Terraform Module for EKS with built-in Flux GitOps
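module "example_cluster" {
  # Pin the module to a tag or commit with `?ref=...` rather than tracking the
  # default branch, so an upstream push cannot silently change what is applied.
  # The host part of this sample URL looks incomplete; use the module's full
  # repository URL.
  source = "git::https://Efrat19/terraform-eks-with-gitops.git"

  # Everything below uses sample values ("12345678", "x.x.x.x/x", "my_repo", ...)
  # that must be replaced for a real deployment.
  account             = "12345678" # AWS account ID (real IDs are 12 digits)
  region              = "us-east-1"
  vpc_id              = "vpc-12345678"
  igw_id              = "igw-12345678"
  vpc_private_subnets = ["x.x.x.x/x", "x.x.x.x/x", "x.x.x.x/x"]
  vpc_public_subnets  = ["x.x.x.x/x"] # list, like vpc_private_subnets; the opening bracket was missing
  nat_gateways        = ["nat-123456", "nat-654321", "nat-112233"] # NAT for each AZ, to save cross-AZ traffic costs
  cluster_name        = "example"
  cluster_version     = "1.21"
  vpc_cidr            = "x.x.x.x/x"

  # IAM users granted access to the cluster; presumably rendered into the aws-auth
  # ConfigMap (module.eks.kubernetes_config_map.aws_auth). Confirm which Kubernetes
  # group they are mapped to before adding shared or CI users here.
  auth_users = ["terraform-iam-user", "my-iam-user"]

  # Two managed node groups: a SPOT pool that carries the load and an ON_DEMAND
  # pool kept at zero that can be scaled up if spot capacity is unavailable.
  # Workloads can target a pool via the `spot` label.
  managed_node_groups = [
    {
      name                          = "example_spot_managed_node_group_v1"
      capacity_type                 = "SPOT"
      desired_capacity              = 2
      instance_types                = ["t3.2xlarge", "m5.xlarge", "m5.large", "c5.xlarge", "t2.xlarge"]
      max_capacity                  = 4
      min_capacity                  = 2
      additional_security_group_ids = [] # extra SGs on top of the module's workers SG
      k8s_labels = {
        spot = "true"
        env  = "example"
      }
    },
    {
      name                          = "example_ondemand_managed_node_group_v1"
      capacity_type                 = "ON_DEMAND"
      desired_capacity              = 0
      instance_types                = ["t3.2xlarge", "m5.xlarge", "m5.large", "c5.xlarge", "t2.xlarge"]
      max_capacity                  = 2
      min_capacity                  = 0
      additional_security_group_ids = []
      k8s_labels = {
        spot = "false"
        env  = "example"
      }
    }
  ]

  # Flux bootstrap source. The host in this sample SSH URL is garbled
  # ("[email protected]"); use the repository's real SSH clone URL.
  flux_github_url  = "ssh://[email protected]/me/my_repo.git"
  flux_target_path = "example_cluster_source"
  flux_repo        = "my_repo"
  flux_branch      = "main"
  # With automation enabled Flux writes updated image tags back to the repo, so
  # the deploy key created for this source presumably needs write access — confirm.
  # Set to false if the cluster should only ever read from the repo.
  flux_auto_image_update = true

  # Additional GitRepository sources. `read_only = true` presumably requests a
  # read-only deploy key for that repo — confirm against the module.
  extra_flux_sources = [
    {
      source_name     = "another-source"
      github_owner    = "another-owner"
      repository_name = "another_repo"
      branch          = "main"
      target_path     = "charts"
      read_only       = true
    }
  ]

  tags = {
    Env = "example"
  }

  # IAM Roles for Service Accounts: each entry binds one IAM role to one
  # Kubernetes service account ("system:serviceaccount:<namespace>:<name>").
  irsa_roles = [
    {
      role_name       = "k8s-secretmanager-example-cluster"
      service_account = "system:serviceaccount:management:kubernetes-external-secrets"
      # SecretsManagerReadWrite is an AWS-managed policy granting read/write on
      # every secret in the account. Prefer a customer-managed policy scoped to
      # the secret ARNs this workload actually needs.
      policies_to_assign = [
        "arn:aws:iam::aws:policy/SecretsManagerReadWrite",
      ]
    }
  ]
}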
| Name | Version | 
|---|---|
| terraform | >= 0.13.1 | 
| aws | >= 3.40.0 | 
| http | >= 2.4.1 | 
| kubernetes | >= 1.11.1 | 
| local | >= 1.4 | 
| flux | ~> 0.2 | 
| github | ~> 4.5 | 
| kubectl | ~> 1.0 | 
| Name | Version | 
|---|---|
| aws | >= 3.40.0 | 
| http | >= 2.4.1 | 
| local | >= 1.4 | 
| flux | ~> 0.2 | 
| github | ~> 4.5 | 
| helm | ~> 2.0 | 
| kubectl | ~> 1.0 | 
| kubernetes | ~> 2.0 | 
| tls | n/a | 
No modules.
| Name | Type | 
|---|---|
| aws_iam_role.irsa_role | Resource | 
| aws_route_table.cluster_private_rtb | Resource | 
| aws_route_table.cluster_public_rtb_dynamic | Resource | 
| aws_route_table_association.cluster_private | Resource | 
| aws_route_table_association.cluster_public | Resource | 
| aws_security_group.workers_sg | Resource | 
| aws_subnet.cluster_private | Resource | 
| aws_subnet.cluster_public | Resource | 
| github_repository_deploy_key.main | Resource | 
| github_repository_file.ecr-sync | Resource | 
| github_repository_file.sync | Resource | 
| kubectl_manifest.ecr-sync | Resource | 
| kubectl_manifest.sync | Resource | 
| kubernetes_secret.main | Resource | 
| tls_private_key.main | Resource | 
| module.addons_flux.github_repository_deploy_key.main | Resource | 
| module.addons_flux.github_repository_file.install | Resource | 
| module.addons_flux.github_repository_file.kustomize | Resource | 
| module.addons_flux.github_repository_file.sync | Resource | 
| module.addons_flux.kubectl_manifest.apply | Resource | 
| module.addons_flux.kubectl_manifest.sync | Resource | 
| module.addons_flux.kubernetes_namespace.flux2 | Resource | 
| module.addons_flux.kubernetes_network_policy.flux2_allow_monitoring | Resource | 
| module.addons_flux.kubernetes_network_policy.flux2_allow_namespace | Resource | 
| module.addons_flux.kubernetes_priority_class.kubernetes_addons | Resource | 
| module.addons_flux.kubernetes_priority_class.kubernetes_addons_ds | Resource | 
| module.addons_flux.kubernetes_secret.main | Resource | 
| module.addons_flux.tls_private_key.identity | Resource | 
| module.eks.aws_eks_cluster.this | Resource | 
| module.eks.aws_iam_openid_connect_provider.oidc_provider | Resource | 
| module.eks.aws_iam_policy.cluster_elb_sl_role_creation | Resource | 
| module.eks.aws_iam_role.cluster | Resource | 
| module.eks.aws_iam_role.workers | Resource | 
| module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy | Resource | 
| module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy | Resource | 
| module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSVPCResourceControllerPolicy | Resource | 
| module.eks.aws_iam_role_policy_attachment.cluster_elb_sl_role_creation | Resource | 
| module.eks.aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly | Resource | 
| module.eks.aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy | Resource | 
| module.eks.aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy | Resource | 
| module.eks.aws_security_group.cluster | Resource | 
| module.eks.aws_security_group.workers | Resource | 
| module.eks.aws_security_group_rule.cluster_egress_internet | Resource | 
| module.eks.aws_security_group_rule.cluster_https_worker_ingress | Resource | 
| module.eks.aws_security_group_rule.workers_egress_internet | Resource | 
| module.eks.aws_security_group_rule.workers_ingress_cluster | Resource | 
| module.eks.aws_security_group_rule.workers_ingress_cluster_https | Resource | 
| module.eks.aws_security_group_rule.workers_ingress_self | Resource | 
| module.eks.kubernetes_config_map.aws_auth | Resource | 
| module.eks.local_file.kubeconfig | Resource | 
| module.eks.module.node_groups.aws_eks_node_group.workers | Resource | 
| module.eks.module.node_groups.aws_launch_template.workers | Resource | 
| data.aws_availability_zones.available | Data Source | 
| data.aws_eks_cluster.cluster | Data Source | 
| data.aws_eks_cluster_auth.cluster | Data Source | 
| data.aws_nat_gateway.cluster_networking | Data Source | 
| data.aws_subnet.cluster_networking | Data Source | 
| data.flux_sync.main | Data Source | 
| data.github_repository.main | Data Source | 
| data.kubectl_file_documents.sync | Data Source | 
| module.addons_flux.data.flux_install.main | Data Source | 
| module.addons_flux.data.flux_sync.main | Data Source | 
| module.addons_flux.data.github_repository.main | Data Source | 
| module.addons_flux.data.kubectl_file_documents.apply | Data Source | 
| module.addons_flux.data.kubectl_file_documents.sync | Data Source | 
| module.addons_flux.data.kubectl_path_documents.cert-manager_cluster_issuers | Data Source | 
| module.addons_flux.data.kubectl_path_documents.cert-manager_csi_driver | Data Source | 
| module.eks.data.aws_caller_identity.current | Data Source | 
| module.eks.data.aws_iam_policy_document.cluster_assume_role_policy | Data Source | 
| module.eks.data.aws_iam_policy_document.cluster_elb_sl_role_creation | Data Source | 
| module.eks.data.aws_iam_policy_document.workers_assume_role_policy | Data Source | 
| module.eks.data.aws_partition.current | Data Source | 
| module.eks.data.http.wait_for_cluster | Data Source | 
| module.eks.module.node_groups.data.cloudinit_config.workers_userdata | Data Source | 
| Name | Description | 
|---|---|
| cloudwatch_log_group_arn | Arn of cloudwatch log group created | 
| cloudwatch_log_group_name | Name of cloudwatch log group created | 
| cluster_arn | The Amazon Resource Name (ARN) of the cluster. | 
| cluster_certificate_authority_data | Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster. | 
| cluster_endpoint | The endpoint for your EKS Kubernetes API. | 
| cluster_iam_role_arn | IAM role ARN of the EKS cluster. | 
| cluster_iam_role_name | IAM role name of the EKS cluster. | 
| cluster_id | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready. | 
| cluster_oidc_issuer_url | The URL on the EKS cluster OIDC Issuer | 
| cluster_primary_security_group_id | The cluster primary security group ID created by the EKS cluster on 1.14 or later. Referred to as 'Cluster security group' in the EKS console. | 
| cluster_security_group_id | Security group ID attached to the EKS cluster. On 1.14 or later, this is the 'Additional security groups' in the EKS console. | 
| cluster_version | The Kubernetes server version for the EKS cluster. | 
| config_map_aws_auth | A kubernetes configuration to authenticate to this EKS cluster. | 
| fargate_iam_role_arn | IAM role ARN for EKS Fargate pods | 
| fargate_iam_role_name | IAM role name for EKS Fargate pods | 
| fargate_profile_arns | Amazon Resource Name (ARN) of the EKS Fargate Profiles. | 
| fargate_profile_ids | EKS Cluster name and EKS Fargate Profile names separated by a colon (:). | 
| kubeconfig | kubectl config file contents for this EKS cluster. Will block on cluster creation until the cluster is really ready. | 
| kubeconfig_filename | The filename of the generated kubectl config. Will block on cluster creation until the cluster is really ready. | 
| node_groups | Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys | 
| oidc_provider_arn | The ARN of the OIDC Provider if enable_irsa = true. | 
| security_group_rule_cluster_https_worker_ingress | Security group rule responsible for allowing pods to communicate with the EKS cluster API. | 
| worker_iam_instance_profile_arns | default IAM instance profile ARN for EKS worker groups | 
| worker_iam_instance_profile_names | default IAM instance profile name for EKS worker groups | 
| worker_iam_role_arn | default IAM role ARN for EKS worker groups | 
| worker_iam_role_name | default IAM role name for EKS worker groups | 
| worker_security_group_id | Security group ID attached to the EKS workers. | 
| workers_asg_arns | IDs of the autoscaling groups containing workers. | 
| workers_asg_names | Names of the autoscaling groups containing workers. | 
| workers_default_ami_id | ID of the default worker group AMI | 
| workers_default_ami_id_windows | ID of the default Windows worker group AMI | 
| workers_launch_template_arns | ARNs of the worker launch templates. | 
| workers_launch_template_ids | IDs of the worker launch templates. | 
| workers_launch_template_latest_versions | Latest versions of the worker launch templates. | 
| workers_user_data | User data of worker groups | 
| private_subnets_ids | IDs of the created private subnets | 
| public_subnets_ids | IDs of the created public subnets | 
| cluster_private_rtb_ids | IDs of the created private route tables | 
| cluster_public_rtb_id | ID of the created public route table | 
| irsa_roles | ARNs of the created IRSA roles |