forward": { "target_group_key": "https-cluster" }, "port": 443, "protocol": "TCP" } } | no |
sso_nlb_preserve_client_ip | Toggles the preserve_client_ip setting on/off. Will always be false if compatibility_mode is set | bool | true | no |
sso_nlb_stickiness_enabled | SSO NLB Stickiness settings. Will always be an empty set if compatibility_mode is set | any | { "duration": 3600, "enabled": true, "type": "source_ip" } | no |
sso_nlb_subnets | Subnets to use when creating the SSO NLB. Will default to the value of subnet_ids if not specified | list(string) | [] | no |
sso_nlb_target_groups | Target groups to create as part of the SSO Load balancer. A default set of target groups will be created if not specified | any | null | no |
sso_passthrough_enable | Toggles SSO (Keycloak) to use the passthrough Network Load Balancer | bool | false | no |
subnet_ids | The ids of the specific subnets to use | list(string) | n/a | yes |
vault_passthrough_enable | Toggles Vault to use the passthrough Network Load Balancer | bool | false | no |
vpc_id | VPC ID to create resources in | string | n/a | yes |
zarf_init_ca_bundle_filename | Filename of the locally-created zarf init CA bundle (PEM) file | string | "zarf-ca-bundle.pem" | no |
zarf_init_config_filename | Filename of the locally-created zarf init config yaml file | string | "zarf-init-config.yaml" | no |
zarf_registry_enabled | Flag to enable the creation of zarf registry bucket and configuration | bool | true | no |
zarf_registry_ironbank_mirror_enabled | Toggle for configuring a containerd mirror that points registry1.dso.mil to zarf's registry | bool | true | no |
zarf_registry_nodeport | zarf registry node port; must be between 30000-32767 | number | 31999 | no |
zarf_registry_policy_enabled | Attach a bucket policy to the registry bucket allowing access from the cluster nodes | bool | true | no |
zarf_registry_pull_password | zarf registry pull password; if not supplied, a random one will be generated | string | "" | no |
zarf_registry_pull_username | zarf registry pull username | string | "zarf-pull" | no |
zarf_registry_redirect_disable | Disable the registry redirect | string | "true" | no |
zarf_registry_shared_bucket_id | Name of an existing shared zarf registry bucket | string | "shared-zarf-registry" | no |
zarf_registry_shared_enabled | Flag to enable using an existing shared zarf registry bucket | bool | false | no |